Eddy_161863
Nimbostratus
May 04, 2016

How does the IMAP health check work?

Hi,

I am using advanced monitoring for IMAP and the health check is failing. Since we do not define send and receive strings in the IMAP health check, what information does it look for once it logs in to the CAS server with the username and password provided in the health check?

Also, to use advanced monitoring, is it a requirement to offload SSL on the F5? Because in my config, I'm not doing SSL offloading or SSL bridging.

Thanks in advance for your help.

6 Replies

  • The IMAP monitor speaks the IMAP protocol, not IMAPS (IMAP over SSL). It also does not support STARTTLS, so it cannot change to SSL after connecting to port 143.

    If your pool members are on port 443 then you can override that port on the monitor and force it to use 143 by setting the 'alias service port' advanced field of the monitor definition. Note that this field can only be set when creating a monitor, and can't be modified after that.

    Check to see if they are listening on port 143, and whether they accept plaintext authentication. In my lab, the pool member is 172.126.218.10 and the test imap account has a username of 'imap', and a password of 'imap':

    (bigip)  telnet 172.16.218.10 143
    Trying 172.16.218.10...
    Connected to 172.16.218.10.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
    1 LOGIN imap imap
    1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
    2 LOGOUT
    * BYE Logging out
    2 OK Logout completed.
    Connection closed by foreign host.
    

    You mention 'advanced monitoring', which makes me think you're using the Exchange iApp, but then you say you're not using SSL Bridging or SSL offload, which are the only two options in the iApp template. Are you load balancing SSL traffic, and have you manually created an imap monitor for the pool?

    I suggest you enable the 'Debug' option under advanced options in the monitor, and then review the log file in /var/log/monitors/Common__.log to see exactly what it is trying to do. It may be that port 143 is listening, but does not allow plain text logins (which Exchange prohibits by default), and the imap monitor can only perform plain text authentication.

    For reference, I've included a sample log file showing a successful check.

    (bigip)  tail -f /var/log/monitors/Common_imap_monitor-Common_172.16.218.10-143.log
    
    05:33:22.879445:(_Tcl /Common/imap_monitor): ************ Debugging session begins,
    Environment variables:
    
    05:33:22.879538:(_Tcl /Common/imap_monitor): ha_state active
    05:33:22.879554:(_Tcl /Common/imap_monitor): sw_product BIG-IP
    05:33:22.879563:(_Tcl /Common/imap_monitor): bigd_version 12.0.0.0.0.606
    05:33:22.879572:(_Tcl /Common/imap_monitor): pointerSize 4
    05:33:22.879580:(_Tcl /Common/imap_monitor): cluster_primary false
    05:33:22.879588:(_Tcl /Common/imap_monitor): slot_id 0
    05:33:22.879597:(_Tcl /Common/imap_monitor): wordSize 4
    05:33:22.879605:(_Tcl /Common/imap_monitor): byteOrder littleEndian
    05:33:22.879613:(_Tcl /Common/imap_monitor): osVersion 2.6.32-431.56.1.el6.f5.x86_64
    05:33:22.879622:(_Tcl /Common/imap_monitor): os Linux
    05:33:22.879630:(_Tcl /Common/imap_monitor): platform unix
    05:33:22.879638:(_Tcl /Common/imap_monitor): machine x86_64
    05:33:22.879708:(_Tcl /Common/imap_monitor): user root
    05:33:22.879719:(_Tcl /Common/imap_monitor): hostname ltm-1200-211.local
    05:33:22.879764:(_Tcl /Common/imap_monitor): ::monitor::type imap
    05:33:22.879839:(_Tcl /Common/imap_monitor): ::monitor::password imap
    05:33:22.879851:(_Tcl /Common/imap_monitor): ::monitor::url imap://172.16.218.10:143
    05:33:22.879861:(_Tcl /Common/imap_monitor): ::monitor::folder INBOX
    05:33:22.879870:(_Tcl /Common/imap_monitor): ::monitor::reverse 0
    05:33:22.879881:(_Tcl /Common/imap_monitor): ::monitor::interval 10
    05:33:22.879890:(_Tcl /Common/imap_monitor): ::monitor::node_ip 172.16.218.10
    05:33:22.879900:(_Tcl /Common/imap_monitor): ::monitor::route_domain 0
    05:33:22.879909:(_Tcl /Common/imap_monitor): ::monitor::debug yes
    05:33:22.879917:(_Tcl /Common/imap_monitor): ::monitor::username imap
    05:33:22.879926:(_Tcl /Common/imap_monitor): ::monitor::name /Common/imap_monitor
    05:33:22.879936:(_Tcl /Common/imap_monitor): ::monitor::node_port 143
    05:33:22.879944:(_Tcl /Common/imap_monitor): ::monitor::node_name /Common/172.16.218.10
    05:33:22.879953:(_Tcl /Common/imap_monitor): ::monitor::is_ip_v6 0
    05:33:22.879963:(_Tcl /Common/imap_monitor): ::monitor::timeout 31
    05:33:22.880078:(_Tcl /Common/imap_monitor): URL: imap://172.16.218.10:143/INBOX Options: -username "imap" -password "imap" -timeout 9 -connecttimeout 5 -writeproc write_to_debug -verbose 1 -debugproc verbose_write
    
    05:33:22.880094:(_Tcl /Common/imap_monitor): Connection Log:
    05:33:22.880476:(_Tcl /Common/imap_monitor): timeout on name lookup is not supported
    05:33:22.880516:(_Tcl /Common/imap_monitor): About to connect() to 172.16.218.10 port 143 (0)
    05:33:22.880552:(_Tcl /Common/imap_monitor):   Trying 172.16.218.10...
    05:33:22.884341:(_Tcl /Common/imap_monitor): connected
    05:33:22.884379:(_Tcl /Common/imap_monitor): Connected to 172.16.218.10 (172.16.218.10) port 143 (0)
    05:33:22.896946:(_Tcl /Common/imap_monitor): * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
    
    05:33:22.897017:(_Tcl /Common/imap_monitor): B LOGIN imap imap
    05:33:22.927866:(_Tcl /Common/imap_monitor): B OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
    05:33:22.927945:(_Tcl /Common/imap_monitor): C SELECT INBOX
    05:33:22.932823:(_Tcl /Common/imap_monitor): * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
    05:33:22.932851:(_Tcl /Common/imap_monitor): * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
    05:33:22.932859:(_Tcl /Common/imap_monitor): * 1 EXISTS
    05:33:22.932866:(_Tcl /Common/imap_monitor): * 0 RECENT
    05:33:22.932873:(_Tcl /Common/imap_monitor): * OK [UIDVALIDITY 1462451573] UIDs valid
    05:33:22.932880:(_Tcl /Common/imap_monitor): * OK [UIDNEXT 2] Predicted next UID
    05:33:22.932887:(_Tcl /Common/imap_monitor): * OK [HIGHESTMODSEQ 1] Highest
    05:33:22.932893:(_Tcl /Common/imap_monitor): C OK [READ-WRITE] Select completed.
    05:33:22.932914:(_Tcl /Common/imap_monitor): D FETCH 1 BODY[TEXT]
    05:33:22.937804:(_Tcl /Common/imap_monitor): * 1 FETCH (BODY[TEXT] {34}
    05:33:22.937823:(_Tcl /Common/imap_monitor): Found 34 bytes to download
    05:33:22.937841:(_Tcl /Common/imap_monitor):
    
    sdaf
    sf
    sdf
    sdfsdf
    .
    
    05:33:22.937850:(_Tcl /Common/imap_monitor): Filesize left: 0
    05:33:22.937862:(_Tcl /Common/imap_monitor): Connection 0 to host 172.16.218.10 left intact
    05:33:22.937886:(_Tcl /Common/imap_monitor): A LOGOUT
    05:33:22.942813:(_Tcl /Common/imap_monitor): )
    05:33:22.942831:(_Tcl /Common/imap_monitor): D OK Fetch completed.
    05:33:22.942844:(_Tcl /Common/imap_monitor): * BYE Logging out
    05:33:22.942851:(_Tcl /Common/imap_monitor): A OK Logout completed.
    
    05:33:22.942859:(_Tcl /Common/imap_monitor): Closing connection 0
    

    As you can see, the imap monitor connects, authenticates using plain text, selects the inbox, and fetches the first message from it. If any of those steps fail, the monitor gets marked down.

  • Thank you!!

    So I did troubleshoot, and it looks like the server side doesn't accept plaintext authentication. I will try to test it with plaintext enabled and let you know the results.

    Another question: how can I achieve the same for secure IMAP? I'm not using the iApp template and all config is manual. I want to define a username and password to log in to the server. Should I be using the IMAP or HTTPS monitor?

    Thanks in advance for your help.

    • IanB
      Employee
      BigIP does not have a built-in IMAPS monitor type. You could create an external shell script that would make use of 'openssl s_client' to create an SSL connection, and then run its own IMAP check, but you would have to write this yourself, or find one already written here on devcentral (I haven't looked to see if there are any). An HTTPS monitor would not work, as it speaks HTTP over SSL, and you need to speak IMAP over SSL.
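
An added example, not part of the original posts and not F5's code: a sketch of the external monitor script described in the reply above, which sends the same LOGIN / SELECT INBOX / FETCH sequence seen in the earlier debug log through `openssl s_client`. The variable names `IMAP_USER` and `IMAP_PASS`, the `a1`..`a4` tags, the one-second pacing and the availability of `timeout` on the box are assumptions.

```shell
#!/bin/bash
# Added example: IMAPS health check written as a BIG-IP external monitor.
# IMAP_USER / IMAP_PASS are assumed names for variables defined on the monitor.

# Wrap a value as an IMAP quoted string, escaping backslash and double quote,
# so a password containing either cannot break out of the LOGIN argument.
imap_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')"
}

# Read a server transcript on stdin. Succeed only if LOGIN (a1), SELECT (a2)
# and FETCH (a3) each drew a tagged OK; a NO/BAD or a dropped session fails.
imap_transcript_ok() {
    tr -d '\r' | awk '
        $1 ~ /^a[123]$/ && toupper($2) == "OK" { ok[$1] = 1 }
        END { exit !(ok["a1"] && ok["a2"] && ok["a3"]) }'
}

# $1 = host (IPv4 assumed), $2 = port. Credentials are written to the TLS
# session on stdin by the shell's printf builtin, never placed on openssl's
# command line. The sleeps are crude pacing between commands.
# s_client does not abort on certificate errors unless -verify_return_error
# is added; add it (with a suitable -CAfile) if the check must authenticate
# the server as well.
run_check() {
    {
        sleep 1; printf 'a1 LOGIN %s %s\r\n' \
            "$(imap_quote "$IMAP_USER")" "$(imap_quote "$IMAP_PASS")"
        sleep 1; printf 'a2 SELECT INBOX\r\n'
        sleep 1; printf 'a3 FETCH 1 BODY[TEXT]\r\n'
        sleep 1; printf 'a4 LOGOUT\r\n'
    } | timeout 9 openssl s_client -quiet -connect "$1:$2" 2>/dev/null |
        imap_transcript_ok
}

# External monitor convention: $1 = member address (IPv4 arrives with a
# ::ffff: prefix), $2 = port. Any output on stdout marks the member up;
# no output marks it down.
if [ "$#" -ge 2 ]; then
    host=$(printf '%s' "$1" | sed 's/^::ffff://')
    run_check "$host" "$2" && echo up
fi
```

Like the built-in monitor in the log, this fetches message 1, so the test mailbox must contain at least one message.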
  • For your second question, HTTPS monitor would be the possible option. I would be glad to have second opinions here.
  • Hi Eddy, I have the same issue with monitoring IMAP/POP3 over SSL. Have you resolved it with a script?

    Thank you for your time.