Wildcard SSL, POP3, IMAP and Outlook

    Question

  • Hey all,

    I have begun migrating our Exchange 2010 setup over to 2013. I have set up two CA servers with live IP addresses and one MD server on a local range; both CA servers are load balanced, and the external and internal URLs are set up to go to the external load balanced URL (for now call it owa.blah.com). A wildcard SSL certificate has been installed onto the servers and OWA is accessible via HTTPS with the correct SSL certificate.

    IMAP and POP3 are another matter altogether. When assigning the SSL certificate to the system it says I need to use PowerShell; it says this:

     This certificate with thumbprint XXXX and subject '*.blah.com' cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.

    Pushing forward, I went to the CLI and used Set-PopSettings -X509CertificateName "owa.blah.com", which completed successfully. Going back to ECP I attempted to run this again, with no love.

    Digging further into it I ran Get-PopSettings | fl and got the following information:

    RunspaceId                        : XXXX
    Name                              : 1
    ProtocolName                      : POP3
    MaxCommandSize                    : 512
    MessageRetrievalSortOrder         : Ascending
    UnencryptedOrTLSBindings          : {[::]:110, 0.0.0.0:110}
    SSLBindings                       : {[::]:995, 0.0.0.0:995}
    InternalConnectionSettings        : {md-1.office.blah.net:995:SSL, md-1.office.blah.net:110:TLS}
    ExternalConnectionSettings        : {}
    X509CertificateName               : owa.blah.com
    Banner                            : The Microsoft Exchange POP3 service is ready.
    LoginType                         : SecureLogin
    AuthenticatedConnectionTimeout    : 00:30:00
    PreAuthenticatedConnectionTimeout : 00:01:00
    MaxConnections                    : 2147483647
    MaxConnectionFromSingleIP         : 2147483647
    MaxConnectionsPerUser             : 16
    MessageRetrievalMimeFormat        : BestBodyFormat
    ProxyTargetPort                   : 9955
    CalendarItemRetrievalOption       : iCalendar
    OwaServerUrl                      :
    EnableExactRFC822Size             : False
    LiveIdBasicAuthReplacement        : False
    SuppressReadReceipt               : False
    ProtocolLogEnabled                : False
    EnforceCertificateErrors          : False
    LogFileLocation                   : E:\Exchange 2013\Logging\Pop3
    LogFileRollOverSettings           : Daily
    LogPerFileSizeQuota               : 0 B (0 bytes)
    ExtendedProtectionPolicy          : None
    EnableGSSAPIAndNTLMAuth           : True
    Server                            : MD-1
    AdminDisplayName                  :
    ExchangeVersion                   : 0.10 (14.0.100.0)
    DistinguishedName                 : CN=1,CN=POP3,CN=Protocols,CN=MD-1,CN=Servers,CN=Exchange Administrative Group
                                        (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Netregistry,CN=Microsoft
                                        Exchange,CN=Services,CN=Configuration,DC=office,DC=blah,DC=net
    Identity                          : MD-1\1
    Guid                              : XXXX
    ObjectCategory                    : office.blah.net/Configuration/Schema/ms-Exch-Protocol-Cfg-POP-Server
    ObjectClass                       : {top, protocolCfg, protocolCfgPOP, protocolCfgPOPServer}
    WhenChanged                       : 14/11/2013 11:23:13 AM
    WhenCreated                       : 29/10/2013 3:01:14 PM
    WhenChangedUTC                    : 14/11/2013 12:23:13 AM
    WhenCreatedUTC                    : 29/10/2013 4:01:14 AM
    OrganizationId                    :
    OriginatingServer                 : adcore-2.office.blah.net
    IsValid                           : True
    ObjectState                       : Unchanged

    Seeing this, I tried to change the ExternalConnectionSettings to match the certificate name (I also tried the InternalConnectionSettings)

    and got this:

    [PS] C:\Windows\system32>Set-PopSettings -ExternalConnectionSettings {owa.blah.com:995:SSL}
    The ExternalConnectionSettings property is read-only when the Mailbox role: Mailbox service server role is installed.
        + CategoryInfo          : InvalidArgument: (:) [Set-PopSettings], ExInvalidArgumentForServerRoleException
        + FullyQualifiedErrorId : C197DF96,Microsoft.Exchange.Management.Tasks.SetPop3Configuration
        + PSComputerName        : ca-1.blah.net

    WARNING: Changes to POP3 settings will only take effect after all Microsoft Exchange POP3 services are restarted on
    server MD-1.

    Any thoughts?

    Servers are set up like so:

    ca-1.blah.net (live ip) 

    ca-1.office.blah.net(internal server)

    ca-2.blah.net

    ca-2.office.blah.net

    Both of these are load balanced onto owa.blah.com.

    Let me know if you need any more information.

    Tuesday, November 19, 2013 10:50 PM

Answers

  • OK!

    Here is how you do it.

    You run Set-ImapSettings / Set-PopSettings -Server ca-1 -X509CertificateName owa.blah.com

    on both servers, then restart IMAP/POP and it works. You need to use -Server.

    • Marked as answer by mcassar Thursday, November 21, 2013 9:53 PM
    Thursday, November 21, 2013 9:52 PM

All replies

  • Have I missed the issue? Has the cert now been assigned?

    Sukh

    Wednesday, November 20, 2013 12:08 AM
  • OK, so the certificate has been assigned to IIS and SMTP; however, IMAP and POP3 still use the self-signed server SSL certificate.

    thoughts?

    • Edited by mcassar Wednesday, November 20, 2013 3:08 AM
    Wednesday, November 20, 2013 12:14 AM
  • How do you know that? After restarting both services you still have this issue?

    Sukh

    Wednesday, November 20, 2013 7:20 AM
  • We test this by pointing an email client at owa.blah.com. When you put your details in it comes up with certificate warnings. Yes, we have restarted both services and rebooted the servers.
    Wednesday, November 20, 2013 9:19 PM
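    As a more direct check than a mail client's certificate warning, the following added script (not from the thread) opens a TLS session to the POP3S and IMAPS ports and reports the certificate the service actually presents, so you can see whether it is the wildcard cert or one of the self-signed ones. It assumes the host name owa.blah.com and the 995/993 SSL bindings from the thread; the validation callback accepts any certificate only so that the certificate can be inspected, and the chain result is reported as a separate field.

```powershell
# Added example, not from the thread: show which certificate a POP3S/IMAPS
# endpoint presents. Assumes owa.blah.com and ports 995/993 from the thread.
function Get-TlsEndpointCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 995
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here so the handshake completes and the
        # presented certificate can be inspected; trust is reported below
        # via ChainValid rather than by failing the handshake.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # POP3 on 995 and IMAP on 993 are implicit TLS, so negotiate immediately.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Endpoint     = "$($HostName):$Port"
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            # A self-signed Exchange cert has Subject equal to Issuer (e.g. CN=md-1)
            IsSelfSigned = ($cert.Subject -eq $cert.Issuer)
            # True only if this machine trusts the issuing chain
            ChainValid   = $cert.Verify()
        }
    } finally {
        $client.Close()
    }
}

Get-TlsEndpointCertificate -HostName 'owa.blah.com' -Port 995
Get-TlsEndpointCertificate -HostName 'owa.blah.com' -Port 993
```

    Because owa.blah.com is load balanced, a single connection only shows what one of the two CAS servers returned; run the function against each server's own name as well to confirm both present the same thumbprint as the wildcard cert listed by Get-ExchangeCertificate.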
  • If any other certs are assigned to POP/IMAP, can you remove them and then try again using Set-PopSettings?

    Can you also post output for Get-ExchangeCertificate | fl


    Sukh

    Wednesday, November 20, 2013 10:27 PM
    The other certs installed are the self-signed certificates that get generated upon installation of the servers. I am pretty sure those are the ones that are getting picked up.

    Here is the Get-ExchangeCertificate | fl output:

    AccessRules        :
    CertificateDomains : {*.blah.com, blah.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=GeoTrust SSL CA, O="GeoTrust, Inc.", C=US
    NotAfter           : 14/11/2017 8:06:48 PM
    NotBefore          : 13/11/2013 5:09:18 AM
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 02A354
    Services           : IIS, SMTP
    Status             : Valid
    Subject            : CN=*.blah.com, O=BLAH PTY LTD, L=moonbase 5, S=south moon, C=mu,
                         SERIALNUMBER=XXXXX
    Thumbprint         : XXXX

    AccessRules        :
    CertificateDomains : {md-1, md-1.office.blah.net}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=md-1
    NotAfter           : 29/10/2018 2:54:12 PM
    NotBefore          : 29/10/2013 2:54:12 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : XXXX
    Services           : IIS, SMTP
    Status             : Valid
    Subject            : CN=md-1
    Thumbprint         : XXXX

    AccessRules        :
    CertificateDomains : {WMSvc-MD-1}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=WMSvc-MD-1
    NotAfter           : 27/10/2023 1:56:28 PM
    NotBefore          : 29/10/2013 1:56:28 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : XXXX
    Services           : None
    Status             : Valid
    Subject            : CN=WMSvc-MD-1
    Thumbprint         : XXXX

    AccessRules        :
    CertificateDomains : {}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=Microsoft Exchange Server Auth Certificate
    NotAfter           : 28/09/2018 10:57:10 AM
    NotBefore          : 24/10/2013 11:57:10 AM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : XXXX
    Services           : SMTP
    Status             : Valid
    Subject            : CN=Microsoft Exchange Server Auth Certificate
    Thumbprint         : XXXX

    Wednesday, November 20, 2013 10:40 PM
  • Can you remove the self-signed certs that aren't needed? It seems like none are needed as you've got the wildcard.

    I would remove, restart services for POP and then test again.


    Sukh

    Wednesday, November 20, 2013 11:13 PM
  • OK, removing the cert now kills IMAP and POP via SSL. Running:

    [PS] C:\Windows\system32>Enable-ExchangeCertificate -Thumbprint "19CC227CCEAD814A93A248FCC2EC495B8F9416F6" -Services IMAP,POP,SMTP,IIS
    WARNING: This certificate with thumbprint 19CC227CCEAD814A93A248FCC2EC495B8F9416F6 and subject '*.blah.com' cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.
    WARNING: This certificate with thumbprint 19CC227CCEAD814A93A248FCC2EC495B8F9416F6 and subject '*.blah.com' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

    This still causes issues.

    Thursday, November 21, 2013 12:32 AM
  • Set-POPSettings to set X509CertificateName, has that been run again?

    Sukh

    Thursday, November 21, 2013 12:35 AM
  • Running Set-PopSettings -X509CertificateName "owa.blah.com" comes up with:

    WARNING: The command completed successfully but no settings of 'MD-1\1' have been modified.

    Thursday, November 21, 2013 12:37 AM
  • What do you mean it kills pop/imap?

    Are the services crashing?

    Can you check the app log around time of issue?


    Sukh

    Thursday, November 21, 2013 12:43 AM
  • No, the services are not crashing; telnetting to 993 allows a connection but does this:

    * BYE Connection is closed. 14

    I am guessing it's freaking out due to the lack of a cert being assigned to the process.

    Thursday, November 21, 2013 12:45 AM
  • Log Name:      Application
    Source:        MSExchangePOP3
    Date:          21/11/2013 11:49:58 AM
    Event ID:      1102
    Task Category: (1)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:     ca-1.office.blah.net
    Description:
    The POP3 service failed to connect using SSL or TLS encryption. No valid certificate is configured to respond to SSL/TLS connections. Check the configured host name as well as which certificates are installed in the Personal Certificates store of the computer.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchangePOP3" />
        <EventID Qualifiers="49156">1102</EventID>
        <Level>2</Level>
        <Task>1</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-11-21T00:49:58.000000000Z" />
        <EventRecordID>33242</EventRecordID>
        <Channel>Application</Channel>
        <Computer>ca-1.office.blah.net</Computer>
        <Security />
      </System>
      <EventData>
      </EventData>
    </Event>
    Thursday, November 21, 2013 12:47 AM
  • See if the cert is in the local cert store.

    Sukh

    Thursday, November 21, 2013 12:51 AM
  • Yeah, it's installed on the system; I can see it in the store. This cert does work for HTTPS and SMTP.

    Thursday, November 21, 2013 12:52 AM
  • Try this: get the thumbprint.

    Enable POP and IMAP

    Enable-ExchangeCertificate -Thumbprint XXXXXXXXXX -Services POP,IMAP,IIS

    Use the set-pop3 and set-imap4 cmdlets to set POP3 and IMAP4 to use SSL

    Set-ImapSettings -server CAS01 -X509CertificateName imap.domain.com

    Set-PopSettings -server CAS01 -X509CertificateName pop.domain.com

    Restart the POP and IMAP services


    Sukh

    Thursday, November 21, 2013 12:55 AM
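    The step list above and the accepted answer combined into one script, as an added example that is not part of the thread: it binds the wildcard cert to IIS and SMTP only, applies the per-server X509CertificateName to each Client Access server, restarts the POP/IMAP services and reads the settings back. The names ca-1, ca-2 and owa.blah.com come from the thread; the thumbprint is a placeholder, and the remote restart relies on Get-Service -ComputerName, which assumes the Windows PowerShell that the Exchange 2013 Management Shell runs on.

```powershell
# Added example, not from the thread. Assumes CAS servers ca-1 and ca-2,
# the load-balanced service name owa.blah.com, and a placeholder thumbprint.
$serviceFqdn = 'owa.blah.com'
$casServers  = 'ca-1', 'ca-2'
$thumbprint  = 'THUMBPRINT-PLACEHOLDER'   # take from Get-ExchangeCertificate

foreach ($server in $casServers) {
    # Per the TechNet article cited in the thread, do not bind a wildcard cert
    # to POP/IMAP with Enable-ExchangeCertificate; limit it to IIS and SMTP.
    Enable-ExchangeCertificate -Server $server -Thumbprint $thumbprint -Services IIS,SMTP -Confirm:$false

    # X509CertificateName is stored per server, so -Server is required on each
    # CAS. Use the FQDN clients actually connect to, which the wildcard covers.
    Set-PopSettings  -Server $server -X509CertificateName $serviceFqdn
    Set-ImapSettings -Server $server -X509CertificateName $serviceFqdn

    # Settings only take effect after the services restart. The *BE services
    # exist only on Mailbox servers, hence the silent skip on a CAS-only box.
    foreach ($svc in 'MSExchangePOP3', 'MSExchangePOP3BE', 'MSExchangeIMAP4', 'MSExchangeIMAP4BE') {
        Get-Service -ComputerName $server -Name $svc -ErrorAction SilentlyContinue | Restart-Service
    }
}

# Read the settings back from every server before testing with a client.
foreach ($server in $casServers) {
    Get-PopSettings  -Server $server | Select-Object Server, X509CertificateName, SSLBindings
    Get-ImapSettings -Server $server | Select-Object Server, X509CertificateName, SSLBindings
}
```

    Run it from the Exchange Management Shell with rights to change server configuration. The verification loop at the end is the check the thread was missing: if one CAS still reports the old X509CertificateName, clients that the load balancer sends to that server will keep seeing the self-signed certificate.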
  • So you believe I should set the IMAP and POP to match the server and not the load balanced URL?


    • Edited by mcassar Thursday, November 21, 2013 2:18 AM
    Thursday, November 21, 2013 2:12 AM
  • FYI

    I changed the IMAP X509 certificate name over to imap.blah.com and attempted to add the service to it with that cert, and had no success.

    Thursday, November 21, 2013 2:39 AM
  • Just tried changing the X509 name over to pop.blah.com and blah.com; neither had any luck.

    Thursday, November 21, 2013 2:45 AM
  • Found this entry in TN:

    http://technet.microsoft.com/en-us/library/aa997231.aspx

    It says not to use Enable-ExchangeCertificate when using a wildcard SSL cert with POP and IMAP.

    Any ideas how to get past this?

    Thursday, November 21, 2013 3:55 AM
  • Run the enable-cert and only specify IIS, SMTP...

    Sukh

    Thursday, November 21, 2013 6:47 AM