IMAP SSL in Exchange 2013 with NAT address

    Question

  • Hello Guys,

    Please help me out, I am really stuck with the IMAP SSL configuration.

    I have an external interface which is NATing all the traffic that comes in on port 993 to the internal Exchange server, and I have already done this configuration on the Exchange server:

    Start-Service MSExchangeIMAP4; Start-Service MSExchangeIMAP4BE

    INFO: I use the wildcard certificate for all other email services and it works fine, except when I try to assign the IMAP service to the wildcard certificate, where I get the error mentioned below:

    This certificate with thumbprint  and subject ‘*.domain.com’ cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

    And when I run the Set-ImapSettings command, I get the error message below.

    Set-ImapSettings -ExternalConnectionSettings "mail.domain.com:993:SSL","mail.domain.com:143:TLS" -X509CertificateName Mail_Wildcard_Cert

    The certificate with the subject 'mail_Wildcard_cert' can't be used for SSL or TLS connections because the subject isn't a valid fully qualified domain name (FQDN).

    Please help me find my mistake.

    Thank you for all the help…




    Friday, July 13, 2018 11:50 AM

Answers

  • The -X509CertificateName needs to match a subject name or subject alternative name within the wildcard certificate.

    Try using the following if you don't have mail.domain.com as a Subject Alternative Name in the wildcard: 

    Set-ImapSettings -Server $ENV:COMPUTERNAME -X509CertificateName domain.com

    • Marked as answer by SJ04 Monday, July 16, 2018 2:37 PM
    Friday, July 13, 2018 12:33 PM

All replies

  • Try running the following:

    # Get all Exchange certificates and copy thumbprint from the wildcard certificate
    Get-ExchangeCertificate
    
    # Enable the certificate on the email service
    Enable-ExchangeCertificate -Server $ENV:COMPUTERNAME -Thumbprint <thumbprint from above> -Services IMAP
    Set-ImapSettings -Server $ENV:COMPUTERNAME -X509CertificateName mail.domain.com
    Set-ImapSettings -Server $ENV:COMPUTERNAME -InternalConnectionSettings mail.domain.com:993:ssl, mail.domain.com:143:tls
    Set-ImapSettings -Server $ENV:COMPUTERNAME -ExternalConnectionSettings mail.domain.com:993:ssl, mail.domain.com:143:tls
    
    # Start the services
    Start-service msExchangeIMAP4
    Start-service msExchangeIMAP4BE

    Friday, July 13, 2018 11:59 AM
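    The rule from the answer (the -X509CertificateName must be an FQDN that is actually present in the certificate) and the procedure above can be checked before touching the server. The following is an added example, not code from this thread or from Microsoft: it parses the host:port:SSL|TLS connection-setting strings, flags the malformed "::" entry from the original post, and tests candidate names against the certificate's subject/SAN list. The certificate names and connection settings below are constructed to mirror the thread; on a real server you would read them from the certificate (the CertificateDomains property on the Get-ExchangeCertificate output is assumed here), and the FQDN test is an approximation of Exchange's own check. Exact-match names are preferred over wildcard-covered ones because that is the outcome the poster reported.

```powershell
# Added example (not from the thread or from Microsoft): works out which value to give
# Set-ImapSettings -X509CertificateName when the certificate bound to IMAP is a wildcard.
# Exchange refuses a name containing '*' (not an FQDN), so the name must be a host name
# that is actually present in the certificate. Inputs below are constructed; on a real
# server the names come from the certificate, e.g. (assumed property name):
#   $domains = (Get-ExchangeCertificate -Thumbprint <thumbprint>).CertificateDomains

function ConvertFrom-ImapConnectionSetting {
    # Parses the 'host:port:SSL|TLS' strings used by -InternalConnectionSettings and
    # -ExternalConnectionSettings. A malformed entry such as 'mail.domain.com::143:TLS'
    # (double colon) is flagged instead of being silently accepted.
    param([Parameter(Mandatory)][string[]]$Setting)
    foreach ($s in $Setting) {
        $parts = $s -split ':'
        $ok = ($parts.Count -eq 3) -and ($parts[1] -match '^\d+$') -and ($parts[2] -in 'SSL', 'TLS')
        [pscustomobject]@{
            Raw        = $s
            Fqdn       = if ($ok) { $parts[0].ToLowerInvariant() } else { $null }
            Port       = if ($ok) { [int]$parts[1] } else { $null }
            Encryption = if ($ok) { $parts[2].ToUpperInvariant() } else { $null }
            IsValid    = $ok
        }
    }
}

function Test-ImapCertificateName {
    # Checks one candidate -X509CertificateName against the subject/SAN names of the cert.
    # The FQDN test is an approximation of Exchange's own check (assumption): at least one
    # dot, only letters, digits and hyphens, so '*' and '_' both fail it.
    param(
        [Parameter(Mandatory)][string[]]$CertificateDomains,
        [Parameter(Mandatory)][string]$CandidateName
    )
    $name    = $CandidateName.ToLowerInvariant()
    $domains = @($CertificateDomains | ForEach-Object { $_.ToLowerInvariant() })
    $isFqdn  = $name -match '^[a-z0-9-]+(\.[a-z0-9-]+)+$'
    $exact   = $domains -contains $name
    # A wildcard SAN '*.domain.com' covers exactly one label to its left (mail.domain.com),
    # not the bare domain and not deeper names such as a.b.domain.com.
    $wild = @($domains | Where-Object { $_.StartsWith('*.') } | Where-Object {
        $name -match ('^[a-z0-9-]+\.' + [regex]::Escape($_.Substring(2)) + '$') }).Count -gt 0
    [pscustomobject]@{
        CandidateName   = $CandidateName
        IsFqdn          = $isFqdn
        ExactMatch      = $exact
        WildcardCovered = $wild
        Usable          = $isFqdn -and ($exact -or $wild)
    }
}

function Select-ImapCertificateName {
    # Picks a name for -X509CertificateName: FQDNs from the connection settings first
    # (what clients connect to), then any non-wildcard name in the certificate. A name
    # listed verbatim in the cert is preferred over one only covered by the wildcard,
    # matching what the thread reports (domain.com worked, mail.domain.com did not).
    param(
        [Parameter(Mandatory)][string[]]$CertificateDomains,
        [Parameter(Mandatory)][string[]]$ConnectionSettings
    )
    $parsed = @(ConvertFrom-ImapConnectionSetting -Setting $ConnectionSettings)
    $bad    = @($parsed | Where-Object { -not $_.IsValid })
    if ($bad.Count -gt 0) { throw "Malformed connection setting(s): $($bad.Raw -join ', ')" }
    $candidates = @($parsed.Fqdn | Select-Object -Unique) +
                  @($CertificateDomains | Where-Object { -not $_.Contains('*') })
    $results = foreach ($c in $candidates) {
        Test-ImapCertificateName -CertificateDomains $CertificateDomains -CandidateName $c
    }
    $pick = @($results | Where-Object { $_.IsFqdn -and $_.ExactMatch })[0]
    if (-not $pick) { $pick = @($results | Where-Object { $_.Usable })[0] }
    return $pick
}

# Constructed sample input mirroring the thread: a wildcard cert with the two SANs the
# poster listed, plus the external settings they used (one set contains the '::' typo).
$certDomains  = @('domain.com', '*.domain.com')
$goodSettings = @('mail.domain.com:993:SSL', 'mail.domain.com:143:TLS')
$badSettings  = @('mail.domain.com:993:SSL', 'mail.domain.com::143:TLS')

# The two names the poster tried: the wildcard itself and the friendly certificate name.
Test-ImapCertificateName -CertificateDomains $certDomains -CandidateName '*.domain.com'
Test-ImapCertificateName -CertificateDomains $certDomains -CandidateName 'Mail_Wildcard_Cert'

$pick = Select-ImapCertificateName -CertificateDomains $certDomains -ConnectionSettings $goodSettings
"Use: Set-ImapSettings -Server `$ENV:COMPUTERNAME -X509CertificateName $($pick.CandidateName)"

try   { Select-ImapCertificateName -CertificateDomains $certDomains -ConnectionSettings $badSettings }
catch { "Rejected: $($_.Exception.Message)" }
```

    Run it in the Exchange Management Shell after replacing the constructed $certDomains with the names read from the wildcard certificate. Once the chosen name is set with Set-ImapSettings and the two IMAP services are restarted, confirm from outside the NAT that port 993 presents the wildcard certificate, since the warning from Enable-ExchangeCertificate alone does not tell you which certificate the listener is actually serving.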
  • Hello @Joel,

    Thank you for your time; I tried it as you mentioned, but I get these warning messages:


    WARNING: This certificate with thumbprint  and subject '*.ruptly.tv' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

    Set-ImapSettings -Server $ENV:COMPUTERNAME -X509CertificateName ( what name should I use there? )

    What should the -X509CertificateName be, the name of the wildcard certificate? That is my other question.



    • Edited by SJ04 Friday, July 13, 2018 12:23 PM
    Friday, July 13, 2018 12:22 PM
  • The -X509CertificateName needs to match a subject name or subject alternative name within the wildcard certificate.

    Try using the following if you don't have mail.domain.com as a Subject Alternative Name in the wildcard: 

    Set-ImapSettings -Server $ENV:COMPUTERNAME -X509CertificateName domain.com

    I have domain.com in the wildcard certificate and all the commands work except the enable-certificate one, where I get the same warning about the fully qualified domain name.

    These two Subject Alternative Names exist inside the wildcard:

    domain.com

    *.domain.com

    Friday, July 13, 2018 12:43 PM
  • Hi,

    As per my knowledge, a valid value for the parameter X509CertificateName is the FQDN from the ExternalConnectionSettings or InternalConnectionSettings parameters (for example, mail.contoso.com or mailbox01.contoso.com).

    Run with mail.domain.com in your command:

    Set-ImapSettings -ExternalConnectionSettings "mail.domain.com:993:SSL","mail.domain.com:143:TLS" -X509CertificateName mail.domain.com

    Hope it helps.

    Regards,

    Manu Meng



    Monday, July 16, 2018 9:01 AM
    Moderator
  • The -X509CertificateName needs to match a subject name or subject alternative name within the wildcard certificate.

    Try using the following if you don't have mail.domain.com as a Subject Alternative Name in the wildcard: 

    Set-ImapSettings -Server $ENV:COMPUTERNAME -X509CertificateName domain.com

    That worked; there was still a warning, but the IMAP service was assigned to the wildcard certificate and it worked,

    because domain.com was inside the wildcard certificate as a SAN.

    Set-ImapSettings -Server $ENV:COMPUTERNAME -X509CertificateName domain.com

    it works

    Monday, July 16, 2018 2:38 PM