Exchange 2013, IMAP4 and Certificate Selection

  • Question

  • Hey Guys, 

    I am trying to configure IMAP4 using certificates, and when I connect to the server with Outlook the server responds; however, the default machine certificate of the Exchange server is used and not my trusted public certificate. 

    I have enabled the services for IMAP and have restarted the services; I have also set the X509 certificate name, but no luck. Any ideas?

    Robert 


    Friday, August 5, 2016 5:01 AM

Answers

  • IMAP used to take the certificate preference based on the criteria below.

    The X509CertificateName in the IMAP settings for the server, like below.

    [PS] C:\Windows\system32>Get-ImapSettings -Server servername |fl *x509**


    X509CertificateName : imap.domain.com

    And the certificate assigned to the receive connector where you allowed the IMAP connection to go through.

    Get-ReceiveConnector -Identity "servername\imap smtp connection" |fl *TLScertificatename*

    It should be a public cert assigned to the IMAP receive connector.

    And also make sure no other internal certificate includes the same SAN name as imap.domain.com, because if the X509CertificateName matches any of the certificate names stored on the Exchange server, it starts responding to IMAP requests.

    Try using the OpenSSL client to check which certificate is responding to IMAP requests.

    https://delog.wordpress.com/2011/05/10/access-imap-server-from-the-command-line-using-openssl/


    • Proposed as answer by Niko.Cheng Monday, August 15, 2016 6:47 AM
    • Marked as answer by Niko.Cheng Friday, August 19, 2016 2:08 AM
    Tuesday, August 9, 2016 9:04 AM

All replies

  • Hi Robert,

    Please run the following commands to list all your certificate settings in the Exchange server; that would help us troubleshoot the issue:

    Get-ExchangeCertificate | fl Thumbprint,IsSelfSigned,Services,Subject,Status 
    Get-ImapSettings  |fl X509*,IsValid 


    Best regards,

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Niko Cheng
    TechNet Community Support

    Friday, August 5, 2016 8:59 AM
  • Niko, 

    Here is the output of the first command: 

    [PS] C:\Windows\system32>Get-ExchangeCertificate -server exch2k13mr2| fl Thumbprint,IsSelfSigned,Services,Subject,Status



    Thumbprint   : F2F3CA329A598B2C15795226771C17311C626BCD
    IsSelfSigned : True
    Services     : IIS, SMTP
    Subject      : CN=exch2k13mr2
    Status       : Valid

    Thumbprint   : 2619D513C0E0EC437593AF5DF5455B329A85F6EB
    IsSelfSigned : True
    Services     : None
    Subject      : CN=WMSvc-EXCH2K13MR2
    Status       : Valid

    Thumbprint   : 64558530FD2A91FFB6AAFEBECD1858F1DA1931EE
    IsSelfSigned : False
    Services     : IMAP, POP, IIS, SMTP
    Subject      : CN=mail.domainname.com, OU=Domain Control Validated
    Status       : Valid

    Thumbprint   : 57F6763E9A6FFF129132B9D9D52A220217B0B8B9
    IsSelfSigned : True
    Services     : SMTP, Federation
    Subject      : CN=Federation

    and the second:

    [PS] C:\Windows\system32>Get-ImapSettings  |fl X509*,IsValid


    X509CertificateName : mail.domainname.com
    IsValid             : True

    Thanks, 

    Robert 



    Friday, August 5, 2016 1:58 PM
  • Hi Robert,

    Based on the IMAP setting information, it seems that everything is OK.

    Could you explain how you confirmed which certificate is used in the IMAP connection?

    Based on my knowledge, in the certificate selection process for POP3 and IMAP4, Exchange must select an FQDN and find a certificate based on a matching value in the CertificateDomains field. The FQDN is chosen on the basis of the X509CertificateName attribute in the POP3 or IMAP4 service settings. Moreover, Exchange would select certificates issued by a trusted CA over self-signed certificates regardless of the age of the certificate.

    I also recommend running EXRCA to test your IMAP email and checking whether there is any related error.

    Best regards,



    Niko Cheng
    TechNet Community Support

    Monday, August 8, 2016 2:40 AM
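    A check that follows from the accepted answer above and from this reply's description of the selection rule, added here as an example and not code from the thread or from Microsoft: it reads the IMAP X509CertificateName, lists every certificate on the server whose CertificateDomains cover that name, and flags the self-signed or non-IMAP matches that lead to the wrong certificate being served. It assumes an Exchange Management Shell session, uses $ServerName as a placeholder, and treats a leading "*." domain entry as matching one label (an assumption about Exchange's matching).

```powershell
# Added example, not from the thread. Assumes an Exchange Management Shell
# session; $ServerName is a placeholder for the server being checked.
param([string]$ServerName = $env:COMPUTERNAME)

$imapName = (Get-ImapSettings -Server $ServerName).X509CertificateName
if (-not $imapName) { throw "X509CertificateName is not set on $ServerName" }

# Does one CertificateDomains entry cover the configured name?
# Assumption: a leading "*." entry matches exactly one extra label.
function Test-DomainMatch {
    param([string]$CertDomain, [string]$Name)
    if ($CertDomain.StartsWith('*.')) {
        $suffix = $CertDomain.Substring(1)                    # ".domain.com"
        if (-not $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $Name.Substring(0, $Name.Length - $suffix.Length)
        return ($label.Length -gt 0) -and ($label -notmatch '\.')
    }
    return $CertDomain -ieq $Name
}

# Every certificate in the local store whose names cover $imapName is a
# candidate Exchange could pick for IMAP, whether or not IMAP is enabled on it.
$candidates = @(Get-ExchangeCertificate -Server $ServerName | ForEach-Object {
    $cert = $_
    $hits = @($cert.CertificateDomains | ForEach-Object { "$_" } |
              Where-Object { Test-DomainMatch $_ $imapName })
    if ($hits.Count -gt 0) {
        [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            IsSelfSigned = $cert.IsSelfSigned
            Services     = "$($cert.Services)"
            NotAfter     = $cert.NotAfter
            MatchedNames = ($hits -join ', ')
        }
    }
})

$candidates | Format-Table -AutoSize

# Findings: more than one match means the choice is ambiguous; a self-signed
# match is the usual reason the machine certificate ends up being served.
if ($candidates.Count -eq 0) { Write-Warning "No certificate on $ServerName carries '$imapName'." }
if ($candidates.Count -gt 1) { Write-Warning "$($candidates.Count) certificates match '$imapName'; remove or rename the unintended ones." }
$candidates | Where-Object { $_.IsSelfSigned } |
    ForEach-Object { Write-Warning "Self-signed certificate $($_.Thumbprint) also matches '$imapName'." }
$candidates | Where-Object { -not $_.IsSelfSigned -and $_.Services -notmatch 'IMAP' } |
    ForEach-Object { Write-Warning "CA-issued match $($_.Thumbprint) is not enabled for IMAP (Enable-ExchangeCertificate -Services IMAP)." }
# Then confirm what is actually served, as the answer suggests (openssl on PATH):
#   openssl s_client -connect ${imapName}:993 -servername $imapName | openssl x509 -noout -subject -fingerprint -sha1
```

    Run it after the CA-issued certificate has been enabled for IMAP and the IMAP services restarted; the final openssl line shows which certificate the listener really presents.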
  • Hi Robert,

    Is there any update on this thread?

    If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well. Thanks for your understanding.

    Best regards,



    Niko Cheng
    TechNet Community Support

    Tuesday, August 9, 2016 6:37 AM
  • Hi Robert,

    Do you have any update on it?

    Monday, August 15, 2016 3:33 PM