SSL on IMAP provide Wrong certificate

Discussions on webmail and the Professional version.
YAS(SKYLIGHT)
Posts: 25
Joined: Thu May 05, 2005 3:32 pm

SSL on IMAP provide Wrong certificate

Post by YAS(SKYLIGHT) » Wed Sep 03, 2014 12:05 am

I had "ME Standard Edition" with a configured webmail. The webmail has the domain address webmail.company.com, with an assigned SSL certificate (https://webmail.company.com). The mail server itself works as mail.company.com (SMTP).
Now I upgraded it to the Professional edition to evaluate it.
I imported the mail.company.com certificate into IIS and selected it in "Localhost Properties - SSL" (http://www.mailenable.com/documentation ... ption.html).
In "IMAP Properties" I selected "Also listen on alternate port", assigned 993 (port) and marked SSL.

On the client (Outlook 2013), I select IMAP, incoming mail server: mail.company.com, port: 993, encrypted connection: SSL.
On the test I get a warning about "The target principal name is incorrect" (like here: http://cdn.inmotionhosting.com/support/ ... 10-ssl.jpg). I select "View Certificate" and see the certificate of webmail.company.com (instead of mail.company.com).

If I change the incoming mail server to webmail.company.com it works, but I need mail.company.com.
How can I correct this situation?

YAS(SKYLIGHT)
Posts: 25
Joined: Thu May 05, 2005 3:32 pm

Re: SSL on IMAP provide Wrong certificate

Post by YAS(SKYLIGHT) » Wed Sep 03, 2014 1:34 am

Strange.
If I select other certificates (they were imported before the upgrade), they work correctly.
But when I select mail.company.com, it uses webmail.company.com.

YAS(SKYLIGHT)
Posts: 25
Joined: Thu May 05, 2005 3:32 pm

Re: SSL on IMAP provide Wrong certificate

Post by YAS(SKYLIGHT) » Wed Sep 03, 2014 2:02 am

With another newly imported certificate it works correctly.
Only mail.company.com won't work. But the certificate is correct and checked.
It seems like ME doesn't like exactly mail.company.com.

MailEnable-Ian
Site Admin
Posts: 8951
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: SSL on IMAP provide Wrong certificate

Post by MailEnable-Ian » Wed Sep 03, 2014 3:04 am

Hi,

It's not MailEnable. It's the SSL certificate, which is specifically for webmail.company.com and not mail.company.com. You really needed to purchase a wildcard SSL certificate to cater for all host names under the domain, i.e. *.company.com.
Regards,

Ian Margarone
MailEnable Support

YAS(SKYLIGHT)
Posts: 25
Joined: Thu May 05, 2005 3:32 pm

Re: SSL on IMAP provide Wrong certificate

Post by YAS(SKYLIGHT) » Wed Sep 03, 2014 10:01 am

Hi.

If I select the certificate for webnav.company.com (for example) it works correctly.
So it does not depend on *.company.com.

What do you think?

YAS(SKYLIGHT)
Posts: 25
Joined: Thu May 05, 2005 3:32 pm

Re: SSL on IMAP provide Wrong certificate

Post by YAS(SKYLIGHT) » Wed Sep 03, 2014 1:19 pm

This problem is on the MailEnable side.
When I removed webmail.company.com from the certificate store it started working correctly.
But when I add it back, it again starts using the wrong certificate.
It seems like ME chooses the certificate from the store not by exact match, but by a mask for the selected certificate, and ME sees webMAIL.comp.com the same as MAIL.comp.com, tralalaMAIL.comp.com, doesnotmatterMAIL.comp.com.uk.

Your argument to use wildcards is incorrect, because I use the exact certificate with the exact domain name.
Wildcards could be a solution, like using a completely different name (without MAIL.domain) for the webmail or mail server, in my case.

So, how can I assign/select the exact certificate? Maybe via the registry or some config files?

jac
Posts: 6
Joined: Thu Mar 05, 2015 6:22 pm

Re: SSL - Wrong certificate

Post by jac » Tue Nov 08, 2016 11:01 pm

Just experienced the same problem: we have two certificates, "domain.com" and "sub.domain.com". When either certificate is selected, the "sub.domain.com" certificate is served. It seems that the first match is used? As a workaround I created a "mail.domain.com" certificate and it works fine. Can someone please have a look at it? ME Enterprise 9.51, SSL/TLS on incoming SMTP.

Thanks!

227ths
Posts: 6
Joined: Wed May 02, 2018 9:14 pm

Re: SSL on IMAP provide Wrong certificate

Post by 227ths » Sun Dec 23, 2018 6:23 pm

Same problem when using a bunch of Let's Encrypt certificates installed on the same machine.
If the 'issued to' is the same, you see this in the dropdown (under Servers/Localhost/Properties/SSL):

*.example.com
*.example.com
*.example.com

It does not show an expiry date or the Windows "friendly name".
No way to differentiate or know which one you are picking.

But that doesn't matter much, since ME never reflects a change if you pick a different one above anyway.

It keeps using the same certificate. After selecting/applying a different certificate, I tried stopping/starting services, rebooting, etc. It simply will not pick it up (assuming this is a bug). It keeps using the same one previously picked.

Under IIS Manager you can clearly see the 'friendly' Windows certificate name, which helps to distinguish the certificates, and of course picking a different certificate works there even when they are listed under the same names. So it's just 'broken' under Servers/Localhost/Properties/SSL (the SSL for email services, not the web/IIS side).

Admin
Site Admin
Posts: 804
Joined: Mon Jun 10, 2002 6:31 pm
Location: Melbourne, Victoria, Australia

Re: SSL on IMAP provide Wrong certificate

Post by Admin » Wed Jan 02, 2019 2:30 am

Hi,

It uses the subject name in the certificate so that if you replace a certificate you don't need to select it again; it will be picked up. The services will check to make sure it has not expired and select the first non-expired one they find. Make sure you are using a recent version of MailEnable, since we have added SNI and improved the logging. If you check the debug log it will show you if there are problems using a certificate, or if it has to use an expired one because it didn't find a valid one.

SteveJohns
Posts: 2
Joined: Mon Jan 21, 2019 4:05 pm

Re: SSL on IMAP provide Wrong certificate

Post by SteveJohns » Wed Jan 23, 2019 12:12 pm

Hi Admin,

I think you might be incorrect with your statement. I have tested this with Let's Encrypt certificates, and every time LE renews a cert it keeps the subject name the same but creates a completely new cert with a different friendly name (although this isn't actually the issue). The issue is that the new cert has a different thumbprint, and it would seem that ME is selecting the cert using its thumbprint signature rather than the subject name as you suggest.

My reasons for thinking this are as follows.

Create the initial cert in LE and select this cert in ME: all services that use SSL work correctly. Issuing the following statement returns the details of the certificate.

openssl s_client -showcerts -servername xxxxxxx.com -connect xxxxxxx.com:993

At this point 1 cert is shown in Windows cert manager and all is working fine (1.png).

If I get LE to renew the cert, 2 certs are shown in Windows cert manager: the original one and a second one with a different friendly name (date added etc.). At this point all is still working (2.png).

If I now remove the original cert from Windows cert manager to simulate the cert expiring (3.png), then all SSL services in ME stop working. Restarting the ME services does not resolve the issue and neither does restarting the server. The error in the IMAP debug log is as follows:

01/21/19 16:19:27 **** Error 0x8009030d returned by AcquireCredentialsHandle
01/21/19 16:19:27 SSL/TLS unable to be used due to error.
01/21/19 16:19:27 Unable to locate or bind to certificate with name "xxxxxxx.com"

At this point, if I go into the SSL selection in ME I see the cert selected (using the cert name; it does not show the friendly name in that box) (ssl.png).
If I select "NONE", click apply, then select the cert and click apply, all of the SSL-enabled ME services start to work.

I believe that the SSL selection in ME is therefore using the thumbprint of the cert and not selecting it from the subject line as you have suggested.

Can you do one of the following please:

1. get a developer to change the ME SSL selection to use the subject of the SSL certificate correctly and select only the cert that has a valid (i.e. not expired) date.
2. give us a PowerShell command to change the cert used, so that this can be triggered after LE has renewed the cert.

thanks

Steve
Attachments: 1.PNG, 2.PNG, 3.PNG
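
The openssl s_client probe in the post above is the right first check: it shows which certificate the IMAPS listener actually presents, independent of what the admin console claims is selected. The following is an added example written for this thread, not code from the poster or from MailEnable: it does the same probe from PowerShell (the environment the poster asks for), connecting with TLS from the first byte as port 993 requires, capturing the served certificate, and checking its subject CN and SAN DNS names against the host name the client uses. A result of MatchesHost = False is exactly the "target principal name is incorrect" case the thread opens with. Host names and the port are assumptions; substitute your own.

```powershell
# Added example (not from the thread or MailEnable): PowerShell equivalent of
# "openssl s_client -servername <host> -connect <host>:993". Host name and
# port below are assumptions.

function Test-HostNameMatch {
    # RFC 6125-style name check: exact match, or a wildcard such as *.company.com
    # that covers exactly one label (a.company.com yes, a.b.company.com no).
    param([string] $Pattern, [string] $HostName)
    $p = $Pattern.ToLowerInvariant(); $h = $HostName.ToLowerInvariant()
    if ($p -eq $h) { return $true }
    if ($p.StartsWith('*.')) {
        $suffix = $p.Substring(1)                              # ".company.com"
        if ($h.Length -le $suffix.Length -or -not $h.EndsWith($suffix)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return ($label -notmatch '\.')
    }
    return $false
}

function Get-ServedCertificate {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # what the mail client connects to, e.g. mail.company.com
        [int]    $Port = 993,                            # IMAPS: implicit TLS, no STARTTLS step
        [string] $ServerName = $ComputerName             # SNI name sent in the ClientHello
    )
    $client = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    try {
        # Accept whatever is presented: the goal is to *see* the certificate, not to enforce trust here.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ServerName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Names the certificate is valid for: subject CN plus every DNS entry in the
        # Subject Alternative Name extension (OID 2.5.29.17).
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # Format() renders "DNS Name=x" on Windows and "DNS:x" on other platforms.
            $names += @([regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)\s*([^,\s]+)') |
                        ForEach-Object { $_.Groups[1].Value })
        }
        $names = @($names | Where-Object { $_ } | Select-Object -Unique)

        [pscustomobject]@{
            ConnectedTo = "$($ComputerName):$Port"
            Sni         = $ServerName
            Subject     = $cert.Subject
            DnsNames    = $names
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            Expired     = $cert.NotAfter -lt (Get-Date)
            # $false here is the "target principal name is incorrect" warning the client shows.
            MatchesHost = [bool]($names | Where-Object { Test-HostNameMatch $_ $ComputerName })
            Protocol    = $ssl.SslProtocol
        }
    }
    finally {
        $client.Dispose()
    }
}

# Usage (assumed host names):
#   Get-ServedCertificate -ComputerName mail.company.com
#   Get-ServedCertificate -ComputerName mail.company.com -ServerName webmail.company.com   # does SNI change what is served?
```

Run it twice, once with the SNI name equal to the connection name and once with a different one, to tell a server that ignores SNI from one that selects per name. The thumbprint in the result is what to compare against the certificates in the local store when the served certificate is not the one you expected.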

SteveJohns
Posts: 2
Joined: Mon Jan 21, 2019 4:05 pm

Re: SSL on IMAP provide Wrong certificate

Post by SteveJohns » Mon Jan 28, 2019 3:00 pm

It's been a week and no reply as yet from anyone at ME. Do you guys even look at this forum?

It looks like you want to charge for support tokens, so I should pay for you to fix a bug in your product? Err... no.

MailEnable-Ian
Site Admin
Posts: 8951
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: SSL on IMAP provide Wrong certificate

Post by MailEnable-Ian » Tue Jan 29, 2019 5:23 am

Hi,

The error that is being returned indicates a problem with the certificate's private key. The first step is to ensure that you have imported the certificate correctly with the associated private key. We match on the subject name and not on the thumbprint. If you require more immediate help with this, then you should seek support via our support ticketing system. We try to review the forum when possible, but it should not be used for managed support.
Regards,

Ian Margarone
MailEnable Support
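
Two claims in this thread can be checked against the local certificate store before opening a ticket: the admin's statement that the service looks up certificates by subject name and takes the first unexpired one, and the support reply that error 0x8009030d from AcquireCredentialsHandle points at a missing or inaccessible private key. The following is an added example for this thread, not MailEnable's own code and not its actual selection algorithm: it lists every certificate in the machine stores whose subject CN matches a selected host name, first exactly and then as a substring (the webmail.company.com-for-mail.company.com situation reported earlier), and flags expired entries, leftover renewals that share one subject, and certificates without a private key. The store paths, including the Web Hosting store mentioned later in the thread, and the host name are assumptions.

```powershell
# Added example, not MailEnable code. The MatchKind logic is illustrative
# (exact vs. substring CN match); store paths and host name are assumptions.

function Get-CertificateCandidates {
    param(
        [Parameter(Mandatory)] [string] $HostName,      # the name selected in the SSL drop-down, e.g. mail.company.com
        [string[]] $StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\WebHosting')
    )
    $now = Get-Date
    foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }         # the WebHosting store does not exist on older Windows
        foreach ($cert in Get-ChildItem -Path $path) {
            $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
            if ($cn -eq $HostName)            { $kind = 'exact' }
            elseif ($cn -like "*$HostName*")  { $kind = 'substring' }   # e.g. webmail.company.com contains mail.company.com
            else                              { continue }
            [pscustomobject]@{
                Store         = $path
                SubjectCN     = $cn
                MatchKind     = $kind
                Thumbprint    = $cert.Thumbprint
                FriendlyName  = $cert.FriendlyName       # the field the drop-down does not show
                NotAfter      = $cert.NotAfter
                Expired       = $cert.NotAfter -lt $now
                HasPrivateKey = $cert.HasPrivateKey      # $false: no server credential can be built from this entry
            }
        }
    }
}

function Show-CertificateDiagnosis {
    param([Parameter(Mandatory)] [string] $HostName)
    $all    = @(Get-CertificateCandidates -HostName $HostName)
    $exact  = @($all | Where-Object { $_.MatchKind -eq 'exact' })
    $usable = @($exact | Where-Object { -not $_.Expired -and $_.HasPrivateKey } |
                Sort-Object NotAfter -Descending)
    $substr = @($all | Where-Object { $_.MatchKind -eq 'substring' })

    $all | Format-Table Store, SubjectCN, MatchKind, Thumbprint, NotAfter, Expired, HasPrivateKey -AutoSize

    if ($usable.Count -eq 0) {
        Write-Warning "No unexpired certificate with a private key has subject CN '$HostName'. A lookup by subject name has nothing valid to bind; re-import the certificate together with its private key."
    }
    elseif ($usable.Count -gt 1) {
        Write-Warning "$($usable.Count) unexpired certificates share CN '$HostName' (renewals left in the store?). A first-match lookup will not necessarily take the newest one; remove the ones you do not want served."
    }
    if ($substr.Count -gt 0) {
        Write-Warning "$($substr.Count) certificate(s) contain '$HostName' inside their CN. If the lookup is not an exact match, one of these can be served instead."
    }
    # The entry you would want bound: the longest-lived exact match with a private key.
    return ($usable | Select-Object -First 1)
}

# Usage (assumed host name):
#   Show-CertificateDiagnosis -HostName mail.company.com
```

Compare the thumbprint returned here with the thumbprint the IMAPS listener actually serves: if they differ, the table above usually shows why (an older renewal sorted first, a certificate that lost its private key on import, or a longer name that contains the selected one).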

aksint
Posts: 1
Joined: Sat Sep 07, 2019 10:02 am

Re: SSL on IMAP provide Wrong certificate

Post by aksint » Sat Sep 07, 2019 10:32 am

I had the same problem, but with the SMTP server.
It seems that MailEnable chooses itself which certificate to use, even when you select a specific certificate in the SSL settings.

Tested on Microsoft Server 2012 with IIS and MailEnable Pro.

After you have added the certificate for webmail to IIS it will be in the Personal store. Open the certificate manager on your server and drag the webmail domain certificate from Personal to the Web Hosting store.

This should fix the problem.
