KB4467697 causes certificate binding error

Post by dreniarb » Mon Nov 19, 2018 5:44 pm

This weekend I rebooted my server (Windows Server 2012 R2 running ME Pro 10.19). This morning I started noticing "tls unavailable for temporary reason" errors in the SMTP log. I looked at the debug log and saw errors about not being able to bind to the certificate. Rechecked permissions, still nothing. Installed a 90-day Let's Encrypt certificate, still nothing. Finally realized that an update probably installed during the reboot. Took a look at the history and sure enough 3 updates had installed.

I uninstalled the first one in the list, KB4467697, rebooted, and immediately started getting emails from my Gmail account that I had been sending all morning as tests. Checked the debug log and ME was able to bind to the certificate.

The other two updates that installed were KB4459941 and KB4459935. I have no idea if those in conjunction with the other were causing problems or what, but the problem is fixed so I'm ok for now.

Just wanted to share in case anyone else ran into this problem.

Re: KB4467697 causes certificate binding error

Post by quotesguy » Tue Nov 27, 2018 3:51 pm

We saw the same thing with TLS on the IMAP component this month. We disabled TLS 1.0 via the registry months ago with no issues. Microsoft has EOL'd TLS 1.0 support as of Oct 30th, so it appears that this month's and all future cumulative patches will cause the registry setting, which wasn't doing much before, to actually disable TLS 1.0. This brings to light that the MailEnable software is still using it, and relies on it, despite it stating TLS 1.2 is supported. I have not been able to get TLS to work with TLS 1.0 disabled on the server after this month's patches. Using the identical MailEnable config with TLS 1.0 enabled allows it to work. Hopefully MailEnable can shed some light on this, as I don't think not running the monthly Microsoft security updates from here on out is the best path forward for their customers. Then again, maybe I have something configured incorrectly.

Running Server 2016, ME 10.19.

Error in IMAP-Activity-*.log when TLS 1.0 is disabled in the registry:
STARTTLS **** BAD TLS not available due to temporary reason

Error in the Windows system log:
SCHANNEL: A fatal error occurred while creating a TLS server credential. The internal error state is 10013.

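As an added example (not part of either post, and not MailEnable or Microsoft tooling), the following read-only PowerShell check gathers the three things the thread correlates: the Schannel server-side protocol registry settings, recent Schannel errors with internal error state 10013, and whether the updates named above are installed. The function names are hypothetical, and the registry path is assumed to be the standard Schannel protocol location where TLS 1.0 was disabled.

```powershell
# Added diagnostic example, not from the thread. Run elevated on the mail server.
# Read-only: it inspects settings and logs and changes nothing.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerProtocolState {
    param([string[]]$Protocol = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocol) {
        $key   = Join-Path $SchannelBase "$p\Server"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # A missing key or missing Enabled value means the OS default applies.
        if ($null -eq $props -or $null -eq $props.Enabled) {
            $state = 'OS default'
        } elseif ($props.Enabled -eq 0) {
            $state = 'Disabled'
        } else {
            $state = 'Enabled'
        }
        [pscustomobject]@{
            Protocol          = $p
            ServerState       = $state
            Enabled           = $props.Enabled
            DisabledByDefault = $props.DisabledByDefault
        }
    }
}

function Get-SchannelCredentialError {
    param([int]$Days = 14)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Keep only the credential-creation failure quoted in the thread.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'internal error state is 10013' } |
        Select-Object TimeCreated, Id, Message
}

Get-SchannelServerProtocolState | Format-Table -AutoSize
Get-SchannelCredentialError | Format-List

# Updates named in the first post; nothing is returned for ones not installed.
Get-HotFix -Id 'KB4467697', 'KB4459941', 'KB4459935' -ErrorAction SilentlyContinue |
    Select-Object HotFixID, InstalledOn
```

If TLS 1.0 shows as Disabled and the 10013 events begin at the time the update was installed, that matches the behaviour described in the second post.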