1

Topic: Self Signed Certificate is seen in Outlook and not CA Certificate

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: Ubuntu 18
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

The email server is named mail.abc.com and it was installed with all default parameters, including a self-signed certificate with a 10-year expiry. This server hosts two other domains for email, i.e. mail.xyz.com and mail.def.com. The email subdomains were covered by Let's Encrypt certificates. So was the email server mail.abc.com.
Now, when I configured the Outlook 2007 client to access email for alpha@xyz.com from the server mail.xyz.com with SSL:993, Outlook raises an alert about the unverified security certificate of the server mail.abc.com... and says it cannot be trusted.
Any clue on how to fix this certificate issue? A solution deserves a coffee.


2

Re: Self Signed Certificate is seen in Outlook and not CA Certificate

The mail server address you configured in Outlook must be supported by the SSL cert.

3

Re: Self Signed Certificate is seen in Outlook and not CA Certificate

Sounds like dovecot does not have the Let's Encrypt certs or you need to restart dovecot.

Check what certificate it's presenting using this command:

openssl s_client -showcerts -connect 127.0.0.1:993

I would think that Outlook uses the certificate trust store from the OS so if IE trusts it - Outlook should trust it as well.

4

Re: Self Signed Certificate is seen in Outlook and not CA Certificate

Hi @nadams, thanks.
Yes, it returns a self-signed certificate:
....
....
....
    Start Time: 1529686263
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
....
....
This verifies my concern. How do I redirect Dovecot / Postfix to look at the CA-issued certificate?

5

Re: Self Signed Certificate is seen in Outlook and not CA Certificate

You'll need to edit /etc/dovecot/dovecot.conf and /etc/postfix/main.cf. The settings that contain the cert path should be obvious. Then restart dovecot and postfix and you should be good.

I usually don't say this but Outlook 2007 is pretty old - you should sign up for an Office 365 subscription so you can get the latest Outlook/Office. The latest Outlook supports ActiveSync connections so you can connect to SOGo and sync email/contacts/calendar. The only issue I've run into is that Outlook for Mac does not support ActiveSync.
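
Added example, not part of the thread or of iRedMail: a shell check that repeats the `openssl s_client` test above for every hostname clients are configured with, on both the Dovecot and Postfix listeners, and reduces the output to the verify code, subject and issuer. The function names, the `live` argument and the use of port 587 with STARTTLS for Postfix are assumptions; the hostnames are the ones from the first post.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.

# Reduce `openssl s_client` output on stdin to one line:
#   <verify code> <verdict> subject=<...> issuer=<...>
summarize_s_client() {
    awk '
        /^subject=/ { subject = substr($0, 9) }
        /^issuer=/  { issuer  = substr($0, 8) }
        /Verify return code:/ { code = $4 + 0; seen = 1 }
        END {
            if (!seen)            verdict = "no-handshake"
            else if (code == 0)   verdict = "trusted"
            else if (code == 18)  verdict = "self-signed"
            else if (code == 62)  verdict = "hostname-mismatch"
            else                  verdict = "untrusted"
            printf "%s %s subject=%s issuer=%s\n", (seen ? code : "-"), verdict, subject, issuer
        }'
}

# Probe one listener. $1 = host:port, $2 = server name the mail client is
# configured with (sent via SNI and checked against the certificate),
# $3 = optional STARTTLS protocol (e.g. smtp).
probe() {
    target=$1 name=$2
    openssl s_client -connect "$target" -servername "$name" \
        -verify_hostname "$name" ${3:+-starttls "$3"} </dev/null 2>/dev/null |
        summarize_s_client
}

# Constructed sample in the shape of the output quoted in the thread.
SAMPLE='subject=CN = mail.abc.com
issuer=CN = mail.abc.com
    Verify return code: 18 (self signed certificate)'
printf '%s\n' "$SAMPLE" | summarize_s_client

# Live check, run on the mail server itself: sh check.sh live
# Port 587 with STARTTLS for Postfix is an assumption; adjust to your setup.
if [ "${1:-}" = "live" ]; then
    for name in mail.abc.com mail.xyz.com mail.def.com; do
        printf '%s imaps: ' "$name";      probe 127.0.0.1:993 "$name"
        printf '%s submission: ' "$name"; probe 127.0.0.1:587 "$name" smtp
    done
fi
```

Run it again after changing the certificate paths and restarting both services; any line that is not `0 trusted` names the listener and hostname that still needs attention.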