Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: ltwally on February 14, 2007, 03:35:24 PM
-
I'm getting the following error when I connect Outlook users to the server via secure smtp/pop3:
The server you are connected to is using a security certificate that could not be verified.
The certificate's CN name does not match the passed value.
I've tried to resolve this with the following methods:
1) I went to https://myserverIP.com:465/ and installed the certificate onto the computer.
2) I went to https://myserverdomainname:465/ and installed the certificate onto the computer.
3) I copied the certificate file out of /home/e-smith/ssl.crt/MYSERVERDOMAINNAME.crt onto the individual machines and then installed it into Windows.
These attempts did, indeed, install the certificate onto Windows. However, that did not fix the problem. Outlook still throws a hissy fit, requiring users to hit "YES" with every first connection by Outlook.
This is obviously not desired. What can I do, beyond purchasing a certificate or dropping down to unsecured smtp/pop3?
Thanks in advance.
-
What can I do, beyond purchasing a certificate or dropping down to unsecured smtp/pop3?
Search for Shad Lords' mini how-to on getting a free CAcert.
-
I'm getting the following error ...
Please report all problems via the bug tracker. Thanks.
-
Please report all problems via the bug tracker. Thanks.
I'm not reporting a bug with SME. I'm asking how to make something work.
-
Please report all problems via the bug tracker. Thanks.
I'm not reporting a bug with SME. I'm asking how to make something work.
SME should "just work". If it doesn't, then it needs to be fixed, or something needs to be documented.
-
SME should "just work". If it doesn't, then it needs to be fixed, or something needs to be documented.
Everything but the certificates "just work." And, it's not really that the certificates aren't working -- it's that they're from an untrusted source...
Although the complaint about the C-NAME not matching does make me wonder what's going on. I'll test it some more before I submit an actual bug-report, though.
-
Untrusted source means that the cert is not signed by an authority that is recognized by Microsoft's software.
Installing the .cert on the computer manually should resolve this.
If Outlook is still complaining after that, there should be two reasons:
The server name you connect to is not the same as the one in the certificate: cert for www.domain.com and trying to connect to mail.domain.com.
The second problem could be due to another cert imported before with the same domain, or another subdomain of this domain (if you have generated a new cert and the older one is not out of date).
-
Try this:
https://servername.domain.com and install the certificate. This has always solved this issue for me.
-
pfloor: I've tried this, as well. It didn't work.
However, I was told that this method is actually wrong. As explained to me, the certificate used by SSMTP is a different cert than the one used by HTTPS. So, you should only get it via https://servername.domainname.com:465/
Of course, we all know that failed for me, too. Oh well.. I'll just use plain-Jane smtp/pop3/imap for now.
Thanks for trying, though, guys.
-
pfloor: I've tried this, as well. It didn't work.
However, I was told that this method is actually wrong. As explained to me, the certificate used by SSMTP is a different cert than the one used by HTTPS. So, you should only get it via https://servername.domainname.com:465/
Of course, we all know that failed for me, too. Oh well.. I'll just use plain-Jane smtp/pop3/imap for now.
Thanks for trying, though, guys.
Did you open a bug report as requested?
-
-- it's that they're from an untrusted source...
To avoid an initial popup about an untrusted certificate you will need to install a root certificate at workstation deployment time. I'm not sure if your SMEserver will produce a root ca.
Although the complaint about the C-NAME not matching does make me wonder what's going on. I'll test it some more before I submit an actual bug-report, though.
This can occur when you use mail.domain.com as your mail server address and your SME machine is not called 'mail'.
I would suggest a free certificate from CaCert.org and use Shad Lords' custom script to generate your request. It will use all the domains defined in the domains panel of server-manager.
You will still have the problem of distributing the root certificate that CaCert provides. That will depend on the size of your network.
http://forums.contribs.org/index.php?topic=34624.0
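
The name comparison behind the "CN name does not match the passed value" warning discussed in the replies above, as an added example (not part of the thread and not SME Server or Outlook code). The sample certificate and hostnames are constructed, the dict has the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the matching rule is a simplified version of the usual hostname check.

```python
# Constructed sample: a self-signed certificate whose only name is the
# server's own hostname, in the dict shape of ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "servername.domain.com"),),),
    "subjectAltName": (),
}


def cert_names(cert):
    """Names the certificate is valid for: DNS subjectAltNames, else the CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Exact match, or one left-most '*' label (e.g. *.domain.com)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_client_setting(cert, configured_host):
    """Compare the server name typed into the mail client with the cert names.

    This check is independent of trust: importing the certificate into the
    client's store does not change the result of the name comparison.
    """
    names = cert_names(cert)
    return any(name_matches(n, configured_host) for n in names), names


if __name__ == "__main__":
    # Constructed client settings: real hostname, a mail alias, a bare IP.
    for host in ("servername.domain.com", "mail.domain.com", "192.0.2.10"):
        ok, names = check_client_setting(SAMPLE_CERT, host)
        print(f"{host:24} {'match' if ok else 'MISMATCH'} (cert names: {names})")
```

A certificate request that lists every name clients use (as the script mentioned above is said to do for the domains defined in server-manager) makes the check pass for each of them.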
-
Isn't this opening yourself up to automatically accepting any CACERT certificates?
I'm not sure but doesn't this mean that your browser will automatically accept any certs issued by CACERT.org even if they aren't on your network? I'm just a bit cautious of stuff that is free .... "free&security" don't usually go hand in hand in my opinion.
Maybe it is totally acceptable but I find more comfort in paying for a certificate from a recognized certificate provider like Equifax Secure and they are by default installed as a root authority in all MS IE browsers.