SSL Certificate for POP

After installing updates (CU7 and Windows), our POP server now will not negotiate the certificate.  Remote Connectivity Analyzer shows:

July 9th, 2015 11:11am

Port 995 is SSL and therefore requires a certificate.  It has nothing to do with the authentication type.

I can't help further without knowing more details about what you've configured, such as the certificate properties and the results of Get-PopSet

July 9th, 2015 11:28am

This is what it shows on the mailbox server.  110 was enabled for troubleshooting but usually is not set.  CAS server settings below.

Name                              : 1
ProtocolName                      : POP3
MaxCommandSize                    : 512
MessageRetrievalSortOrder         : Ascending
UnencryptedOrTLSBindings          : {[::]:110, 0.0.0.0:110}
SSLBindings                       : {[::]:995, 0.0.0.0:995}
InternalConnectionSettings        : {PTM-SVR-EX1.xxx.xxx:995:SSL, PTM-SVR-EX1.xxx.xxx:110:TLS}
ExternalConnectionSettings        : {}
X509CertificateName               : mail.xxxxxxxxxxxxxxxx.com
Banner                            : The Microsoft Exchange POP3 service is ready.
LoginType                         : PlainTextLogin
AuthenticatedConnectionTimeout    : 00:30:00
PreAuthenticatedConnectionTimeout : 00:01:00
MaxConnections                    : 2147483647
MaxConnectionFromSingleIP         : 2147483647
MaxConnectionsPerUser             : 16
MessageRetrievalMimeFormat        : BestBodyFormat
ProxyTargetPort                   : 9995
CalendarItemRetrievalOption       : iCalendar
OwaServerUrl                      :
EnableExactRFC822Size             : False
LiveIdBasicAuthReplacement        : False
SuppressReadReceipt               : False
ProtocolLogEnabled                : True
EnforceCertificateErrors          : False
LogFileLocation                   : C:\Program Files\Microsoft\Exchange Server\V15\Logging\Pop3
LogFileRollOverSettings           : Daily
LogPerFileSizeQuota               : 0 B (0 bytes)
ExtendedProtectionPolicy          : None
EnableGSSAPIAndNTLMAuth           : True
Server                            : PTM-SVR-EX1
AdminDisplayName                  :
ExchangeVersion                   : 0.10 (14.0.100.0)
DistinguishedName                 : CN=1,CN=POP3,CN=Protocols,CN=PTM-SVR-EX1,CN=Servers,CN=Exchange Administrative
                                    Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=GIS,CN=Microsoft
                                    Exchange,CN=Services,CN=Configuration,DC=GIS,DC=local
Identity                          : PTM-SVR-EX1\1
Guid                              : 32a4f790-8282-43bd-ad81-e687c9b8673d
ObjectCategory                    : xxx.xxx/Configuration/Schema/ms-Exch-Protocol-Cfg-POP-Server
ObjectClass                       : {top, protocolCfg, protocolCfgPOP, protocolCfgPOPServer}
WhenChanged                       : 7/9/2015 10:38:20 AM
WhenCreated                       : 10/10/2013 2:06:17 PM
WhenChangedUTC                    : 7/9/2015 2:38:20 PM
WhenCreatedUTC                    : 10/10/2013 6:06:17 PM
OrganizationId                    :
Id                                : PTM-SVR-EX1\1
OriginatingServer                 : PTM-SVR-PDC.xxx.xxx
IsValid                           : True
ObjectState                       : Unchanged

CAS Server settings:

Name                              : 1
ProtocolName                      : POP3
MaxCommandSize                    : 512
MessageRetrievalSortOrder         : Ascending
UnencryptedOrTLSBindings          : {0.0.0.0:110}
SSLBindings                       : {0.0.0.0:995}
InternalConnectionSettings        : {ptm-svr-ex1.xxx.xxx:995:SSL}
ExternalConnectionSettings        : {Mail.xxxxxxxxxxxxx.com:995:SSL}
X509CertificateName               : mail.xxxxxxxxxxxx.com
Banner                            : The Microsoft Exchange POP3 service is ready.
LoginType                         : PlainTextLogin
AuthenticatedConnectionTimeout    : 00:30:00
PreAuthenticatedConnectionTimeout : 00:01:00
MaxConnections                    : 2147483647
MaxConnectionFromSingleIP         : 2147483647
MaxConnectionsPerUser             : 16
MessageRetrievalMimeFormat        : BestBodyFormat
ProxyTargetPort                   : 9955
CalendarItemRetrievalOption       : iCalendar
OwaServerUrl                      :
EnableExactRFC822Size             : False
LiveIdBasicAuthReplacement        : False
SuppressReadReceipt               : False
ProtocolLogEnabled                : True
EnforceCertificateErrors          : False
LogFileLocation                   : C:\Program Files\Microsoft\Exchange Server\V15\Logging\Pop3
LogFileRollOverSettings           : Daily
LogPerFileSizeQuota               : 0 B (0 bytes)
ExtendedProtectionPolicy          : None
EnableGSSAPIAndNTLMAuth           : True
Server                            : PTM-SVR-CAS1
AdminDisplayName                  :
ExchangeVersion                   : 0.10 (14.0.100.0)
DistinguishedName                 : CN=1,CN=POP3,CN=Protocols,CN=PTM-SVR-CAS1,CN=Servers,CN=Exchange Administrative
                                    Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=GIS,CN=Microsoft
                                    Exchange,CN=Services,CN=Configuration,DC=GIS,DC=local
Identity                          : PTM-SVR-CAS1\1
Guid                              : c0bd5068-4092-418e-bb31-737f89b4d3d2
ObjectCategory                    : xxx.xxx/Configuration/Schema/ms-Exch-Protocol-Cfg-POP-Server
ObjectClass                       : {top, protocolCfg, protocolCfgPOP, protocolCfgPOPServer}
WhenChanged                       : 7/9/2015 11:20:15 AM
WhenCreated                       : 8/7/2013 1:21:21 PM
WhenChangedUTC                    : 7/9/2015 3:20:15 PM
WhenCreatedUTC                    : 8/7/2013 5:21:21 PM
OrganizationId                    :
Id                                : PTM-SVR-CAS1\1
OriginatingServer                 : PTM-SVR-PDC.xxx.xxx
IsValid                           : True
ObjectState                       : Unchanged

July 9th, 2015 11:36am

It amuses me that you spent the time to obfuscate your domain name after having already posted it in your original post.

It looks like you have separate internal and external namespaces. Is there any reason you don't have split-brain DNS so that you can use the same name, mail.gerardiinsurance.com, both internally and externally?  That way you don't need a certificate that has both internal and external domains, something certificate issuers are increasingly reluctant to issue.

I don't see anything else obviously wrong, but you didn't post your certificate bindings (Get-ExchangeCertificate).

July 9th, 2015 11:56am

Yeah, I realized that after doing a replace.  Doesn't really matter anyway! 

I actually do have a split DNS, just haven't changed everything over.

MB Certs:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.gerardiinsurance.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Microsoft Exchange Server Auth Certificate
NotAfter           : 4/1/2020 1:25:26 PM
NotBefore          : 4/1/2015 1:25:26 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 579572B06AB67E9742AB4FB266C9D281
Services           : POP, SMTP
Status             : Valid
Subject            : CN=Microsoft Exchange Server Auth Certificate
Thumbprint         : 6444B98F81779097D099707FA621BC9B68DBBEAD

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.gerardiinsurance.com, PTM-SVR-EX1.GIS.local, gerins.com, GIS.local, gerardiinsurance.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mail.gerardiinsurance.com
NotAfter           : 3/28/2020 7:27:59 PM
NotBefore          : 3/28/2015 7:27:59 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 7E85FAB2480CF7BB4FD32E6677DF488A
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=mail.gerardiinsurance.com
Thumbprint         : 447EC60890575CC7442DE3242086C80334E2D66F

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {PTM-SVR-EX1.GIS.local, AutoDiscover.gerins.com, AutoDiscover.GIS.local,
                     AutoDiscover.gerardiinsurance.com, PTM-SVR-EX1, GIS.local, gerardiinsurance.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : C=US, S=CONNECTICUT, L=PUTNAM, O=IT, OU="Gerardi Insurance Sevices, Inc", CN=PTM-SVR-EX1.GIS.local
NotAfter           : 10/14/2018 5:28:44 PM
NotBefore          : 10/14/2013 5:28:44 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6D77BB7114AB738841C43C2CD80B7A0F
Services           : IMAP, SMTP
Status             : Valid
Subject            : C=US, S=CONNECTICUT, L=PUTNAM, O=IT, OU="Gerardi Insurance Sevices, Inc", CN=PTM-SVR-EX1.GIS.local
Thumbprint         : B0390000DEF280CEC6C6CD1574D5FFCBB59D25D8

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-PTM-SVR-EX1}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-PTM-SVR-EX1
NotAfter           : 10/8/2023 12:05:49 AM
NotBefore          : 10/10/2013 12:05:49 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 2E48AD95DF58FE9D439976AA08BA8FC6
Services           : None
Status             : Valid
Subject            : CN=WMSvc-PTM-SVR-EX1
Thumbprint         : 00498F5D6655771E01FDF764ACC7FF22196C9571

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {PTM-SVR-EX1.GIS.local, AutoDiscover.gerins.com, AutoDiscover.GIS.local,
                     AutoDiscover.gerardiinsurance.com, PTM-SVR-EX1, GIS.local, gerardiinsurance.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Gerardi Insurance Services Inc
NotAfter           : 10/7/2015 12:22:53 PM
NotBefore          : 10/7/2013 12:22:53 PM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 1F00000067CEC74D168929469B000000000067
Services           : IMAP, UM, IIS, SMTP
Status             : Valid
Subject            : CN=PTM-SVR-EX1.GIS.local, OU="Gerardi Insurance Sevices, Inc", O=IT, L=PUTNAM, S=CONNECTICUT, C=US
Thumbprint         : A19645B1C09786C60AE3051ACFDA60AA1E14B0A0

CAS Certs:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.gerardiinsurance.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Microsoft Exchange Server Auth Certificate
NotAfter           : 4/1/2020 1:25:26 PM
NotBefore          : 4/1/2015 1:25:26 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 579572B06AB67E9742AB4FB266C9D281
Services           : POP, SMTP
Status             : Valid
Subject            : CN=Microsoft Exchange Server Auth Certificate
Thumbprint         : 6444B98F81779097D099707FA621BC9B68DBBEAD

AccessRules        :
CertificateDomains : {mail.gerardiinsurance.com, PTM-SVR-EX1.GIS.local, gerins.com, GIS.local, gerardiinsurance.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mail.gerardiinsurance.com
NotAfter           : 3/28/2020 7:27:59 PM
NotBefore          : 3/28/2015 7:27:59 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 7E85FAB2480CF7BB4FD32E6677DF488A
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=mail.gerardiinsurance.com
Thumbprint         : 447EC60890575CC7442DE3242086C80334E2D66F

AccessRules        :
CertificateDomains : {PTM-SVR-EX1.GIS.local, AutoDiscover.gerins.com, AutoDiscover.GIS.local,
                     AutoDiscover.gerardiinsurance.com, PTM-SVR-EX1, GIS.local, gerardiinsurance.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : C=US, S=CONNECTICUT, L=PUTNAM, O=IT, OU="Gerardi Insurance Sevices, Inc", CN=PTM-SVR-EX1.GIS.local
NotAfter           : 10/14/2018 5:28:44 PM
NotBefore          : 10/14/2013 5:28:44 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6D77BB7114AB738841C43C2CD80B7A0F
Services           : IMAP, SMTP
Status             : Valid
Subject            : C=US, S=CONNECTICUT, L=PUTNAM, O=IT, OU="Gerardi Insurance Sevices, Inc", CN=PTM-SVR-EX1.GIS.local
Thumbprint         : B0390000DEF280CEC6C6CD1574D5FFCBB59D25D8

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-PTM-SVR-EX1}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-PTM-SVR-EX1
NotAfter           : 10/8/2023 12:05:49 AM
NotBefore          : 10/10/2013 12:05:49 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 2E48AD95DF58FE9D439976AA08BA8FC6
Services           : None
Status             : Valid
Subject            : CN=WMSvc-PTM-SVR-EX1
Thumbprint         : 00498F5D6655771E01FDF764ACC7FF22196C9571

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {PTM-SVR-EX1.GIS.local, AutoDiscover.gerins.com, AutoDiscover.GIS.local,
                     AutoDiscover.gerardiinsurance.com, PTM-SVR-EX1, GIS.local, gerardiinsurance.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Gerardi Insurance Services Inc
NotAfter           : 10/7/2015 12:22:53 PM
NotBefore          : 10/7/2013 12:22:53 PM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 1F00000067CEC74D168929469B000000000067
Services           : IMAP, UM, IIS, SMTP
Status             : Valid
Subject            : CN=PTM-SVR-EX1.GIS.local, OU="Gerardi Insurance Sevices, Inc", O=IT, L=PUTNAM, S=CONNECTICUT, C=US
Thumbprint         : A19645B1C09786C60AE3051ACFDA60AA1E14B0A0

July 9th, 2015 12:10pm

In general, you shouldn't be messing around with certificates on the mailbox server, just the CAS.

First, it appears that you have more certificates than you really need.  Consider simplifying your configuration.

You have two certificates enabled for POP on the CAS, the first two in your list, which look like self-signed certificates.  Clients won't trust these certificates unless users have added them to their certificate stores as a trusted root.

You can make this a lot easier by deploying split-brain DNS, using mail.gerardiinsurance.com for all services internal and external, and obtaining a UCC certificate containing mail.gerardiinsurance.com (common name) and autodiscover.gerardiinsurance.com (SAN) and using this certificate instead of all the others you have.  (Leave the server name self-signed certificate in place for transport, but that should be on the back-end so you don't need to mess wit

July 9th, 2015 12:23pm

Yeah, I have only been working on the CAS.  IMAP is not enabled, so I haven't bothered to do anything about the certificates for it.  Everything else on the CAS is working fine; it just has the issue with POP3.  I have been working on it for a while and everything seemed correct to me, it just refuses to negotiate the certificate for POP.  I'm at a loss for where to look!
July 9th, 2015 12:27pm

Yeah, I was correcting my post while you were typing your response, sorry.  Please re-read it.
July 9th, 2015 12:33pm

Ah, okay.  The DNS is already set, so I can just change the cert.  And I have that UCC cert already as well.  I did see that it listed multiple certs enabled for POP but thought it would only matter what X509CertificateName was set to.  It has actually been working that way for a while, but maybe an update made it more sensitive.  I'll work on those things and post back.

Thank you.

July 9th, 2015 12:52pm

Hi,

As Ed mentioned, the first two certificates seem to be self-signed certificates; however, the last two don't contain mail.gerardiinsurance.com and also don't apply to POP services.

Therefore, please try to remove the redundant certificates and renew one.

Thanks

July 9th, 2015 10:15pm
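Ed's diagnosis (two certificates enabled for POP, both self-signed) and the last reply (the remaining certificates neither contain mail.gerardiinsurance.com nor have POP enabled) can be turned into a repeatable check. The script below is an added example, not posted by anyone in the thread and not part of Exchange; it runs in the Exchange Management Shell on a Client Access server and uses only the cmdlets and properties the thread already shows (Get-PopSettings, Get-ExchangeCertificate, Services, CertificateDomains, IsSelfSigned, NotAfter). The server name defaults to the local machine, and the thumbprints in the remediation comments are placeholders.

```powershell
# Added example: audit which certificates a CAS presents for POP3 and
# whether they line up with X509CertificateName in Get-PopSettings.
function Test-PopCertificateBinding {
    param([string]$Server = $env:COMPUTERNAME)   # assumption: run on the CAS

    $pop      = Get-PopSettings -Server $Server
    $expected = [string]$pop.X509CertificateName
    $now      = Get-Date

    # Only certificates with the POP service enabled are candidates;
    # Services is a flags value that renders as e.g. "IMAP, POP, SMTP".
    $popCerts = @(Get-ExchangeCertificate -Server $Server |
        Where-Object { "$($_.Services)" -match 'POP' })

    Write-Host "POP3 on ${Server}: X509CertificateName=$expected; SSLBindings=$($pop.SSLBindings -join ', ')"
    Write-Host "Certificates with POP enabled: $($popCerts.Count) (exactly one, trusted, is the goal)"

    foreach ($c in $popCerts) {
        # CertificateDomains holds domain objects; compare as strings
        # (case-insensitive). Wildcard names are not expanded here.
        $names    = @($c.CertificateDomains | ForEach-Object { "$_" })
        $problems = @()
        if ($c.IsSelfSigned)               { $problems += 'self-signed; clients will not trust it' }
        if (-not $c.HasPrivateKey)         { $problems += 'no private key' }
        if ($c.NotAfter -lt $now)          { $problems += "expired $($c.NotAfter)" }
        if ($names -notcontains $expected) { $problems += "does not contain $expected" }

        [pscustomobject]@{
            Thumbprint = $c.Thumbprint
            Subject    = $c.Subject
            Services   = "$($c.Services)"
            Expires    = $c.NotAfter
            Problems   = $(if ($problems) { $problems -join '; ' } else { 'ok' })
        }
    }
}

Test-PopCertificateBinding | Format-Table -AutoSize

# Remediation once the trusted UCC certificate (CN mail.gerardiinsurance.com,
# SAN autodiscover.gerardiinsurance.com, as Ed suggests) is identified.
# Run one step at a time; <UCC-THUMBPRINT> / <OLD-THUMBPRINT> are placeholders:
#   Enable-ExchangeCertificate -Server <CAS> -Thumbprint <UCC-THUMBPRINT> -Services POP
#   Set-PopSettings -Server <CAS> -X509CertificateName mail.gerardiinsurance.com
#   Remove-ExchangeCertificate -Server <CAS> -Thumbprint <OLD-THUMBPRINT>   # redundant self-signed cert
#   Restart-Service MSExchangePOP3
```

After the restart, re-run the function: the expected end state is a single row whose Problems column reads "ok", with the Remote Connectivity Analyzer then able to retrieve the certificate on 995.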


The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.gerardiinsurance.com on port 995.

The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate

I have reset bindings, changed the certificate and countless other attempts.  Login type is set to PlainTextLogin.

Any ideas?