Evolution client imports the wrong ssl certificate

Posted on 2009-05-05
Last Modified: 2013-11-22
I am trying to download email via courier imap to a client pop3 account with a valid self-signed ssl certificate.  I have followed instructions at for the browser certificate and for the mail certificate.

The EvolutionSMTP.p12 file that I import into my client email account shows all the wrong information!  When I try to download email, the certificate warning tells me the signature is bad - it's an automatically generated issue from NY that expires in 2019.  The certificate I generated expires in 2014 and it's from my state (not NY;  I should probably reduce it from 1825 days to expire in 365 but it's not working anyway).

I copied EvolutionSMTP.p12 from /etc/postfix/ssl where I  generated it to my home folder on the server, scp'd the file to my laptop and then imported it into my email client, after clearing the client-generated db files in .evolution.  However the certificate that appears in my Evolution client doesn't correspond to the certificate I created (wrong issuer and expiration date).  I've tried following the steps in the above urls several times, the latest with a new password that is accepted, but still the email certificate that is displayed is auto-generated.  What to do?
Question by:sara_bellum

Expert Comment

by:Kerem ERSOY
ID: 24320663

It is obvious that your system does not look for the certificate in the folder you've placed it in. So please check your pop server config files and find out where it keeps its certificate files. Then copy the certificate to the right folder with the correct name. Restart your pop server and retry. You'll understand that you've done it correctly when you see the certificate information from your server matches your self-signed certificate. Setting certificate life has nothing to do with it. So you don't need to try to keep it shorter.

Author Comment

ID: 24352139
Here's what I found in the ubuntu forum:

"Open your web hosting site using https in firefox (I used my https webmail).  //I don't have https
Double-click on the padlock icon in the status bar at the bottom of the window // or a padlock
Click on the security tab, Click view certificate, Click details, Click export.
Save as an X.509 Certificate (first option).
Open Evolution, Edit>Preferences>Certificates, Click Import
Browse to the certificate you just saved, click Open, You're done!"

I have no padlock on my home page, so I'm still stuck...I checked my Wordpress config (wordpress is installed in my doc root) and there's nothing there on ssl that I can associate with this problem :(
I think I need to set up an https site in apache, which I don't need right now but I guess I can set up a bogus one...

Author Comment

ID: 24409740
Sorry that I've been unavailable to work on this enough to report back, but it's an amazingly complex issue!  I've implemented everything from here: and was able to import a certificate, but the one that Evolution looks for is automatically generated.

So I found this: and was able to localize the default settings on the server for automatically generated certificates; I then restarted pop and pop-ssl services.  My Evolution client now reads the correct location and expiration date, so the automatically generated certificate doesn't look as bad as the I'm-in-NY-and-expire-in-10-years certs that I saw before.  However the Evolution client still tells me that the automatically generated cert is bad, and I can't import a certificate to the client to authenticate something that's automatically generated.  There's no setting on the client that allows me to change how it authenticates either :(  

Accepted Solution

Kerem ERSOY earned 500 total points
ID: 24409793
Hi, in fact since you're generating your own servers they are not valid certificates that could be traced back to known signers and validation be checked by third parties. So if you don't use a certificate from a well-known issuer this is the normal behaviour. However, if you don't want it to cause errors on the client side, what you would do is to get the certificate and include it in your certificates chain so that it won't cause any errors to the client.

What OS do your clients use?

Author Comment

ID: 24415403
The OS on the clients is also Ubuntu (Debian) Linux.

Since I can import a cert into the Evolution client that is associated with a stable server key (but not one that is automatically generated) I changed the pop3d.cnf file in /etc/courier to disable the auto-generate-ssl-key and copied all files to /home/user/myCA.  I now have an updated mail certificate in Evolution that has the right location and expiration date which is presumably associated with the correct key, but I can't fetch mail :(

The error in the client says just that: error fetching mail.  I got no errors on the server when restarting pop and pop-ssl.

I'm still working with this page: 
It sure would help to find some errors.

Author Comment

ID: 24425771
Here's where I am now - either the procedures at the latest url are wrong or there's something in my server config that prevents their correct implementation.

# openssl s_server -key server_key.pem -cert mycert.pem -CAfile server_crt.pem -state -Verify 10
verify depth is 10, must return a certificate
Enter pass phrase for server_key.pem:
Using default temp DH parameters
Using default temp ECDH parameters
error setting private key
22900:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:399:
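
Added example (not part of the original thread): the "key values mismatch" error above means the private key and the certificate given to s_server do not carry the same public key. The script below checks a key/certificate pair with openssl and prints the subject, issuer and expiry a mail client would display; the file names, subjects and helper function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that a private key belongs to a certificate before
# configuring it in a POP3/IMAP/SMTP server. All names here are constructed.

# Create an unencrypted RSA key and a self-signed certificate (demo data only).
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=US/ST=Example/O=Example Org/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Return 0 if key and certificate share a public key, 1 if they do not,
# 2 if either file cannot be read (so a missing file never counts as a match).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Print the fields worth comparing against what the mail client shows.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

demo() {
    d=$(mktemp -d) || return 1
    make_pair "$d/server" mail.example.test
    make_pair "$d/other" other.example.test

    cert_summary "$d/server.crt"

    if key_matches_cert "$d/server.key" "$d/server.crt"; then
        echo "server.key matches server.crt"
    fi
    # A key paired with a certificate generated from a different key is the
    # situation s_server reports as "key values mismatch".
    if ! key_matches_cert "$d/server.key" "$d/other.crt"; then
        echo "server.key does NOT match other.crt"
    fi
    rm -rf "$d"
}

demo
```

Comparing the SHA-256 fingerprint printed by cert_summary with the one shown in the client's certificate viewer tells you whether the client is looking at the certificate you generated or at a different one.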

Author Comment

ID: 24429316
I gave up and installed Dovecot, and am able to download mail with a bad (default) certificate. Until I can create certs that pass the openssl s_client test, the only authentication method is password, and even so, I have inconsistent results with that:
-Ever since I cleared the password from my client while troubleshooting courier pop3 connections, if I'm prompted for a password, the user password I type in is not accepted.
-If I'm not prompted for a password the mail gets downloaded, but how long that will work remains a mystery, since I can't store a password that isn't accepted.  The email user account name in the client matches the Linux account name on the server, so how password authentication over a LAN connection also fails is as mysterious as the SSL certificate signature failure.

I thought that the simplest thing would be to edit the default SSL Certificate check options that postfix displays (OU = Office for Complication of Otherwise Simple Affairs etc) but I can't find the file where these settings are stored - it doesn't appear to be anywhere in /etc and it doesn't make sense for it to be anywhere else.  Is it perhaps in binary form?  Let me know thanks.

Author Closing Comment

ID: 31578342
Again, a "started to help" question that was left unanswered.
