About 3 weeks ago one of our techs purchased and installed a new SSL certificate for our Exchange server. Everything was and is working fine on IMAP internally and externally, and OWA. The problem is with our POP3 SSL clients. Seemingly after the new certs were installed, our POP users would get intermittent authentication errors when establishing a session. In an effort to troubleshoot the problem, I enabled POP3 logging and restarted the POP3 service of Exchange 2007. That was 3 days ago. Now, no POP3 users are able to connect at all. I stopped the logging, and no difference.
I came to find out later that when the upgraded certs were installed 3 weeks ago, the Exchange server was never not. Possibly when I restarted the POP3 service for logging, that did something?
To throw more confusion in the mix, about 3 months ago, we switched from a Barracuda firewall appliance to Barracuda spam filter service. Since then, the Event viewer has been logging RED 12014 Transport errors saying Exchange couldn't find a certificate for the Barracuda networks domain. True, because Barracuda was not named on the old cert and actually it's not named on the new cert either (I don't know if it can because we don't own it????) (See attached error file.)
Anyway, since the POP3 stopped working 3 days ago, that's when I started looking at the logs and found the Barracuda / cert error as well as errors saying that the IMAP and POP3 services didn't have certificates associated with them. Unfortunately, I accidentally erased the log and don't have the event IDs for those errors--I'm sure more will come today and I will let you know what they are if anyone tries to help me.
The plot thickens: Exchange Shell shows that we have 6 certificates installed (see cert_list.txt). All are self-signed except the one CA cert that we got from GoDaddy 3 weeks ago. The GoDaddy cert says that it is INVALID, yet if you go to SSLShopper.com and use the Cert Tool, it says everything is OK. And, before we installed it, our on-site employees were getting Certificate errors in Outlook, now they are not. Also, OWA, and Exchange mail on my Android cell works without errors.
Question: I want to just get rid of all the certs and re-install the GoDaddy cert and one self-signed certificate that has all our domains as well as the Barracuda domain--is that a good idea?
Another thing, I made one self-signed cert last night and installed it. We have the Certificate Service installed on our PDC and used it to self-authenticate? I noticed a couple of things about it. First, it shows that it is NOT self-signed, i.e. IsSelfSigned: FALSE, and that it is only associated with IMAP, POP, and UM. I tried to use the Enable command: Enable-ExchangeCertificate -Thumbprint xxxx -Services "POP, IMAP, UM, IIS, SMTP" but I keep getting an error about services. The Shell also won't let me remove the cert.
I know I've described a bunch of problems and maybe it should be broken up into a number of questions, but I wanted to give you the whole confusing picture.
Thanks in advance.