Solved

Exchange Security Certificates INVALID, All Works Except POP3 SSL

Posted on 2013-05-10
Last Modified: 2013-09-05
About 3 weeks ago one of our techs purchased and installed a new SSL certificate for our exchange server.  Everything was and is working fine on IMAP internally and externally, and OWA.  The problem is with our POP3 SSL clients.  Seemingly after the new certs were installed our POP users would get intermittent authentication errors when establishing a session.  In an effort to troubleshoot the problem, I enabled POP3 logging and restarted the POP3 service of Exchange 2007.  That was 3 days ago.  Now, no POP3 users are able to connect at all.  I stopped the logging, and no difference.  

I came to find out later that when the upgraded certs were installed 3 weeks ago, the Exchange server was never not.  Possibly when I restarted the POP3 service for logging, that did something?

To throw more confusion in the mix, about 3 months ago, we switched from a Barracuda firewall appliance to Barracuda spam filter service.  Since then, the Event viewer has been logging RED 12014 Transport errors saying Exchange couldn't find a certificate for the Barracuda networks domain.  True, because Barracuda was not named on the old cert and actually it's not named on the new cert either (I don't know if it can because we don't own it????)  (See attached error file.)

Anyway, since the POP3 stopped working 3 days ago, that's when I started looking at the logs and found the Barracuda / cert error as well as errors saying that the IMAP and POP3 services didn't have certificates associated with them.  Unfortunately, I accidentally erased the log and don't have the event IDs for those errors--I'm sure more will come today and I will let you know what they are if anyone tries to help me.

The plot thickens:  Exchange Shell shows that we have  6 certificates installed (see cert_list.txt)  All are self-signed except the one CA cert that we got from Godaddy 3 weeks ago.  The Godaddy cert says that it is INVALID, yet if you go to SSLShopper.com and use the Cert Tool, it says everything is OK.  And, before we installed it, our on-site employees were getting Certificate errors in Outlook, now they are not.  Also, OWA, and Exchange mail on my Android cell works without errors.

Question: I want to just get rid of all the certs and re-install the Godaddy cert and one self-signed certificate that has all our domains as well as the Barracuda domain--is that a good idea?  

Another thing, I made one self-signed cert last night and installed it.  We have the Certificate Service installed on our PDC and used it to self-authenticate?  I noticed a couple of things about it.  First, it shows that it is NOT self-signed, i.e. IsSelfSigned: FALSE, and that it is only associated with IMAP, POP, and UM.  I tried to use the Enable command: Enable-ExchangeCertificate -Thumbprint xxxx -Services "POP, IMAP, UM, IIS, SMTP"  but I keep getting an error about services.  The Shell also won't let me remove the cert.

I know I've described a bunch of problems and maybe it should be broken up into a number of questions, but I wanted to give you the whole confusing picture.

Thanks in advance.
Event-12014.txt
cert-list.txt
Question by:basstech
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39155728
If you suspect the GoDaddy certificate then you can get it rekeyed. Generate a new request in Exchange and then rekey it through their system. You have 24 hours to replace the certificates after doing that.

The reason the certificate generated by your CA isn't self signed is because it isn't - it wasn't generated by Exchange itself. Therefore if you have published the root to the domain and the clients trust it, then it would be fine. However as you have a commercial certificate I wouldn't bother.

Not sure what you are referring to with the Barracuda error. Is it perhaps referring to the FQDN on the send connector?

Simon.
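The checks the thread turns on (which certificate the POP3/IMAP4 services will actually pick, and the connector FQDN that event 12014 complains about, as Simon suggests), as an added Exchange Management Shell example that is not from the original question or answer. It assumes an Exchange 2007 server with the standard cmdlets Get-ExchangeCertificate, Get-PopSettings, Get-ImapSettings, Get-SendConnector and Get-ReceiveConnector; <THUMBPRINT> is a placeholder to be replaced from the listing.

```powershell
# Added diagnostic script (assumed Exchange 2007 Management Shell, run on the Exchange server).

# 1. List every certificate Exchange knows about, with the fields relevant to this problem:
#    which services it is bound to, whether Exchange rates it Valid, and which names it covers.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, Status, IsSelfSigned, NotAfter

# 2. POP3 and IMAP4 select a certificate by name: the X509CertificateName in the POP/IMAP settings
#    must appear on a certificate that also has the POP (or IMAP) service enabled.
$popName  = (Get-PopSettings).X509CertificateName
$imapName = (Get-ImapSettings).X509CertificateName
"POP3 expects a certificate for:  $popName"
"IMAP4 expects a certificate for: $imapName"

$popCerts = Get-ExchangeCertificate | Where-Object {
    ($_.Services -match 'POP') -and
    (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $popName)
}
if (-not $popCerts) {
    "No POP-enabled certificate covers '$popName'. POP3 over SSL cannot start a session until one does."
} else {
    "POP3 can use:"; $popCerts | Format-Table Thumbprint, Status, NotAfter -AutoSize
}

# 3. Event 12014 names the FQDN the transport service looked for when offering STARTTLS.
#    Compare that name with the FQDN configured on each connector; a name no certificate
#    covers (here, the Barracuda domain) produces exactly that event.
Get-SendConnector    | Format-Table Name, Fqdn -AutoSize
Get-ReceiveConnector | Format-Table Name, Fqdn -AutoSize

# 4. Bind the commercial certificate to the services it should serve. Include UM only on a server
#    that has the Unified Messaging role installed. <THUMBPRINT> is a placeholder.
# Enable-ExchangeCertificate -Thumbprint <THUMBPRINT> -Services POP,IMAP,IIS,SMTP
```

After step 4, restart the POP3 and IMAP4 services so they re-read the certificate binding, then re-run step 2 to confirm the expected name is now covered.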
