
Exchange Security Certificates INVALID, All Works Except POP3 SSL

Posted on 2013-05-10
Last Modified: 2013-09-05
About 3 weeks ago one of our techs purchased and installed a new SSL certificate for our exchange server.  Everything was and is working fine on IMAP internally and externally, and OWA.  The problem is with our POP3 SSL clients.  Seemingly after the new certs were installed our POP users would get intermittent authentication errors when establishing a session.  In an effort to troubleshoot the problem, I enabled POP3 logging and restarted the POP3 service of Exchange 2007.  That was 3 days ago.  Now, no POP3 users are able to connect at all.  I stopped the logging, and no difference.  

I came to find out later that when the upgraded certs were installed 3 weeks ago, the Exchange server was never not.  Possibly when I restarted the POP3 service for logging, that did something?

To throw more confusion in the mix, about 3 months ago, we switched from a Barracuda firewall appliance to Barracuda spam filter service.  Since then, the Event viewer has been logging RED 12014 Transport errors saying Exchange couldn't find a certificate for the Barracuda networks domain.  True, because Barracuda was not named on the old cert and actually it's not named on the new cert either (I don't know if it can because we don't own it????)  (See attached error file.)

Anyway, since the POP3 stopped working 3 days ago, that's when I started looking at the logs and found the Barracuda / cert error as well as errors saying that the IMAP and POP3 services didn't have certificates associated with them.  Unfortunately, I accidentally erased the log and don't have the event IDs for those errors--I'm sure more will come today and I will let you know what they are if anyone tries to help me.

The plot thickens:  Exchange Shell shows that we have 6 certificates installed (see cert_list.txt).  All are self-signed except the one CA cert that we got from GoDaddy 3 weeks ago.  The GoDaddy cert says that it is INVALID, yet if you go to SSLShopper.com and use the Cert Tool, it says everything is OK.  And, before we installed it, our on-site employees were getting Certificate errors in Outlook, now they are not.  Also, OWA, and Exchange mail on my Android cell works without errors.

Question: I want to just get rid of all the certs and re-install the GoDaddy cert and one self-signed certificate that has all our domains as well as the Barracuda domain--is that a good idea?

Another thing, I made one self-signed cert last night and installed it.  We have the Certificate Service installed on our PDC and used it to self-authenticate?  I noticed a couple of things about it.  First, it shows that it is NOT self-signed, i.e. IsSelfSigned: FALSE, and that it is only associated with IMAP, POP, and UM.  I tried to use the Enable command: Enable-ExchangeCertificate -Thumbprint xxxx -Services "POP, IMAP, UM, IIS, SMTP" but I keep getting an error about services.  The Shell also won't let me remove the cert.

I know I've described a bunch of problems and maybe it should be broken up into a number of questions, but I wanted to give you the whole confusing picture.

Thanks in advance.
Attachments: Event-12014.txt, cert-list.txt
Question by:basstech

Accepted Solution

by: Simon Butler (Sembee) earned 500 total points
ID: 39155728
If you suspect the GoDaddy certificate then you can get it rekeyed. Generate a new request in Exchange and then rekey it through their system. You have 24 hours to replace the certificates after doing that.

The reason the certificate generated by your CA isn't self-signed is because it isn't - it wasn't generated by Exchange itself. Therefore if you have published the root to the domain and the clients trust it, then it would be fine. However as you have a commercial certificate I wouldn't bother.

Not sure what you are referring to with the Barracuda error. Is it perhaps referring to the FQDN on the send connector?

Simon.
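As an added example (not from the question or from Simon's answer), the following PowerShell script does from a client's point of view what both the "INVALID" status and the POP3 failures above call for: it opens a TLS session to the POP3-over-SSL port, reports which certificate the server actually hands out, whether that certificate's chain builds against the local trust store, and whether the name clients connect to is listed on it. The hostname `mail.example.com`, the port, and the `THUMBPRINT` placeholder in the comments are assumptions, not values from the page; the Exchange Management Shell commands in the closing comment only run on the Exchange server itself.

```powershell
# Added example (not from the question or the accepted answer): inspect the
# certificate a POP3-over-SSL endpoint presents and validate it the way a mail
# client would. Hostname and port are assumed placeholders.
function Test-Pop3Certificate {
    param(
        [string]$Server = 'mail.example.com',   # assumed placeholder, replace with your Exchange host
        [int]$Port      = 995                   # POP3S default port
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate during the handshake so that a broken chain is
        # reported below instead of being thrown as an exception.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Names the certificate covers: the CN/DNS name plus every Subject Alternative
        # Name entry (extension OID 2.5.29.17). Clients must connect using one of these.
        $names = @($cert.GetNameInfo('DnsName', $false))
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            $names += ($sanExt.Format($false) -split ',\s*') |
                ForEach-Object { ($_ -split '=')[-1].Trim() }
        }
        $names = $names | Sort-Object -Unique
        # -like turns a wildcard SAN such as *.example.com into a glob match.
        $nameCovered = [bool]($names | Where-Object { $Server -like $_ })

        # Build the chain against this machine's trust store, the check Outlook performs.
        # A self-signed or private-CA certificate whose root is not trusted fails here.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $chainReport = if ($chainOk) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }

        [pscustomobject]@{
            Server      = $Server
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            Names       = $names -join ', '
            NameCovered = $nameCovered
            ChainValid  = $chainOk
            ChainStatus = $chainReport
            Protocol    = $ssl.SslProtocol
        }
    }
    finally {
        $client.Close()
    }
}

Test-Pop3Certificate | Format-List

# Server-side checks, Exchange Management Shell only (THUMBPRINT is a placeholder):
#   Get-ExchangeCertificate | Format-List Thumbprint, Status, IsSelfSigned, Services, CertificateDomains
#   Get-PopSettings | Format-List X509CertificateName   # should be one of the CertificateDomains above
#   Enable-ExchangeCertificate -Thumbprint THUMBPRINT -Services POP,IMAP   # -Services takes a list of service names
```

If `NameCovered` is false, clients get name-mismatch errors regardless of how valid the certificate is; if `ChainValid` is false, the `ChainStatus` field names the reason (an untrusted root for a private-CA certificate, an expired or revoked certificate). The same function run with port 993 checks the IMAP listener, which on this page is reported as working, so comparing the two outputs shows whether POP3 is bound to a different certificate than IMAP.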
