

POP3 SSL / TLS not working after certificate installation...

Question

Thursday, August 4, 2016 7:24 PM

Hi all,

The other day we renewed our 3rd party certificate on our Exchange 2013 server.  During the renewal I bound the new cert to the various services (POP, IMAP, IIS, SMTP) and made sure the bindings in IIS were set to point to the new cert.

I've come to find out that since doing this, POP3 SSL connections stopped working.  I used the Microsoft Remote Connectivity Analyzer to attempt a connection and it failed.  The failure happened when the Microsoft Connectivity Analyzer tried to obtain the certificate.  It wasn't able to obtain the remote SSL certificate and spit out this error:

"The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation."

With that said, I've double and triple checked the various settings for the certificate to make sure it's valid and bound to the POP service and the user account is enabled for POP and restarted the POP3 services.  I've also made certain that the port (995 in this case) is open and accepting connections from the server in question (it is).  Just for kicks, I tried to re-key and re-install the cert again to no avail.  I also ran the Get-PopSettings cmdlet and saw that SSL bindings are correct, LoginType is SecureLogin, and the X509CertificateName is set to the right certificate.  Yet even after restarting services, this problem persists.  Can anyone point me in the right direction to resolving this?

All replies (5)

Friday, August 5, 2016 9:04 PM ✅ Answered

Thanks all for the responses.  I have discovered the cause of the issue: the proper certificate was bound to the POP service, however there was another certificate on the server in the personal store from our internal CA that had the same friendly name as the 3rd party certificate.  Apparently Exchange has some logic in it that forces it to use the local CA certificate over the 3rd party certificate for services regardless of bindings.  The problem was solved by deleting the local CA certificate, then rebinding the 3rd party certificate to the services (I did the rebinding via a PowerShell cmdlet).  After restarting the POP services, all was well.

By the way, I think this problem was complicated by the fact that the "PopProxy" server component was inactive (Get-ServerComponentState).  I activated that along the way at some point while fixing the problem, too.

Thanks!
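As an added example (not part of the thread and not Exchange's own tooling), the check that would have surfaced this before any rebinding: group the certificates by friendly name and show the issuer and service bindings of each duplicate. The sample objects are constructed to mirror the situation in the accepted answer; on the server the same function is fed by Get-ExchangeCertificate, and the commented remediation steps use the documented Exchange cmdlets with placeholder thumbprints.

```powershell
# Added example, not from the thread. Finds certificates that share a
# friendly name (the condition the accepted answer identified) so the
# internal-CA duplicate can be spotted before deciding which one to remove.

function Find-DuplicateFriendlyName {
    [CmdletBinding()]
    param(
        # Objects with FriendlyName, Thumbprint, Issuer and Services properties,
        # e.g. the output of Get-ExchangeCertificate.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Certificate
    )
    begin { $all = @() }
    process { $all += $Certificate }
    end {
        $all |
            Group-Object -Property FriendlyName |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                [pscustomobject]@{
                    FriendlyName = $_.Name
                    Count        = $_.Count
                    # one "<thumbprint> issuer=<issuer> services=<services>" line per duplicate
                    Entries      = ($_.Group | ForEach-Object {
                        '{0} issuer={1} services={2}' -f $_.Thumbprint, $_.Issuer, $_.Services
                    }) -join "`n"
                }
            }
    }
}

# Constructed sample data standing in for Get-ExchangeCertificate output:
# the public-CA certificate bound to the services, an internal-CA certificate
# that was given the same friendly name, and the default self-signed one.
$sample = @(
    [pscustomobject]@{ FriendlyName = 'mail.example.com'; Thumbprint = '1111111111111111111111111111111111111111'
                       Issuer = 'CN=Example Public CA'; Subject = 'CN=mail.example.com'; Services = 'IMAP, POP, IIS, SMTP' }
    [pscustomobject]@{ FriendlyName = 'mail.example.com'; Thumbprint = '2222222222222222222222222222222222222222'
                       Issuer = 'CN=Corp Internal CA'; Subject = 'CN=mail.example.com'; Services = 'None' }
    [pscustomobject]@{ FriendlyName = 'Microsoft Exchange'; Thumbprint = '3333333333333333333333333333333333333333'
                       Issuer = 'CN=EXCH01'; Subject = 'CN=EXCH01'; Services = 'SMTP' }
)

$sample | Find-DuplicateFriendlyName | Format-List

# On an Exchange server (placeholders in angle brackets; confirm each step before running it):
#   Get-ExchangeCertificate | Find-DuplicateFriendlyName
#   Get-ExchangeCertificate -Thumbprint <internal-CA thumbprint> | Format-List Services, Issuer
#   Remove-ExchangeCertificate -Thumbprint <internal-CA thumbprint>        # only once Services shows None
#   Enable-ExchangeCertificate -Thumbprint <public-CA thumbprint> -Services POP, IMAP
#   Get-PopSettings | Format-List X509CertificateName, SSLBindings, LoginType
#   Restart-Service MSExchangePOP3, MSExchangePOP3BE
#   Get-ServerComponentState -Identity $env:COMPUTERNAME -Component PopProxy
#   Set-ServerComponentState -Identity $env:COMPUTERNAME -Component PopProxy -Requester HealthAPI -State Active
```

The function is deliberately input-agnostic so it can be run against the sample data on any machine and against Get-ExchangeCertificate on the server without changes. The last two commented lines cover the PopProxy component the answer mentions as inactive; Get-ServerComponentState is the check and Set-ServerComponentState the change.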


Thursday, August 4, 2016 7:37 PM

Can you check the TLS certificate on the receive connector which you set up for accepting the IMAP/POP connection?

Get-ReceiveConnector -Identity "name of the receive connector" | fl *tls*

Assign the new certificate to the receive connector as well. See the article below for reference.

http://exchangeserverpro.com/configuring-the-tls-certificate-name-for-exchange-server-receive-connectors/


Thursday, August 4, 2016 8:39 PM | 1 vote

Thank you for the response.  I understand what you are referring to.  To be clear, my SMTP receive connector is doing fine (it is not a part of the problem in this case as it works fine).  The only issue I have is with POP3 authentication for clients who want to check for (not "send out") email using POP3 SSL over port 995.  Hope that clears things up.


Friday, August 5, 2016 4:01 AM

Can you please install the OpenSSL client and check the connection status with the command below?

openssl s_client -connect mail.example.com:995 or

openssl s_client -crlf -connect mail.example.com:110 -starttls pop3

and then test the authentication by entering the user name and password in the format below.

USER test
+OK
PASS "password" (if you are using PlainTextAuthentication as the LoginType)
+OK Logged in.

and see whether it gives any error or failure.
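The same probe in PowerShell, as an added example that is not from the thread: it completes the TLS handshake on 995 (or sends STLS on 110 first), reports the certificate the POP3 service actually presented, and reads the banner, so the served thumbprint can be compared with the one Get-ExchangeCertificate shows as bound. The server name and expected thumbprint are placeholders; the function name is an assumption.

```powershell
# Added example, not from the thread: PowerShell counterpart of the
# openssl s_client checks, reporting which certificate the POP3 service
# really presents. Server name and expected thumbprint are placeholders.

function Test-Pop3Tls {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 995,
        [switch]$StartTls,               # port-110 style: plain greeting, STLS, then TLS
        [string]$ExpectedThumbprint      # thumbprint the service is supposed to be bound to
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 10000
    try {
        $client.Connect($Server, $Port)
        $net = $client.GetStream()

        $plainGreeting = $null
        if ($StartTls) {
            # Plain-text phase: read the "+OK ..." greeting, send STLS, expect "+OK".
            $reader = New-Object System.IO.StreamReader($net)
            $writer = New-Object System.IO.StreamWriter($net)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
            $plainGreeting = $reader.ReadLine()
            if ($plainGreeting -notlike '+OK*') { throw "Unexpected greeting: $plainGreeting" }
            $writer.WriteLine('STLS')
            $resp = $reader.ReadLine()
            if ($resp -notlike '+OK*') { throw "STLS refused: $resp" }
        }

        # Diagnostic-only validation callback: record what was served and which
        # policy errors a normal client would have raised, then let the handshake
        # finish so those details can be reported. A production client must not
        # accept unconditionally like this.
        $state = @{ Cert = $null; PolicyErrors = $null }
        $callback = {
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $state.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
            $state.PolicyErrors = $sslPolicyErrors
            return $true
        }.GetNewClosure()

        $ssl = New-Object System.Net.Security.SslStream(
            $net, $false, [System.Net.Security.RemoteCertificateValidationCallback]$callback)
        # A failed negotiation (the Connectivity Analyzer's error) throws here.
        $ssl.AuthenticateAsClient($Server)

        # With implicit TLS (995) the greeting arrives only after the handshake;
        # with STLS it was already read in plain text.
        $greeting = if ($StartTls) { $plainGreeting } else { (New-Object System.IO.StreamReader($ssl)).ReadLine() }

        $served = $state.Cert
        $matchesExpected = $null
        if ($ExpectedThumbprint) {
            # -eq on strings is case-insensitive; strip spaces/colons from pasted thumbprints
            $matchesExpected = ($served.Thumbprint -eq ($ExpectedThumbprint -replace '[\s:]', ''))
        }
        [pscustomobject]@{
            Server          = $Server
            Port            = $Port
            Protocol        = $ssl.SslProtocol
            Greeting        = $greeting
            Subject         = $served.Subject
            Issuer          = $served.Issuer
            Thumbprint      = $served.Thumbprint
            NotAfter        = $served.NotAfter
            PolicyErrors    = $state.PolicyErrors   # None means a normal client would accept it
            MatchesExpected = $matchesExpected
        }
    }
    finally {
        $client.Close()
    }
}

# Implicit TLS on 995 (replace the placeholders before running):
# Test-Pop3Tls -Server 'mail.example.com' -ExpectedThumbprint '1111111111111111111111111111111111111111' | Format-List
# STARTTLS on 110:
# Test-Pop3Tls -Server 'mail.example.com' -Port 110 -StartTls | Format-List
```

Issuer and Thumbprint in the output are the fields to compare against Get-ExchangeCertificate: a served certificate whose Issuer is the internal CA while the bound certificate is the public one is exactly the mismatch the thread ends up diagnosing, and PolicyErrors shows whether an ordinary client would have rejected it.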


Friday, August 5, 2016 10:45 AM

Hi Koby,

Welcome to our forum.

Did you mean you could not configure a POP3 account?

If there is an error when you configure the POP3 account, we suggest you post that error here for troubleshooting.

Second, please check the POP3 log for any errors related to this specific account, then post the log here for troubleshooting.

https://technet.microsoft.com/en-us/library/aa997690(v=exchg.150).aspx 

To narrow down this issue, we suggest you create an internal CA, issue a new certificate for the Exchange server, assign only the POP3 service to this certificate, and then check whether the issue persists.

If there are any questions, please feel free to let me know.

Best Regards,

Jim Xu

Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected].

Jim Xu
TechNet Community Support