I am trying to get TLS to work with Outlook 2007 and I've hit a small problem. Whenever I start it up, I get this error:

"The server you are connected to is using a security certificate that cannot be verified. The target principal name is incorrect." (yes/no choice of trusting)

I first tried with a wildcard cert (*.elisand.com), and then tried with mail.elisand.com - both certs are from cacert.org and the root CA certs are installed and functioning properly on my system (so the certs should be trusted).

I've searched all over Google and such trying to find out why Outlook would give me this error from an IMAP/TLS connection (closest I could find was Exchange related info), and I know this is by no means an Outlook mailing list... though I'm just wondering if anyone else on here has ever encountered this problem before and could point me in the right direction to getting the SSL cert working with Outlook.

Thanks in advance!
You could try the old import trick - do https://mail.elisan.com:993 and accept the cert in IE. Outlook should then just accept it.

Rick

On Thu, 2007-10-25 at 10:08 -0400, Eli wrote:
> I am trying to get TLS to work with Outlook 2007 and I've hit a small
> problem. Whenever I start it up, I get this error:
>
> "The server you are connected to is using a security certificate that cannot
> be verified.
> The target principal name is incorrect." (yes/no choice of trusting)
>
> I first tried with a wildcard cert (*.elisand.com), and then tried with
> mail.elisand.com - both certs are from cacert.org and the root CA certs are
> installed and functioning properly on my system (so the certs should be
> trusted).
>
> I've searched all over Google and such trying to find out why Outlook would
> give me this error from an IMAP/TLS connection (closest I could find was
> Exchange related info), and I know this is by no means an Outlook mailing
> list... though I'm just wondering if anyone else on here has ever
> encountered this problem before and could point me in the right direction to
> getting the SSL cert working with Outlook.
>
> Thanks in advance!
Anyone have any solution to this? I am also getting "The target principal name is incorrect." in Outlook 2007. Is this a problem with Dovecot?
Agree with Hugo; most root CAs have intermediate certificates which should be supplied with your server certificate. Otherwise the chain won't work and no client will trust it.

- original message -
Subject: Re: [Dovecot] SSL/TLS with Outlook client
From: Hugo Monteiro <hugo.monteiro at fct.unl.pt>
Date: 14/11/2007 00:14

Eli Sand wrote:
> Hugo Monteiro wrote:
>
>> Ah ... wildcard certs .. from what i recall, certs issued like
>> *.example.com were not very well accepted by M$ clients. You should
>> test against non wildcard certs and see how it behaves.
>>
>
> Already have and no luck :( My domain is elisand.com and I have tried
> *.elisand.com, mx1.elisand.com (I believe that's what my MX record is... if
> not, whatever it is is what I tried) and mail.elisand.com which is the
> smtp/imap server name I use in Outlook. All three yield the same result :(
>
> Eli.
>

I have taken the liberty to connect to your server using openssl, and I've seen the following:

$ openssl s_client -CApath /usr/share/ca-certificates/cacert.org/ -connect mail.elisand.com:993
CONNECTED(00000003)
depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org
verify return:1
depth=0 /CN=*.elisand.com
verify return:1
---
Certificate chain
 0 s:/CN=*.elisand.com
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org
---

I believe you should change two things. If the name you wish to use on your clients is mail.elisand.com, then the certificate should read CN=mail.elisand.com. Furthermore, it's always a good idea to provide the chaining certificate path on Dovecot's side. Try using the ssl_ca_file directive in Dovecot's configuration.

Regards,

Hugo Monteiro.
--
ci.fct.unl.pt:~# cat .signature
Hugo Monteiro
Email : hugo.monteiro at fct.unl.pt
Telefone : +351 212948300 Ext.15307

Centro de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.ci.fct.unl.pt apoio at fct.unl.pt
ci.fct.unl.pt:~# _
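The two causes discussed in this thread (a certificate CN that does not match the host name the client connects to, and a server that sends only the leaf certificate without its intermediate) are exactly what Hugo's openssl call surfaces. As an added example, not from the thread or from Dovecot, the following Python script reproduces that check: hostname_matches() applies the wildcard rule that mail clients use (so you can see why *.elisand.com should cover mail.elisand.com but never the bare domain), and check_imaps() opens an IMAPS connection and reports whether the failure is a name mismatch or an incomplete chain. The host and CA bundle path are arguments you supply; no real hosts are assumed.

```python
import socket
import ssl
import sys

def hostname_matches(cert_names, hostname):
    """True if hostname matches one of the certificate's DNS names.

    Wildcard rule as browsers and mail clients apply it: '*' must be the
    whole left-most label and matches exactly one label, so '*.elisand.com'
    covers 'mail.elisand.com' but not 'elisand.com' or 'a.b.elisand.com'.
    """
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                # ".elisand.com"
            if host.endswith(suffix):
                left = host[:-len(suffix)]   # the label the '*' has to cover
                if left and "." not in left:
                    return True
    return False

def check_imaps(host, port=993, cafile=None):
    """Connect to an IMAPS port and classify the verification result.

    Returns ("ok", names) when the chain validates and the name matches.
    A missing intermediate surfaces as 'unable to get local issuer
    certificate'; a CN/SAN that does not match as 'Hostname mismatch'.
    cafile is an optional CA bundle (e.g. the CAcert root) to trust.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return ("error", e.verify_message or str(e))
    except (ssl.SSLError, OSError) as e:
        return ("error", str(e))
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return ("ok", names)

if __name__ == "__main__":
    # Usage: python check_imaps.py mail.example.com [ca-bundle.pem]
    print(check_imaps(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Outlook's "target principal name is incorrect" corresponds to the hostname-mismatch case; the chain case is what ssl_ca_file in Dovecot fixes by sending the intermediate along with the server certificate.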
On Wed, 14 Nov 2007, Nikolay Shopik wrote:

>>> The IMAP spec does not contain an identification of the client application
>>> to the server. There is no "HELO" as in SMTP.
>> And HELO in SMTP is entirely unreliable, unverifiable, and on many servers
>> completely skippable.
> RFC says you SHOULD use FQDN for HELO, nothing more. But still you can add an SPF
> record for your HELO so nobody can forge your server HELO, that's it.

Well, I brought up HELO as an example just to say that the IMAP protocol has no concept at all that a client can say to the server which kind of client, e.g. "MS Outlook" vs. "Thunderbird", it is. Maybe the user agent string in HTTP would fit better. Also: unreliable, user-settable, I know.

Bye,

--
Steffen Kaiser