SSL – IMAP over SSL – Exchange 2003 Configuration

exchange exchange-2003 ssl windows-server-2003

Tried to configure my Exchange 2003 IMAP4 Virtual Server to accept SSL (993) connections (installed on Windows 2003 Standard R2 server).

I can send/receive using the normal IMAP (143) port.
While trying to connect my Outlook 2007 client, it throws an error: "Outlook cannot synchronize subscribed…: connect to server failed.."

Maybe I didn't configure my Exchange server in the right way…

I assume that the problem is related to the Certificate Service.
Following are the steps that have been taken to configure the IMAP/SSL service:

  1. Install Certificate Service using the Add/Remove Windows Components in Control Panel.
  2. While installing the Certificate Service, I created a new certificate (used the default parameters)
  3. Exchange System Manager –> Created a Default IMAP4 Virtual Server –> Opened the Properties of this Virtual Server –> Clicked the "Access" tab
  4. Clicked "Authentication" button and checked all 3 check-boxes: "Basic Authentication..", "Requires SSL/TLS…" and "Simple Authentication…" –> clicked OK to save
  5. Clicked the "Certificate" button –> "Assign an existing certificate"–> and chose the Certificate name that I have just created while installing the service.
  6. Clicked the "Communication" button and checked the "Requires Secure…"

Clicked OK and saved all changes. Restarted the IMAP service. Restarted the Outlook. The error appeared.
By the way, I have another certificate created by my McAfee server. If I choose this certificate, I can connect to the IMAP via SSL using Outlook, but Outlook pops up a warning that the certificate cannot be verified.

Please let me know if you have any idea how to solve this?

thx

Best Answer

(I'll leave the question of why you're using Outlook with an Exchange Server and the IMAP protocol instead of just using MAPI aside and just assume you're trying to test IMAP with Outlook and that you'll be using other non-Outlook IMAP clients later.)

The certificate created during installation of Certificate Services is a certificate authority (CA) certificate. (You may want to read up a bit on how a PKI works. It's dead simple math and logic, and it's a good thing to know about in general. Have a look at http://www.tbs-sct.gc.ca/pki-icp/beginners/faq/faq-eng.asp for a nice beginner's guide.) That certificate is not suitable for use by the IMAP server.

Be aware that by installing your own CA you're going to be creating certificates that won't be trusted by clients by default (since the clients have never heard of your CA). If you intend to turn this server loose on clients on the Internet at-large you're going to need to get a certificate from a trusted public certification authority.

Instead of choosing the CA's certificate when you're configuring SSL for your IMAP Virtual Server, create a new certificate and submit the request to your certificate server service via the "Send the request immediately to an online certification authority" radio-button in the IIS Certificate Wizard. This will cause a certificate and public/private keys to be created by IIS, submitted to the CA for signing, and a certificate to be issued and installed.

After you've done all that, verify that you can TELNET to port 993 on the Exchange Server computer from a client and that you do get a successful open TCP connection (to make sure communication between the client and server on TCP port 993 isn't being firewalled anywhere). Once you've got that, connect your test IMAP client to it.

You're not really thinking of using IMAP and Outlook to talk to Exchange, are you?
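
The connectivity check from this answer, extended to tell a blocked port apart from a TLS failure or an untrusted certificate, as an added Python example (not code from the answer). `probe_imaps` and its parameters are hypothetical names; it assumes the client's TLS library still supports a protocol version the server offers, and `cafile` is a PEM copy of your own CA certificate.

```python
import socket
import ssl


def probe_imaps(host, port=993, cafile=None, timeout=5.0):
    """Return (stage, detail); stage is 'tcp', 'tls', 'cert' or 'ok'.

    'tcp'  - no TCP connection (service not listening, or firewalled)
    'tls'  - port is open but the TLS handshake itself failed
    'cert' - handshake reached the certificate, which did not verify
    'ok'   - certificate verified and the server sent its IMAP greeting
    """
    # Step 1: plain TCP connect, the same check as TELNET to port 993.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"cannot open TCP connection: {exc}"

    # Step 2: TLS handshake with chain and host-name verification.
    # With cafile set, only that CA is trusted (a private CA's root);
    # with cafile=None the system trust store is used, as a client
    # that has never heard of your CA would.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # Step 3: an IMAP server speaks first ("* OK ...").
            greeting = tls.recv(512).decode("ascii", "replace").strip()
            return "ok", greeting
    except ssl.SSLCertVerificationError as exc:
        # Typical for a certificate issued by a CA the client does not
        # trust, or one whose name does not match the host.
        return "cert", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "tls", f"handshake failed: {exc}"
    finally:
        raw.close()


if __name__ == "__main__":
    import sys
    # Usage: probe.py HOST [CA_PEM_FILE]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe_imaps(sys.argv[1], cafile=ca))
```

A `cert` result without `cafile` that becomes `ok` once the CA's PEM file is supplied means the server certificate is fine and the client simply does not trust the issuing CA yet.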
