Exchange 2010 POP3/IMAP4/Transport services complaining that they can't find SSL certificate after blue screen
Go to Services, and look at the "Log On As" column for these 3 services:
- Microsoft Exchange IMAP4
- Microsoft Exchange POP3
- Microsoft Exchange Transport
By default, they will all use "Network Service".
Then run mmc.exe elevated and add the Certificates snap-in for the local computer. Right-click the relevant certificate (e.g. mail.example.com) and click "Manage Private Keys..." in the pop-up menu. Ensure that the relevant account (e.g. NETWORK SERVICE) has Read permission; it doesn't need Full Control, so that won't affect this issue whether it's ticked or not, but I recommend only giving Read access (principle of least privilege).
Then restart the relevant services for this change to take effect.
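The same procedure scripted, as an added example that is not part of the original answer: it reads the services' logon accounts, resolves the certificate's private key file, shows its ACL (the same list "Manage Private Keys..." edits), grants Read only if it is missing, and restarts the services. It assumes the certificate CN is mail.example.com as in the question, that the private key is an RSA CSP key under ProgramData\Microsoft\Crypto\RSA\MachineKeys (the usual case for an Exchange 2010 certificate; CNG keys are stored elsewhere and are not handled), and that the three services run as NT AUTHORITY\NETWORK SERVICE.

```powershell
# Added example, not part of the original answer. Assumptions: the certificate's CN is
# mail.example.com (as in the question), its private key is an RSA CSP key stored under
# ProgramData\Microsoft\Crypto\RSA\MachineKeys (the normal case for an Exchange 2010
# certificate; CNG keys live under ...\Crypto\Keys and are not handled here), and the
# three services run as NT AUTHORITY\NETWORK SERVICE. Run in an elevated Windows PowerShell
# on the Exchange server.

$CertName = 'mail.example.com'
$Account  = 'NT AUTHORITY\NETWORK SERVICE'
$Services = 'MSExchangePOP3', 'MSExchangeIMAP4', 'MSExchangeTransport'

# 1. Confirm which account each service logs on as (the "Log On As" column in services.msc).
Get-WmiObject Win32_Service |
    Where-Object { $Services -contains $_.Name } |
    Select-Object Name, StartName, State |
    Format-Table -AutoSize

# 2. Find the certificate in the computer's Personal store and resolve its private key file.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CertName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $CertName in LocalMachine\My" }

$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }
Write-Host "Certificate $($cert.Thumbprint) uses key file $keyFile"

# 3. Show the current ACL on the key file; this is exactly what "Manage Private Keys..." edits.
$acl = Get-Acl -Path $keyFile
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# 4. Grant Read (not Full Control) to the service account, only if it does not already have it.
#    FullControl includes Read, so an existing FullControl entry also satisfies this check.
$read = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $read) -eq $read)
}
if ($hasRead) {
    Write-Host "$Account already has Read on the private key"
} else {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $read, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted Read on the private key to $Account"
}

# 5. Restart the services so they reopen the key with the new permissions.
foreach ($svc in $Services) { Restart-Service -Name $svc -Force }
```

After the restart, the MSExchangePOP3/MSExchangeIMAP4 event 2007 and MSExchangeTransport event 12014 entries should stop appearing in the Application log; if they continue, step 2 printed the thumbprint actually being used, which you can compare against the thumbprint Get-ExchangeCertificate shows enabled for the service.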
Updated on September 18, 2022
Comments
-
ThatGraemeGuy over 1 year:
We have a single-server Exchange 2010 setup. In the early hours of this morning the server had a blue screen and rebooted. After coming back up the POP3/IMAP4 and Transport services are complaining that they cannot find the correct SSL certificate for mail.example.com.
POP3:
Log Name: Application
Source: MSExchangePOP3
Date: 2012/04/23 11:45:15 AM
Event ID: 2007
Task Category: (1)
Level: Error
Keywords: Classic
User: N/A
Computer: exch01.domain.local
Description: A certificate for the host name "mail.example.com" couldn't be found. SSL or TLS encryption can't be made to the POP3 service.
IMAP4:
Log Name: Application
Source: MSExchangeIMAP4
Date: 2012/04/23 08:30:44 AM
Event ID: 2007
Task Category: (1)
Level: Error
Keywords: Classic
User: N/A
Computer: exch01.domain.local
Description: A certificate for the host name "mail.example.com" couldn't be found. Neither SSL or TLS encryption can be made to the IMAP service.
Transport:
Log Name: Application
Source: MSExchangeTransport
Date: 2012/04/23 08:32:27 AM
Event ID: 12014
Task Category: TransportService
Level: Error
Keywords: Classic
User: N/A
Computer: exch01.domain.local
Description: Microsoft Exchange could not find a certificate that contains the domain name mail.example.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default EXCH01 with a FQDN parameter of mail.example.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
The odd part is that Get-ExchangeCertificate shows the cert as enabled for all the relevant services, and OWA is working flawlessly using this certificate.
[PS] C:\Users\graeme\Desktop>Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  ....S.     CN=exch01
YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY  ....S.     CN=exch01
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ  IP.WS.     CN=mail.example.com, OU=Domain Control Validated, O=mail.exa...
Here's the certificate in the computer account's personal cert store:
Does anyone have any pointers for getting POP3/IMAP4/SMTP to use the cert again?
-
Chris McKeown about 12 years: Does the certificate appear in the Certificates MMC snap-in?
-
ThatGraemeGuy about 12 years: @ChrisMcKeown: yes, added screenshot.
-
Chris McKeown about 12 years: Is the SSL cert a wildcard certificate, or specifically for your mail.example.com address?
-
ThatGraemeGuy about 12 years: No, it's the exact name. It's been set up and working for months; it's just suddenly started complaining after this box rebooted in the early hours of the morning. If I haven't found the answer by this evening I'm going to give it a reboot and see if it's one of those weird inexplicable things that tend to happen.
-
David about 10 years: Remove and re-add the cert?
-
ThatGraemeGuy about 10 years: Mmmm, no idea. This question is so old that the organisation moved to Google Apps and I've left since then. Don't even work with Windows anymore. :-)
-
ThatGraemeGuy about 12 years: Ran Enable-ExchangeCertificate and restarted the services, made no difference. Assuming the "CA" in #2 refers to the client access server, then yes this is done, it's a single-server setup.
-
Alex H about 12 years: Please check if you have the following services running: HTTPFilter, Security Accounts service, and that the ports for POP3 (110), IMAP (143), SMTP (25), SSMTP (465), IMAP SSL (585/993) and secure POP3 (995) are opened. See for what purposes the certificate is enabled.
-
ThatGraemeGuy about 12 years: "Security Accounts Manager" is running. I see no service called HTTPFilter. There is no local firewall that would prevent traffic to/from these ports. The certificate is enabled for POP/IMAP/SMTP/IIS, as per the original question.
-
Alex H about 12 years: I am taking a wild guess, but have you checked whether you are serving the correct DNS record, e.g. exch01.domain.local points to mycompany.blabla.com (your company DNS A entry / MX record)? Please see if you have other errors in the event log that could help you solve the issue.
-
ThatGraemeGuy about 12 years: No, the DNS is fine. It's been configured and working 100% for months. The only thing that happened is that the box had a blue screen and rebooted in the middle of the night. Since that happened the only thing that seems to be able to use the cert is OWA.