This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

POP3 email protection set up - outlook always asking about certificate

I have Sophos UTM 9.7 scanning my emails using Oultook client but whenever I start outlook it complains about the self signed certificate. If I view the certificate it does allow me to install it and I said yes but that doesn't fix the problem

In Sophos I selected the local cert as I don't have one specifically for Outlook (or for anything, actually). If I don't select to scan TLS traffic, nothing gets scanned as all my email accounts use TLS.

What do I need to do to make it is so Outlook doesn't ask me about cert every time I start it?

Any info would be appreciated



This thread was automatically locked due to age.
Parents Reply Children
  • Great description, Doug. Thanks. Very helpful, especially with the explanation of certs and warning about type of cert.

    It's not working for me so I must have done something wrong. I still get asked if I want to accept the cert every time I start outlook, even after I said yes to use the cert.

    When you said:

    - Go to Webserver... Certificate Management... Certificates and generate a certificate for the remote server name. 

    I did so and created the following: 

    Is that what you meant by remote server name? pop.gmail.com, which is where outlook is looking for email via POP3.. 

    Also I see when I view the cert in outlook the issue is reported that cert can't be verified by a trusted cert authority, which doesn't really surprise me - is that not going to be true for all self signed certs?

    For the record, here's where the cert inserted itself automatically by MMC snap-in:

    Also for the record - to Bob's point - I do have a unique FQDN for my unit and can see it was used in my local 508 cert and webadmin cert.  

  • All of that looks right., but it means that the correct root has not been installed.  Download the pop.gmail.com certificate to a file, then open it (double-click or right-click...properties  - I forget which one.)    Go to the [certificate path] tab.   You can click on each certificate in the chain, and see its properties.    The issuer of the last valid certificate is the one that you need to find and install on your PC.

  • I'm lost because there's no option to double click or right click a downloaded cert. .PEM is not associated to anything so right clicking or double clicking doesn't do anything. 

    I can go into MMC and import it but I don't I think that's not where I understood pop.gmail.com cert goes - I understood that cert was for selection on POP3 advanced tab on sophos. Did I misunderstand?

    When you say the "current root has not been installed", do you mean Home VPN CA in Trusted Root Certificate, or something else?

    Also when you say  "You can click on each certificate in the chain, and see its properties." do you mean when I'm in MMC Certificate snap-in, which would, for example (below), tells me the Home VPN CA cannot be verified, not unlike the message I'm getting from outlook about the cert...?

    FWIW, I double checked that the certificate chain is the same for Home VPN CA and pop.gmail.com  

    Do I need to force the Home VPN CA cert somewhere else than Trusted Root Certificate Authorities? Do I need to import pop.gmail.com cert in a store? if so, which one?

    Sorry for my confusion. Hopefully I'm asking questions that point to what I missed. Thanks again for your help.

  • Try renaming it from .PEM to .CRT

    Then Windows will be less confused.

  • ok, that allowed me to right click and install but it didn't fix the problem.

    I can see the first Home Cert is for pop.gmail.com. 

  • Would it fix things if I used a real cert from Let's Encrypt? I could move my no-ip service from dynamic DNS to managed DNS and use my own domain (which I think I read was a condition for using Let;s Enrcypt).

    I guess I'm wondering if using a real cert from a real CA would fix the problem. i.e could it be that Outlook is being strict about something one can't do with self signed stuff? (I'm using Outlook 2013, by the way)

  • hmmm. just realized that won't work because I can't create a cert for pop.gmail.com given I don't own that domain...

    I'd rather get the cert thing working but maybe I should look at standing up a pop3 server instead? are there good free ones?