
POP3 email protection set up - outlook always asking about certificate

I have Sophos UTM 9.7 scanning my emails, using the Outlook client, but whenever I start Outlook it complains about the self-signed certificate. If I view the certificate it does allow me to install it, and I said yes, but that doesn't fix the problem.

In Sophos I selected the local cert, as I don't have one specifically for Outlook (or for anything, actually). If I don't select scanning of TLS traffic, nothing gets scanned, as all my email accounts use TLS.

What do I need to do to make it so Outlook doesn't ask me about the cert every time I start it?

Any info would be appreciated

  • Hi Jean,

    Doug's answered your question, but you might also be interested in The Zeroeth Rule in Rulz (last updated 2021-02-16).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Great description, Doug. Thanks. Very helpful, especially the explanation of certs and the warning about the type of cert.

    It's not working for me so I must have done something wrong. I still get asked if I want to accept the cert every time I start outlook, even after I said yes to use the cert.

    When you said:

    - Go to Webserver... Certificate Management... Certificates and generate a certificate for the remote server name. 

    I did so and created the following: 

    Is that what you meant by remote server name: pop.gmail.com, which is where Outlook is looking for email via POP3?

    Also, I see when I view the cert in Outlook that the issue reported is that the cert can't be verified by a trusted cert authority, which doesn't really surprise me - is that not going to be true for all self-signed certs?

    For the record, here's where the cert inserted itself automatically, as shown by the MMC snap-in:

    Also for the record - to Bob's point - I do have a unique FQDN for my unit and can see it was used in my local 508 cert and WebAdmin cert.

  • All of that looks right, but it means that the correct root has not been installed. Download the pop.gmail.com certificate to a file, then open it (double-click or right-click... Properties; I forget which one). Go to the [certificate path] tab. You can click on each certificate in the chain and see its properties. The issuer of the last valid certificate is the one that you need to find and install on your PC.
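The chain walk Doug describes can be done from PowerShell on the Outlook PC, which also removes the .PEM file-association problem. The script below is an added example, not code from the thread or from Sophos. It either captures the certificate the POP3 server presents (through the UTM's POP3 proxy with TLS scanning on, that is the certificate the UTM re-signed with the CA you picked on the POP3 Advanced tab, not Google's own) or loads one already saved to a file, lets Windows build the chain, prints subject, issuer and status for each element, checks whether the top of the chain is a self-signed root that is already in a Trusted Root store, and with -Install adds it to the current user's Trusted Root Certification Authorities. The server name pop.gmail.com, port 995 and the example file path are assumptions; change them to match your setup.

```powershell
<#
Added example, not from the thread or from Sophos.
Shows how far Windows can build the chain for the POP3 server certificate, which
root is missing, and optionally installs that root for the current user.
Assumptions: pop.gmail.com:995 is reached through the UTM's POP3 proxy, or the
certificate was saved to a file such as C:\temp\pop.gmail.com.pem (assumed path).
#>
param(
    [string]$Server   = 'pop.gmail.com',   # host Outlook connects to (assumed)
    [int]   $Port     = 995,               # POP3 over TLS (assumed)
    [string]$CertFile = '',                # optional: a saved .pem/.crt instead of a live capture
    [switch]$Install                       # add the root to Cert:\CurrentUser\Root
)

$X509 = 'System.Security.Cryptography.X509Certificates'

if ($CertFile) {
    # .NET reads PEM (Base64) or DER whatever the extension, so the .pem -> .crt rename
    # that Explorer needs for double-clicking is not needed here.
    $leaf = New-Object "$X509.X509Certificate2" -ArgumentList $CertFile
} else {
    # Capture the certificate exactly as the client sees it. The validation callback
    # returns $true so the handshake completes even though the root is not yet trusted;
    # nothing is sent over the connection afterwards.
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $Server, $Port
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
    $ssl.AuthenticateAsClient($Server)
    $leaf = New-Object "$X509.X509Certificate2" -ArgumentList $ssl.RemoteCertificate
    $ssl.Close(); $tcp.Close()
}

# Outlook prompts for three reasons: untrusted issuer, expired certificate, name mismatch.
# Check the name first so a trust fix is not mistaken for a name problem.
$dnsName = $leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $Server) {
    Write-Warning ("First DNS name in the certificate is '{0}', not '{1}'; Outlook will complain about the name too." -f $dnsName, $Server)
}

# Let Windows build the chain. Build() returns $false on UntrustedRoot or PartialChain
# but still fills ChainElements, which is what we want to inspect.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # private CA, no CRL
$trusted = $chain.Build($leaf)
Write-Host ("Chain verifies to a trusted root: {0}" -f $trusted)

$n = $chain.ChainElements.Count
for ($i = 0; $i -lt $n; $i++) {
    $el = $chain.ChainElements[$i]
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }
    Write-Host ("[{0}] Subject: {1}" -f $i, $el.Certificate.Subject)
    Write-Host ("    Issuer : {0}" -f $el.Certificate.Issuer)
    Write-Host ("    Status : {0}" -f $status)
}

# The last element is as far as Windows got. If it is not self-signed, its issuer's
# certificate is the one missing from this PC (the "issuer of the last valid certificate").
$top = $chain.ChainElements[$n - 1].Certificate
if ($top.Subject -ne $top.Issuer) {
    Write-Warning ("Chain stops at '{0}'. Its issuer '{1}' is not on this PC; export that CA certificate from the UTM and run again." -f $top.Subject, $top.Issuer)
    return
}

$inRoot = @(Get-ChildItem Cert:\CurrentUser\Root) + @(Get-ChildItem Cert:\LocalMachine\Root) |
          Where-Object { $_.Thumbprint -eq $top.Thumbprint }
if ($inRoot) {
    Write-Host ("Root '{0}' (thumbprint {1}) is already in a Trusted Root store." -f $top.Subject, $top.Thumbprint)
    return
}
Write-Host ("Root '{0}' (thumbprint {1}) is NOT in Trusted Root Certification Authorities." -f $top.Subject, $top.Thumbprint)
if (-not $Install) {
    Write-Host "Re-run with -Install to add it for the current user."
    return
}

# Install only the self-signed root, never the pop.gmail.com leaf. Windows shows its own
# confirmation dialog when a root is added to CurrentUser\Root.
$store = New-Object "$X509.X509Store" -ArgumentList 'Root', ([System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($top)
$store.Close()
Write-Host "Installed. Restart Outlook and check whether the prompt is gone."
```

Save it as, for example, Check-Pop3Chain.ps1 (a name chosen for this example) and run it in a PowerShell window on the PC that runs Outlook. Element [0] should be the certificate for pop.gmail.com and its Issuer should match the CA you selected on the UTM's POP3 Advanced tab; if the chain verifies as trusted and Outlook still prompts, the remaining causes are the name mismatch the script warns about or an expired certificate.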

  • I'm lost because there's no option to double-click or right-click a downloaded cert. .PEM is not associated with anything, so right-clicking or double-clicking doesn't do anything.

    I can go into MMC and import it, but I don't think that's where I understood the pop.gmail.com cert goes - I understood that cert was for selection on the POP3 Advanced tab on Sophos. Did I misunderstand?

    When you say the "correct root has not been installed", do you mean Home VPN CA in Trusted Root Certificate Authorities, or something else?

    Also, when you say "You can click on each certificate in the chain, and see its properties," do you mean when I'm in the MMC Certificate snap-in, which, for example (below), tells me the Home VPN CA cannot be verified, not unlike the message I'm getting from Outlook about the cert...?

    FWIW, I double-checked that the certificate chain is the same for Home VPN CA and pop.gmail.com.

    Do I need to force the Home VPN CA cert somewhere other than Trusted Root Certificate Authorities? Do I need to import the pop.gmail.com cert into a store? If so, which one?

    Sorry for my confusion. Hopefully I'm asking questions that point to what I missed. Thanks again for your help.

  • Try renaming it from .PEM to .CRT

    Then Windows will be less confused.

  • OK, that allowed me to right-click and install, but it didn't fix the problem.

    I can see the first Home Cert is for pop.gmail.com. 

  • Would it fix things if I used a real cert from Let's Encrypt? I could move my no-ip service from dynamic DNS to managed DNS and use my own domain (which I think I read was a condition for using Let's Encrypt).

    I guess I'm wondering if using a real cert from a real CA would fix the problem, i.e. could it be that Outlook is being strict about something one can't do with self-signed stuff? (I'm using Outlook 2013, by the way.)

  • Hmmm, just realized that won't work, because I can't create a cert for pop.gmail.com given I don't own that domain...

    I'd rather get the cert thing working, but maybe I should look at standing up a POP3 server instead? Are there good free ones?