Wildcard SSL not working for SMTP and IMAP

Discussion forum for Enterprise Edition.
The Saxon
Posts: 3
Joined: Fri May 18, 2012 4:58 pm

Wildcard SSL not working for SMTP and IMAP

Post by The Saxon »

I am running MailEnable Enterprise 6.01.
My wildcard SSL certificate works for the webmail site in IIS. But it does not work for SMTP and IMAP.
I have followed the SSL configuration instructions in the manual as well as http://www.mailenable.com/kb/Content/Ar ... D=me020479 to no avail.

Here is some output from the SMTP debug log:

05/18/12 11:16:56	ME-I0082: Service binding to all addresses on port (25) for IPv4 family (2). Requires authentication 0
05/18/12 11:16:56	ME-I0085: Service (Alternate) binding to all IPv4 addresses on port (465). Requires authentication 1
05/18/12 11:16:56	ME-IXXXX: Initalised Recv Message Master Thread
05/18/12 11:16:56	ME-I0076: Listening for connections
05/18/12 11:16:56	ME-I0144: Service Completed Loading Agents
05/18/12 11:16:56	ME-IXXXX: Initalised Recv Message Master Thread
05/18/12 11:16:56	Permissions error opening the certificate store. Inbound SSL will fail unless this service has permissions to the store. See http://www.mailenable.com/kb/Content/Article.asp?ID=me020479
05/18/12 11:16:56	**** Error creating credentials object for SSL session
05/18/12 11:16:56	Unable to locate or bind to certificate with name "*.mydomain.com"
05/18/12 11:16:56	ME-I0076: Listening for connections

The interesting line is: Unable to locate or bind to certificate with name "*.mydomain.com"

When trying to connect to SMTP/SSL from gmail, it reports the following server error: Server response: 454 TLS not available due to temporary reason code(454)

Is my wildcard certificate the problem here? Does MailEnable not have the ability to use wildcard certificates for SMTP and IMAP?

In the meantime, I'll retrace the steps for configuring permissions on the certificate in case I've missed something.

Thanks for your help!

The Saxon
Posts: 3
Joined: Fri May 18, 2012 4:58 pm

Re: Wildcard SSL not working for SMTP and IMAP

Post by The Saxon »

I have retraced my steps for configuring this and can say it appears that I've missed nothing.

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Re: Wildcard SSL not working for SMTP and IMAP

Post by MailEnable »

Firstly, verify that the certificate works under IIS.


Obviously the SSL error reported at startup is preventing it from working. Presumably if that error is addressed then things should be fine.


The error is most likely that the service executable identity does not have access to the certificate store/resources. If you are running in debug mode then the service will run as your logged-in identity.

To diagnose this, run Process Monitor and monitor the service executable at the time you launch it in debug mode (i.e. meimaps.exe -debug).
Once you see the SSL error, stop the capture and check for any permission problems/access denied errors.

Regards, Andrew

The Saxon
Posts: 3
Joined: Fri May 18, 2012 4:58 pm

Re: Wildcard SSL not working for SMTP and IMAP

Post by The Saxon »

Solved
Andrew, thanks for the reply. I did as you suggested and verified that MESMTPC and MEIMAPS are running as the IME_SYSTEM user. I restarted MESMTPC and got the same "no access to certificate store" error as before. So that prompted me to again go through the SSL instructions (http://www.mailenable.com/kb/Content/Ar ... D=me020479). The last step of those instructions says to give the IME_SYSTEM user full access to the certificate file - which I had already done. What fixed the problem was to give the IME_SYSTEM user full access to the directory that the certificate file is in.

calfordgreen
Posts: 62
Joined: Sun Jun 13, 2004 1:34 pm

Re: Wildcard SSL not working for SMTP and IMAP

Post by calfordgreen »

Hi,
I am having exactly the same issue.
Can you tell me how to give permissions to the directory the SSL is in?
Is this through MMC with the certificates snap-in or another way?
Many thanks
Marcus

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Wildcard SSL not working for SMTP and IMAP

Post by MailEnable-Ian »

Hi,

The article http://www.mailenable.com/kb/content/article.asp?ID=ME020479 explains the steps.
Regards,

Ian Margarone
MailEnable Support

calfordgreen
Posts: 62
Joined: Sun Jun 13, 2004 1:34 pm

Re: Wildcard SSL not working for SMTP and IMAP

Post by calfordgreen »

Hi Ian,
thanks for the quick response.

Yes, that article does cover it, which I had followed for a W2K12 server and a W2K8 server; however, with the W2K8 server I still have the issue of the certificate not being able to be used.

So, are you saying that I should follow the instructions in the article for a W2K3 server to fix this even though I am running a W2K8 server?

thanks
Marcus

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Wildcard SSL not working for SMTP and IMAP

Post by MailEnable-Ian »

Hi,

What version of MailEnable are you running? If you have SMTP configured for TLS it should report SSL certificate problems in the SMTP debug log file.
Regards,

Ian Margarone
MailEnable Support

calfordgreen
Posts: 62
Joined: Sun Jun 13, 2004 1:34 pm

Re: Wildcard SSL not working for SMTP and IMAP

Post by calfordgreen »

Hi Ian,
On the W2K8 server that I am having this issue with, we are running ME Pro 8.6.1.

The errors we received are as follows:

04/27/20 16:08:05 Permissions error opening the certificate store. Inbound SSL will fail unless this service has permissions to the store. See http://www.mailenable.com/kb/Content/Article.asp?ID=me020479
04/27/20 16:08:05 **** Error creating credentials object for SSL session
04/27/20 16:08:05 ME-I0070: (recv) socket [1224] was gracefully closed during [STARTTLS] command by the remote client 209.85.210.65.
04/27/20 16:08:05 ME-I0074: [1224] (Debug) End of conversation


04/27/20 16:08:31 Permissions error opening the certificate store. Inbound SSL will fail unless this service has permissions to the store. See http://www.mailenable.com/kb/Content/Article.asp?ID=me020479
04/27/20 16:08:31 **** Error creating credentials object for SSL session


SSL Certificate is installed and IME_SYSTEM has full control on the certificate.

thanks
Marcus

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Wildcard SSL not working for SMTP and IMAP

Post by MailEnable-Ian »

Hi,

Have you also applied the permissions on the registry branch mentioned in the article?

I.e: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
Regards,

Ian Margarone
MailEnable Support

calfordgreen
Posts: 62
Joined: Sun Jun 13, 2004 1:34 pm

Re: Wildcard SSL not working for SMTP and IMAP

Post by calfordgreen »

How did I miss that?

It was set on the W2K12 server but not the W2K8 server.
Looks like it is working now.

Thanks for your help
Marcus
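
Added example, not part of the original thread and not MailEnable code: a small triage script for the SMTP debug log that groups the SSL start-up errors quoted above into incidents and separates a certificate-store permissions failure from a certificate that genuinely cannot be found. The sample log is constructed from the excerpts in the posts (host names and IP are placeholders), and the cause labels and the 2-second grouping window are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Message fragments as quoted in the debug-log excerpts in this thread.
LINE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
PERM = "Permissions error opening the certificate store"
CRED = "Error creating credentials object for SSL session"
BIND = re.compile(r'Unable to locate or bind to certificate with name "([^"]+)"')
DROP = re.compile(r"closed during \[STARTTLS\] command by the remote client (\S+?)\.?$")
# Constructed sample modelled on those excerpts (names and IP are placeholders).
SAMPLE = """\
05/18/12 11:16:56\tPermissions error opening the certificate store. Inbound SSL will fail
05/18/12 11:16:56\t**** Error creating credentials object for SSL session
05/18/12 11:16:56\tUnable to locate or bind to certificate with name "*.example.test"
04/27/20 16:08:05 Permissions error opening the certificate store. Inbound SSL will fail
04/27/20 16:08:05 **** Error creating credentials object for SSL session
04/27/20 16:08:05 ME-I0070: (recv) socket [1224] was gracefully closed during [STARTTLS] command by the remote client 192.0.2.10.
04/27/20 16:09:40 **** Error creating credentials object for SSL session
04/27/20 16:09:40 Unable to locate or bind to certificate with name "mail.example.test"
"""

def triage(log_text, window=timedelta(seconds=2)):
    """Group SSL start-up errors logged within `window` into incidents."""
    incidents = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"), m.group(2)
        bind, drop = BIND.search(msg), DROP.search(msg)
        is_error = PERM in msg or CRED in msg or bind is not None
        if not (is_error or drop):
            continue
        if not incidents or ts - incidents[-1]["last"] > window:
            if not is_error:
                continue  # STARTTLS drop with no SSL error just before it
            incidents.append(dict(start=ts, last=ts, perm=False, cred=False, cert=None, dropped=[]))
        inc = incidents[-1]
        inc["last"] = ts
        inc["perm"] |= PERM in msg
        inc["cred"] |= CRED in msg
        if bind:
            inc["cert"] = bind.group(1)
        if drop:
            inc["dropped"].append(drop.group(1))
    for inc in incidents:
        # Assumption from this thread: a store permissions error outranks the bind error.
        inc["cause"] = ("store-permissions" if inc["perm"] else
                        "certificate-not-found" if inc["cert"] else "credentials-error")
    return incidents
```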
