Fabio Spelta
Hello,
we have a mail server which offers SMTP, POP, IMAP and webmail services.
The server has a single IP address, but multiple DNS aliases, in this form:
servername.domain.it
smtp.domain.it
pop.domain.it
imap.domain.it
As stated above, they all resolve to the same IP address.
The access to the server for all the protocols is either via TLS or SSL (TLS
is used over SMTP, while SSL is preferred on IMAP, POP and HTTP; read IMAPS,
POPS and HTTPS).
Obviously, the server presents to the clients an X.509 certificate. That
certificate has, as the common name, the one in the form
"servername.domain.it"; while all the other FQDNs above are set in the
certificate as "Subject Alternative Names", as defined in RFC 3280.
All of our clients are configured to use the alternative names, i.e.
"pop.domain.it" for POP access, and so on.
With this configuration we have experienced no problems at all with any mail
clients (of the Outlook/Outlook Express family, and others), nor with web
browsers when using the webmail (IE 6, IE7, and other browsers) since the
beginning.
Only Office 2007, which we are starting to adopt now, seems to ignore the
"Subject Alternative Names" field, and it only seems to search for a match
between the server name configured in the client, and the one presented *in
the Common Name* field of the X.509 certificate. With Outlook 2007, we got a
security warning which states that
"The server you are connected to is using a security certificate that
cannot be verified.
The target principle name is incorrect.
Do you want to continue using this server?"
The error message disappears when we configure Outlook 2007 to use as the
(for example) POP server the name set as Common Name of the certificate;
"servername.domain.it"; only ignoring the "Alternative" names.
We would need to find a way to have Outlook 2007 working with the same
configurations in use now for all the (thousands of) clients, in anticipation of
a migration of the client systems to Office 2007, without requiring the users
to change their client settings.
Side note: the problem arises whether the "Subject Alt Names" X.509
extension is flagged as "non critical" or as "critical".
Thank you so much for any help.
Fabio
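
The two name-matching rules at issue in the post, as an added example (not code from the post or from any mail client): it audits which configured server names pass when a client gives dNSName SANs precedence (RFC 2818 section 3.1) and which pass when only the Common Name is compared. The certificate dict is constructed from the post's description in the format returned by Python's `ssl.SSLSocket.getpeercert()`; all function names are hypothetical.

```python
# Constructed sample: the certificate as described in the post, in the dict
# layout that ssl.SSLSocket.getpeercert() returns for a validated peer.
CERT = {
    "subject": ((("commonName", "servername.domain.it"),),),
    "subjectAltName": (
        ("DNS", "smtp.domain.it"),
        ("DNS", "pop.domain.it"),
        ("DNS", "imap.domain.it"),
    ),
}
# Names the clients are configured with (from the post).
CLIENT_NAMES = ["servername.domain.it", "smtp.domain.it",
                "pop.domain.it", "imap.domain.it"]

def _match(pattern, host):
    """Case-insensitive compare; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        first, _, rest = h.partition(".")
        return bool(first) and rest == p[2:]
    return p == h

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def dns_sans(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def cn_only_ok(cert, host):
    """Matching that never looks at subjectAltName (the behaviour the post reports)."""
    return any(_match(cn, host) for cn in common_names(cert))

def san_first_ok(cert, host):
    """RFC 2818 s3.1: if any dNSName SAN exists, the CN is not consulted at all."""
    sans = dns_sans(cert)
    return any(_match(n, host) for n in (sans if sans else common_names(cert)))

def audit(cert, hosts):
    """Per configured name: does it verify under each matching rule?"""
    return {h: {"san_first": san_first_ok(cert, h), "cn_only": cn_only_ok(cert, h)}
            for h in hosts}

if __name__ == "__main__":
    for host, result in audit(CERT, CLIENT_NAMES).items():
        print(f"{host:24} san_first={result['san_first']!s:5} cn_only={result['cn_only']}")
```

Under the SAN-precedence rule the CN-only name "servername.domain.it" is rejected, so a certificate meant for strict clients should repeat the Common Name among the dNSName entries as well.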