Exchange 2010 iOS 13 issues

My domain is: vseal.co.uk

Hi, we are running Exchange 2010 on our box, and recently, when colleagues have replaced phones or reset settings, we cannot get email because of the requirements of iOS 13: the self-signed certificate is not trusted.

I’ve never worked with SSL Certificates or installed them before, could someone please point me in the right direction of how to create/install a certificate from here onto our Exchange Server so our iPhones can retrieve exchange email?

Kindest regards

Craig

Is TLS 1.2 enabled on your server?

Give us the address, so we can test it.

Hi @9peppe thank you for the response.

The address used for connecting email is remote.vseal.co.uk :slight_smile:

Apologies for my utter lack of knowledge in this area. I will learn it, but a lot of the jargon is above me at the moment, so I’m not sure of the correct question to ask.

Hi @insomnius

Start with some basics to learn how Let's Encrypt works.

Then select a client.

This is strange. I don't see a self-signed cert; I see no cert at all.

% openssl s_client -bugs -connect remote.vseal.co.uk:25 -showcerts
CONNECTED(00000003)
140305870451968:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 517 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

and yet:

% nmap -A --script ssl-cert,ssl-enum-ciphers,sslv2 remote.vseal.co.uk -p25
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-19 10:27 CET
Nmap scan report for remote.vseal.co.uk (92.27.107.209)
Host is up (0.062s latency).

PORT   STATE SERVICE VERSION
25/tcp open  smtp    Microsoft Exchange smtpd
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|       Forward Secrecy not supported by any cipher
|       Weak certificate signature: SHA1
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Key exchange (dh 1024) of lower strength than certificate key
|       Weak certificate signature: SHA1
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     cipher preference error: Network error
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Key exchange (dh 1024) of lower strength than certificate key
|       Weak certificate signature: SHA1
|_  least strength: C
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.75 seconds
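An added example, not code from the thread or from nmap: a Python script that parses the ssl-enum-ciphers and sslv2 output above and turns it into plain-language findings, so the scan can be re-run and re-read without decoding it by hand. The scan text embedded in the script is a constructed, abridged copy of the output in this post; the one iOS 13 rule it applies (SHA-2 signature required) is Apple's published requirement, everything else follows nmap's own warnings.

```python
import re

# Constructed, abridged copy of the nmap ssl-enum-ciphers / sslv2 output posted above.
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Weak certificate signature: SHA1
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|       Weak certificate signature: SHA1
|_  least strength: C
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
"""

PROTO_RE = re.compile(r"^(SSLv3|TLSv1\.[0-3]):$")
# name (kx-type [kx-param]) - grade, e.g. "TLS_DHE_... (dh 1024) - A" or "TLS_ECDHE_... (secp256r1) - A"
CIPHER_RE = re.compile(r"^(TLS_\S+) \((\w+)(?: ([^)]+))?\) - ([A-F])$")


def parse_ssl_enum(text):
    """Parse script output into {protocol: {"ciphers": [...], "warnings": [...]}}.
    Each cipher is (name, key-exchange type, key-exchange parameter or None, nmap grade)."""
    parsed, proto, section = {}, None, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()          # drop nmap's "|  " / "|_ " margin
        if line == "SSLv2 supported":               # reported by the separate sslv2 script
            parsed["SSLv2"] = {"ciphers": [], "warnings": []}
            proto = None
            continue
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            parsed[proto] = {"ciphers": [], "warnings": []}
            section = None
            continue
        if line.startswith(("cipher preference", "least strength")):
            section = None                          # key: value lines, not list items
            continue
        if line.endswith(":"):
            section = line[:-1]                     # ciphers: / compressors: / warnings:
            continue
        if proto is None:
            continue
        if section == "ciphers":
            m = CIPHER_RE.match(line)
            if m:
                parsed[proto]["ciphers"].append(m.groups())
        elif section == "warnings":
            parsed[proto]["warnings"].append(line)
    return parsed


def audit(parsed):
    """Return (code, message) findings for the parsed scan."""
    findings = []
    if "SSLv2" in parsed:
        findings.append(("sslv2", "SSLv2 is enabled; disable it"))
    if "SSLv3" in parsed:
        findings.append(("sslv3", "SSLv3 is enabled (POODLE, CVE-2014-3566); disable it"))
    if "TLSv1.2" not in parsed:
        findings.append(("no-tls12", "TLS 1.2 is not offered; modern clients will refuse to connect"))
    ciphers = [c for p in parsed.values() for c in p["ciphers"]]
    weak = sorted({name for name, *_ in ciphers
                   if "RC4" in name or "3DES" in name or name.endswith("_MD5")})
    if weak:
        findings.append(("weak-ciphers", "weak cipher suites offered: " + ", ".join(weak)))
    if any(kx == "dh" and int(param) < 2048 for _, kx, param, _ in ciphers):
        findings.append(("dh-1024", "DHE key exchange uses a DH group below 2048 bits"))
    warnings = {w for p in parsed.values() for w in p["warnings"]}
    if any("SHA1" in w for w in warnings):
        findings.append(("sha1-signature", "certificate is SHA-1 signed; iOS 13 requires a SHA-2 signature"))
    tls12 = parsed.get("TLSv1.2", {"ciphers": []})["ciphers"]
    if tls12 and not any(name.startswith(("TLS_ECDHE_", "TLS_DHE_")) for name, *_ in tls12):
        findings.append(("no-forward-secrecy", "no ECDHE/DHE suites offered on TLS 1.2"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(parse_ssl_enum(SAMPLE_SCAN)):
        print(f"[{code}] {msg}")
```

On the posted scan this reports SSLv2, SSLv3, RC4/3DES/MD5 suites, a 1024-bit DH group and a SHA-1 signed certificate, while TLS 1.2 itself is present. Note that the scan is of port 25 (SMTP); the phones talk to Exchange over HTTPS, so the same `nmap` run should be repeated against port 443 before concluding anything about the certificate the iPhones actually see.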

I’m going to be honest. I haven’t got a clue what any of that means. We have set up self-signed certificates previously by clicking on ‘fix my network’ within the SBS Console, and we have previously been able to get emails from our on-premise Exchange server; just now the certificate is ‘not trusted’ and stops us from going further.

Obviously something isn’t right as, well, you’ve tested it at your end.

How do I start to fix this?

I have no idea. I don’t even know if it is fixable on such old software.

Try searching this community for similar problems: https://community.letsencrypt.org/search?q=exchange%202010

Hi @9peppe

Port 25 requires another command:

-starttls smtp

openssl s_client -connect remote.vseal.co.uk:25 -starttls smtp

shows a self-signed certificate:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
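An added example, not code from the thread, showing what the -starttls smtp option does, step by step, with Python's standard library: speak SMTP in clear text, ask for STARTTLS, then wrap the same socket in TLS and pull the certificate. It also shows why the first openssl run above reported "wrong version number" after reading 5 bytes: with no -starttls, s_client sent its ClientHello and then read the start of the server's plain-text 220 greeting as if it were a TLS record header. The host name defaults to remote.vseal.co.uk from the thread; the banner and EHLO reply embedded for the offline checks are constructed, not captured from that server.

```python
import socket
import ssl

# Constructed SMTP replies for offline checks (not captured from the server in the thread).
BANNER = b"220 mail.example.test ESMTP ready\r\n"
EHLO_REPLY = (b"250-mail.example.test Hello [203.0.113.5]\r\n"
              b"250-SIZE 10485760\r\n"
              b"250-STARTTLS\r\n"
              b"250 OK\r\n")


def as_tls_record_header(first5):
    """Read five bytes the way a TLS client does: (content type, version, length).
    Feed it the first bytes of an SMTP banner and the 'version' comes out as ASCII text,
    which is exactly the 'wrong version number' error openssl printed."""
    return first5[0], int.from_bytes(first5[1:3], "big"), int.from_bytes(first5[3:5], "big")


def parse_reply(data):
    """Parse one complete SMTP reply: '250-...' lines continue it, '250 ...' ends it."""
    code, lines = None, []
    for raw in data.split(b"\r\n"):
        if not raw:
            continue
        text = raw.decode("ascii", "replace")
        code = int(text[:3])
        lines.append(text[4:])
        if len(text) < 4 or text[3] == " ":
            break
    return code, lines


def advertises_starttls(ehlo_lines):
    """True if the EHLO reply lists the STARTTLS extension (RFC 3207)."""
    return any(l.split()[0].upper() == "STARTTLS" for l in ehlo_lines if l.strip())


def read_reply(f):
    """Read lines from a buffered socket file until the reply's final line, then parse it."""
    buf = b""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection mid-reply")
        buf += line
        if len(line) < 4 or line[3:4] != b"-":
            return parse_reply(buf)


def fetch_starttls_cert(host, port=25, timeout=10):
    """Do the SMTP STARTTLS exchange and return (PEM certificate, negotiated TLS version).
    Verification is disabled on purpose: the point is to inspect an untrusted certificate,
    which is what 'openssl s_client -starttls smtp' shows as well."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        code, _ = read_reply(f)                     # 220 greeting, sent in the clear
        if code != 220:
            raise RuntimeError(f"unexpected greeting {code}")
        sock.sendall(b"EHLO probe.example\r\n")     # probe.example is a placeholder client name
        code, caps = read_reply(f)
        if code != 250 or not advertises_starttls(caps):
            raise RuntimeError("server does not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(f)
        if code != 220:
            raise RuntimeError(f"STARTTLS refused with {code}")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:   # TLS starts only now
            pem = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
            version = tls.version()
            tls.sendall(b"QUIT\r\n")
    return pem, version


if __name__ == "__main__":
    import sys
    pem, version = fetch_starttls_cert(sys.argv[1] if len(sys.argv) > 1 else "remote.vseal.co.uk")
    print(version)
    print(pem)
```

Pipe the printed PEM into `openssl x509 -noout -subject -issuer -dates -fingerprint -sha256`: when subject and issuer are identical the certificate is self-signed, which is the situation this thread is about. The same STARTTLS sequence applies to any SMTP listener; for services that run TLS from the first byte (port 443, or SMTPS on 465) no clear-text exchange happens and `openssl s_client` without -starttls is correct.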


Apologies, I’m not being clear. As you have tested there and said there is no certificate, I am wondering how to use Let’s Encrypt to begin making one. Is there a simple-to-follow tutorial guide that can get me on the right track?

I can see that certificate if I use OpenSSL 1.1.1 11 Sep 2018; with OpenSSL 1.1.1d 10 Sep 2019 on another machine I still see nothing. Protocol/cipher support, maybe?

@insomnius I know exactly nothing about windows servers, sorry.

@JuergenAuer Thanks for the second look. I knew I had gone through the process per other instructions previously; it’s just not good enough, and recently I’ve got a fail on another test for compliance.

This is new to me.

I am going through the process via CertifyTheWeb and while the Test is passing with the challenge working, Requesting a certificate fails due to a time-out…

Any pointers are welcome!
