Hi, we are running Exchange 2010 on our box and recently, when colleagues have replaced phones or reset settings, we cannot get email because the self-signed certificate is not trusted under the requirements of iOS 13.
I’ve never worked with SSL Certificates or installed them before, could someone please point me in the right direction of how to create/install a certificate from here onto our Exchange Server so our iPhones can retrieve exchange email?
Apologies for my utter lack of knowledge in this area. I will learn it, but a lot of the jargon is above me at the moment, so I’m not sure of the correct question to ask.
This is strange. I don't see a self-signed cert, I see no cert at all.
% openssl s_client -bugs -connect remote.vseal.co.uk:25 -showcerts
CONNECTED(00000003)
140305870451968:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 517 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
and yet:
% nmap -A --script ssl-cert,ssl-enum-ciphers,sslv2 remote.vseal.co.uk -p25
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-19 10:27 CET
Nmap scan report for remote.vseal.co.uk (92.27.107.209)
Host is up (0.062s latency).
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft Exchange smtpd
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|       Forward Secrecy not supported by any cipher
|       Weak certificate signature: SHA1
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Key exchange (dh 1024) of lower strength than certificate key
|       Weak certificate signature: SHA1
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     cipher preference error: Network error
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Key exchange (dh 1024) of lower strength than certificate key
|       Weak certificate signature: SHA1
|_  least strength: C
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.75 seconds
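As an added example (not the poster's or the tester's code), the Python script below does what an email client does on port 25: it opens the SMTP session in cleartext and upgrades it with STARTTLS, which is the step a plain `openssl s_client -connect host:25` skips (SMTP on port 25 starts with a cleartext banner, so a direct TLS handshake fails with "wrong version number"). It then checks the certificate it receives against Apple's published iOS 13 trust requirements: a SHA-2 signature (the nmap warning "Weak certificate signature: SHA1" above is exactly what fails this), an RSA key of at least 2048 bits, a subjectAltName, and, for certificates issued on or after 1 July 2019, a validity period of at most 825 days and an extendedKeyUsage of serverAuth. The rule checks use only the standard library; parsing a live certificate assumes the `cryptography` package is installed. The host name is a placeholder and the two sample certificates are constructed facts, not data from this thread.

```python
"""Check an SMTP server's certificate against Apple's iOS 13 trust rules.

Added example for this thread; not the poster's or the tester's code.
Assumes the `cryptography` package only for parsing a live certificate.
"""
import smtplib
import ssl
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Apple's "Requirements for trusted certificates in iOS 13 and macOS 10.15"
IOS13_MAX_VALIDITY_DAYS = 825
IOS13_CUTOFF = datetime(2019, 7, 1, tzinfo=timezone.utc)  # rules below apply to certs issued on/after this
IOS13_MIN_RSA_BITS = 2048
IOS13_ALLOWED_HASHES = {"sha256", "sha384", "sha512"}


@dataclass
class CertFacts:
    hash_algorithm: str      # signature hash, e.g. "sha1" or "sha256"
    key_type: str            # "rsa" or "ec"
    key_bits: int
    not_before: datetime
    not_after: datetime
    has_san: bool            # subjectAltName extension present
    has_server_auth_eku: bool


def evaluate_ios13(facts: CertFacts) -> List[str]:
    """Return the reasons iOS 13 would refuse to trust this certificate (empty list == passes)."""
    problems = []
    if facts.hash_algorithm.lower() not in IOS13_ALLOWED_HASHES:
        problems.append(f"signature hash {facts.hash_algorithm} is not SHA-2")
    if facts.key_type == "rsa" and facts.key_bits < IOS13_MIN_RSA_BITS:
        problems.append(f"RSA key is {facts.key_bits} bits, need at least {IOS13_MIN_RSA_BITS}")
    if not facts.has_san:
        problems.append("no subjectAltName extension (the CN alone is not used for host name matching)")
    if facts.not_before >= IOS13_CUTOFF:  # stricter rules only for certificates issued after the cutoff
        lifetime_days = (facts.not_after - facts.not_before).days
        if lifetime_days > IOS13_MAX_VALIDITY_DAYS:
            problems.append(f"validity of {lifetime_days} days exceeds {IOS13_MAX_VALIDITY_DAYS}")
        if not facts.has_server_auth_eku:
            problems.append("no extendedKeyUsage serverAuth")
    return problems


def fetch_smtp_cert_der(host: str, port: int = 25) -> bytes:
    """EHLO, then STARTTLS, then return the raw DER certificate the server presented.
    Verification is disabled on purpose: we want to inspect a certificate that
    clients may not trust yet, not to rely on it for anything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)


def facts_from_der(der: bytes) -> CertFacts:
    """Extract the fields the rules need; requires the `cryptography` package (assumed)."""
    from cryptography import x509
    from cryptography.hazmat.primitives.asymmetric import rsa
    cert = x509.load_der_x509_certificate(der)
    try:
        cert.extensions.get_extension_for_oid(x509.ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        has_san = True
    except x509.ExtensionNotFound:
        has_san = False
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        has_server_auth = x509.ExtendedKeyUsageOID.SERVER_AUTH in eku
    except x509.ExtensionNotFound:
        has_server_auth = False
    key = cert.public_key()
    return CertFacts(
        hash_algorithm=cert.signature_hash_algorithm.name if cert.signature_hash_algorithm else "unknown",
        key_type="rsa" if isinstance(key, rsa.RSAPublicKey) else "ec",
        key_bits=key.key_size,
        not_before=cert.not_valid_before.replace(tzinfo=timezone.utc),
        not_after=cert.not_valid_after.replace(tzinfo=timezone.utc),
        has_san=has_san,
        has_server_auth_eku=has_server_auth,
    )


def sample_self_signed() -> CertFacts:
    """Constructed facts typical of an old wizard-generated self-signed certificate."""
    return CertFacts("sha1", "rsa", 2048, datetime(2020, 1, 15, tzinfo=timezone.utc),
                     datetime(2030, 1, 15, tzinfo=timezone.utc), has_san=False, has_server_auth_eku=False)


def sample_compliant() -> CertFacts:
    """Constructed facts resembling a 90-day publicly issued certificate."""
    return CertFacts("sha256", "rsa", 2048, datetime(2020, 3, 1, tzinfo=timezone.utc),
                     datetime(2020, 5, 30, tzinfo=timezone.utc), has_san=True, has_server_auth_eku=True)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"  # placeholder host
    facts = facts_from_der(fetch_smtp_cert_der(host))
    for problem in evaluate_ios13(facts) or ["certificate meets the iOS 13 requirements"]:
        print(problem)
```

Run it as `python check_ios13.py remote.example.invalid` against your own server. Every line it prints is something to fix on the server side; the usual answer for an Exchange server facing the public internet is a certificate from a public CA with the mail host name in its subjectAltName, which is what the Let's Encrypt question later in this thread is about.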
I’m going to be honest. I haven’t got a clue what any of that means. We have set up self-signed certificates previously by clicking on ‘fix my network’ within the SBS Console, and we have previously been able to get emails from our on-premises Exchange server; just now the certificate is ‘not trusted’ and stops us from going further.
Obviously something isn’t right as, well, you’ve tested it at your end.
Apologies, I’m not being clear. As you have tested there and said there is no certificate, I am wondering how to use Let’s Encrypt to begin making one. Is there a simple-to-follow tutorial guide that can get me on the right track?
I can see that certificate if I use OpenSSL 1.1.1 11 Sep 2018; with OpenSSL 1.1.1d 10 Sep 2019 on another machine I still see nothing. Protocol/cipher support, maybe?
@insomnius I know exactly nothing about windows servers, sorry.
@JuergenAuer Thanks for the second look. I knew I had gone through the process per other instructions previously; it’s just not good enough, and recently I’ve got a fail on another test for compliance.
This is new to me.
I am going through the process via CertifyTheWeb and while the Test is passing with the challenge working, Requesting a certificate fails due to a time-out…