DOCUMENT:Q198564 16-APR-1999 [exchange] TITLE :Internet Security for POP3, IMAP4, LDAP, SMTP, & NNTP PRODUCT :Microsoft Exchange PROD/VER:winnt:5.0,5.5 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Exchange Server, versions 5.0, 5.5 ------------------------------------------------------------------------------- SYMPTOMS ======== When you try to make a Secure Socket Layer (SSL) connection to an Exchange Server 5.0 or 5.5 computer through POP3, IMAP4, LDAP, SMTP, or NNTP, the following pop-up error message may be displayed on the mail client: The server you are connected to is using a security certificate that does not match its Internet address, do you want to continue using this server? YES or NO CAUSE ===== The client verifies that the server certificate is from a certifying authority and then uses the certificate to send a message to authenticate the server (to verify it is who it claims to be). If the server does not pass the authentication process, the client will typically inform the user the server is not who it claims to be. WORKAROUND ========== To work around this problem, perform the following steps: 1. Check the Internet Mail Server name within the Internet Mail properties of the mail client. 2. Check this name against the mail servers host name that is registered on the Internet. 3. After these two names have been verified and are consistent, type the Key Manager applet on the Exchange server, and then select the certificate assigned to the protocol being used. Notice the Common Name that has been assigned on the right panel. This name MUST match its host name, which in turn, will match its registered name on the Internet and the Internet Mail Server name defined within the mail client's profile. If the two names do not match, then perform the following steps: 1. Start the Key Manager applet. 2. Select the appropriate protocol. 3. Delete the previous certificate. 4. Right-click on protocol, and then click Create New Key. 5. Follow all the menus making certain that the Common Name is consistent between its registered name, host name, and the name being referenced within the mail client, (that is, mail.microsoft.com). 6. After you complete the previous step, select Default as the Server Connection. 7. Select Computers in the upper left-hand corner and Commit Changes Now. MORE INFORMATION ================ When generating a certificate, the user must define a Common Name, which is the fully qualified domain name used for DNS lookups of the server (such as mail1.microsoft.com). This information is used by mail clients to identify an e-mail domain. If you change this name within a DNS server, then a new certificate must be created. For more information on protocol authentication, please see the following Microsoft Knowledge Base article: Q175440 XFOR: Protocol Authentication on Exchange Server ====================================================================== Keywords : Technology : kbExchangeSearch kbExchange500 kbExchange550 kbZNotKeyword2 Version : winnt:5.0,5.5 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 1999.