Changes

From SME Server
Line 40: Line 40:  
===Make sure the Fully Qualified Server Name is used===
 
===Make sure the Fully Qualified Server Name is used===
   −
This is necessary because the SME Server's self-issued security certificate uses this name. Servers described by IP addresses will cause Outlook to require that the certificate be accepted again every time the program is restarted and will play havoc with automatic email use.  
+
Make sure you change the Common Name setting for the Certificate (as detailed above). This is necessary so that the SME Server's self-signed security certificate uses a name that is legitimate for both internal clients & external clients (LAN & WAN). Servers described by IP addresses will cause Outlook to require that the certificate be accepted again every time the program is restarted and will play havoc with automatic email use. The FQDN should be the publicly accessible domain name for your server eg www.domain.com.
    
Click ''''File'''' then ''''Account Settings'''' and then the drop-down ''''Account Settings'''' button.
 
Click ''''File'''' then ''''Account Settings'''' and then the drop-down ''''Account Settings'''' button.
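Review bot: the rewritten paragraph says the Common Name must be "legitimate for both internal clients & external clients" but never states the actual rule: the name in the certificate must be exactly the name entered as the incoming and outgoing server in Outlook, and that name must resolve to the server from both the LAN and the WAN. Without that sentence the reader does not learn why an IP address, or a name that only resolves externally, triggers the repeated certificate prompt. Suggest adding it directly after "Make sure you change the Common Name setting for the Certificate (as detailed above)."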
Line 48: Line 48:  
[[File:Account Settings.jpg]]
 
[[File:Account Settings.jpg]]
   −
In the first page of the dialogue that results, make sure that both incoming and outgoing servers are entered as the fully qualified name of your server. This will take the form - ''''server_machine_name.domain_name.com'''' [ or .co.uk, .org etc.] and will be as shown in the top left hand corner of the Server Manager screen with the username ''''admin'''' in front. Use the part after ''''admin@'''' - In my case this is ''''mini-itx.theformsonline.com,'''' as shown below.
+
In the first page of the dialogue that results, make sure that both incoming and outgoing servers are entered as the fully qualified name of your server. Recommended good practice is to use the form - ''''www.mymaindomainname.com'''' [ or .co.uk, .org etc.] and will be as shown in the Server Manager Review Configuration screen, towards the bottom of server manager. It is no longer recommended to use servername.domain.com, as that causes problems on clients used externally, whereas www.domain.com will work satisfactorily in all cases.
 
   
 
   
   −
[[File:Server Name.jpg]]
     −
 
+
The Change Account dialogue is shown below with the fully qualified server name in both incoming and outgoing server settings. The Incoming & Outgoing server settings shown in the following screen image, should be changed to www.theformsonline.com. When a new image is available this document will be updated.
The Change Account dialogue is shown below with the fully qualified server name in both incoming and outgoing server settings.
      
[[File:Change Account.jpg]]
 
[[File:Change Account.jpg]]
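Review bot: "It is no longer recommended to use servername.domain.com, as that causes problems on clients used externally" gives no reason. The constraint is that a host name such as servername.domain.com usually has no public DNS record, so an external client cannot reach the server by the name in the certificate; www.domain.com "will work satisfactorily in all cases" only if LAN clients resolve that name to the server's LAN address and WAN clients to its public address. Suggest stating that condition, since a site without split DNS will not get the promised result. Separately, "should be changed to www.theformsonline.com. When a new image is available this document will be updated." is an author TODO in reader-facing text; a wiki comment or the talk page is the better place for it.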
Line 66: Line 64:  
[[File:Outgoing Server.jpg]]
 
[[File:Outgoing Server.jpg]]
   −
Now click the Advanced tab and change the settings for the Outgoing Server to those shown below - ie. Port 25 and Auto encryption - and save the settings with ''''OK,'''' ''''Next,'''' ''''Finish'''' and ''''Close.'''' Then shut Outlook down.
+
Current recommended good practice is to use secure connections eg typically on port 465 (secure SMTP), port 993 (secure IMAP) & port 995 (secure POP), although some situations & protocols require different ports eg 587. Current recommended good practice is to configure email clients to use secure SMTP & secure IMAP, so that users can access their mail from any device (mobile phone, tablet, notebook, desktop etc), anywhere (LAN or WAN), & all changes made on one device will update the mail server, so when using another device the same changes are seen. Use of the POP mail protocol has severely declined with the advent of mobile devices.
 +
 
 +
Now click the Advanced tab and change the settings for the Outgoing Server to those shown below - ie Incoming server (POP3) Port 995, Outgoing server Port 465, & if IMAP is being used Incoming server (IMAPS) Port 993, and Auto encryption - and save the settings with ''''OK,'''' ''''Next,'''' ''''Finish'''' and ''''Close.'''' Then shut Outlook down. When a new screen image is available this document will be updated.
       
[[File:Advanced.jpg]]
 
[[File:Advanced.jpg]]
      
===Encryption Settings in Older versions of Outlook===
 
===Encryption Settings in Older versions of Outlook===
   −
Versions of Microsoft Outlook from 2003 and earlier do not have the multiple-choice dropdown for encryption type; instead they have a single tick-box labelled ''''This server requires a secure connection (SSL),'''' Put a tick in the box, as shown below, and it will work perfectly.
+
Versions of Microsoft Outlook from 2003 and earlier do not have the multiple-choice dropdown for encryption type; instead they have a single tick-box labelled ''''This server requires a secure connection (SSL),'''' Put a tick in the box, as shown below, and it will work perfectly. The following screen image is to be updated to show secure ports, when a new image is available.
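Review bot: in the rewritten Advanced-tab step, "Auto encryption" should not be paired with the implicit-TLS ports 465, 993 and 995. Auto leaves the choice of encryption to the client, so a failed TLS negotiation can end in a plaintext connection on a port the user believes is secure. Suggest "SSL/TLS" (labelled "SSL" in older Outlook versions) for 465, 993 and 995, and STARTTLS/TLS only where the article mentions 587. The sentence also opens with "change the settings for the Outgoing Server" and then lists incoming-server ports; "Incoming and Outgoing Server settings" would match the list that follows. The older-Outlook paragraph ("single tick-box ... SSL") is consistent with this, since that tick-box is the explicit SSL setting.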
      Line 84: Line 83:  
==A Question of Security==
 
==A Question of Security==
 
===What to do about your Security Certificate===
 
===What to do about your Security Certificate===
 +
 +
A workaround to enter the self signed security certifcate onto your client, is to open a browser, in this case as the email client Outlook is a Microsoft product, then open Microsoft Internet Explorer (or equivalent MS browser) & go to https://www.yourmaindomainname.com & accept the certificate for the first time. The certificate is entered into the trusted store & during further use you will not be challenged for an untrusted certificate. There are a lot of changes currently happening with Microsoft operating systems etc, & browsers are changing, so this workaround may no longer apply on newer systems. Obviously when using other mail clients eg Thunderbird, then follow appropriate instructions.
 +
 +
For Outlook, use the following instructions where necessary.
    
The next time you start Outlook, compose a new email and run 'Send and Receive,' Outlook will ask you whether you are happy to use the server: the dialogue is shown below...
 
The next time you start Outlook, compose a new email and run 'Send and Receive,' Outlook will ask you whether you are happy to use the server: the dialogue is shown below...
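Review bot: the new workaround paragraph claims that accepting the certificate once in Internet Explorer means "The certificate is entered into the trusted store". Clicking through the browser warning installs nothing; it suppresses the warning for that browsing session, which is why the Windows 10 section added later in this same edit says, correctly, that the certificate must be installed explicitly into Trusted Root Certification Authorities. Suggest either dropping this paragraph or rewording it to point at the View Certificate / Install Certificate steps described below. Minor: "certifcate" is misspelled.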
Line 90: Line 93:       −
Click ''''View Certificate'''' and a Window like this will appear...
+
Click ''''View Certificate'''' and a Window like this will appear... Note that the screen image to be updated, should show www.theformsonline.com
    
[[File:Cert.jpg]]
 
[[File:Cert.jpg]]
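Review bot: "Note that the screen image to be updated, should show www.theformsonline.com" is an author TODO embedded in the instructions (it recurs at the "Click Finish" step below). A reader cannot tell whether the image or the note is authoritative; suggest moving the TODO to the talk page or a wiki comment until the image is replaced.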
Line 115: Line 118:       −
Click ''''Finish'''' to go to this result...
+
Click ''''Finish'''' to go to this result... Note that the screen image to be updated, should show www.theformsonline.com
      Line 134: Line 137:  
===Older versions of Outlook and Certificates===
 
===Older versions of Outlook and Certificates===
   −
Older versions of Microsoft Outlook - 2003 and earlier - do not have the ability to install certificates, so you will only see a ''''Do you want to use this server'''' query and would have to answer it every time you try to send email after restarting the program. To get round this you need to install the certificate directly into Internet Explorer because it is the certificate routine from IE that is used by Outlook. To do this: open Internet Explorer and type in the URL for your server manager - http://fully_qualified_server_name/server-manager [in my case http://mini-itx.theformsonline.com/server-manager]. This will give a security challenge screen...
+
Older versions of Microsoft Outlook - 2003 and earlier - do not have the ability to install certificates, so you will only see a ''''Do you want to use this server'''' query and would have to answer it every time you try to send email after restarting the program. To get round this you need to install the certificate directly into Internet Explorer because it is the certificate routine from IE that is used by Outlook. To do this: open Internet Explorer and type in the URL for your server manager - https://www.mymaindomainname.com/server-manager [in this case https://www.theformsonline.com/server-manager]. This will give a security challenge screen...
      Line 148: Line 151:  
Click it and you will see a very similar certificate installation routine to the one described in '''Section 6.1,''' ''''What to do about your Security Certificate,''''
 
Click it and you will see a very similar certificate installation routine to the one described in '''Section 6.1,''' ''''What to do about your Security Certificate,''''
 
above - the dialogues look a little different but they follow exactly the same sequence.
 
above - the dialogues look a little different but they follow exactly the same sequence.
 +
 +
===Windows 10 and Self-Signed Certificates===
 +
 +
Windows 10 Mail gives this error connecting to a SME server using a self-signed certificate:
 +
 +
Security Certificate on the server is not valid. Error 0x80072F0D
 +
 +
Additionaly, Internet Explorer, Edge, and Chrome will require users to bypass a security warning every time they browse to your server.
 +
 +
To eliminate these errors you must install your server's certificate into each workstation's 'Trusted Root Certification Authorities' certificate store.  Even then, users will continue to receive security warnings if they access your server using a name or address that differs from the CommonName used in the certificate itself.
 +
 +
To install a certificate in Windows 10:
 +
 +
====Start the Certificate Import Wizard====
 +
* Open Internet Explorer (Edge does not offer the option to install certificates)
 +
* Browse to any secure url on your SME server - eg <nowiki>https://your.smeserver.tld/webmail</nowiki>
 +
* Select '''Continue to this website (not recommended)'''
 +
* Click on '''Certificate error''' in the Internet Explorer address bar and select 'View certificates'
 +
* Click '''Install Certificate'''
 +
 +
 +
'''IMPORTANT''': <br>
 +
''My stand-alone Windows 10 workstation required the extra steps below.  My domain-connected Windows 10 workstation did not.''
 +
 +
If '''Install Certificate''' is not available, close Internet Explorer and restart the process using '''Run as administrator'''
 +
* Click the Windows Button
 +
* Type '''iexplore''' (don't press enter!)
 +
* Right-click on '''Internet Explorer''' in the search results and select '''Run as administrator'''
 +
 +
====Certificate Import Wizard====
 +
** Select '''Local Machine''' (the default is "Current User") and click '''Next'''
 +
** Select '''Place all certificates in the following store''' (the default is "Automatically select...")
 +
** Click '''Browse''' and select '''Trusted Root Certification Authorities'''
 +
** Click '''Next'''
 +
** Click '''Finish'''
 +
** You will get a Security Warning saying "Windows cannot validate that the certificate is actually from...".  Click '''Yes'''
 +
** You should get a message saying "The import was successful".  Click '''OK'''
 +
** Click '''OK''' to close the Certificate window.
 +
 +
====Certificate name mis-match====
 +
 +
If the server name stored in your certificate (self-signed or otherwise) does not match the name or IP address that your device uses to access the server, you will still get certificate name mis-match errors.
 +
 +
Edge & Internet Explorer will allow users to access the site, but will display a red "Certificate error" message.  Chrome will still require users to click "Advanced", and "Proceed to ... (unsafe)"
 +
 +
Email clients usually require an extra confirmation that it's OK to use the mis-matched certificate:
 +
* Windows 10 Mail
 +
** Click on the error icon (a triangle with an exclamation mark) next to your account name
 +
** Select '''Proceed'''
 +
* Outlook
 +
** Untested. 
 +
** Former Windows/Outlook combinations required you to accept the certificate mis-match every time outlook starts.
 +
 +
====Testing====
 +
If you have successfully imported your certificate and if the the CommonName of your certificate matches the hostname you are using to access your server, users should get a secure connection indicator from software that uses the Windows certificate store:
 +
* Microsoft Internet Explorer: grey padlock at the right of the address bar
 +
* Microsoft Edge: padlock at the left of the address bar
 +
* Chrome: Green padlock + green "https:" at the left of the address bar
 +
* Windows 10 Mail: no error messages
 +
* Windows 10 / Outlook 2010: no warnings or errors
 +
 +
(Firefox uses its own certificate store, and won't accept your certificate until you have added it there, too.)
    
==Other Domains==
 
==Other Domains==
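Review bot: the import-wizard step 'You will get a Security Warning saying "Windows cannot validate that the certificate is actually from...". Click Yes' has the user add a trust root with no verification, and this is the one moment where a man-in-the-middle on the bootstrap connection obtains permanent trust on the workstation. Suggest inserting a step before "Click Yes": compare the thumbprint shown in the warning with the fingerprint of the certificate obtained directly on the server (openssl x509 -noout -fingerprint against the server's certificate file) and stop if they differ. Three related points for the same section: importing into Local Machine / Trusted Root Certification Authorities trusts the certificate for every user and application on the machine, so Current User is the safer choice on a single-user workstation and needs no administrator rights, which also removes the "Run as administrator" detour; when the server regenerates its self-signed certificate (Common Name change, expiry) each workstation must import the new one and the superseded entry should be deleted from the store; and Chrome since version 58 ignores the CommonName and matches only the Subject Alternative Name, so the Testing section's "green padlock" expectation holds only if the SME certificate also carries the host name as a SAN.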
Line 178: Line 243:     
Setting up IMAP accounts in Thunderbird works satisfactorily (as of December 2013), using the following generic procedure:
 
Setting up IMAP accounts in Thunderbird works satisfactorily (as of December 2013), using the following generic procedure:
 +
 +
Configure SME server CommonName setting for Certificate in the form of www.mymaindomainname.com
    
Use manual setup (instead of automatic)
 
Use manual setup (instead of automatic)
Line 187: Line 254:  
Specify authentication method = Normal Password
 
Specify authentication method = Normal Password
   −
At some point accept the server's self-signed certificate.
+
At some point accept the server's self-signed certificate. Make sure you previously configured the CommonName setting for the certificate, see the section "Configure Common Name for self signed Certificate" at start of this article.
       
[[Category:Howto]]
 
[[Category:Howto]]
 
[[Category:Administration]]
 
[[Category:Administration]]
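Review bot: "Specify authentication method = Normal Password" is only acceptable together with Connection security set to SSL/TLS (or STARTTLS); with connection security "None" the password crosses the network in clear. Since this edit moves the article to ports 465, 993 and 995, suggest adding the Connection security line to the Thunderbird procedure explicitly rather than leaving it implied. Also the new cross-reference 'see the section "Configure Common Name for self signed Certificate" at start of this article' should use that section's exact heading or a wiki link, as the heading itself is not visible in this change and a mismatch leaves the reader searching.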
