Changes

From SME Server
Line 151: Line 151:  
Click it and you will see a very similar certificate installation routine to the one described in '''Section 6.1,''' ''''What to do about your Security Certificate,''''
 
Click it and you will see a very similar certificate installation routine to the one described in '''Section 6.1,''' ''''What to do about your Security Certificate,''''
 
above - the dialogues look a little different but they follow exactly the same sequence.
 
above - the dialogues look a little different but they follow exactly the same sequence.
 +
 +
===Windows 10 and Self-Signed Certificates===
 +
 +
Windows 10 Mail gives this error connecting to a SME server using a self-signed certificate:
 +
 +
Security Certificate on the server is not valid. Error 0x80072F0D
 +
 +
Additionaly, Internet Explorer, Edge, and Chrome will require users to bypass a security warning every time they browse to your server.
 +
 +
To eliminate these errors you must install your server's certificate into each workstation's 'Trusted Root Certification Authorities' certificate store.  Even then, users will continue to receive security warnings if they access your server using a name or address that differs from the CommonName used in the certificate itself.
 +
 +
To install a certificate in Windows 10:
 +
 +
====Start the Certificate Import Wizard====
 +
* Open Internet Explorer (Edge does not offer the option to install certificates)
 +
* Browse to any secure url on your SME server - eg <nowiki>https://your.smeserver.tld/webmail</nowiki>
 +
* Select '''Continue to this website (not recommended)'''
 +
* Click on '''Certificate error''' in the Internet Explorer address bar and select 'View certificates'
 +
* Click '''Install Certificate'''
 +
 +
 +
'''IMPORTANT''': <br>
 +
''My stand-alone Windows 10 workstation required the extra steps below.  My domain-connected Windows 10 workstation did not.''
 +
 +
If '''Install Certificate''' is not available, close Internet Explorer and restart the process using '''Run as administrator'''
 +
* Click the Windows Button
 +
* Type '''iexplore''' (don't press enter!)
 +
* Right-click on '''Internet Explorer''' in the search results and select '''Run as administrator'''
 +
 +
====Certificate Import Wizard====
 +
** Select '''Local Machine''' (the default is "Current User") and click '''Next'''
 +
** Select '''Place all certificates in the following store''' (the default is "Automatically select...")
 +
** Click '''Browse''' and select '''Trusted Root Certification Authorities'''
 +
** Click '''Next'''
 +
** Click '''Finish'''
 +
** You will get a Security Warning saying "Windows cannot validate that the certificate is actually from...".  Click '''Yes'''
 +
** You should get a message saying "The import was successful".  Click '''OK'''
 +
** Click '''OK''' to close the Certificate window.
 +
 +
====Certificate name mis-match====
 +
 +
If the server name stored in your certificate (self-signed or otherwise) does not match the name or IP address that your device uses to access the server, you will still get certificate name mis-match errors.
 +
 +
Edge & Internet Explorer will allow users to access the site, but will display a red "Certificate error" message.  Chrome will still require users to click "Advanced", and "Proceed to ... (unsafe)"
 +
 +
Email clients usually require an extra confirmation that it's OK to use the mis-matched certificate:
 +
* Windows 10 Mail
 +
** Click on the error icon (a triangle with an exclamation mark) next to your account name
 +
** Select '''Proceed'''
 +
* Outlook
 +
** Untested. 
 +
** Former Windows/Outlook combinations required you to accept the certificate mis-match every time outlook starts.
 +
 +
====Testing====
 +
If you have successfully imported your certificate and if the the CommonName of your certificate matches the hostname you are using to access your server, users should get a secure connection indicator from software that uses the Windows certificate store:
 +
* Microsoft Internet Explorer: grey padlock at the right of the address bar
 +
* Microsoft Edge: padlock at the left of the address bar
 +
* Chrome: Green padlock + green "https:" at the left of the address bar
 +
* Windows 10 Mail: no error messages
 +
* Windows 10 / Outlook 2010: no warnings or errors
 +
 +
(Firefox uses its own certificate store, and won't accept your certificate until you have added it there, too.)
    
==Other Domains==
 
==Other Domains==
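
Review bot: In the "Certificate Import Wizard" steps, the instruction to click '''Yes''' on the "Windows cannot validate that the certificate is actually from..." warning has no verification step. The certificate being installed is the one presented after "Continue to this website (not recommended)", so the workstation ends up trusting, as a Local Machine root, whatever that session served. Add a step before '''Yes''' asking the user to compare the thumbprint shown in the warning with the fingerprint of the certificate read on the server itself or supplied by the administrator. Smaller points: the wizard steps use second-level "**" bullets with no parent "*" item, "Additionaly" should be "Additionally", "if the the CommonName" under Testing has a doubled word, and "mis-match" and "CommonName" / "server name stored in your certificate" should be spelled and named consistently across the new section.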
Line 181: Line 243:     
Setting up IMAP accounts in Thunderbird works satisfactorily (as of December 2013), using the following generic procedure:
 
Setting up IMAP accounts in Thunderbird works satisfactorily (as of December 2013), using the following generic procedure:
 +
 +
Configure SME server CommonName setting for Certificate in the form of www.mymaindomainname.com
    
Use manual setup (instead of automatic)
 
Use manual setup (instead of automatic)
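
Review bot: The added step "Configure SME server CommonName setting for Certificate in the form of www.mymaindomainname.com" does not say where this is configured, and the www. form only avoids warnings if that is also the server name entered in Thunderbird. The Windows 10 section added in the same change states that a name differing from the CommonName still produces mismatch errors, so word this as "set the CommonName to the hostname the mail client will use as its server name" and link to the section that explains how to set it. It would also read better as a list item matching the steps that follow it.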
Line 190: Line 254:  
Specify authentication method = Normal Password
 
Specify authentication method = Normal Password
   −
At some point accept the server's self-signed certificate.
+
At some point accept the server's self-signed certificate. Make sure you previously configured the CommonName setting for the certificate, see the section "Configure Common Name for self signed Certificate" at start of this article.
       
[[Category:Howto]]
 
[[Category:Howto]]
 
[[Category:Administration]]
 
[[Category:Administration]]
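
Review bot: The added sentence refers to the section "Configure Common Name for self signed Certificate" by quoted title only, and that heading is not part of this change, so the reference cannot be checked here and will break silently if the heading is renamed. Use an internal section link instead of the quoted title and confirm the heading text matches exactly. The sentence also joins two clauses with a comma ("...for the certificate, see the section...") and repeats the CommonName step added at the top of this procedure; keep the instruction in one place and have the other point to it. "At some point accept the server's self-signed certificate" would be more useful if it said which prompt to expect and that the certificate shown should be the server's own.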
