IMAP access using MS Outlook 2016

NethServer Version: 7.9.2009
Module: email

Hello all,

I am trying to set up an IMAP connection using MS Outlook from several remote sites to a central nethserver. It works except for one thing:

Outlook shows the message “target principal name is incorrect”. I can see the self-signed certificate from the Nethserver, can install it, but it does not help. I always have to confirm twice by clicking on “Yes” to finally get the connection from Outlook to nethserver.

Solution 2 that I tried: set up a record in the hosts file on the client:
hostname.domain.tld
The hostname is exactly the name on the certificate from Nethserver. I can use the FQDN hostname in the Outlook settings to access the mailbox, but the message still appears.
Does not work either.

Solution 3 that I tried: found a registry entry called “SuppressNameChecks”, but that is only for the certificate checking of incoming signed or encrypted e-mail.

Solution 4: Use Thunderbird. That one works fine, I can add an exception and that’s it… the problem is: the customer doesn’t want that. :wink:

Does anyone have a real solution? How can I configure the client with MS Outlook, so that the message does not appear any more?

Thanks in advance and best regards,

Frank
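
Added example, not part of the thread: a TLS client checks the name in the certificate and the trust of its issuer separately, and this Python code applies both checks to certificate data in the dict shape returned by `ssl.SSLSocket.getpeercert()`. The certificates and host names are constructed placeholders, and the function names are hypothetical.

```python
# Added example: inputs use the dict shape returned by ssl.SSLSocket.getpeercert().

def _label_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may only stand for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_names(cert: dict) -> list:
    """dNSName SAN entries; fall back to the subject CN only when no SAN exists."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def diagnose(cert: dict, configured_host: str) -> dict:
    """Report name match and self-issuance for the host typed into the mail client."""
    names = cert_names(cert)
    return {
        "name_matches": any(_label_match(n, configured_host) for n in names),
        # issuer == subject is what a self-signed certificate looks like
        "self_issued": cert.get("issuer") == cert.get("subject"),
        "names_in_cert": names,
    }


# Constructed sample certificates (hypothetical names, not from the thread).
SELF_SIGNED = {
    "subject": ((("commonName", "mail.example.test"),),),
    "issuer": ((("commonName", "mail.example.test"),),),
    "subjectAltName": (("DNS", "mail.example.test"),),
}
CA_ISSUED = {
    "subject": ((("commonName", "mail.example.test"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "subjectAltName": (("DNS", "mail.example.test"), ("DNS", "*.example.test")),
}

if __name__ == "__main__":
    for cert, host in [(SELF_SIGNED, "mail.example.test"), (SELF_SIGNED, "192.0.2.10"),
                       (CA_ISSUED, "imap.example.test")]:
        print(host, diagnose(cert, host))
```

A result with `name_matches` true and `self_issued` true means the configured server name is fine and the remaining warning is about trust, which a certificate from a CA the client already trusts resolves.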

Can’t you assign a let’s encrypt certificate to your Nethserver?
If you have a static public ip and ports 80 and 443 of the Nethserver which are reachable from the internet, you can run the appropriate wizard on the certificates page.

This sounds like your problem–why aren’t you using a trusted certificate?

It did not work to use Let’s Encrypt… but the problem was in your reply, thank you very much. For my Nethserver, only the port 443 was reachable… port 80 was still forwarded to the old machine… now I changed port forwarding for port 80 on the router to the new Nethserver and that was it… I now have a Let’s Encrypt certificate and it seems to work.

Thank you very much, that was really helpful!!!

Thanks and best regards,

Frank

Good question :wink: I thought it should also work with a self-signed certificate… but now it works.

Thank you, too, for your answer.

Self-signed certificates have gotten harder and harder to work with over the years, in that many applications have just refused to trust them, or have made it unnecessarily difficult. A better way to go is to set up a local CA (e.g., https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/), and then trust that CA’s certificate. But better yet (and all but mandatory if you’re going to have external users) is to just get a trusted certificate. For machines that you don’t want to be accessible from the outside world, you can use DNS validation; I have a couple of articles in the wiki about that.

Hello Dan, that sounds good, I’ll check the wiki, really helpful!

Thank you!