SSL Certificate for webmail access

[waterman34]

Hi

We'v have a customer who is increasingly not able to access her webmail from internet cafes/work etc due to the problems with the built-in ssl certificate, internet explorer for example brings this up:

There is a problem with this website's security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website has expired or is not yet valid.
The security certificate presented by this website was issued for a different website's address.

What options have we got around this? neither the ip address to the webmail or sub-domain of http://webmail.domain.com works so I'm trying to find a solution around it, any ideas?

[Code Crafters]

The certificate should have the same common name as the domain you access from to work. However, you should note that this is a self-signed certificate which means that it must be installed on the remote client computer to be trusted by the browser. Obviously, with Internet cafes etc. this isn't possible but usually you can simply choose to continue anyway ignoring the warning since you know it is secure.

The only way for a certificate to be trusted from any location is for you to purchase a certificate signed by a trusted Certifcate Authority (CA) such as Verisign or Thwaite. The certificate must be an RSA MD5 encrypted certificate / key pair.

[waterman34]

So if I got a certificate bought and issued for say http://webmail.domain.com, it would work okay?

Im confused how this would all be setup in IIS

[Code Crafters]

You need to purchase an RSA MD5 encyrypted certificate / key pair from a trusted CA with webmail.domain.com as the common name. You then add the certificate / key pair to the SSL Certificate settings of Ability Mail Server via the Import button then set the WebMail service to use this certificate. Then you simply access via https://webmail.domain.com. IIS is not involved in this process at all.

[waterman34]

You need to purchase an RSA MD5 encyrypted certificate / key pair from a trusted CA with webmail.domain.com as the common name. You then add the certificate / key pair to the SSL Certificate settings of Ability Mail Server via the Import button then set the WebMail service to use this certificate. Then you simply access via https://webmail.domain.com. IIS is not involved in this process at all.

Ah so by doing it this way then the built-in ability certificate isn't being used no longer?

That would cause issues for all the other customers who access their webmail via sub-domains of their domain so that's not viable then.

[Code Crafters]

The same issue is present with the self-signed certificate as the CA issued certificate: the common name must match the domain used to access. You can obviously allow access via normal http:// without SSL as well as an SSL WebMail access port of course.