
Exchange 2007 and wildcard SSL certificates

Exchange 2007 is nice. Really, I like it. Especially the Exchange Management Shell (EMS) that allows you to fulfill many administrative tasks without using your mouse.

But now I found a point where Exchange 2007 fails: Wildcard certificates for IMAP.

We have a wildcard certificate (*.company.tld) from a CA that we have been using on our web servers for months. The plan was to import that certificate into Exchange so that it secures WebMail (Outlook Web Access, OWA), SMTP and IMAP.

So far everything worked out pretty well: I could install that certificate on the Windows Server that runs Exchange 2007. Webmail worked like a charm. SMTP worked fine. But the IMAP service could not be restarted at all.

Every time I tried to start the IMAP service, it wrote an entry to the event log:

Event ID 2007
"A certificate for the hostname “*.domain.tld” could not be found. SSL or TLS encryption cannot be made to the IMAP service."

A completely wrong error message, which is absolutely unhelpful! And as Ken Johnson writes, it's a very intelligent event id. Did you ever try to search Google for event id 2007 regarding Exchange 2007? Forget it!

After trying to get other certificates from our CA (Thanks Bart for your support!) and failing with this, Stefan found an interesting note on Technet: Certificate Use in Exchange 2007 Server.

Also, in Exchange 2007 RTM, POP3 and IMAP4 do not support wildcard domains on certificates.

<ironic>Well, thanks for that information!</ironic> I spent hours trying and searching, and this is the answer?

How we solved it (at least for the moment):

As most of our users connect to Exchange via Outlook (direct connection or Outlook Anywhere) or Webmail, IMAP is not that important. So we decided to install a self-signed certificate on the server.

New-ExchangeCertificate -SubjectName "c=CH, o=Company, ou=IT, cn=ex01.company.tld" -DomainName company.tld -PrivateKeyExportable $true -Services "IMAP"

That's not the perfect solution at all: users that connect via IMAP will always be nagged with an SSL warning. But it's a working temporary solution.
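To make the workaround above repeatable and checkable, here is an added Exchange Management Shell example (not code from the original post). It first lists any wildcard certificate that is still bound to IMAP or POP (the situation that triggers Event ID 2007), then creates the self-signed certificate and binds it to IMAP in one step, restarts the IMAP4 service while watching the Application log for Event ID 2007, and finally connects to port 993 to report which certificate the server really presents. The host name, the subject fields and the use of PowerShell 2.0 or later (for the script-block delegate in the last step) are assumptions.

```powershell
# Added example, not code from the original post. Exchange Management Shell script that
# 1) lists certificates with a wildcard subject that are bound to IMAP or POP,
# 2) creates a self-signed certificate for the IMAP host and binds it to IMAP,
# 3) restarts the IMAP4 service and checks the Application log for Event ID 2007,
# 4) connects to port 993 and reports which certificate the server really presents.
# $ImapHost and the subject values are assumptions; replace them for your environment.
# Step 4 needs PowerShell 2.0 or later (a script block is used as a .NET delegate).

$ImapHost = 'ex01.company.tld'                          # assumed IMAP host name
$Subject  = "c=CH, o=Company, ou=IT, cn=$ImapHost"      # assumed subject

# 1) Wildcard certificates bound to IMAP/POP: Exchange 2007 RTM cannot use them there,
#    so the IMAP service fails to start and logs Event ID 2007.
function Get-WildcardImapPopCertificate {
    Get-ExchangeCertificate | Where-Object {
        ($_.Subject -match 'CN=\*\.') -and ("$($_.Services)" -match 'IMAP|POP')
    }
}

# 2) Self-signed certificate for the IMAP host. -DomainName puts the host name into
#    the Subject Alternative Name; -Services IMAP binds it to IMAP right away
#    (Enable-ExchangeCertificate -Thumbprint <t> -Services IMAP does the same later).
function New-ImapSelfSignedCertificate {
    New-ExchangeCertificate -SubjectName $Subject `
                            -DomainName $ImapHost `
                            -PrivateKeyExportable $true `
                            -Services IMAP
}

# 3) Restart IMAP4 and report any Event ID 2007 written since the restart.
function Restart-ImapAndCheckLog {
    $since = Get-Date
    Restart-Service MSExchangeIMAP4 -ErrorAction Stop
    Start-Sleep -Seconds 5
    $errors = Get-EventLog -LogName Application -Newest 100 |
        Where-Object { $_.EventID -eq 2007 -and $_.TimeGenerated -gt $since }
    if ($errors) {
        $errors | ForEach-Object { Write-Warning "Event ID 2007: $($_.Message)" }
    } else {
        Write-Host "IMAP4 restarted, no Event ID 2007 logged."
    }
}

# 4) Connect over IMAPS and inspect the presented certificate. Validation is disabled
#    on purpose here: the goal is to look at the certificate, not to trust it.
function Test-ImapsCertificate {
    param([string]$Server = $ImapHost, [int]$Port = 993)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList $ssl.RemoteCertificate
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # expected for this workaround
            Wildcard   = ($cert.Subject -match 'CN=\*\.')   # would break IMAP4 on RTM
        }
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

# Usage in the Exchange Management Shell:
Get-WildcardImapPopCertificate | Format-List Thumbprint, Subject, Services
$new = New-ImapSelfSignedCertificate
Write-Host "Created self-signed certificate $($new.Thumbprint) for IMAP"
Restart-ImapAndCheckLog
Test-ImapsCertificate | Format-List
```

The last step is the one worth keeping around: it tells you at any time whether IMAPS clients are being shown the self-signed certificate (SelfSigned = True, which explains the client warnings) or whether someone has bound the wildcard certificate to IMAP again.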

1 comment »

  1. Marc said,

    Saturday, 10-11-07 05:22

    Aiii, I guess that will kind of piss us Mac users off ;) But hey, I'm looking forward to testing it with Entourage. I'm sure it will just work out fine, like all these splendid, bug-free and stable Microsoft products

    Thanks again for the help with my work and have a nice weekend!
    Marc
