"unable to establish secure connection" warning since upgrade to 7.3
  •  
monkeymissile

After upgrading our server to 7.3, each of my Macs (either running Entourage 2008 or Outlook 2011) received a one-time warning at start-up saying, "Unable to establish a secure connection to our domain because the server name or IP address does not match the name or IP address on the server's certificate. If you continue, the information you view and send will be encrypted, but will not be secure."
I haven't ever gotten this message after any other upgrade.
We don't use a third-party certificate like Verisign.

Do I need to worry about this?

thanks.
  •  
TorW

monkeymissile wrote on Mon, 21 November 2011 17:27
the information you view and send will be encrypted, but will not be secure.

As long as it's your own server, "encrypted but not secure" (however meaningless such a message is), is not too worrisome. Even less so if you can guarantee that this particular server is the only server you've installed the certificate on. Is the fully qualified host name in the certificate the same as the fully qualified host name you are connecting to, and is the host actually named as in the certificate? They should all be identical for the SSL handshake to go smoothly.

Have you inadvertently also bound the services to a public IP which doesn't resolve to the certificate hostname? This feature was new (I think) in 7.3.

On a side note: in the global racketeering scheme known as "Public Key Infrastructure", you and your server are the third party, not Verisign. People connecting to your server are trusting Verisign, not you. You're also paying for the privilege. Neat, huh?

[Updated on: Mon, 21 November 2011 18:01]

  •  
monkeymissile

[quote]
Have you inadvertently also bound the services to a public IP which doesn't resolve to the certificate hostname? This feature was new (I think) in 7.3.
[/quote]

I'm imagining this is the reason, I'll check the records with our ISP.
We only have the one server and it's definitely ours.

thanks!
  •  
john_rothenberg

We have the same issue when clients (Entourage 2008) are connecting remotely without VPN.
It appears in our case that the program correctly establishes SSL on 443 on our FQDN MX and then goes straight for the parent domain to find any SSL certificate to look for the autodiscover service.

Unfortunately for us, our web host is external and they have an SSL cert for their IP listed at our parent address
*.example.com (example domain). They can't remove the listen port on 443 on that public IP. The SSL cert placed on that IP is not installed on our clients and shouldn't be; the result for us is that Entourage 2008 fails saying it cannot communicate securely to .example.com (example domain).

Can someone tell me how to disable the autodiscover feature on Kerio Connect 7.3 or tell me how to create a correct DNS record for the Mac Entourage 2008 email client (doesn't support SRV records)... Odd it doesn't have an issue internally on the LAN... perhaps it's not DNS, it's firewall ports... Definitely has occurred after upgrade to 7.3. Such little information on this service.

  •  
McIrish

We've had the same problem with some Entourage clients getting the warning about the email not being secure. These guys were in house when they saw the message. It happened the first time they started Entourage after configuring it for Kerio. I didn't get any more than one complaint from each user, so maybe it's a one-time thing?
  •  
monkeymissile

For me it was an expired and incorrect certificate issue. I created a new one, updated the server info and it's been fine. Regardless, it does appear to be a one-time error message.
  •  
TorW

john_rothenberg wrote on Tue, 29 November 2011 01:19
We have the same issue when clients (Entourage 2008) are connecting remotely without VPN.
It appears in our case that the program correctly establishes SSL on 443 on our FQDN MX and then goes straight for the parent domain to find any SSL certificate to look for the autodiscover service.

Unfortunately for us, our web host is external and they have an SSL cert for their IP listed at our parent address
*.example.com (example domain). They can't remove the listen port on 443 on that public IP. The SSL cert placed on that IP is not installed on our clients and shouldn't be; the result for us is that Entourage 2008 fails saying it cannot communicate securely to .example.com (example domain).

Can someone tell me how to disable the autodiscover feature on Kerio Connect 7.3 or tell me how to create a correct DNS record for the Mac Entourage 2008 email client (doesn't support SRV records)... Odd it doesn't have an issue internally on the LAN... perhaps it's not DNS, it's firewall ports... Definitely has occurred after upgrade to 7.3. Such little information on this service.


Kerio Connect has no Autodiscover feature as such, so you can't really turn it either on or off. The scenario you are otherwise describing seems to be how Entourage works with regard to Autodiscover. I.e. it is broken.

If your hosted mail server lives at e.g. yourserver.hosting.example.com and your mail addresses are user@example.org, Entourage will always (first) try to look for the autodiscover SRV records in the example.org zone, not example.com. You'd think Microsoft would have heard the IT mantra "don't assume" by now.

In other words: if you aren't running your own MS Exchange server and don't have a split DNS setup, good luck with getting Autodiscover to work. If you run Entourage, good luck in general (rolling eyes)
  •  
john_rothenberg

We don't want or need autodiscover to work; it appears to be more prevalent since the 7.3 upgrade.

Prior to Kerio Connect v7.3 we had no Autodiscover visual issue/warning with Entourage 2008 v12.x.x, i.e. our SSL cert was correctly installed and identified through the DNS; this allowed the users to work in or out of the LAN. Split brain we are running, Kerio we are running.

Perfect world living would equate to using a browser only and remove any email client.

The change we have and are getting since the 7.3 upgrade on any Entourage clients when connecting outside of the LAN is a warning about not having the correct root certificate installed. This is correct for us: there's a separate SSL cert for example.com (gasp) and a separate SSL cert for server.example.com (gasp) and a separate SSL cert for mail.example.com... how unorthodox.

Something changed on the server side to make Kerio Connect presumably more compatible with Outlook 2011 feature sets.

This behaviour wasn't present with our DNS/firewall setup on LAN or WAN or VPN prior to 7.3.

It appears the program is looking for an A record with name autodiscover.example.com, which we don't have.

In our case here's the fix, due to a different SSL cert being installed for the parent domain example.com (this is hosted externally on a vhost setup) and Entourage now looking for a non-existent A record of autodiscover.example.com.

the order of lookup that entourage program triggers is:

mail.example.com in A record
mail.example.com in PTR record
autodiscover.example.com -A record
example.com -A record

The first two stages are fine and dandy, they always have been... the second two required steps = fail with an SSL root cert warning. If you just accept the warning, email sends fine and is indeed encrypted; what the program is whinging about is that the example.com SSL cert is not installed on the client (it's not ours, it's our web host's for their virtual domain, nothing to do with our email be it SSL or not).

This happens EVERY launch of entourage not just once.

For us, we'll route the parent directory to localhost by adding an entry in /etc/hosts:

127.0.0.1 example.com (where example.com is our domain)

All that just to stop a visual warning.
  •  
Pavel Dobry (Kerio)

Kerio Connect does support autodiscover configuration. However, Entourage 2008 does not ask the Kerio Connect server. It looks for HTTPS websites https://yourdomain.com and https://autodiscover.yourdomain.com.
This "feature" cannot be disabled in the client. You can find more info here: http://blogs.technet.com/b/amir/archive/2008/07/16/ssl-warning-issue-in-entourage-2008.aspx

[Updated on: Thu, 01 December 2011 10:25]
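
The checks discussed in this thread, as an added example that is not part of any post above and not Kerio or Microsoft code: it walks the hosts Entourage 2008 is described as contacting and reports whether the certificate each one presents covers that name. The function names, the webhost.example.net names and the sample certificate contents are constructed for illustration.

```python
# Added illustration; hostnames and certificate contents are constructed.

def name_matches(hostname, san_dns_names):
    """True if hostname matches a certificate dNSName under the usual TLS
    rules: case-insensitive, '*' only as the entire left-most label."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for pattern in san_dns_names:
        pat_labels = pattern.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue  # a wildcard covers exactly one label: *.example.com != example.com
        if pat_labels[0] == "*":
            if len(pat_labels) >= 3 and pat_labels[1:] == host_labels[1:]:
                return True
        elif pat_labels == host_labels:
            return True
    return False


def entourage_probe_hosts(mail_server, mail_domain):
    """Hosts the client contacts over HTTPS, in the order given in the thread:
    the configured server, autodiscover.<domain>, then the bare domain."""
    return [mail_server, "autodiscover." + mail_domain, mail_domain]


def audit(mail_server, mail_domain, served_certs):
    """served_certs maps host -> dNSNames of the certificate that host serves
    on 443 (absent if nothing answers). Returns host -> verdict."""
    result = {}
    for host in entourage_probe_hosts(mail_server, mail_domain):
        sans = served_certs.get(host)
        if sans is None:
            result[host] = "no listener"
        elif name_matches(host, sans):
            result[host] = "ok"
        else:
            result[host] = "name mismatch"
    return result


# Constructed sample: the mail server has its own certificate, while the bare
# domain is answered by an external web host presenting the host's certificate.
SAMPLE = {
    "mail.example.com": ["mail.example.com"],
    "example.com": ["*.webhost.example.net", "webhost.example.net"],
}

if __name__ == "__main__":
    for host, verdict in audit("mail.example.com", "example.com", SAMPLE).items():
        print(f"{host:28} {verdict}")
```

A name match is only one part of validation: the chain must also lead to a root the client trusts, which is the separate warning john_rothenberg describes for the web host's certificate.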
