We have a single-server Exchange 2010 setup. Early this morning the server blue-screened and rebooted. After it came back up, POP3/IMAP4 and the Transport service started complaining that they could not find the correct SSL certificate for mail.example.com.
POP3:
Log Name: Application
Source: MSExchangePOP3
Date: 2012/04/23 11:45:15 AM
Event ID: 2007
Task Category: (1)
Level: Error
Keywords: Classic
User: N/A
Computer: exch01.domain.local
Description:
A certificate for the host name "mail.example.com" couldn't be found.
SSL or TLS encryption can't be made to the POP3 service.
IMAP4:
Log Name: Application
Source: MSExchangeIMAP4
Date: 2012/04/23 08:30:44 AM
Event ID: 2007
Task Category: (1)
Level: Error
Keywords: Classic
User: N/A
Computer: exch01.domain.local
Description:
A certificate for the host name "mail.example.com" couldn't be found.
Neither SSL or TLS encryption can be made to the IMAP service.
Transport:
Log Name: Application
Source: MSExchangeTransport
Date: 2012/04/23 08:32:27 AM
Event ID: 12014
Task Category: TransportService
Level: Error
Keywords: Classic
User: N/A
Computer: exch01.domain.local
Description:
Microsoft Exchange could not find a certificate that contains the domain name
mail.example.com in the personal store on the local computer. Therefore, it
is unable to support the STARTTLS SMTP verb for the connector Default EXCH01
with a FQDN parameter of mail.example.com. If the connector's FQDN is not
specified, the computer's FQDN is used. Verify the connector configuration
and the installed certificates to make sure that there is a certificate with
a domain name for that FQDN. If this certificate exists, run
Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft
Exchange Transport service has access to the certificate key.
Strangely, Get-ExchangeCertificate shows the certificate as enabled for all the relevant services, and OWA works perfectly with this certificate.
[PS] C:\Users\graeme\Desktop>Get-ExchangeCertificate
Thumbprint Services Subject
---------- -------- -------
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ....S. CN=exch01
YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY ....S. CN=exch01
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ IP.WS. CN=mail.example.com, OU=Domain Control Validated, O=mail.exa...
Here is the certificate in the computer account's personal certificate store:
Can anyone give me some pointers on getting POP3/IMAP4/SMTP to use this certificate again?
Answer 1
Go to Services and look at the "Log On As" column for the following 3 services:
- Microsoft Exchange IMAP4
- Microsoft Exchange POP3
- Microsoft Exchange Transport
By default they will all be using "Network Service".
Then run mmc.exe with elevated rights and add the Certificates snap-in for the local computer. Right-click the certificate in question (e.g. mail.example.com) and click "Manage Private Keys..." in the pop-up menu. Make sure the relevant account (e.g. NETWORK SERVICE) has Read permission; it does not need Full Control, so whether or not that is ticked makes no difference to this problem, but I recommend granting Read access only (principle of least privilege).
Then restart the services concerned for the change to take effect.
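An added read-only check of the same private-key ACL, written here as example code rather than taken from the answer above; it assumes the certificate's key is a CSP (CAPI) key stored under MachineKeys and that the services use the standard Exchange 2010 service names:

```powershell
# Added diagnostic (not from the original post or answers). Reports whether the account that runs
# each Exchange POP3/IMAP4/Transport service has Read access to the private key file of the
# mail.example.com certificate. Read-only: it changes nothing. Run from an elevated PowerShell.
# Assumptions: CSP (CAPI) key under MachineKeys; standard Exchange 2010 Windows service names.
$HostName     = 'mail.example.com'
$ServiceNames = 'MSExchangePOP3', 'MSExchangeIMAP4', 'MSExchangeTransport'

# 1. The certificate Exchange should be using: newest cert in LocalMachine\My with that CN and a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$HostName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$HostName in LocalMachine\My" }

# 2. Map the certificate to its key container file. CNG keys expose no CspKeyContainerInfo; stop there.
try { $container = $cert.PrivateKey.CspKeyContainerInfo } catch { $container = $null }
if (-not $container) { throw "Private key of $($cert.Thumbprint) is not a CSP key; inspect it with certutil -store My" }
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container.UniqueKeyContainerName
if (-not (Test-Path $keyPath)) { throw "Key file $keyPath not found" }
$acl = Get-Acl -Path $keyPath

# 3. Which identity runs each service? WMI reports e.g. 'NT AUTHORITY\NetworkService' or 'LocalSystem'.
function Get-ServiceSid([string]$Name) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }
    $account = if ($svc.StartName -eq 'LocalSystem') { 'NT AUTHORITY\SYSTEM' } else { $svc.StartName }
    (New-Object System.Security.Principal.NTAccount($account)).Translate([System.Security.Principal.SecurityIdentifier])
}

# 4. Does a direct Allow ACE on the key file grant at least Read to that SID? FullControl also passes.
#    Group membership is not resolved here, so a grant via a group shows up as 'no direct ACE'.
$read = [System.Security.AccessControl.FileSystemRights]::Read
foreach ($name in $ServiceNames) {
    $sid = Get-ServiceSid $name
    if (-not $sid) { Write-Warning "$name is not installed"; continue }
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    $state = if ($ace) { 'OK: Read granted' } else { 'MISSING: no direct Read ACE on the private key' }
    "{0,-22} {1,-32} {2}" -f $name, $sid.Translate([System.Security.Principal.NTAccount]).Value, $state
}
```

A "MISSING" line for a service matches the symptom in the event log excerpts above; the fix is the "Manage Private Keys..." step from the answer, followed by a service restart.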
Answer 2
- Run Enable-ExchangeCertificate -Thumbprint -Service POP, and do the same for IMAP :).
- Check that you have enabled the certificate on the CA server
Answer 3
I only verified the Client Access server's access from the internet, and checked in the Microsoft Exchange EMC that the certificate had been updated without any warnings.