Outlook not downloading renewed certs

SYSTEM INFORMATION
OS type and version: Rocky Linux 8.9
Webmin version: 2.111
Virtualmin version: 7.10.0 Pro
Related packages: SUGGESTED

This could be a stupid Microsoft problem, but all of a sudden I’m getting calls because Outlook stopped working. It seems that over the last few months, something has gone wrong. The clients are calling in at the point just after the old cert expired. On the server, clearly the new cert is updated and installed, verified by file dates. The same clients with iPhones are not having trouble on their phones.

Googling is just giving me a hodgepodge of any error ever. I’m not finding anything new on this. Does anyone here have an idea about how to fix this… aside from dumping Outlook. Customers are set in their ways.

Thanks

Sounds like Outlook is caching?

I doubt Outlook would cache certs. That would be a security risk.

I think you probably just have one service that isn’t getting the new cert (Postfix or Dovecot). Not sure why the association would get broken if it worked in the past. Maybe if the certs got renewed manually using certbot directly rather than via Virtualmin.

It’s also maybe possible that something that needs to be restarted when certs update isn’t being restarted. I’m not sure. You might look to see when the postfix and dovecot services were last restarted and if it’s before the certs changed, try restarting.

I would recommend you set up Outlook yourself locally so you can see this problem directly. Relying on user reports is very prone to nonsense. Users have no idea what’s happening, are often fuzzy about the timing of things, and often don’t send all the information needed to isolate the problem. So, if you’re able to kick off a fetch/send cycle and watch the mail server logs or journal for the relevant services, you can see all the errors.


Hey Joe.

After restarting Dovecot and Postfix services to no avail, I rebooted the server. There have been several secure services updates lately. As this issue could have begun anytime over the last month, I worried that maybe other services may have needed a restart.

I’ll keep digging.

The browser wars seem to emphasize load speeds, so who knows?

I expect Outlook at least caches some of the cert info. I know at one point, some years ago, Thunderbird showed a cert notice every time a cert renewed.

I’m having trouble believing it could be a problem on this end as Apple Mail updated the cert just fine without any notice to the customer, as usual.

Yes, these clients have been with us for a long time. The certification has worked fine up until now.

Joe… when you mention a manual cert renewal, should I assume you mean from the command line? I always use Virtualmin’s interface to set up certs. I oftentimes do new certs when perhaps a new Apache alias is needed.

You can manually request a renewal from the interface. Let’s Encrypt isn’t good at recognizing and removing old certs if you request new so make sure you use renew.

What connection are they having problems with? Logging into Dovecot/IMAP or is it during Submission sending out emails?

You might be able to catch the errors in mail.log complaining about authentication.
Do a search in your logs for dovecot: imap-login: or pop-login
Submission would be postfix/smtpd

I use Windows so little I was thinking browser. Oops. Still, unless they changed something recently you’d think this problem would be more commonly reported.

Just in case, Outlook caches certificates and things like that per session, so try restarting the Outlook app, and also try rebooting your PC. Apologies if you have already done this. :smile:

Also sometimes AV installs a Certificate authority so it can do a MITM and scan your encrypted emails.

I have a few of these apps where the certificates don’t get updated or the mechanism stops working. So you could try uninstalling any anti-virus software you have. Disabling the scanners does not work.

Are any of your clients capable/willing to screenshot the actual error? Maybe set up your own Outlook and change a cert?

More info…

I purchased and installed Office 365. I set up a test account for one of my clients who is having the issue.

At the end of the setup, Outlook said certificate has expired or is not valid.

This has been working for a long time up until now.

Here are the cert files in the user’s home directory with domain name removed.

-rwx------ 1 xxxxx.com xxxxx.com 1826 Apr 19 15:02 ssl.ca
-rwx------ 1 xxxxx.com xxxxx.com 1805 Apr 19 15:02 ssl.cert
-rwx------ 1 xxxxx.com xxxxx.com 3633 Apr 20 04:39 ssl.combined
-rwx------ 1 xxxxx.com xxxxx.com 5338 Apr 20 04:39 ssl.everything
-rwx------ 1 xxxxx.com xxxxx.com 1704 Apr 19 15:02 ssl.key

Let’s Encrypt is obviously verifying to DNS/Domain and issuing the new cert. Something is interfering or actually caching the old cert. SSL worked fine up until the last cert actually expired.

Has the cert location moved?

Ideas?

Here’s that client’s entry in Dovecot… again without the domain name

local_name xxxxx.com {
ssl_cert = </home/xxxxx.com/ssl.combined
ssl_key = </home/xxxxx.com/ssl.key
}
local_name *.xxxxx.com {
ssl_cert = </home/xxxxx.com/ssl.combined
ssl_key = </home/xxxxx.com/ssl.key
}

And from Postfix SNI

xxxxx.com /home/xxxxx.com/ssl.key,/home/xxxxx.com/ssl.cert,/home/xxxxx.com/ssl.ca
.xxxxx.com /home/xxxxx.com/ssl.key,/home/xxxxx.com/ssl.cert,/home/xxxxx.com/ssl.ca

This is the error in the secure log, again, with the domain and my IP address removed… both were correct.

Apr 23 13:47:50 venus auth[3521212]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=johntest@xxxxx.com rhost=###.###.###.###

Port 993 is open. My other existing accounts on that system are working fine and actually Outlook picked them up when I reinstalled. Email coming in fine to those.

Only domains with old certs expiring seem to be the issue. And I’m not sure why my new account there is throwing this error as many other users are having no issues as of yet.

I rebooted the system Sat morning in case something was getting cached.

What the heck am I missing?
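As an added diagnostic (not the poster's or Virtualmin's own script) tying together the earlier restart question, the log-search advice, and the Dovecot local_name and Postfix SNI entries just posted: the script below connects to each mail port with and without SNI and compares the certificate actually presented with /home/<domain>/ssl.combined, so a daemon still holding the old cert, or a stale default cert, shows up as a MISMATCH with both expiry dates. Assumed: a host, a domain and the home-directory layout quoted in the thread; run it as ./mailcert-check.sh mail.example.com example.com.

```shell
#!/bin/bash
# Shows which certificate each Dovecot/Postfix port really presents, with and
# without SNI, and compares it with the file Virtualmin wrote to disk.
# Assumed: the /home/<domain>/ssl.combined layout quoted in the thread.
set -u

# SHA-256 fingerprint of the first certificate in a PEM stream on stdin.
pem_fingerprint() { openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2; }

# Expiry date of the first certificate in a PEM stream on stdin.
pem_enddate() { openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2; }

# Leaf certificate a TLS service presents, as PEM on stdout.
# $1=host $2=port $3=SNI name ("" = send none) $4=STARTTLS protocol ("" = implicit TLS)
served_cert() {
    local host=$1 port=$2 sni=$3 proto=$4
    set -- -connect "$host:$port"
    [ -n "$sni" ] && set -- "$@" -servername "$sni"
    [ -n "$proto" ] && set -- "$@" -starttls "$proto"
    timeout 15 openssl s_client "$@" </dev/null 2>/dev/null | openssl x509 2>/dev/null
}

# Compare a served certificate (PEM on stdin) with the on-disk file $1.
# Prints MATCH, MISMATCH (with both expiry dates) or NO CERT; returns 0, 1 or 2.
compare_cert() {
    local file=$1 served
    served=$(cat)
    [ -z "$served" ] && { echo "NO CERT (connection or TLS handshake failed)"; return 2; }
    if [ "$(printf '%s\n' "$served" | pem_fingerprint)" = "$(pem_fingerprint < "$file")" ]; then
        echo "MATCH (expires $(pem_enddate < "$file"))"
    else
        echo "MISMATCH: served cert expires $(printf '%s\n' "$served" | pem_enddate), file expires $(pem_enddate < "$file")"
        return 1
    fi
}

main() {
    local host=$1 domain=$2 file="/home/$2/ssl.combined" sni proto
    for spec in "993 imaps" "995 pop3s" "465 smtps" "143 imap" "110 pop3" "587 smtp"; do
        set -- $spec
        case $1 in 993|995|465) proto="" ;; *) proto=$2 ;; esac
        # Check with the domain as SNI (what mail clients send) and without it
        # (the daemon's default cert), since a stale default is easy to miss.
        for sni in "$domain" ""; do
            printf '%-6s sni=%-24s ' "$2" "${sni:-none}"
            served_cert "$host" "$1" "$sni" "$proto" | compare_cert "$file"
        done
    done
}
if [ $# -ge 2 ]; then main "$@"; fi
```

A MATCH on 993 with SNI but a MISMATCH without it, or a MISMATCH only on the submission ports, narrows the problem to one daemon's default or SNI mapping rather than to the files on disk.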

Hmm… A browser gives you the option of checking the cert. No such love from Outlook?

As long as we are clutching at straws and this doesn’t seem to be even remotely the case, on the first cert page are all services set to use it? Not sure how some clients would work and not others, but a straw is a straw…
This is a sub server so cert is kinda not needed for all.

More from Outlook…

The cert error info.

Issued to: thecorrectdomain.com
Issued by: R3
Valid from 1/16/2024 to 4/15/2024

This is the date from the old cert. You can see by my list of files that all the certs were rewritten when I renewed the certs via Virtualmin. I have checked the date/time on the server. System time and hardware time is correct. How can it be looking at or even finding an old cert?

Also, I double checked DNS and all nameservers are reporting the same info.

And, the same account set up perfectly in Thunderbird. Reports from clients are saying their iPhones are not having issues, but there could be old exceptions in some of those.

What the heck??? Straw is too strong of an item to relate to Outlook, after all, Microsoft has no Insite.

This is interesting. Virtualmin on the system with the two accounts with issues does not show “Apache SSL Website Enabled” but only “Apache Website Enabled” as an option. I reran the recheck configuration and it completed successfully. Websites and other services are using SSL.

Any idea why the Apache SSL option is not showing up?

Because it’s always on in current versions of Virtualmin.

Apache SSL enabled is showing for a domain on that server which does not use SSL and is unchecked. I’ve not found another with that showing. I suspect they all have SSL enabled. I was going to disable SSL for the problem domains and re-enable it, but… no option there.

I wonder what I need to do to make it show again. It is turned on in Features and Plugins.

This issue seems to be on only one of our servers. When I go to Edit Virtual Server and pull down Enabled Features, on only this server, Apache SSL Website does not show except for domains which do not have it enabled. How do I get that back? I have not been doing any hacking on that system.

Next… For one of the accounts having the issue, Thunderbird connects securely, no problem. Firefox connects securely via https. Outlook is saying the cert has expired and is showing the correct dates for the expired cert. The certs clearly updated. Where can Outlook be finding the old cert information?

I really pray I can get this fixed today as this is having a very negative effect on some clients. I don’t want to lose them.