Monday, July 31, 2017

Exchange 2010 (SP3) - troubleshooting POP3 SSL

POP3 is not the most commonly used client access protocol with Exchange, but it is one we can still encounter as Exchange administrators. I recently had to troubleshoot an application that used POP3 to access an Exchange mailbox, with the option to secure the connection with SSL (so port 995 rather than port 110, which is used for unencrypted connections). In the end, we discovered that the problem had nothing to do with Exchange or the certificate. However, to come to that conclusion, we had to demonstrate that connections to port 995 could be made by other methods, notably OpenSSL and Thunderbird (which can function as a POP3 client). In this blog post, I want to present how we established connections from a Windows 7 client with OpenSSL and enabled the logging of these connections on the Exchange side.


***


If you want to reproduce this in a test environment, you may have to enable POP3 and then configure it to use SSL, so:
  1. Enable the POP3 service.
  2. Associate POP3 with a certificate for secure communication with SSL.
I will not present these operations (above) step by step. I would refer you to some other articles by Paul Cunningham (Exchange MVP) here:




The certificate I use in my test network has several subject alternative names ("mail", "autodiscover") but not "pop", so I will use "mail" instead, although in practice we would probably use "pop" for clarity. I noticed that when I selected the option "Secure Logon" for the POP connection, the correct certificate was located automatically.




We can test a POP3 connection without SSL using Telnet (on port 110) but what if we want to test POP3 with SSL (on port 995)?

I downloaded and installed OpenSSL for Windows.

Several download options are presented here:

Open SSL binaries


I then attempt to connect on port 995 with this command:

openssl s_client -crlf -connect mail.mitserv.net:995


As we can see in the screenshots below, the connection is successful (despite the warning "unable to get local issuer certificate"):
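The "unable to get local issuer certificate" warning only means that the OpenSSL client does not have the issuing CA in its own trust store; the TLS session itself was established. The following PowerShell function is an added example (not from the original post) that does the same check as the openssl s_client command from a Windows client without installing OpenSSL: it opens a TLS session to port 995, reads the POP3 greeting and capabilities, and reports which certificate the server presented and whether Windows would have trusted it. The host name mail.mitserv.net is taken from the post; everything else is an assumption of this example.

```powershell
function Test-Pop3Ssl {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 995
    )

    # The validation callback records the policy result but always accepts the
    # certificate, so we can still read the greeting from a server whose chain
    # is not trusted (this mirrors openssl s_client continuing after its warning).
    $state = @{ PolicyErrors = 'None' }
    $validate = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors.ToString()
        return $true
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $validate)
    try {
        # TLS handshake; the server name is used for the hostname match
        $ssl.AuthenticateAsClient($Server)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Subject Alternative Name extension (OID 2.5.29.17), e.g. "DNS Name=mail..., DNS Name=autodiscover..."
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
               ForEach-Object { $_.Format($false) }

        $reader = New-Object System.IO.StreamReader($ssl)
        $writer = New-Object System.IO.StreamWriter($ssl)
        $writer.NewLine = "`r`n"     # POP3 requires CRLF (what -crlf does for openssl)
        $writer.AutoFlush = $true

        $greeting = $reader.ReadLine()  # "+OK ..." from the Exchange POP3 service
        $writer.WriteLine('CAPA')
        $capabilities = @()
        $line = $reader.ReadLine()
        if ($line -like '+OK*') {
            # Multi-line response ends with a line containing only "."
            while (($line = $reader.ReadLine()) -ne '.') { $capabilities += $line }
        }
        $writer.WriteLine('QUIT')
        $null = $reader.ReadLine()

        [pscustomobject]@{
            Server          = $Server
            Port            = $Port
            Protocol        = $ssl.SslProtocol
            Greeting        = $greeting
            Capabilities    = $capabilities -join ' '
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            SubjectAltNames = $san
            PolicyErrors    = $state.PolicyErrors   # "None" means Windows trusts the chain and name
        }
    }
    finally {
        $ssl.Dispose()
        $client.Close()
    }
}

# Usage (same target as the openssl command above):
Test-Pop3Ssl -Server mail.mitserv.net | Format-List
```

If PolicyErrors shows RemoteCertificateChainErrors, the client lacks the issuing CA, the same situation OpenSSL reports as "unable to get local issuer certificate"; RemoteCertificateNameMismatch means the name you connected to is not in the certificate's subject or subject alternative names, which is why the post connects to "mail" rather than "pop".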






If we need to troubleshoot POP3, we can enable logging on the Exchange server with this command:

Set-PopSettings -ProtocolLogEnabled $true



At first, there is no POP3 subfolder in the Logging folder:




We must restart the POP3 service:




Once we attempt to connect, a file is created in the POP3 folder with content similar to this:




It may also be useful to increase the diagnostic logging level for POP3, so that more events are written to the Event Viewer. We do this in the properties of the Exchange server. The default value is shown below:



We could place the setting at "Expert", for example:



Note the PowerShell equivalent:




In practice, we should be prudent with the logging level because a very high level (like "Expert") could flood the logs with a plethora of events and even have adverse effects on performance.

When finished troubleshooting, we must remember to turn off logging or set it at an acceptable level for our environment. Available disk space would be one aspect to consider.
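The whole troubleshooting-logging cycle described above (enable protocol logging, raise the event log level, restart the POP3 service, read the protocol log, then turn everything back down and check the disk usage) as Exchange Management Shell functions. This is an added example, not code from the original post. Two things are assumptions of this example and should be verified on your own Client Access server: the event-log category name "MSExchangePOP3\General" (check with Get-EventLogLevel) and the column names cIp, sessionId, command and dateTime in the protocol log, which the functions read from the log's own "#Fields:" header rather than hard-coding positions.

```powershell
function Start-Pop3Diagnostics {
    param(
        [string]$Server = $env:COMPUTERNAME,
        [ValidateSet('Lowest', 'Low', 'Medium', 'High', 'Expert')]
        [string]$EventLogLevel = 'High'   # "Expert" is very noisy; use it only for a short window
    )
    # Protocol logging: one line per POP3 command/response, under the POP3 logging folder
    Set-PopSettings -Server $Server -ProtocolLogEnabled $true
    # Diagnostic logging level, the PowerShell equivalent of the server properties dialog
    # (category name is an assumption of this example; confirm with Get-EventLogLevel)
    Set-EventLogLevel -Identity "$Server\MSExchangePOP3\General" -Level $EventLogLevel
    # The new settings take effect, and the POP3 log folder gets created, only after a restart
    Restart-Service -Name MSExchangePOP3
    $logDir = (Get-PopSettings -Server $Server).LogFileLocation
    Write-Host "POP3 protocol log folder (populated on first connection): $logDir"
}

function Show-Pop3Sessions {
    # Summarise the protocol log per client address, to confirm that the failing
    # application actually reaches the server and how far each session gets.
    param([string]$Server = $env:COMPUTERNAME, [string]$ClientIp)

    $logDir = (Get-PopSettings -Server $Server).LogFileLocation
    if (-not (Test-Path $logDir)) { Write-Warning "No protocol log yet in $logDir"; return }

    $rows = foreach ($file in Get-ChildItem -Path $logDir -Filter '*.log') {
        $lines = Get-Content -Path $file.FullName
        # Column names come from the "#Fields:" header line of each log file
        $fieldsLine = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
        if (-not $fieldsLine) { continue }
        $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
        $lines | Where-Object { $_ -and $_ -notlike '#*' } | ConvertFrom-Csv -Header $header
    }
    if ($ClientIp) { $rows = $rows | Where-Object { $_.cIp -like "$ClientIp*" } }

    $rows | Group-Object -Property cIp | ForEach-Object {
        [pscustomobject]@{
            Client   = $_.Name
            Sessions = @($_.Group | Select-Object -ExpandProperty sessionId -Unique).Count
            Commands = ($_.Group | Select-Object -ExpandProperty command -Unique) -join ' '
            LastSeen = ($_.Group | Select-Object -Last 1).dateTime
        }
    }
}

function Stop-Pop3Diagnostics {
    param([string]$Server = $env:COMPUTERNAME)
    Set-PopSettings -Server $Server -ProtocolLogEnabled $false
    Set-EventLogLevel -Identity "$Server\MSExchangePOP3\General" -Level Lowest
    Restart-Service -Name MSExchangePOP3
    # Report how much disk the session consumed so the logs can be cleaned up or archived
    $logDir = (Get-PopSettings -Server $Server).LogFileLocation
    if (Test-Path $logDir) {
        $mb = (Get-ChildItem -Path $logDir -Recurse -File | Measure-Object -Property Length -Sum).Sum / 1MB
        Write-Host ('POP3 protocol logs in {0}: {1:N1} MB' -f $logDir, $mb)
    }
}

# Usage: enable, reproduce the client connection (e.g. with openssl s_client), inspect, disable
Start-Pop3Diagnostics
# ... run the test connection from the client here ...
Show-Pop3Sessions -ClientIp '192.0.2.10'   # constructed client address for illustration
Stop-Pop3Diagnostics
```

Show-Pop3Sessions is the quickest way to tell the two failure modes apart: a client that never appears in the log is not reaching port 995 at all (firewall, DNS, wrong port), while a client whose sessions stop after the first command or two is connecting fine and failing at the protocol or authentication step.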
