In a Microsoft Exchange Server 2007 Service Pack 1 environment, you install a certificate that contains wildcard characters in the domain name. Then, you try to enable the certificate for the Post Office Protocol (POP) service or for the Internet Message Access Protocol (IMAP) service by using the following cmdlet.
After you do this, the following event errors are logged when the POP service or the IMAP service is started:
Event Type: Error
Event Source: MSExchangePOP3
Event Category: General
Event ID: 2007
Description: A certificate for the host name "*.contoso.com" could not be found. SSL or TLS encryption cannot be made to the POP3 service.

Event Type: Error
Event Source: MSExchangeIMAP4
Event Category: General
Event ID: 2007
Description: A certificate for the hostname "*.contoso.com" could not be found. SSL or TLS encryption cannot be made to the IMAP service.

Event Type: Error
Event Source: MSExchangePOP3
Event Category: General
Event ID: 1102
Description: The POP service failed to connect using SSL or TLS encryption. A valid certificate is not configured to respond to SSL/TLS connections. Check the configured hostname as well as which certificates are installed in the Personal Certificates store of the Computer.
In this case, a POP3 client or an IMAP client cannot use Secure Sockets Layer (SSL) to access the mailbox.
This problem occurs because the Exchange server cannot find a matching certificate when it creates a Transport Layer Security (TLS) session with a client. The Enable-ExchangeCertificate cmdlet automatically configures the X509CertificateName parameter in the POP settings and in the IMAP settings by using the domain name in the certificate, which in this case is the wildcard name. When the Exchange server creates a TLS session with a client, it searches for a certificate that matches that name. However, it cannot find a matching certificate because the configured name is not a specific fully qualified domain name (FQDN).
To resolve this problem, download Update Rollup 4 for Exchange 2007 Service Pack 1. For more information about Update Rollup 4 for Exchange Server 2007 Service Pack 1, see the following Exchange Help topic:
After you apply this software update, the Enable-ExchangeCertificate cmdlet and the New-ExchangeCertificate cmdlet will not set the X509CertificateName parameter. This is done by removing POP and IMAP as valid values from the -Services parameter.
To help administrators, the cmdlet displays a warning that resembles the following:
POP3 and/or IMAP4 access might not work since this command does not set the X509CertificateName for the POP3 and IMAP4 services. Please complete the configuration for each service by running "set-POPSettings -X509CertificateName <The FQDN that POP clients will use to connect server>" for the POP3 service and "set-IMAPSettings -X509CertificateName <The FQDN that POP clients will use to connect server>" for the IMAP4 service.
Additionally, the X509CertificateName parameter of the Set-IMAPSettings cmdlet and of the Set-POPSettings cmdlet does not accept wildcard characters, so you must supply the specific FQDN that clients use to connect.
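The following Exchange Management Shell script is an added example of completing that configuration after the update; it is not part of this article. It assumes a wildcard certificate for *.contoso.com is already installed and that clients connect to mail.contoso.com (both constructed values), and it checks that the FQDN is actually covered by an installed certificate before setting it, because a wildcard matches only a single DNS label.

```powershell
# Added example (not from the KB article). Constructed values:
$ClientFqdn = 'mail.contoso.com'   # the name POP3/IMAP4 clients connect to

# Returns $true when a certificate name (exact or *.example) covers the FQDN.
# A wildcard matches exactly one label: *.contoso.com covers mail.contoso.com
# but not pop.eu.contoso.com and not contoso.com itself.
function Test-CertDomainMatch([string]$Domain, [string]$Fqdn) {
    if ($Domain -ieq $Fqdn) { return $true }
    if ($Domain.StartsWith('*.')) {
        $suffix = $Domain.Substring(1)                      # ".contoso.com"
        $sameDepth = $Fqdn.Split('.').Count -eq $Domain.Split('.').Count
        return $Fqdn.EndsWith($suffix, 'OrdinalIgnoreCase') -and $sameDepth
    }
    return $false
}

# Find an installed certificate whose CertificateDomains cover the client FQDN.
$cert = Get-ExchangeCertificate | Where-Object {
    @($_.CertificateDomains | Where-Object { Test-CertDomainMatch $_ $ClientFqdn }).Count -gt 0
} | Select-Object -First 1
if (-not $cert) { throw "No installed certificate covers $ClientFqdn" }
Write-Host "Using certificate $($cert.Thumbprint) for $ClientFqdn"

# Set the specific FQDN, not the wildcard: X509CertificateName rejects '*'.
Set-POPSettings  -X509CertificateName $ClientFqdn
Set-IMAPSettings -X509CertificateName $ClientFqdn

# Restart the protocol services so the new name is read, then verify the setting
# and confirm that Event ID 2007/1102 is no longer logged on startup.
Restart-Service -Name MSExchangePOP3, MSExchangeIMAP4
Get-POPSettings  | Select-Object X509CertificateName
Get-IMAPSettings | Select-Object X509CertificateName
Get-EventLog -LogName Application -Source MSExchangePOP3, MSExchangeIMAP4 -Newest 5 |
    Select-Object TimeGenerated, Source, EventID, EntryType
```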
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
A wildcard character domain name is a special kind of domain name that represents multiple sub-domains. Wildcard character domain names can simplify certificates because a single wildcard domain name represents all the sub-domains for that domain. Wildcard character domain names are represented by an asterisk character (*) on the DNS node.
For example, *.contoso.com represents contoso.com and all the sub-domains for contoso.com. When you use a wildcard character to create a certificate or to create a certificate request for all accepted domains, you can simplify the request significantly.
For more information about certificate use in Exchange Server 2007, visit the following Microsoft Web site: