MailStore Server – Error message received when MailStore Client or MailStore Outlook Add-In tries to connect to the server
Summary
With MailStore Server, when the MailStore Client or the MailStore Outlook Add-in tries to connect to the server, the connection cannot be established and the following error message is returned:
The SSL/TLS certificate verification failed. The server name was enforced by group policies, but the certificate validation failed.
This issue was reported in (but may not be limited to):
- MailStore Client
- MailStore Outlook Add-in
Cause
The option to whitelist certificate fingerprints via MailStore’s own group policy was removed in MailStore Server 13, which causes this error message to appear. The use of self-signed certificates significantly reduces the complexity and is less error-prone. If an administrator has decided to specify a server name via group policy, this Group Policy Object (GPO) can be changed.
Resolution
If an installation is using a self-signed certificate in MailStore Server, that is, one obtained neither from Let’s Encrypt nor from another trusted root certification authority, please note the following:
As soon as you specify the server name via group policy, the MailStore Outlook Add-in and MailStore Client expect the certificate used by MailStore Server to be valid. This means that:
- the server certificate must neither be expired nor have been withdrawn (revoked),
- the server name must be stored in the certificate, and
- the certificate must have been issued by a trustworthy root certification authority (possibly your organization's own internal certification authority).
The last condition is not met by self-signed certificates. If you do not have the option of using certificates that have been issued by a trustworthy certification authority, you can create a suitable self-signed certificate in the MailStore Server service configuration, save it in a file, and then distribute it to the clients as a “Trusted Root Certification Authority”.
In the group policy that distributes the login information, please ensure that the specified server name matches the name issued in the certificate. That means: no different server name and no IP address.
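To see which of these conditions a client machine considers unmet, the following added example (not MailStore code) connects to the server and reports how Windows evaluates the presented certificate. The function name `Test-ServerCertificate` and its parameters are hypothetical; pass the exact server name from the group policy and the port your MailStore Server listens on. Revocation is not checked here.

```powershell
# Added example, not part of MailStore. Run it on a client machine so that
# the client's own Windows trust store is used for the evaluation.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $ServerName,  # exactly the name set in the GPO
        [Parameter(Mandatory)] [int]    $Port         # port your MailStore Server listens on
    )
    $script:certReport = $null
    # The callback receives the result of Windows' own validation.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($origin, $certificate, $chain, $sslPolicyErrors)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        $nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $script:certReport = [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            Expired      = (Get-Date) -gt $cert.NotAfter
            # True when $ServerName is not stored in the certificate
            NameMismatch = [bool]($sslPolicyErrors -band $nameMismatch)
            # e.g. UntrustedRoot for a self-signed certificate that is not yet trusted
            ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
            Valid        = $sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None
        }
        return $true   # accept anyway so the handshake completes; this only reports
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ServerName, $Port)
        $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $tls.AuthenticateAsClient($ServerName)   # name check is made against the GPO name
        $tls.Dispose()
    }
    finally { $tcp.Close() }
    $script:certReport
}
```

Once the self-signed certificate has been distributed to the client as a Trusted Root Certification Authority and the server name matches, `Valid` should be `True` and `ChainStatus` empty.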