cancel
Showing results for 
Search instead for 
Did you mean: 

Outlook - internet Security Warning

dazlicous
Up to speed

Got my NTL email account set up using outlook but when I open outlook I get a security warning 

Internet Security Warning 

The server you are connected to is using a security certificate that cannot be verified 

The target principal name is incorrect 

6 REPLIES 6

Corey_C
Moderator
Moderator

Thanks for your post and for reaching out to the Community Forums, dazlicous,

 

Did you configure this manually or automatically? Do your email server names match the email domain @ntlworld?

 

Cheers,

Corey C

ravenstar68
Very Insightful Person
Very Insightful Person

@Corey_C 

Welcome to the wonderful world of SSL/TLS certificates.

From past experience with other users the error itself is a red herring.

The Target principle name refers to Server Name Authentication (SNI)

SSL certificates carry a CN value and an SAN field.

The CN value used to have to match the server hostname as specified in the email settings.  Indeed one fix suggested for this error (which wouldn't work here) was to change the server hostname to match that in the CN field.

Nowadays certificates also carry an SAN field - here's the field in the certificate recovered from imap.virginmedia.com

  Subject Alternative Name
        DNS Name=email.virginmedia.com
        DNS Name=webmail.virginmedia.com
        DNS Name=mail.virginmedia.com
        DNS Name=mail2.virginmedia.com
        DNS Name=mail3.virginmedia.com
        DNS Name=pop.virginmedia.com
        DNS Name=pop3.virginmedia.com
        DNS Name=imap.virginmedia.com
        DNS Name=imap4.virginmedia.com
        DNS Name=smtp.virginmedia.com
        DNS Name=autoconfig.virginmedia.com
        DNS Name=autodiscover.virginmedia.com

Now provided the Hostname matches one of these values, then the certificate is valid for that host.

There have been suggestions in some answers that this is down to Outlook not liking SAN certificates - BUT this is unlikely, certainly up until my blueyonder emails finally closed I was using the above server quite happily.

Note that the email address itself has NOTHING to do with the server name.  In fact many companies use a number of professional hosts, including Microsoft and Google to host their emails.  I myself host 3 separate domains on one email server.

VM only have one recommended set of email servers which end in virginmedia.com 

https://community.virginmedia.com/t5/Email/Email-settings-change/td-p/3369438

@dazlicous 

Are you able to select view certificate on the error message and post what you are seeing on here, in particular the Certification Path tab.

Tim

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks


@ravenstar68 wrote:

@Corey_C 

Welcome to the wonderful world of SSL/TLS certificates.

From past experience with other users the error itself is a red herring.

The Target principle name refers to Server Name Authentication (SNI)

SSL certificates carry a CN value and an SAN field.

The CN value used to have to match the server hostname as specified in the email settings.  Indeed one fix suggested for this error (which wouldn't work here) was to change the server hostname to match that in the CN field.

Nowadays certificates also carry an SAN field - here's the field in the certificate recovered from imap.virginmedia.com

 

 

  Subject Alternative Name
        DNS Name=email.virginmedia.com
        DNS Name=webmail.virginmedia.com
        DNS Name=mail.virginmedia.com
        DNS Name=mail2.virginmedia.com
        DNS Name=mail3.virginmedia.com
        DNS Name=pop.virginmedia.com
        DNS Name=pop3.virginmedia.com
        DNS Name=imap.virginmedia.com
        DNS Name=imap4.virginmedia.com
        DNS Name=smtp.virginmedia.com
        DNS Name=autoconfig.virginmedia.com
        DNS Name=autodiscover.virginmedia.com

 

 

Now provided the Hostname matches one of these values, then the certificate is valid for that host.

There have been suggestions in some answers that this is down to Outlook not liking SAN certificates - BUT this is unlikely, certainly up until my blueyonder emails finally closed I was using the above server quite happily.

Note that the email address itself has NOTHING to do with the server name.  In fact many companies use a number of professional hosts, including Microsoft and Google to host their emails.  I myself host 3 separate domains on one email server.

VM only have one recommended set of email servers which end in virginmedia.com 

https://community.virginmedia.com/t5/Email/Email-settings-change/td-p/3369438

@dazlicous 

Are you able to select view certificate on the error message and post what you are seeing on here, in particular the Certification Path tab.

Tim


Thx for your reply

After getting the error and searching the VM forum here. It seem a very popular issue if still running Microsoft Office 2007. 

Bit of a strange one because on my desktop I am running Win 10 and Office 2007 without any issues in outlook and VM emails.

I was setting up a new laptop that thrown the issue up. After reading the Forum and this issue, I have upgraded to Office 2019 which has totally resolved the problem. 

ravenstar68
Very Insightful Person
Very Insightful Person

@dazlicous 

It is a strange one.  All I know is that when one user looked at the certificate she was presented with, she got an invalid certificate error.  Looking at the certificate path at the time, as far as her system was concerned the certificate chain didn't go back to a trusted root certificate.  But when I got her to export the certificate and send it to me, my machine was quite happy with it.

It would have certainly been interesting to take this further, but to be honest Office 2007 reached end of life some time ago and no longer receives any updates from Microsoft.  Switching to Office 2019 is certainly the best option.  Unless you want to consider free alternatives instead..

Glad it's working for you now.

Tim

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks

ravenstar68
Very Insightful Person
Very Insightful Person

For the benefit of everyone involved in this thread I wanted to demonstrate SNI in action.

In this case I've used a non existent domain raventim.co.uk and used my hosts file to direct it to my mail server IP.  I've then tried changing my IMAP server setting to raventim.co.uk - Here's the result - The error looks familiar.

ravenstar68_0-1626959947525.png

If we view the certificate we see this:

ravenstar68_1-1626960043731.png

We see above that the CN for the certificate is box.timothydutton.co.uk - which doesn't match the hostname in the settinggs.

ravenstar68_2-1626960312273.png

More importantly the name raventim.co.uk is not found in the SAN field either.

This is how certificates normally try to protect against DNS redirection attacks.

Note that the certificate is downloaded from the server as part of SSL/TLS negotiation.  What we've found in cases similar to @dazlicous 's is that when we check the certificate - the certificate is all correct, but for some reason when we check the certificate path

ravenstar68_3-1626960712441.png

The root certificate (highlighted above), does not show as being trusted on their systems.

Tim

 

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks

From I can gather is obviously it’s outdated and unsupported software so best better is upgrade to a newer version