wildcard ssl certificate - exchange 2010 - POP/IMAP problem

Solution 1:

Unfortunately, your best option is to get a UC cert, which means ditching the wildcard and purchasing a new one entirely. See my answer HERE for a similar question.

Solution 2:

Boo, UC certs are a bigger ripoff than normal certificates and only needed mainly because of NAT. When IPv6 becomes widely used and all computers have one-true-address these will be mostly moot as your server won't need to resolve to a different address inside and outside the firewall.

This can quite easily be handled if you are using a two-faced DNS system that, for the same hostname, serves private (RFC1918) addresses to internal users and the server's public address to external users. For example, mail.example.com from your internal servers returns 10.0.0.11 and from an external server it returns 208.65.70.82. So when connecting to your server internally you would still use mail.example.com.

Take a look at Microsoft KB Article 940726, which explains how to change the internal URL for all of the Exchange services to be the same as the external URL. It specifically cites this "workaround" for people that "cannot" use a certificate that supports Subject Alternative Names. To be honest I think that this configuration will become default in the next one or two versions of Exchange as IPv6 becomes commonplace.

We have also found this is really great for mobile users because mail.example.com will resolve to the same server inside the firewall as it does outside, especially nice when they're using a protocol like IMAP with a client that doesn't support "Outlook Anywhere".

For your POP/IMAP issues take a look at Microsoft KB Article 948896. Basically you just set the X509CertificateName to the FQDN that users will be accessing the service from (with Set-ImapSettings -X509CertificateName mail.example.com or through the GUI) and don't specifically assign the certificate to the IMAP service using Enable-ExchangeCertificate command.
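The two KB workarounds from the answer above, put together as an Exchange Management Shell script. This is an added example, not code from the answer or from Microsoft; the server name EX01, the wildcard subject *.example.com and the FQDN mail.example.com are assumptions, so substitute your own. Note that a wildcard only covers one label, so the name you give to X509CertificateName has to sit directly under the wildcard's domain (mail.example.com is covered by *.example.com; imap.corp.example.com is not). The final check opens a TLS session to the IMAPS port and prints the certificate that is actually presented, which is worth running from both the inside and the outside of the firewall when you rely on split DNS.

```powershell
# Added example, not from the original page. Assumed names:
# CAS server EX01, wildcard certificate *.example.com, public FQDN mail.example.com.
$Server = 'EX01'
$Fqdn   = 'mail.example.com'

# --- KB 940726: point the internal URLs at the same FQDN the outside uses.
# With split DNS, $Fqdn resolves to the RFC1918 address inside and the
# public address outside, so one name (and one certificate) covers every client.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$Fqdn/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$Fqdn/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$Fqdn/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$Fqdn/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" -InternalUrl "https://$Fqdn/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" -InternalUrl "https://$Fqdn/ecp"

# --- KB 948896: POP/IMAP with a wildcard certificate.
# Do NOT bind the wildcard to the POP/IMAP services with Enable-ExchangeCertificate.
# Tell each service which name it should present; it then picks the certificate
# whose subject/SAN matches that name, and the wildcard matches mail.example.com.
Set-ImapSettings -Server $Server -X509CertificateName $Fqdn
Set-PopSettings  -Server $Server -X509CertificateName $Fqdn

# The wildcard itself only needs to be enabled for IIS.
$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Subject -match '^CN=\*\.example\.com' }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# POP/IMAP read their settings at start-up.
Restart-Service MSExchangeIMAP4, MSExchangePOP3

# Check 1: the settings took.
Get-ImapSettings -Server $Server | Format-List X509CertificateName, SSLBindings
Get-PopSettings  -Server $Server | Format-List X509CertificateName, SSLBindings

# Check 2: what the IMAPS listener actually presents (plain .NET, runs from any
# Windows PowerShell). The validation callback accepts any certificate ON PURPOSE
# so the subject can be inspected even when the chain is wrong; do not reuse it
# anywhere that needs real validation.
function Get-ImapsCertificate {
    param([string]$HostName, [int]$Port = 993)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream(
        $tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san = $x.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
        [pscustomobject]@{
            Subject    = $x.Subject
            SAN        = if ($san) { $san.Format($false) } else { '(none)' }
            NotAfter   = $x.NotAfter
            Thumbprint = $x.Thumbprint
        }
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
}

# Expect Subject CN=*.example.com here; if you still see the self-signed
# server certificate, the X509CertificateName did not match the wildcard.
Get-ImapsCertificate -HostName $Fqdn
```

Run the Set-* cmdlets in the Exchange Management Shell on the Client Access server; the Get-ImapsCertificate check can be run from any Windows machine, once from the LAN and once from outside, to confirm that the same name yields the same certificate on both sides of the firewall.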

Solution 3:

You can indeed use a wildcard for IMAP and POP. RTFM here: http://technet.microsoft.com/en-us/library/aa997231.aspx

:)