POP3 email protection set up - outlook always asking about certificate

I have Sophos UTM 9.7 scanning my emails using the Outlook client, but whenever I start Outlook it complains about the self-signed certificate. If I view the certificate it does allow me to install it, and I said yes, but that doesn't fix the problem.

In Sophos I selected the local cert as I don't have one specifically for Outlook (or for anything, actually). If I don't select to scan TLS traffic, nothing gets scanned as all my email accounts use TLS.

What do I need to do to make it so that Outlook doesn't ask me about the cert every time I start it?

Any info would be appreciated

  • This is not unexpected, but is easily fixed.   The answer starts with an explanation of how certificates work.

    On connection, a server returns a certificate asserting its identity.   That certificate is signed by an intermediate certificate, which is signed by a root certificate.   As long as the digital signature can be validated, we know that the certificate is unaltered from when it was created.   But to trust the certificate as a valid assertion of identity, we have to trust the root certificate.    This is implemented by installing the root certificate on your PC.   The presence of the root certificate means that your PC believes that the root certificate will never issue a fraudulent identity certificate.   Therefore, when each certificate in the chain has a valid signature, and a copy of the root certificate is installed on your PC, then the server identity is trusted as accurate.

    Next, your PC compares the DNS name used to start the connection with the names returned in the server certificate.   If there is a name match and a valid certificate chain, this proves that you have arrived at your intended network destination.    This validation is more important than https encryption itself, because it does no good to have an encrypted conversation if you are having that conversation with a malicious impersonator.

    For UTM to protect your client, it needs to implement a man-in-the-middle interception.    It issues a certificate claiming to be your remote server, issued by a root certificate that is also part of UTM.   Your client connects to UTM using the lookalike certificate chain, then UTM connects to the remote server on your behalf.   The traffic in each direction is decrypted at the UTM, so that UTM can inspect it for safety.

    For this to work without certificate errors, UTM needs to present the right certificate name to your PC, and your PC has to install the UTM root certificate as trusted.   

    • Go to Webserver... Certificate Management... Certificates and generate a certificate for the remote server name.   
    • Next, go to the Certificate Authorities tab, find the VPN signing CA, download it in PEM format (not PKCS!).
    • Install the downloaded certificate onto your PC.  On Windows, double-clicking will probably be sufficient.  If not, open MMC.EXE, then add the Snap-In for Certificates...  Computer Account... Local Computer, and do All tasks... Import.   When prompted, choose the option to automatically pick the certificate store.
    • Finally, on the POP3... Advanced tab, change the TLS section to use the named certificate that you generated to imitate the actual server.

    Test your POP connection to verify that the certificate error has gone away.

    Appendix:

    Why PEM and not PKCS12 format for the file download?

    Every certificate has a private key, which is used for signing other certificates and is used for establishing an encrypted session.    The private key is not used for verifying signatures.    Downloading the root certificate in PKCS#12 format will include the private key in the download.   Then when you install it on your PC, it gains the power to create a certificate which will be trusted by any other machine that has installed the root certificate.   This would be dangerous.    We only want UTM to have the ability to do this.    Downloading the certificate in PEM format gives the certificate without the private key, which gives you everything needed to trust certificates coming from UTM without giving you the ability to create your own certificates using that root.

    Hope this helps and does not confuse,

    Doug Foster 

  • Hi Jean,

    Doug's answered your question, but you might also be interested in The Zeroeth Rule in Rulz (last updated 2021-02-16).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Great description, Doug. Thanks. Very helpful, especially with the explanation of certs and warning about type of cert.

    It's not working for me, so I must have done something wrong. I still get asked if I want to accept the cert every time I start Outlook, even after I said yes to use the cert.

    When you said:

    - Go to Webserver... Certificate Management... Certificates and generate a certificate for the remote server name. 

    I did so and created the following: 

    Is that what you meant by remote server name? pop.gmail.com, which is where Outlook is looking for email via POP3.

    Also I see when I view the cert in outlook the issue is reported that cert can't be verified by a trusted cert authority, which doesn't really surprise me - is that not going to be true for all self signed certs?

    For the record, here's where the cert inserted itself automatically by MMC snap-in:

    Also for the record - to Bob's point - I do have a unique FQDN for my unit and can see it was used in my local 508 cert and webadmin cert.  

  • All of that looks right, but it means that the correct root has not been installed.  Download the pop.gmail.com certificate to a file, then open it (double-click or right-click... Properties; I forget which one.)    Go to the [Certificate Path] tab.   You can click on each certificate in the chain and see its properties.    The issuer of the last valid certificate is the one that you need to find and install on your PC.
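    The chain Doug describes in his first reply, and the issuer lookup he suggests above, re-created locally with openssl so each check can be watched on its own. This is an added example, not from the thread and not Sophos UTM's own tooling: a self-signed root named "Home VPN CA" (the CA name Jean's UTM uses later in the thread) signs a lookalike leaf for pop.gmail.com; the leaf fails verification against an empty trust store, passes once the root is trusted, passes the hostname check only for pop.gmail.com, its issuer field names the root that has to be installed, and the PEM export of the root carries no private key while a PKCS#12 export of it does. Assumptions: openssl 1.1.1 or later on PATH; the 30-day lifetime, the 2048-bit keys and the "demo" PKCS#12 password are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos UTM): re-create the kind of
# chain UTM presents and run the checks the mail client performs on it.
# Assumes openssl 1.1.1+ on PATH. Names, lifetimes and the password are made up.
set -eu

# Minimal openssl config, so the result does not depend on the system default file.
write_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:pop.gmail.com
EOF
}

# Build the two-level chain in directory $1: a root ("Home VPN CA", the name the
# thread uses for the UTM's signing CA) and a lookalike leaf for pop.gmail.com.
make_chain() {
    write_config "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$1/openssl.cnf" \
        -subj "/CN=Home VPN CA" -extensions ca_ext \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=pop.gmail.com" -keyout "$1/pop.key" -out "$1/pop.csr" 2>/dev/null
    openssl x509 -req -in "$1/pop.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -days 30 -extfile "$1/openssl.cnf" -extensions leaf_ext -out "$1/pop.crt" 2>/dev/null
}

# Check 1, the one Outlook is failing: does the chain end in a root the client trusts?
# $1 = chain dir, $2 = file of trusted roots, or "" for a PC without the UTM root installed.
chain_trusted() {
    if [ -n "${2:-}" ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1/pop.crt" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath "$1/pop.crt" >/dev/null 2>&1
    fi
}

# Check 2: does the server name typed into the mail client ($2) match the certificate?
name_matches() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1/ca.crt" \
        -verify_hostname "$2" "$1/pop.crt" >/dev/null 2>&1
}

# Doug's diagnostic: the issuer of the leaf is the root that has to be installed.
issuer_name() {
    openssl x509 -in "$1/pop.crt" -noout -issuer
}

# Doug's appendix: a PEM export of the root has no private key; a PKCS#12 export does.
export_p12() {
    openssl pkcs12 -export -in "$1/ca.crt" -inkey "$1/ca.key" -passout pass:demo -out "$1/ca.p12"
}
carries_private_key() {
    case "$1" in
        *.p12) openssl pkcs12 -in "$1" -nodes -passin pass:demo 2>/dev/null | grep -q "PRIVATE KEY" ;;
        *)     grep -q "PRIVATE KEY" "$1" ;;
    esac
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
make_chain "$WORK"
export_p12 "$WORK"

if chain_trusted "$WORK" ""; then echo "unexpected: trusted without the root"
else echo "no root installed: the client warns about the certificate (Outlook's prompt)"; fi
if chain_trusted "$WORK" "$WORK/ca.crt"; then echo "root installed: chain verifies"; fi
name_matches "$WORK" pop.gmail.com && echo "name pop.gmail.com matches the certificate"
name_matches "$WORK" imap.gmail.com || echo "name imap.gmail.com does not match"
echo "root to install: $(issuer_name "$WORK")"
carries_private_key "$WORK/ca.crt" || echo "ca.crt (PEM) carries no private key: safe to install"
carries_private_key "$WORK/ca.p12" && echo "ca.p12 (PKCS#12) carries the private key: do not install"
```

    The first two verify calls are the two states of Jean's PC: before and after the root from the Certificate Authorities tab is in Trusted Root Certification Authorities. The hostname check is why the leaf has to be generated for the remote server name and not for the UTM's own FQDN.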

  • I'm lost because there's no option to double click or right click a downloaded cert. .PEM is not associated to anything so right clicking or double clicking doesn't do anything. 

    I can go into MMC and import it, but I don't think that's where I understood the pop.gmail.com cert goes - I understood that cert was for selection on the POP3 Advanced tab on Sophos. Did I misunderstand?

    When you say the "current root has not been installed", do you mean Home VPN CA in Trusted Root Certificate, or something else?

    Also, when you say "You can click on each certificate in the chain, and see its properties." do you mean when I'm in the MMC Certificate snap-in, which would, for example (below), tell me the Home VPN CA cannot be verified, not unlike the message I'm getting from Outlook about the cert...?

    FWIW, I double checked that the certificate chain is the same for Home VPN CA and pop.gmail.com  

    Do I need to force the Home VPN CA cert somewhere else than Trusted Root Certification Authorities? Do I need to import the pop.gmail.com cert in a store? If so, which one?

    Sorry for my confusion. Hopefully I'm asking questions that point to what I missed. Thanks again for your help.

  • Try renaming it from .PEM to .CRT

    Then Windows will be less confused.

  • OK, that allowed me to right-click and install, but it didn't fix the problem.

    I can see the first Home Cert is for pop.gmail.com. 

  • Would it fix things if I used a real cert from Let's Encrypt? I could move my no-ip service from dynamic DNS to managed DNS and use my own domain (which I think I read was a condition for using Let's Encrypt).

    I guess I'm wondering if using a real cert from a real CA would fix the problem, i.e. could it be that Outlook is being strict about something one can't do with self-signed stuff? (I'm using Outlook 2013, by the way.)

  • Hmmm, just realized that won't work because I can't create a cert for pop.gmail.com given I don't own that domain...

    I'd rather get the cert thing working, but maybe I should look at standing up a POP3 server instead? Are there good free ones?