Outlook issue

GRoston

In an attempt to make my emails get through on a regular basis, I created a DNS CNAME record that points smtp.mydomain to smtp.server.com. This way, the URL for the SMTP server and the return email address are from the same domain. Seems perfectly reasonable.

However, when I try sending an email, I get a warning window from Outlook that says:
The server you are connected to is using a security certificate that cannot be verified.
The target principal name is incorrect
[View certificate]
Do you want to continue using this server?
This is not an issue, so I clicked on [View certificate] then [Install Certificate], under the assumption that once the certificate is installed, problem resolved. However, I get this warning every time I first try sending an email after Outlook has been restarted.

What should I do to resolve this issue?
 

My first impression is, why do you need to change the SMTP address to match the email address? SMTP is only used internally to send mails and end users never point to it directly, only your users when configuring their clients for the first time. That said, it's not entirely unreasonable that you want both to match, so let's try to fix it.

The root problem is that, by using a CNAME, you give an alternative address to the mail server. But the server itself doesn't know anything about it, so it continues to serve its previous certificate, in which it identifies itself as "smtp.server.com" (following the OP's convention). When you point an email client to smtp.mydomain and it gets such a certificate, the domains don't match, hence the error. You may know it's just a wrong certificate caused by a name change, but Outlook has no way to possibly know it, so it treats it as a hacking attempt and blocks the connection, as it should do.

The correct solution is to fix the server certificate. Create a new one with the new domain for the mail server and put it there. Then Outlook will observe it matching the configuration and will allow it. Also be sure to revoke the old certificate if you'll no longer use it.


This is not an issue

Yes, it is, and a severe one in fact. While you know that it's expected in this particular case, it could also mean that your connection has been hacked, since the TLS certificate doesn't match the one expected. The worst thing you can do is to take a certificate issue lightly.


so I clicked on [View certificate] then [Install Certificate], under the assumption that once the certificate is installed, problem resolved
Installing a certificate means that you trust it as a root certificate authority. This could hide issues when you use a self-signed certificate (which you must never do), but a name mismatch like the one here is not solved that way. In fact there are very few cases (if any) when installing a certificate is a good option.
 

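Added example, not part of the original posts: the host name check described in the reply above, reduced to its core in Python and run against a constructed certificate for smtp.server.com. The function names, the wildcard entry in the sample certificate, and port 587 with STARTTLS in the live probe are assumptions made for illustration.

```python
import smtplib
import ssl

def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match; '*' may only be the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_configured_name(configured_host: str, cert: dict):
    """cert is shaped like ssl.SSLSocket.getpeercert(). Returns (ok, dns_names)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_name_matches(n, configured_host) for n in names), names

def probe_starttls(configured_host: str, port: int = 587):
    """Live check against your own server (port 587 + STARTTLS is an assumption).
    Returns None if the certificate verifies, else the verifier's message."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    try:
        with smtplib.SMTP(configured_host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
        return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message

# Constructed sample: the certificate the provider's server keeps presenting.
# The wildcard entry is invented here to exercise the wildcard rule.
PROVIDER_CERT = {
    "subject": ((("commonName", "smtp.server.com"),),),
    "subjectAltName": (("DNS", "smtp.server.com"), ("DNS", "*.mail.server.com")),
}

if __name__ == "__main__":
    # The CNAME smtp.mydomain -> smtp.server.com changes where the client
    # connects, not the name it verifies, so the alias fails the check.
    for host in ("smtp.server.com", "smtp.mydomain", "a.mail.server.com"):
        ok, names = check_configured_name(host, PROVIDER_CERT)
        print(f"{host:20} {'OK' if ok else 'MISMATCH'}  cert covers {names}")
```

The offline check needs no network; `probe_starttls` is only for confirming, against a server you run, that a reissued certificate now covers the configured name.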
I had mistakenly thought that if the domain in my return email address matched the SMTP server's domain, it might improve the odds against anti-spam stuff.
 
