3 Replies Latest reply: Sep 25, 2013 4:13 AM by robfoster34
robfoster34 Level 1 (10 points)


I'm using 10.6 Server with Kerio mailserver for email.


I have self-signed certificated in both 10.6 Server Admin and Kerio mailserver, which used to come up correctly when I added a mail account on a client's machine.


When I add a mail account to a client's computer now (10.8.5 Mountain Lion), the certificate that comes up is nothing to do with my company; it is a certificate through GeoTrust, RapidSSL and then shows an expired certificate for neuhaus-chocolates, which is nothing to do with us. Could it be that we've been hacked? And has anyone got any suggestions as to what I can do to fix it, as I'm at a loss?



Xserve, Mac OS X (10.6.8)
  • MrHoffman Level 6 (14,849 points)

    It's not clear (to me) where in the client's computer you're seeing this.


    In general, delete that certificate from the Keychain, and add your certificate(s) into the Keychain.  (Safest to add these certs via a trusted access path, too.)


    Also check the client's view of the local DNS services and the associated IP addresses here, and make sure you're not getting to a different server.  In this case, to the chocolate folks.  (You've obfuscated the target domain, so I can't check this case.)


    If you want to follow through with the "have I been hacked?" discussion, that can take a day or two (and potentially longer) of digging around to determine what's happened and how and whether there are any obvious back-doors left around, and (for most cases, with most clients) it's usually easier to preemptively wipe the client system and install from distro, roll the user's own files in from backup, change all the passwords and all the local private keys, and otherwise lock down the client system.  (There are exceptions, of course.   For hacked servers and for some clients, figuring out how the attack has happened can be more useful.  But it's more involved.)


    FWIW, if you're running your own public key chain here, then load your root cert public key into the server and into the clients, and use CSRs from the various clients to set up the key-pairs for the various servers and clients involved.  (I'd guess you're not implementing this private CA approach though, based on your "certificated" phrasing; I'm going to assume that was intended to be "certificates", and that you have two separate self-signed certs here.)

  • robfoster34 Level 1 (10 points)

    Thanks for the reply

    That screenshot comes up after I enter the email address and password in Add Account in Mac Mail. The strange thing is that I can't find that certificate in the keychain anywhere on the server's keychain to allow me to delete it.


    The DNS settings on the client machines (I've tested on a number of client machines) are definitely pointing to our server. I blurred out the target domain as I didn't want to add any chance of more problems, but I could put it on here if you think that would help.


    As for the hacking, we have been compromised recently when the antivirus on the server stopped working and a number of Trojans got onto the PCs on the network. That's all been fixed, but you can see why I'm wondering what's going on.


    You are correct, that should have been certificates. I have 2 self-signed certificates, one in Server Admin and one in Kerio mailserver.

  • robfoster34 Level 1 (10 points)

    As it turns out, the people who do our website moved it and forgot to remove the certificate of the company that used to be hosted at that IP, so they've now removed it and the problem has gone. Not best pleased that I spent the best part of a day trying to work that out, or that our website was allowed to go live with an invalid, non-connected certificate, but at least we haven't been hacked.
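
The check suggested in this thread (confirm which server each name actually reaches, and which certificate it presents there) can be scripted. The following is an added example, not part of the original posts: it compares the certificate presented at every resolved address and port with the fingerprint of the certificate you installed. The host names, addresses and certificate bytes are constructed placeholders, and only implicit-TLS ports are covered (STARTTLS ports need a protocol-specific upgrade first).

```python
import hashlib
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def resolve_ipv4(name):
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def fetch_der(ip, port, sni, timeout=5.0):
    """Leaf cert presented on an implicit-TLS port; audit() does the pin check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # validation is off on purpose: we only
    ctx.verify_mode = ssl.CERT_NONE  # want to see what the endpoint presents
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)

def audit(names, ports, pinned, resolve=resolve_ipv4, fetch=fetch_der):
    """One row per (name, ip, port): 'expected', 'UNEXPECTED' or 'unreachable'."""
    rows = []
    for name in names:
        for ip in resolve(name):
            for port in ports:
                try:
                    fp = fingerprint(fetch(ip, port, name))
                    status = "expected" if fp in pinned else "UNEXPECTED"
                except OSError as exc:  # refused, timed out, TLS handshake failed
                    fp, status = type(exc).__name__, "unreachable"
                rows.append((name, ip, port, status, fp))
    return rows

# Constructed sample data: stand-in bytes, not real certificates or hosts.
OUR_CERT, OTHER_CERT = b"constructed-our-self-signed", b"constructed-previous-tenant"
SAMPLE_DNS = {"example.test": ["192.0.2.10"], "mail.example.test": ["192.0.2.20"]}
SAMPLE_TLS = {("192.0.2.10", 443): OTHER_CERT, ("192.0.2.20", 993): OUR_CERT}

def sample_fetch(ip, port, sni):
    if (ip, port) not in SAMPLE_TLS:
        raise ConnectionRefusedError(f"{ip}:{port}")
    return SAMPLE_TLS[(ip, port)]

def demo():
    return audit(["example.test", "mail.example.test"], [443, 993],
                 {fingerprint(OUR_CERT)}, SAMPLE_DNS.__getitem__, sample_fetch)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Against live hosts, call `audit()` with your own names and the fingerprint of your installed certificate; an `UNEXPECTED` row identifies the address and port that is presenting someone else's certificate.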