DavMail calculates the SHA-1 hash of the SSL certificate of every Exchange server it connects to and stores it in its davmail.properties configuration file.
When the Exchange server's SSL certificate changes, you have to update the hash in the davmail.properties file, or else any client trying to connect to it will hit the following exception:
Connect exception: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: User rejected certificate
To resolve this, you have to calculate the SHA-1 hash of the new certificate.
There are several ways to do this. One is to use the gnutls utility:
sudo apt install -y gnutls-bin && gnutls-cli -p 443 mail.server.url | grep SHA
Grab the SHA-1 fingerprint value; it goes into the file after a small tweak, which is explained in the last step below.
The second way is to use a browser such as Chrome: visit the URL, click the secure icon next to it, then click the certificate (whether valid or invalid) and copy the SHA-1 Fingerprint value.
Last step would be to do the following (VERY IMPORTANT):
- Convert all characters to capital letters
- Put a colon preceded by a backslash (\:) between each pair
- Remove all zeros
will be converted to
Now finally copy that string and paste it inside your davmail.properties file in davmail.server.certificate.hash, i.e.:
Restart the davmail service, and you’re done!
First get the raw certificate:
echo Q |openssl s_client -connect mail.example.com:443
Copy the lines from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- to a file, say cert.pem, and generate the SHA1 fingerprint using:
openssl x509 -in cert.pem -sha1 -noout -fingerprint
As of davmail version 5.2.0, trimming zeros is not necessary (and doesn’t seem to work).
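An added example, not part of the original post, the comment or DavMail itself: a shell helper that takes a fingerprint as openssl prints it or as copied from a browser, checks that it really is a SHA-1 digest, and writes it in the escaped form described above to davmail.server.certificate.hash. The function names are hypothetical, mail.example.com is a placeholder, and zeros are left in place, following the comment's report for version 5.2.0.

```shell
#!/usr/bin/env bash
# Added example (hypothetical function names; not DavMail code).

# normalize_fp VALUE: accept a SHA-1 fingerprint as openssl prints it
# ("SHA1 Fingerprint=AB:CD:..."), or bare hex with colons or spaces, and print
# 20 uppercase pairs joined by "\:". Returns 1 if it is not 40 hex digits.
normalize_fp() {
    # Drop an optional "label=" prefix, keep hex digits only, upper-case them.
    _hex=$(printf '%s' "${1##*=}" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F')
    [ "${#_hex}" -eq 40 ] || { echo "not a SHA-1 fingerprint: $1" >&2; return 1; }
    # Append "\:" after every pair, then remove the trailing separator.
    # java.util.Properties reads "\:" back as a plain colon.
    printf '%s\n' "$_hex" | sed -e 's/../&\\:/g' -e 's/\\:$//'
}

# fetch_fp HOST [PORT]: the two openssl steps from the comment as one pipeline.
fetch_fp() {
    echo Q | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null |
        openssl x509 -sha1 -noout -fingerprint
}

# set_davmail_hash FILE VALUE: replace (or add) the pinned hash line in FILE,
# leaving every other property untouched. Nothing is written on bad input.
set_davmail_hash() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    _val=$(normalize_fp "$2") || return 1
    _tmp=$(mktemp) || return 1
    grep -v '^davmail\.server\.certificate\.hash=' "$1" > "$_tmp" || true
    printf 'davmail.server.certificate.hash=%s\n' "$_val" >> "$_tmp"
    cat "$_tmp" > "$1" && rm -f "$_tmp"
}

# Usage (mail.example.com is a placeholder host):
#   set_davmail_hash davmail.properties "$(fetch_fp mail.example.com)"
```

Compare the fingerprint with one obtained from the server's administrator before writing it, since DavMail accepts whichever certificate matches the pinned hash.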