Microsoft KB Archive/904983

= You cannot connect to a server that is running Exchange 2000 Server or Exchange Server 2003 to download e-mail messages when you use IMAP4 or POP3 through a Secure Sockets Layer (SSL) connection =

Article ID: 904983

Article Last Modified on 10/25/2007

APPLIES TO


 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Exchange 2000 Enterprise Server

SYMPTOMS
When you use Internet Message Access Protocol, version 4rev1 (IMAP4) or Post Office Protocol 3 (POP3) through a Secure Sockets Layer (SSL) connection to connect to a server that is running either Exchange 2000 Server or Exchange Server 2003 to download e-mail messages, you cannot connect to the server. Additionally, you may receive an error message that states that the server has unexpectedly closed the connection.



CAUSE
This problem occurs if the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security policy is enabled on the client computer or on the server. When this security policy is enabled, the client or the server requires Federal Information Processing Standard (FIPS)-compliant encryption to be negotiated for programs that use cryptographic services. The SSL participants are then limited to a specific set of cipher suites. These cipher suites are called "block ciphers". Block cipher algorithms include data padding as part of their implementation. The Exchange SSL implementation does not handle this padding correctly.



RESOLUTION
To resolve this problem, disable the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security policy on the client or on the server if this security policy is not required.

If the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security policy is enabled in Local Security Policy, follow these steps.
 1. Click Start, click Run, type secpol.msc, and then click OK.
 2. Expand Local Policies, click Security Options, and then double-click "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" in the right pane.
 3. Click Disabled, and then click OK.

If the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security policy is enabled as part of Group Policy, contact the administrator for help.
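
To confirm whether the policy is actually in effect on a client or server before changing it, the setting can be read from the registry. The following PowerShell is an added example and is not part of the original Microsoft article; the function name Get-FipsPolicyState is hypothetical, and the registry locations and the .NET cross-check are assumptions that the article itself does not list.

```powershell
# Added example (not from the KB article): report whether the
# "System cryptography: Use FIPS compliant algorithms..." policy is enabled.
# Assumption: the setting is stored under HKLM\SYSTEM\CurrentControlSet\Control\Lsa,
# either as the subkey value FipsAlgorithmPolicy\Enabled (newer Windows versions)
# or as a DWORD value named FIPSAlgorithmPolicy directly under Lsa (older versions).
function Get-FipsPolicyState {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Newer layout: subkey "FipsAlgorithmPolicy" with a DWORD value "Enabled".
    $new = Get-ItemProperty -Path "$lsa\FipsAlgorithmPolicy" -Name Enabled `
                            -ErrorAction SilentlyContinue
    # Older layout: DWORD value "FIPSAlgorithmPolicy" stored on the Lsa key itself.
    $old = Get-ItemProperty -Path $lsa -Name FIPSAlgorithmPolicy `
                            -ErrorAction SilentlyContinue

    if ($null -ne $new) {
        $source = 'Lsa\FipsAlgorithmPolicy\Enabled'
        $value  = [int]$new.Enabled
    } elseif ($null -ne $old) {
        $source = 'Lsa\FIPSAlgorithmPolicy'
        $value  = [int]$old.FIPSAlgorithmPolicy
    } else {
        # Neither value exists: treat the policy as not configured (disabled).
        $source = 'not set'
        $value  = 0
    }

    # Cross-check with what the .NET runtime hosting PowerShell reports.
    # The property may be missing on very old runtimes, so failures yield $null.
    $dotNet = $null
    try {
        $dotNet = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    } catch { }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        RegistrySource  = $source
        RawValue        = $value
        FipsEnabled     = ($value -ne 0)
        DotNetFipsOnly  = $dotNet
    }
}

Get-FipsPolicyState | Format-List
```

Run it on both the client and the Exchange server, because the article states that the policy on either side can cause the failure. If FipsEnabled is True but the setting shows as Disabled in secpol.msc, the value is probably being applied by Group Policy, which is the case the article refers to the administrator.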



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



MORE INFORMATION
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

811833 The effects of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Windows XP and later versions

Keywords: kbexchpopimapnntp kbprb KB904983

© Microsoft Corporation. All rights reserved.