
We are currently transitioning our site to use HTTPS everywhere, and this includes the emails that we send to customers. On our internal testing environments, we are using IIS with SSL certificates signed by our own company-internal CA. This CA is implicitly trusted by having its cert installed into the Local Computer > Trusted Root Certification Authorities certificate store on all machines.

However, in any email we generate that contains links to images from servers using our self-CA-signed certs, those images show up as the standard missing images/red X in Outlook 2013. If I choose Actions > View in Browser in Outlook, IE opens the message with the images displayed correctly.

We've tried numerous things: the "Do not save encrypted pages to disk" setting, the Group Policy setting for the same, and various other hints and tips I've found via Google - none of which have made any difference.

Basically it seems that Outlook is refusing to trust our cert, even though its CA is trusted - almost as if it's using its own internal list of trusted CAs and not the local machine's. Is this the case and is there any way around this behaviour? If not, why is this happening and what can I do to get around it?

Jacob Evans
Ian Kemp
  • What happens when using HTTP? Outlook by default doesn't download images, so this could very well be unrelated to HTTPS. Also, you should have another button in Outlook to show images (without using an external browser): what happens if you click it? – Massimo Oct 13 '16 at 09:58
  • @Massimo HTTP images work fine, and Outlook's "show images" works fine with HTTP; as soon as the images are served over HTTPS, Outlook refuses to show them. – Ian Kemp Oct 13 '16 at 10:46
  • Outlook does not display images in an email by default; it is a security risk and it also leaks information by its very nature. https://support.office.com/en-us/article/Block-or-unblock-automatic-picture-downloads-in-e-mail-messages-daf2532d-68f7-4e7b-935e-fbec5146f74e – Ricardo C Oct 14 '16 at 15:00
  • @RicardoC The HTTPS images aren't displayed even if I choose to show the images. – Ian Kemp Oct 14 '16 at 15:34
  • Go to your Internet Options (easy to find inside IE settings) and place the domain for the pictures in the 'Trusted sites' zone inside the Security tab. – Ricardo C Oct 14 '16 at 15:52
  • If you look at the images in a browser (inspect element), are they linked via https or http? If they are linked via http they won't show; a browser (Chrome) will display a key on the right-hand side of the address bar that you can click to 'load unsafe scripts' and the images should appear. Also check the links in your CSS files, as they might be plain http, in which case they will also be blocked. – Sum1sAdmin Oct 14 '16 at 15:54
  • @Sum1sAdmin He can see them in the browser; he is having issues seeing them inside the body of the email in Outlook. – Ricardo C Oct 14 '16 at 15:55
  • Still, exceptions can be made to 'load unsafe scripts'; it's worth confirming there is no mixed content with issues such as this. – Sum1sAdmin Oct 14 '16 at 15:56
  • "HTTP images work fine, Outlook's 'show images' works fine with HTTP, as soon as the images are served over HTTPS Outlook refuses to show them" – this sounds like mixed content to me: Outlook is honouring the https connection and ignoring un-encrypted elements. – Sum1sAdmin Oct 14 '16 at 16:00
  • Paste your URL into https://www.whynopadlock.com/ or look at the Chrome console. – Sum1sAdmin Oct 14 '16 at 16:03
  • @Sum1sAdmin As stated, these are internal testing environments. They cannot be accessed from the Internet. – Ian Kemp Oct 15 '16 at 12:26
  • Post the cert properties including the chain, please. – Jacob Evans Oct 15 '16 at 13:14
  • Do you have some steps to reproduce the issue? I have an enterprise PKI I can test it against. Do you have the CRL published over HTTP? I'm betting on a revocation issue. – Jacob Evans Oct 19 '16 at 03:44
  • @JacobEvans I have a similar issue and I believe this is a bug in Outlook. When I "View in Browser" it looks fine, so I guess the resources and servers are set up correctly. – Franklin Yu Oct 08 '18 at 22:19
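The comments ask for the certificate chain and raise revocation (CRL reachability) as a likely cause. The following PowerShell check is an added example, not code from the question or any commenter: run from the Outlook client it fetches the certificate the internal image server presents, builds the chain exactly as Windows does with online revocation checking forced on, and prints the SANs, the CRL distribution points and every chain-status error. The host name is a placeholder for your own internal server.

```powershell
# Added diagnostic (not from the original thread). $HostName is a
# placeholder for the internal server that serves the email images.
param(
    [string]$HostName = 'images.test.corp.internal',  # placeholder
    [int]$Port = 443
)

Add-Type -AssemblyName System.Security

# Open a TLS session and accept whatever the server sends, so we can
# inspect the certificate ourselves instead of letting .NET reject it.
$acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($HostName)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $client.Dispose()
}

# Build the chain against the Local Computer / Current User stores with
# revocation checking ON for the whole chain; an unreachable CRL shows up
# here as RevocationStatusUnknown / OfflineRevocation.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($leaf)

# Extensions that matter for the symptom: SAN must contain $HostName
# (custom TLD included), and CRL distribution points (OID 2.5.29.31)
# must be resolvable from the client.
$san = $leaf.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$cdp = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }

"Subject  : $($leaf.Subject)"
"Issuer   : $($leaf.Issuer)"
"Valid    : $($leaf.NotBefore) -> $($leaf.NotAfter)"
"SAN      : $(if ($san) { $san.Format($false) } else { '(none)' })"
"CRL DP   : $(if ($cdp) { $cdp.Format($false) } else { '(none)' })"
"Chain OK : $chainOk"
foreach ($el in $chain.ChainElements) { "  -> $($el.Certificate.Subject)" }
foreach ($st in $chain.ChainStatus)   { "  !! $($st.Status): $($st.StatusInformation.Trim())" }
```

A chain that builds cleanly with revocation off but fails here with RevocationStatusUnknown or OfflineRevocation points at the CRL distribution point rather than the root trust; a missing or mismatched SAN entry for the internal host name is the other finding to look for.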

1 Answer


Globally valid Comodo certs are $9 from Namecheap. If you work for minimum wage (I'm betting you don't) and you've spent more than an hour on this, it's not worth your time. You might be able to "fix" your internal clients, but when mailing anyone outside your organization your images will be varying levels of broken.

  • Actually, you don't even have to pay anymore: https://letsencrypt.org/ . It's free, you can fully automate / provision certificates, and it is supported by all (google / mozilla / facebook / whatever). – Fredi Oct 13 '16 at 15:32
  • Our production, public-facing websites have Thawte certificates and Outlook works fine with images from those. We can't use third-party certs on our internal environments because they (a) aren't exposed to the internet and (b) use a custom (non-IANA) TLD. – Ian Kemp Oct 14 '16 at 06:29
  • @Fredi, I'm aware of Let's Encrypt but I didn't recommend it because he's using IIS. I haven't seen a good way to integrate LE with IIS yet. – user96232 Oct 14 '16 at 12:28
  • Do you mean besides using nginx, haproxy, apache, or any other reverse proxy (as you should)? – Jacob Evans Oct 15 '16 at 02:03
  • @JacobEvans We're using Microsoft's ARR as a reverse proxy. – Ian Kemp Oct 15 '16 at 12:25