How can I trust a CA that fraudulently issued certificates that it is not responsible for?

I think you don't need a certificate for a transport-encrypted connection. But if I already pay for a certificate, then it should also be a trustworthy one. The next question would be whether my provider would accept a certificate with a bad reputation or just reject it like a self-signed certificate. The answer to this question doesn't matter to me because I am blacklisted behind a DSL connection. As I wrote earlier, I prefer Stunnel for the secure connection to my provider's smart host. Simply because I miss some configuration options in Mercury (blocking older/insecure ciphers etc) and without documentation... This is my personal opinion. Maybe some thoughts are not fully considered yet.

The limitations of Mercury IMAP (iPhones are having lots of problems downloading messages) and the problem of failed auto-forwards using the FORWARD file (rejections due to DMARC policies) have become serious issues here.  I really need to find a reliable way for our outside people, most with

iPhones, to access email and have seen Roundcube mentioned numerous times on this forum but can't tell whether it is the answer

or even whether I could figure out implementation 

I spent a couple of hours today web surfing in the hopes of understanding implementation and how it would work.  I found a lots of info and videos about Roundcube but little of it made sense to me (way out of my realm of knowledge).  I came across XAMPP but from what I could find it appears that Mercury must be "installed" into the XAMPP directory structure.  This appears to create a problem if wanting to use an existing Mercury installation.  I'm at a loss so would appreciate advice and guidance.

FWIW, I have Mercury running on a dedicated PC (Win10) with the mailboxes on a server (Windows Server 2012R2).  IMAP and SMTP to Mercury are currently the only outside access to anything on our LAN.

Roundcube works fine with your existing installation of Mercury, so don't change that. However, you will need Apache and MySQL as well. A complete package for Windows with those components can be found here: https://bitnami.com/stack/roundcube/installer

Hi Brian,

Roundcube is running fine here with us. No need to change anything on your existing Mercury installation, don't touch it. Our Roundcube is running on another Linux server and is accessing via IMAP to Mercury I and the single local user accounts. When the account is already locked by Pmail, RoundCube is not able to access.

What do you need to improve by using Roundcube? You have to know that you have to maintain another server (hardware/software) and you have to adjust different things for each user again, like subscribing of folders, creating of email signatures for each user account, etc. Further your iPhone users have to access via browser since Roundcube has a webbased frontend. AFAIK there is no Roundcube App available. [edit: now there is an App available in Google Playstore, may be also in Apple Store.]

In the meantime, many of our streetworkers are prefering Thunderbird getting access to Mercury via IMAP. This works great so far so that RoundCube is used more and more rarely. But of course, they use it with their computer and not by phone. For their phones they use an App from our mobile provider and an additional e-mail address where all mails will be automatically copied to.

Our problems are primarily related to IMAP access with the MAIL app on iPhones.  Maybe the solution is a different mail app although research into the problem hasn't revealed suggestions for an alternate app.  I'll change my research approach and see what I can find.

As already said in other threads, we also expierenced problems with the auto forward function of Mercury. That's why I have completely disabled it for all users. Incoming things which have to be permanently copied to additional external addresses are arranged with the ISP where additional "copy to" addressies could be arranged for each user account. Since we do not longer use FORWARD functionality, sending of mails is running without problems.

I spent some time this morning looking into email client apps for iOS.  I was surprised at how many there are.  After reading numerous websites that ranked them I thought Outlook was the highest rated and most appropriate for us.  I was never able to get it to connect.  It sees the certificate (Mercury self-created) as expired and I can't find a way to override that.

I then tried Spark.  It didn't like the certificate either but is more configurable than Outlook allowing selection of STARTTLS instead of SSL.  That allowed me to override the certificate issue.  It looks promising on first play.

Both report an expired certificate which is dated six months ago today.  Is six months a fixed expiration period?

Did you rechecked your selfsigned certificate? I think both applications could not be wrong.

What do you mean by "recheck"? 

The notice from both apps was that the certificate was invalid or expired so perhaps they didn't like that it was self-signed.  It seemed too coincidental that the certificate was exactly 6 months old which is why I asked if they have a set expiration time.

That applications does not like self-signed certificates is nothing new for me.

Do you have your own ca? Do you use something like easy-rsa with the standard openssl.cnf file for creating your ca and all clients? If so then what is the entry for "default_crl_days" in the used *.cnf-file? Could it be 180 days or 6 months?

I ask this because i am using OpenVPN and had an annoying problem with the "default_crl_days" setting. The expiration date for all clients was 365 days but the ca does not accept any valid certificate after 30 days...

Hi Brian,

 You can get a pretty cheap certificate here: 8.95USD/Year

https://comodosslstore.com/positivessl.aspx

Based on the history of the Comodo CA i would not use this anymore. I am experimenting with letsencrypt. I believe that this is the better way than using a cheap CA with bad reputation.

What's the bad reputation? Surely it's better than a self signed certificate....  I looked at LetsEncrypt but it was just too much of a hassle.   I'm not running an eCommerce site that has to be locked up tight but just want an encrypted connection so too be honest don't understand why people using self-signed certificates are penalized so much...