Avoid Warning When Checking Secure Email
I finally found time to write this entry about how to get rid of the security warning when using SSL/TLS for your email. Sorry about the delay.
SSL has two purposes: security and authentication. Even if the authentication fails, the security still works and all the traffic will be encrypted. If you’re as annoyed as I am about the warning, you can go through these extra steps in order to get rid of the message, but it will not make the security any better (or worse).
Let’s just recap the problem. When using SSL/TLS to secure your communication, you’ll get an annoying warning, either because the SSL certificate isn’t issued by a “trust provider”, or because the certificate is issued to mail.dreamhost.com and not to mail.yourdomain.com.
Outlook Express’s warning is not very helpful, and gives you no other options than accepting the problem or aborting. But if you open https://mail.yourdomain.com:995/ in your browser you’ll get a clearer picture. The browser will most likely show your communication with the mail server, which isn’t worth much since we’re not submitting any parameters, but we get a chance to view the security alert.
Mozilla Thunderbird is a bit more helpful (no surprise), and lets you examine the certificate and possibly accept it directly from the alert message.
Trust the certifying authority
The first warning is because the certificate was not issued by a trusted Certification Authority like Thawte or VeriSign, but by DreamHost themselves. More info about Certification Authorities in the Knowledge Base.
If you click “View Certificate”, you get the possibility to “Install Certificate…”.
You will then start the “Welcome to the Certificate Import Wizard”. Just step through the wizard, and select the standard option for all choices.
If you connect to https://mail.yourdomain.com:995/ again, you’ll see that there is now one warning less.
Match name of site
The other warning states that there’s a mismatch between the domain you’re connecting to and the domain the certificate was issued to. This is because you’re connecting to mail.yourdomain.com and the certificate is issued to mail.dreamhost.com.
We can get around this warning by creating a local alias for mail.yourdomain.com called mail.dreamhost.com.
Find out the IP address of mail.yourdomain.com by pinging the server. I’m on Randy, which has the IP 66.33.205.175. Put the following line in your hosts file (C:\Windows\System32\Drivers\etc\hosts on Windows XP, /etc/hosts on OS X and Linux):
# alias for mail.yourdomain.com
66.33.205.125 mail.dreamhost.com
Now update your email client to connect to mail.dreamhost.com instead of mail.yourdomain.com. Hopefully it will now connect to your mail server and fetch your mail without any warnings.
Please notice that the IP addresses of the mail servers are not necessarily static, so you might have to update the IP in your hosts file from time to time.
Your Mileage May Vary: Please let me know in the comments, if this works for you.
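As an added example (not part of the original post), the following Python models the two checks behind the two warnings described above: whether the issuer is one the client trusts, and whether the name the client connected to is among the names the certificate was issued to (subject CN plus Subject Alternative Name entries). The certificate dicts are constructed samples shaped like Python’s ssl getpeercert() output, and trust is simplified to a set of issuer organization names rather than a real chain validation.

```python
from fnmatch import fnmatchcase

# Constructed sample shaped like ssl.SSLSocket.getpeercert(): issued by
# DreamHost to mail.dreamhost.com, no Subject Alternative Name extension.
DREAMHOST_CERT = {
    "subject": ((("commonName", "mail.dreamhost.com"),),),
    "issuer": ((("organizationName", "DreamHost"),),),
}
# Same certificate with the SAN extension a commenter suggests (constructed).
SAN_CERT = dict(DREAMHOST_CERT, subjectAltName=(
    ("DNS", "mail.dreamhost.com"), ("DNS", "mail.yourdomain.com")))
# Simplified trust store: issuer organizations the client accepts.
TRUSTED_ISSUERS = {"Thawte", "VeriSign"}


def cert_names(cert):
    """Every DNS name the certificate was issued to: subject CN plus SAN dNSNames."""
    names = [value for rdn in cert.get("subject", ()) for key, value in rdn
             if key == "commonName"]
    names += [value for kind, value in cert.get("subjectAltName", ())
              if kind == "DNS"]
    return names


def hostname_matches(cert, hostname):
    """True if hostname equals a certificate name or is covered by a
    leftmost-label wildcard such as *.dreamhost.com (one label only)."""
    host = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and fnmatchcase(host, name)):
            return True
    return False


def diagnose(cert, hostname, trusted_issuers=TRUSTED_ISSUERS):
    """Return the warning codes a client would raise for this connection:
    'untrusted-issuer' (warning one) and/or 'hostname-mismatch' (warning two)."""
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    warnings = []
    if issuer.get("organizationName") not in trusted_issuers:
        warnings.append("untrusted-issuer")
    if not hostname_matches(cert, hostname):
        warnings.append("hostname-mismatch")
    return warnings
```

Installing the certificate (first section) corresponds to adding "DreamHost" to the trusted set; the hosts alias (second section) corresponds to changing the hostname argument, which is why the second warning disappears without the certificate itself changing.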
March 8th, 2006 at 18:36
That may work for Outlook, but it won’t necessarily work in all clients. However, if you added all the domain names that could be associated with the certificate to the “Subject Alternative Name extension” field, then clients that support certificates fully wouldn’t show the warning.
See section 4.2.1.7 of RFC 3280 for details.
March 8th, 2006 at 22:12
This doesn’t seem to work for Mail on Mac OS X. I have followed the instructions here:
http://docs.info.apple.com/article.html?artnum=25593
And I’ve added my mail server’s IP to /etc/hosts as you described, but Mail still gives me a warning every time it starts up and checks for mail.
Luckily, for any subsequent checks the warning is suppressed, so I can live with it, but still…you’d think there would be a way to turn off all self-signed certificate warnings in Mail, even during startup.
March 9th, 2006 at 09:36
Yeah, it would be really nice if there were a way to fix this on OS X, but I’ve been trying to for more than a year now with no success.
March 9th, 2006 at 13:32
I got this working in OS X.
Accepting a certificate is not the most intuitive process in Mail:
To permanently accept a self-signed SSL certificate:
1. Click the Show Certificate button in the error message.
2. The certificate appears with a certificate icon in the upper-left corner.
3. Hold down the Option key and drag the certificate icon to the desktop.
4. Double-click the certificate icon on the desktop, and choose X.509 Anchors from the pop-up menu. Click Add.
5. The certificate is permanently accepted.
You’ll have to edit the hosts file as described above (remember to change permissions back – I’d recommend using batchmod over the Finder if you want a GUI method)
March 9th, 2006 at 13:58
Tim – How do you edit the certificate? Can you do this as an user, or would DreamHost have to do this?
Trevor – Did you change the POP/IMAP server in Mail to mail.dreamhost.com?
Daniel – Maybe Andrew’s comment can help, or Medlar’s comment at http://blog.dreamhosters.com/kbase/index.cgi?area=658. Best of luck…
March 9th, 2006 at 15:34
C: Dreamhost would have to do it.
March 9th, 2006 at 19:10
Just a moment … that will work for a day or so, but the mail server’s IP address is round-robin, isn’t it?
bento:~ dmd$ host mail.3e.org
mail.3e.org has address 66.33.205.127
mail.3e.org has address 66.33.205.175
mail.3e.org has address 66.33.205.124
mail.3e.org has address 66.33.205.125
mail.3e.org has address 66.33.205.126
March 9th, 2006 at 19:12
Oh. Never mind. I wasn’t understanding what you were meant to do. I get it now.
March 9th, 2006 at 19:18
It works! Thanks!
March 10th, 2006 at 03:52
Tim – They would have to add all customers’ domains (more than 200.000), right? Or at least all mail servers, and would then have to update the certificate every time they add a mail server? I guess this is not flexible enough for them?!
Daniel – Great! On which system/client?
March 10th, 2006 at 05:17
C: Yes and perhaps. But it’s a pain still.
PS: Sorry, I was a bit confused about which Dreamhost blog I was reading. The “you” in my original post should read “Dreamhost”.
April 24th, 2006 at 11:55
If you’re using Mozilla Thunderbird, Andrew Lucking created a very handy extension to “remember” mismatched domains. It works perfectly for me and you can get it at http://www.andrewlucking.com/archives/category/remember-mismatched-domains/
April 24th, 2006 at 19:02
There is a problem with this because by changing the IP that your computer thinks is mail.dreamhost.com you could run into issues later on if you ever actually need to reach the server mail.dreamhost.com.
July 30th, 2006 at 04:13
Apparently installing mismatched certificates is no longer possible in Windows Vista.
I checked with Dreamhost whether there was a possibility to use your own certificate, but that was not possible (because all the mail servers are on the “same” box)
September 5th, 2006 at 13:34
Worked great with Windows 2000 and Outlook 2000, THANK YOU SO MUCH for this howto!
Slight additions:
To install the certificate from a browser, I think you need to use IE. I tried the same operation with Firefox and it didn’t seem to do the right thing (I may have not been pushing the right buttons though).
For Windows 2000, the path to the “hosts” file is: C:\WINNT\System32\Drivers\etc\hosts
Best, -Mike.
September 23rd, 2006 at 16:50
Hey all, I’m using Mail on OS X 10.4, and for a good year or so I’ve occasionally tried to dive back into it & get rid of the damn warning. Today I found this & thought I finally had it working, as I no longer get the warning, but it turns out I can’t check email using mail.dreamhost.com w/ SSL because it’s saying port 993 times out. I can check email over port 993 fine w/ mail.mydomain.com (but get the cert warning), just not dreamhost.
Is there something I’m missing or doing wrong? Is my u/p the same with either dreamhost or mydomain?
Any suggestions would be GREATLY appreciated.
~ Willo
November 18th, 2006 at 20:08
For installing the Certificate, IE7 doesn’t like it. Best bet is to install the certificate using IE6 or whatever, if you have another machine with the certificate installed you can export and import using IE7.
Personally I would prefer not to use IE at all, but then the company requires Outlook to be running.
One thing you could do if the Mail servers change is create a logon script that replaces the hosts file on logon or startup. Replace it with the backup, get the ip address off mail.yourdomain.com and then create the hosts record for mail.dreamhost.com to that ip address. Then if it goes down people just need to restart their machines or logoff/logon.
Cheers, Chris.
November 18th, 2006 at 20:40
As per my previous comment, here is a batch script that does exactly that:
REM Copy the hosts file without any existing mail.dreamhost.com line (find /v drops matching lines)
type c:\windows\system32\drivers\etc\hosts.|find "mail.dreamhost.com" /v>c:\windows\system32\drivers\etc\hosts.tmp
REM Ping the real server and take the address (third token) from the first "Reply from x.x.x.x:" line
for /f "skip=2 tokens=3 delims=: " %%A in ('ping mail.yourdomain.com') DO (
call:write "%%A"
goto:cleanup)
:write
REM Append the alias line: <current IP> mail.dreamhost.com
ECHO %~1 mail.dreamhost.com>>c:\windows\system32\drivers\etc\hosts.tmp
goto:eof
:cleanup
REM Replace the hosts file with the rebuilt copy and remove the temp file
type c:\windows\system32\drivers\etc\hosts.tmp>c:\windows\system32\drivers\etc\hosts.
del c:\windows\system32\drivers\etc\hosts.tmp
pause
:eof
Cheers, Chris.