Avoid Warning When Checking Secure Email

I finally found time to write this entry about how to get rid of the security warning when using SSL/TLS for your email. Sorry about the delay.

SSL has two purposes: security and authentication. Even if the authentication fails, the security still works and all the traffic will be encrypted. If you’re as annoyed as I am by the warning, you can go through these extra steps in order to get rid of the message, but it will not make the security any better (or worse).

Let’s just recap the problem. When using SSL/TLS to secure your communication, you’ll get an annoying warning, either because the SSL certificate isn’t issued by a “trust provider”, or because the certificate is issued to mail.dreamhost.com and not to mail.yourdomain.com.

Internet Security Warning - 1

Internet Security Warning - 2

Outlook Express’s warning is not very helpful, and gives you no other options than accepting the problem or aborting. But if you open https://mail.yourdomain.com:995/ in your browser you’ll get a clearer picture. The browser will most likely show your communication with the mail server, which isn’t worth much since we’re not submitting any parameters, but we get a chance to view the security alert.

SSL security alert

  • The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority
  • The security certificate date is valid
  • The name on the security certificate is invalid or does not match the name of the site

Mozilla Thunderbird is a bit more helpful (no surprise), and lets you examine the certificate and possibly accept it directly from the alert message.

Trust the certifying authority

The first warning is because the certificate was not issued by a trusted Certification Authority like Thawte or VeriSign, but by DreamHost themselves. More info about Certification Authorities in the Knowledge Base.

If you click “View Certificate”, you get the possibility to “Install Certificate…”.

Certificate Information

You will then start the “Welcome to the Certificate Import Wizard”. Just step through the wizard, and select the standard option for all choices.

Certificate Import Wizard

If you connect to https://mail.yourdomain.com:995/ again, you’ll see that there is now one warning less.

Match name of site

The other warning states that there’s a mismatch between the domain you’re connecting to and the domain the certificate was issued to. This is because you’re connecting to mail.yourdomain.com and the certificate is issued to mail.dreamhost.com.

We can get around this warning by creating a local alias for mail.yourdomain.com called mail.dreamhost.com.

Find out the IP address of mail.yourdomain.com by pinging the server. I’m on Randy, which has the IP 66.33.205.175. Put the following line in your hosts file (C:\Windows\System32\Drivers\etc\hosts on Windows XP, /etc/hosts on OS X and Linux):

# alias for mail.yourdomain.com (the Randy server, 66.33.205.175 in this example)
66.33.205.175 mail.dreamhost.com

Hosts file

Now update your email client to connect to mail.dreamhost.com instead of mail.yourdomain.com. Hopefully it will now connect to your mail server and fetch your mail without any warnings.

Email account settings

Please notice that the IP addresses of the mail servers are not necessarily static, so you might have to update the IP in your hosts file from time to time.

Your Mileage May Vary: Please let me know in the comments, if this works for you.

19 Responses to “Avoid Warning When Checking Secure Email”

  1. Tim Altman says:

    That may work for Outlook, but it won’t necessarily work in all clients. However, if you added all the domain names that could be associated with the certificate to the “Subject Alternative Name extension” field, then clients that support certificates fully wouldn’t show the warning.

    See section 4.2.1.7 of RFC 3280 for details.
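The hostname check behind the post’s second warning, and the subjectAltName point Tim raises, as an added example that is not from the post or its comments: it models certificates as plain dicts (constructed sample data, not parsed X.509) and applies RFC 2818-style name matching, where dNSName entries in the SAN extension take precedence over the subject CommonName.

```python
# Added example: how a TLS client decides whether a server certificate's
# names match the host it connected to (RFC 2818-style rules). Certificates
# are modelled as dicts with constructed sample values, not real X.509 data.

def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname; a single leading
    '*.' wildcard covers exactly one DNS label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # '*.example.com' matches 'a.example.com' but not 'a.b.example.com'
    suffix = pattern[1:]
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label

def cert_names(cert: dict) -> list:
    """Names a client may compare: subjectAltName dNSName entries if the
    extension is present, otherwise the subject CommonName fallback."""
    sans = [v for (kind, v) in cert.get("subjectAltName", []) if kind == "DNS"]
    if sans:
        return sans
    return [cert["subject"]["commonName"]]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any usable name on the certificate matches the hostname."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))

# Constructed sample: a certificate like the one the post describes,
# issued to mail.dreamhost.com only, with no SAN extension.
DREAMHOST_CERT = {"subject": {"commonName": "mail.dreamhost.com"}}

# Constructed sample: the same certificate with the SAN extension Tim
# suggests, listing customer hostnames (here as a wildcard) as dNSNames.
SAN_CERT = {
    "subject": {"commonName": "mail.dreamhost.com"},
    "subjectAltName": [("DNS", "mail.dreamhost.com"), ("DNS", "*.yourdomain.com")],
}

if __name__ == "__main__":
    for cert, label in ((DREAMHOST_CERT, "CN only"), (SAN_CERT, "with SAN")):
        for host in ("mail.dreamhost.com", "mail.yourdomain.com"):
            print(f"{label:9} {host:22} -> {hostname_matches(cert, host)}")
```

Running it shows the CN-only certificate failing for mail.yourdomain.com (the mismatch warning) while the SAN certificate passes for both names without any hosts-file alias.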

  2. Trevor says:

    This doesn’t seem to work for Mail on Mac OS X. I have followed the instructions here:

    http://docs.info.apple.com/article.html?artnum=25593

    And I’ve added my mail server’s IP to /etc/hosts as you described, but Mail still gives me a warning every time it starts up and checks for mail.

    Luckily, for any subsequent checks the warning is suppressed, so I can live with it, but still…you’d think there would be a way to turn off all self-signed certificate warnings in Mail, even during startup.

  3. Daniel Drucker says:

    Yeah, it would be really nice if there were a way to fix this on OS X, but I’ve been trying to for more than a year now with no success.

  4. Andrew Mallis says:

    I got this working in OS X.
    Accepting a certificate is not the most intuitive process in Mail:

    To permanently accept a self-signed SSL certificate:
    1. Click the Show Certificate button in the error message.
    2. The certificate appears with a certificate icon in the upper-left corner.
    3. Hold down the Option key and drag the certificate icon to the desktop.
    4. Double-click the certificate icon on the desktop, and choose X.509 Anchors from the pop-up menu. Click Add.
    5. The certificate is permanently accepted.

    You’ll have to edit the hosts file as described above (remember to change permissions back – I’d recommend using batchmod over the finder if you want a GUI method)

  5. Unofficial DreamHost Blog says:

    Tim – How do you edit the certificate? Can you do this as an user, or would DreamHost have to do this?

    Trevor – Did you change the POP/IMAP server in Mail to mail.dreamhost.com?

    Daniel – Maybe Andrew’s comment can help, or Medlar’s comment at http://blog.dreamhosters.com/kbase/index.cgi?area=658. Best of luck…

  6. Tim Altman says:

    C: Dreamhost would have to do it.

  7. Daniel Drucker says:

    Just a moment … that will work for a day or so, but the mail server’s IP address is round-robin, isn’t it?

    bento:~ dmd$ host mail.3e.org
    mail.3e.org has address 66.33.205.127
    mail.3e.org has address 66.33.205.175
    mail.3e.org has address 66.33.205.124
    mail.3e.org has address 66.33.205.125
    mail.3e.org has address 66.33.205.126

  8. Daniel Drucker says:

    Oh. Never mind. I wasn’t understanding what you were meant to do. I get it now.

  9. Daniel Drucker says:

    It works! Thanks!

  10. Unofficial DreamHost Blog says:

    Tim – They would have to add all customers’ domains (more than 200.000), right? Or at least all mail servers, and would then have to update the certificate every time they add a mail server? I guess this is not flexible enough for them?!

    Daniel – Great! On which system/client?

  11. Tim Altman says:

    C: Yes and perhaps. But it’s a pain still. :(

    PS: Sorry, I was a bit confused about which Dreamhost blog I was reading. The “you” in my original post should read “Dreamhost”. ;)

  12. Dave Reid says:

    If you’re using Mozilla Thunderbird, Andrew Lucking created a very handy extension to “remember” mismatched domains. It works perfectly for me and you can get it at http://www.andrewlucking.com/archives/category/remember-mismatched-domains/

  13. Benjamin says:

    There is a problem with this because by changing the IP that your computer thinks is mail.dreamhost.com you could run into issues later on if you ever actually need to reach the server mail.dreamhosts.com

  14. Gert Van Gool says:

    Apparently installing mismatched certificates is no longer possible in Windows Vista.

    I checked with Dreamhost whether there was a possibility to use your own certificate, but that was not possible (because all the mail servers are on the “same” box)

  15. Mike says:

    Worked great with Windows 2000 and Outlook 2000, THANK YOU SO MUCH for this howto!

    Slight additions:

    To install the certificate from a browser, I think you need to use IE. I tried the same operation with Firefox and it didn’t seem to do the right thing (I may have not been pushing the right buttons though).

    For Windows 2000, the path to the “hosts” file is: C:\WINNT\System32\Drivers\etc\hosts

    Best, -Mike.

  16. willo says:

    Hey all, I’m using Mail on OS X 10.4, and for a good year or so I’ve occasionally tried to dive back into it & get rid of the damn warning. Today I found this & thought I finally had it working, as I no longer get the warning, but turns out I can’t check email using mail.dreamhost.com w/ SSL because it’s saying port 993 times out. I can check email over port 993 fine w/ mail.mydomain.com (but get the cert warning), just not dreamhost.

    Is there something I’m missing or doing wrong? Is my u/p the same with either dreamhost or mydomain?

    Any suggestions would be GREATLY appreciated.
    ~ Willo

  17. Linked from: The Unofficial DreamHost Blog 1 Year
  18. Chris says:

    For installing the Certificate, IE7 doesn’t like it. Best bet is to install the certificate using IE6 or whatever, if you have another machine with the certificate installed you can export and import using IE7.

    Personally I would prefer not to use IE at all, but then the company requires Outlook to be running.

    One thing you could do if the Mail servers change is create a logon script that replaces the hosts file on logon or startup. Replace it with the backup, get the ip address off mail.yourdomain.com and then create the hosts record for mail.dreamhost.com to that ip address. Then if it goes down people just need to restart their machines or logoff/logon.

    Cheers, Chris.

  19. Chris says:

    As per my previous comment, here is a batch script that does exactly that:

    @echo off
    REM Rebuild the mail.dreamhost.com entry from the current IP of mail.yourdomain.com
    REM ("hosts." with the trailing dot names the extension-less hosts file)
    type c:\windows\system32\drivers\etc\hosts.|find "mail.dreamhost.com" /v>c:\windows\system32\drivers\etc\hosts.tmp
    REM Token 3 of the first "Reply from x.x.x.x:" line is the IP address
    for /f "skip=2 tokens=3 delims=: " %%A in ('ping mail.yourdomain.com') DO (
    call:write "%%A"
    goto:cleanup)
    REM No reply from ping: leave the hosts file untouched
    del c:\windows\system32\drivers\etc\hosts.tmp
    goto:eof
    :write
    ECHO %~1 mail.dreamhost.com>>c:\windows\system32\drivers\etc\hosts.tmp
    goto:eof
    :cleanup
    type c:\windows\system32\drivers\etc\hosts.tmp>c:\windows\system32\drivers\etc\hosts.
    del c:\windows\system32\drivers\etc\hosts.tmp
    pause

    Cheers, Chris.