I finally found time to write this entry about how to get rid of the security warning when using SSL/TLS for your email. Sorry about the delay.
SSL has two purposes: security and authentication. Even if the authentication fails, the security still works and all the traffic will be encrypted. If you’re as annoyed as I am about the warning, you can go through these extra steps in order to get rid of the message, but it will not make the security any better (or worse).
Let’s just recap the problem. When using SSL/TLS to secure your communication, you’ll get an annoying warning, either because the SSL certificate isn’t issued by a “trust provider”, or because the certificate is issued to mail.dreamhost.com and not to mail.yourdomain.com.
Outlook Express’s warning is not very helpful, and gives you no other options than accepting the problem or aborting. But if you open https://mail.yourdomain.com:995/ in your browser you’ll get a clearer picture. The browser will most likely show your communication with the mail server, which isn’t worth much since we’re not submitting any parameters, but we get a chance to view the security alert.
Mozilla Thunderbird is a bit more helpful (no surprise), and lets you examine the certificate and possibly accept it directly from the alert message.
Trust the certifying authority
The first warning is because the certificate was not issued by a trusted Certification Authority like Thawte or VeriSign, but by DreamHost themselves. More info about Certification Authorities in the Knowledge Base.
If you click “View Certificate”, you get the possibility to “Install Certificate…”.
You will then start the “Welcome to the Certificate Import Wizard”. Just step through the wizard, and select the standard option for all choices.
If you connect to https://mail.yourdomain.com:995/ again, you’ll see that there is now one warning less.
Match name of site
The other warning states that there’s a mismatch between the domain you’re connecting to and the domain the certificate was issued to. This is because you’re connecting to mail.yourdomain.com and the certificate is issued to mail.dreamhost.com.
We can get around this warning by creating a local alias for mail.yourdomain.com called mail.dreamhost.com.
Find out the IP address of mail.yourdomain.com by pinging the server. I’m on Randy, which has the IP 220.127.116.11. Put the following line in your hosts file (C:\Windows\System32\Drivers\etc\hosts on Windows XP, /etc/hosts on OS X and Linux):
# alias for mail.yourdomain.com
220.127.116.11 mail.dreamhost.com
Now update your email client to connect to mail.dreamhost.com instead of mail.yourdomain.com. Hopefully it will now connect to your mail server and fetch your mail without any warnings.
Please notice that the IP addresses of the mail servers are not necessarily static, so you might have to update the IP in your hosts file from time to time.
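To see what is actually going on behind the two warnings and the hosts-file trick, here is an added Python example (my own illustration, not code from the original post or from DreamHost). It parses a hosts file in the format shown above, runs the same name check a mail client applies to the certificate (which is why connecting as mail.dreamhost.com passes while mail.yourdomain.com does not), and flags a pinned IP that no longer matches what DNS returns, which is the failure mode the note above warns about. The hosts text, the certificate names and the IP addresses are constructed for the example; nothing here touches the network.

```python
"""Added example: hosts-file aliasing and certificate name matching.
The hosts content, certificate and IPs below are constructed samples."""
import ipaddress

# Constructed hosts-file content in the layout the post describes.
HOSTS_TEXT = """
# alias for mail.yourdomain.com
220.127.116.11   mail.dreamhost.com
127.0.0.1        localhost   # loopback
"""

# Constructed certificate, in the dict shape ssl.getpeercert() returns.
SERVER_CERT = {
    "subject": ((("commonName", "mail.dreamhost.com"),),),
    "subjectAltName": (("DNS", "mail.dreamhost.com"),),
}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text.
    '#' starts a comment, blank lines are skipped, one line may list
    several names, and lines without a valid address are ignored."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            entries[name.lower()] = ip
    return entries


def _cert_names(cert):
    """Names a client compares against: DNS subjectAltNames, or the
    subject commonName only when no subjectAltName is present."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    return names


def _label_match(pattern, hostname):
    """Case-insensitive match; a leading '*' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == hostname


def hostname_matches_cert(hostname, cert):
    """True if the name typed into the mail client matches the certificate.
    This is the check behind the 'name mismatch' warning."""
    return any(_label_match(p, hostname) for p in _cert_names(cert))


def pin_is_stale(entries, alias, current_ip):
    """True when the hosts file pins `alias` to an IP that differs from
    `current_ip` (what DNS returns today, e.g. socket.gethostbyname)."""
    pinned = entries.get(alias.lower())
    return pinned is not None and pinned != current_ip


def connection_report(entries, connect_name, cert):
    """Summarise one connection attempt: which address the hosts file
    sends it to (None = normal DNS) and whether the name check passes."""
    return {
        "connect_name": connect_name,
        "hosts_override": entries.get(connect_name.lower()),
        "name_check_ok": hostname_matches_cert(connect_name, cert),
    }


if __name__ == "__main__":
    entries = parse_hosts(HOSTS_TEXT)
    for name in ("mail.yourdomain.com", "mail.dreamhost.com"):
        print(connection_report(entries, name, SERVER_CERT))
    # Constructed 'current' IP to show the stale-pin check firing.
    print("stale pin:", pin_is_stale(entries, "mail.dreamhost.com", "203.0.113.9"))
```

Run it as-is to see the mismatch for mail.yourdomain.com and the pass for the alias; in practice you would feed `pin_is_stale` the address from a real lookup to know when the hosts entry needs updating.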
Your Mileage May Vary: Please let me know in the comments, if this works for you.