Do you agree with the following suggestion?
I suggest that DreamHost get one or more digital certificates for its mail servers, signed by a trusted CA such as GeoTrust, that bear correct fully-qualified domain name(s) of the server(s).
I have also submitted this as a suggestion via panel.dreamhost.com. If you agree, post your agreement here, and go to https://panel.dreamhost.com/index.cgi?tree=home.sugg& to tell DH!
I spoke with Ralph in DH tech support regarding this suggestion after going back and forth with support for over two weeks. I am a new DH customer. Using mail services over SSL (namely, IMAP/SSL and POP/SSL, but also SMTP/SSL) with domain-mismatched, self-signed certificates creates problems in many e-mail clients and is a big security hole.
I am not suggesting that DreamHost provide certificates for every site using secure e-mail (NOT ssl mail.yourdomain.com), which would be expensive and would waste IP addresses. DreamHost need only get one signed certificate per load-balanced mail server, e.g., for the names spunky.mail.dreamhost.com and looney.mail.dreamhost.com, OR one signed wildcard certificate, e.g., for *.mail.dreamhost.com (or *.dreamhost.com). Customers who wanted to connect securely without warnings or errors would be able to connect to their load-balanced mail server using an alias such as mymailserver.mail.dreamhost.com (or mymailserver.dreamhost.com), JUST AS THEY CAN RIGHT NOW. Try, for example, a1.balanced.spunky.mail.dreamhost.com, or whatever your mail server’s CNAME or IP address is.
Connecting securely to mail services is a big priority for me–a make-or-break deal whether I stay with DreamHost–and I believe that many other customers likewise feel strongly about this problem.
Currently customers who want to use SSL-encrypted e-mail are forced to accept the self-signed mail.dreamhost.com certificate and constantly dismiss “domain-name mismatch” dialog boxes in their mail clients. These misconfigurations on the part of DreamHost do not comport with standard Internet security precautions. A hacker can more easily masquerade as the mail host because users must blindly accept the certificate that the server reports, without relying on a third-party certificate authority to verify the DNS record. Many mail clients do not support automatic dismissal of the domain-name mismatch for the good reasons enumerated above. At least one (Outlook 2003) is prone to hang on a mismatched domain name in an SSL certificate. The mismatched domain name creates another weak point for a hacker to exploit.
Almost all other hosting providers I have found that provide IMAP/SSL service also provide proper certificates, and require access via a single hostname such as secure.runbox.com to correspond to the common name in the SSL certificate. DH can comply with this kind of scheme at virtually cost to them, given DH’s huge customer base.
For the foregoing reasons, DreamHost should get properly signed certificates with matched names for its mail servers. Who is with me on this?