Gmail no longer accepts self signed certs for pop3/ssl


#1

As of the sixth of December, Gmail has ceased to accept self-signed certs for pop3/ssl/tls. The help URL offered by them is http://support.google.com/mail/bin/answer.py?hl=en&answer=21291&ctx=gmail#strictSSL

"Always use a secure connection (SSL) when retrieving mail

As of December 2012, Gmail uses “strict” SSL security. This means that we’ll always enforce that your other provider’s remote server has a valid SSL certificate. We made this change to offer a higher level of security to better protect your information.

What are the SSL certificate authority requirements?

We do not accept self-signed certificates. For a certificate to be valid it needs to chain up to a valid CA, like one in the Mozilla CA list."

So this means that, effective today, I can only check for mail on machines that are paying for a signed certificate from a recognized CA, meaning at this moment $$, and worse, no small amount. Yes, there are some el cheapo providers, but again it could happen that Gmail also doesn’t trust them… I’m just guessing what Dreamhost is going to do, as they also use self-signed certs, and by the way this will break their offer for mail integration, and most probably for a lot of SOHO users… and finally for myself, as my setup for reading mail on the web is now totally messed up. Maybe it is time to return to using IMAP on Thunderbird for on-the-road reading… as at home I still use Thunderbird/pop3 for archiving and long-term storage…

Does anyone have other thoughts? Or any good solutions?
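
What the “strict” check quoted in post #1 amounts to, as an added example that is not part of the original thread: a certificate is accepted only if it chains to a CA in the verifier's trust store. The CA, hostnames and keys below are constructed for the demo, the `openssl` CLI (1.1.0 or later) is assumed, and the hostname-mismatch case goes one step beyond the quoted text.

```shell
#!/usr/bin/env bash
# Added example. All names and keys are constructed for the demo:
# "Demo Root CA" stands in for a publicly trusted CA, mail.example.test for a POP3 host.

# strict_check TRUST_STORE CERT HOSTNAME
# Exit 0 only if CERT chains to a CA in TRUST_STORE and is issued for HOSTNAME.
strict_check() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# build_demo_pki DIR
# Writes ca.pem (stand-in CA), self.pem (self-signed) and signed.pem (CA-signed).
build_demo_pki() {
  local d=$1
  cat > "$d/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[srv_ext]
subjectAltName = DNS:mail.example.test
EOF
  openssl req -x509 -config "$d/cfg" -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Demo Root CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -x509 -config "$d/cfg" -extensions srv_ext -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=mail.example.test" -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null &&
  openssl req -new -config "$d/cfg" -newkey rsa:2048 -nodes \
    -subj "/CN=mail.example.test" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 30 -extfile "$d/cfg" -extensions srv_ext -out "$d/signed.pem" >/dev/null 2>&1
}

report() {  # report LABEL CERT HOSTNAME: print the verdict of strict_check
  if strict_check "$demo_dir/ca.pem" "$demo_dir/$2" "$3"; then
    echo "$1: accepted"
  else
    echo "$1: rejected"
  fi
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir" || { echo "openssl setup failed" >&2; exit 1; }
report "self-signed cert" self.pem mail.example.test
report "CA-signed cert" signed.pem mail.example.test
report "CA-signed cert, wrong hostname" signed.pem pop.other.test
```

Both server certificates carry the same name and the same key strength; the only thing that differs is whether the verifier already trusts the issuer.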


#2

I have the same problem… seems like Dreamhost needs to start chaining our e-mail server SSL certs up to a CA before we can use Gmail with POP/SSL.


#3

Same problem here. Perhaps dreamhost has a mail.dreamhost.com server with a valid SSL cert that we can use? Any help guys?


#4

Same deal here. Pretty dang frustrating for google to change that without a heads up.

Dreamhost? Any solutions, thoughts or suggestions?


#5

We’re aware of the issue, and we do intend to deploy signed SSL certificates on our mail clusters soon. I can’t give any exact targets as to when this will be complete, though.


#6

Thanks for the update, Andrew.


#7

Good to know you’re on it. When the problem is solved, where will the solution be announced?


#8

A $5 cert is as good as a $1k cert, and Google can’t delegate who they trust. They’re already treading a fine line with making this “paid SSL” thing a requirement in the first place. Like that’s gunna inhibit the big spammers? Just big bizz fleecing the peasants spit

TB (portable) like you said or just log in to Google. Their webmail interface has always been quite good.


#9

My problem is that for the pages that I host as a hobby on my domains, it is another $5 USD for every domain, and I currently have 10. Add that to hosting and the domain names themselves, and 50 bucks more is not an option for me, especially as I’m not using advertising, and as DH could pay for an expensive cert (wildcard) for all their mail.dreamhost.com. Also, I’m of the same idea as DH that a self-signed cert in this case is equally secure [1]; I have created and signed my certs for more than a decade, and these are real certs too [2].

My second problem is at my work: as a teacher I’m not the owner of the college subdomain where three of my machines live, so the only solution is to buy a wildcard cert, and I’m not totally sure, as they will probably need some more work and authentication.

My totally personal solution has been, like in the old days, to use mutt on the road on whatever terminal I have on hand via ssh, and at home use full Thunderbird. I’m not that much a friend of portable apps and running them on every machine I don’t trust; it is not my first choice, not to mention unsecured networks and so on.

Anyway, thanks for taking a moment to read. I hope Google adds some real option to this mess. I in no way understand how this is going to secure anything and avoid spam, as for sending they accept self-signed certs to comply with the mail RFC. Well, it’s going to be interesting for all schools and colleges that don’t care about this and won’t be willing to pay for a thing that worked for more than twenty years. The main problem is now hosted mail and paid solutions that integrate pop/ssl from older systems; my workplace bought that solution to filter spam with Gmail and receive mail on their own servers. Monday afternoon a lot of users are going to be calling support about the warning on failing to retrieve POP.

Regards.

[1] http://wiki.dreamhost.com/Secure_E-mail#Dealing_with_Certificate_Problems
[2] http://wiki.dreamhost.com/NDN_Certificate#Why_not_get_a_REAL_certificate_signed_by_VeriSign.3F


#10

Andrew - any updates on the signed certificates for the mail clusters?
Thanks.


#11

Andrew… any news on this? At least whether the testing phase has begun, worked or not worked, anything at all?


#12

There’s currently a signed SSL certificate in limited testing on one of our smaller mail clusters (homiemail-sub1). So, there is progress. It’s slow (holidays have that effect), but it’s there.


#13

Right on. Thanks for the reply, I understand these things take time, I’m just glad to hear the issue hasn’t been lost/forgotten.

Thanks again.


#14

Andrew F (DH Code Monkey), 01-29-2013, 01:31 AM, Post #12, RE: Gmail no longer accepts self signed certs for pop3/ssl:
“There’s currently a signed SSL certificate in limited testing on one of our smaller mail clusters (homiemail-sub1). So, there is progress. It’s slow (holidays have that effect), but it’s there.”

Any new news on this? It is past the holidays and now April. I need this working for my users. Or can homiemail-sub5 be included in the test? :)

Thank you.

Jerry G.


#15

I ended up setting up forwarding in the panel from my accounts to Gmail; there is no IMAP or POP3 solution from Gmail or DH. I have documented various options to keep reading your mail on Gmail or via mutt: http://blografia.net/vicm3/2013/03/arcane-solution-to-new-problems/

Regards.


#16

I recently switched to Gmail for reading Dreamhost-hosted mail, and ran into this limitation. I would very much like to see proper SSL certificates for POP3 implemented as well.


#17

Is there any news at all about the possibility to use GMAIL Pop3 verification to collect dreamhost emails?

It has been months (years) in fact since you stated that Dreamhost was testing the Secured SSL connection that google demands.

I really need this to work!


#18

I’m sorry, but unfortunately I’ve come to believe that the solution is to host elsewhere; many hosting companies provide this out of the box.


#19

It’s been years… and this still is a problem. Any update dreamhost?

As a warning, the forwarding thing doesn’t always work. GMail may flag your domain as spam/rate limit you. This week I’ve been seeing 7 hours (NOT A TYPO) delay in receiving mail sent in the morning.

Dreamhost tech support recommended I use the POP method as listed on this page - https://help.dreamhost.com/hc/en-us/articles/214870568-How-to-check-your-DreamHost-email-at-Google - but ironically this page points out the SSL problem and says to disregard the page.

Sheesh.


#20

The solution I believe is for DH to automatically put SSL on every mail domain at the top-level; and to not automatically create email at sub domain level unless a user asks for it. https://discussion.dreamhost.com/thread-147259.html