IMAP+SSL+CN name not matching


#1

Hi,

This is just a general, random thought :slight_smile:

I have been trying to enable SSL with my IMAP connections and everything seems to work quite ok with some of the clients. But generally there is at least one problem, which I want to share in this post for general ideas.

If I use mail.mydomain.com as my IMAP server and enable SSL then some of the clients will always warn me about a mismatch between the certificate CN name and the actual hostname (IMAP server mail.mydomain.com uses a certificate which has a CN name issued for mail.dreamhost.com). Eudora is actually so secure that it will not connect (I have already changed the Dreamhost certificate status to trusted but it will still complain about the mismatch between names).

I wonder whether it would be possible to have the following setup:

Dreamhost root certificate (self-signed, users will need to import this as a trusted root certificate)
|- mail.somedomain1.com certificate (CN=mail.somedomain1.com)
|- mail.somedomain2.com certificate (CN=mail.somedomain2.com)

In my opinion this would solve the mismatch between CN name and actual server name.

I am not sure if Dreamhost’s IMAP server actually would support this and how difficult this would be to implement.

Just an idea … trying always to use the most secure way to access my resources (Eudora not useful, Outlook complains only one time per session, my mobile phone does not complain at all)

BR,

  • miikka

#2

Right, but the IMAP server can’t present a different certificate for each domain, even if we wanted to go to the trouble to generate one for each, the certificate still wouldn’t match the name listed. We could generate each certificate for a cluster of machines and have users reference mail.[somecluster].dreamhost.com and have that name match the certs… but that makes our lives a lot more difficult. Also, having users reference something other than “mail.example.com” in their configuration makes troubleshooting more difficult, and would cause problems if users were moved to a new cluster of machines.

Personally, I think Eudora’s paranoia is misplaced here. I would hope that they will issue a fix in the future… in the meantime, you might want to check out some of the other clients mentioned in this kbase article:
https://panel.dreamhost.com/kbase/index.cgi?area=2903 and see if any of them meet your needs.

Of course, if you’re using telnet, ftp, SMTP auth for outgoing mail, or any other unencrypted protocols to connect to your account, you may want to just skip SSL POP / IMAP entirely for now.
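The name check that the clients in #1 are performing, and that #2 says a single shared certificate cannot satisfy, as an added illustration (not code from this thread or from Dreamhost): the certificate dicts are constructed to mirror the shape Python's `ssl` module returns from `getpeercert()`, using the hostnames mentioned above, and the matching follows the usual RFC 6125 rules (SAN DNS names take precedence over the CN, a wildcard covers exactly one leftmost label).

```python
from typing import List

# Constructed certificate records in the getpeercert() dict shape; they are
# stand-ins for the certificates discussed in the thread, not real ones.
SHARED_CERT = {
    "subject": ((("commonName", "mail.dreamhost.com"),),),
    "subjectAltName": (("DNS", "mail.dreamhost.com"),),
}
PER_DOMAIN_CERT = {  # what the proposed per-domain certificate would carry
    "subject": ((("commonName", "mail.somedomain1.com"),),),
    "subjectAltName": (("DNS", "mail.somedomain1.com"),),
}
WILDCARD_CERT = {  # hypothetical *.dreamhost.com certificate, CN only
    "subject": ((("commonName", "*.dreamhost.com"),),),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name against the hostname the client dialled.

    Case-insensitive; a wildcard is honoured only as the entire leftmost
    label, so '*.dreamhost.com' matches 'mail.dreamhost.com' but not
    'mail.cluster1.dreamhost.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".dreamhost.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def certificate_names(cert: dict) -> List[str]:
    """Names a verifier compares against: SAN dNSName entries, else the CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for the hostname the client connected to."""
    return any(_dns_name_matches(n, hostname) for n in certificate_names(cert))
```

A client that verifies (Python's `ssl.create_default_context()` does this itself with `check_hostname=True`) rejects the shared certificate for `mail.mydomain.com` for exactly this reason, and a trusted private root would not change that unless the leaf certificate carried the customer's hostname.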


#3

Thanks for the quick answer, there was indeed a hole in my theory :slight_smile:

Btw, are there any plans for SSL support with SMTP?

  • miikka

#4

One of these days. The version of Postfix we’re running actually already has been built with the TLS patches; the problems with implementation are more practical. Dealing with the logistics of the certificates, additional configuration parameters, and dealing with client-specific bugs are all time-consuming. Also, it would mean having one more service to monitor and keep running, and one more thing that support needs to be able to help people with… I’ve found in the past that it’s not worth adding a feature unless you’re willing to support it and keep it working.

So this is something we’re considering, but it’s not a high priority at the moment… we haven’t had a whole lot of requests for this service.


#5

Hi,

Actually I would really like to see secure SMTP from Dreamhost. With TLS support on IMAP (the Opera email client will let you bypass the certificate problem that Eudora won’t). Now if DH will support TLS on SMTP, on top of the port 567, then all the email user id/password will be encrypted.


#6

Yes pkshiu! :smiley:

willscorner.net


#7

BTW, one alternative (if you’re concerned about sending the password in cleartext) is to see if you can send through your ISP’s mail server without authentication and (if so) just use that.