SSL Certificate in mail.app


#1

I’m using mail.app on OS X Tiger, and I’ve been trying to find a way to get it to accept DreamHost’s self-signed SSL certificates. I’ve found plenty of articles that explain how to get mail.app to accept SSL certificates, but the problem is that the certificate DreamHost sends is for mail.dreamhost.com, not for my individual domain. Mail.app does not like that, and thinks my domain is trying to spoof another. I can’t use mail.dreamhost.com as my own mail server; is there any way you guys can send an SSL certificate specific to the domain I’m trying to get my email from?


#2

http://www.whoopis.com/howtos/mail.app-sslcerts.html


#3

Yeah, I’ve done that. The certificate shows up as “accepted”, but mail.app still complains because of the different domain names.


#4

Here’s your solution (found in the Mail.app’s Help file):

I’m getting a certificate-related error message
If you get an error message with the word “certificate” in it, make a copy of the message and contact your Internet service provider (ISP) or network administrator. The error message may help them diagnose your problem.

If your mail server uses a self-signed Secure Sockets Layer (SSL) certificate, each time you open Mail you’ll see an error message stating that the certificate is not valid. You can continue, but you’ll see the same message every time you open Mail. To stop seeing this message, you can permanently accept the certificate.

To permanently accept a self-signed SSL certificate:
Click the Show Certificate button in the error message.
The certificate appears with a certificate icon in the upper-left corner.

Hold down the Option key and drag the certificate icon to the desktop.
Double-click the certificate icon on the desktop, and choose X.509 Anchors from the pop-up menu. Click Add.
The certificate is permanently accepted.

You must have permission to administer the computer for this procedure to work.


#5

Yeah, I’ve done that. Mail.app shows the certificate as valid and accepted. The problem is, the certificate is for mail.dreamhost.com, and my domain is mail.turnlav.net.
When mail.turnlav.net sends a certificate for mail.dreamhost.com to mail.app, even if the certificate is marked as valid in my keychain, mail.app complains, thinking that mail.turnlav.net is trying to spoof as mail.dreamhost.com. This is a reasonable anti-phishing measure (I think); it just means I need a certificate signed by the domain name I’m getting it from, which DreamHost isn’t supplying.


#6

It isn’t anti-phishing, per se (although it does help there as well), but a fundamental part of how SSL works. Simply put, if the host you’re talking to supplies a certificate belonging to a different host, you have no assurance that you’re actually talking to the right server. For example, if you think you’re at Amazon and you get an SSL cert with the hostname l33t.haxx0rz.net, don’t give them your credit card number.

The problem here is that DH is providing SSL for mail, which is good, but there’s no way they can know which hostname you’re using, so they just use their own mail.dreamhost.com certificate. This problem could be remedied by creating certificates for each mail machine and making us use the actual hostname (e.g., mail4.dreamhost.com or similar) instead of the mail.your_domain alias.


If you want useful replies, ask smart questions.
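Added example (not posted by anyone in this thread): the two checks an SSL client runs, written out over the dict shape Python’s ssl.getpeercert() returns. Importing a self-signed certificate as a trust anchor answers only the “do I trust the signer?” question; the “is this certificate for the host I connected to?” question is separate, which is why the warning survives. The certificate contents below are constructed stand-ins, not DreamHost’s actual certificate.

```python
"""Trust and identity are separate checks; a trust anchor fixes only the first."""

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of a certificate DNS name against the connected host.
    A wildcard is accepted only as the entire leftmost label (e.g. *.dreamhost.com)."""
    p_labels = pattern.rstrip(".").lower().split(".")
    h_labels = hostname.rstrip(".").lower().split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if "*" in p_labels[1:] or (p_labels[0] != "*" and "*" in p_labels[0]):
        return False  # reject partial ("ma*") or non-leftmost wildcards
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))

def cert_names(cert: dict) -> list:
    """DNS names the certificate vouches for: the SANs, else the subject CN."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]

def check_peer(cert: dict, hostname: str, trusted: bool) -> list:
    """Return the reasons a client should warn; an empty list means the peer is OK.
    `trusted` stands for "the issuer chains to an anchor the user accepted"."""
    problems = []
    if not trusted:
        problems.append("untrusted issuer (self-signed or unknown CA)")
    if not any(dns_name_matches(n, hostname) for n in cert_names(cert)):
        problems.append(f"certificate is for {', '.join(cert_names(cert))}, not {hostname}")
    return problems

# Constructed stand-in for a server certificate issued to mail.dreamhost.com.
DREAMHOST_CERT = {
    "subject": ((("commonName", "mail.dreamhost.com"),),),
    "subjectAltName": (("DNS", "mail.dreamhost.com"),),
}

if __name__ == "__main__":
    # Before accepting the anchor: two problems. After: the name mismatch remains.
    print(check_peer(DREAMHOST_CERT, "mail.turnlav.net", trusted=False))
    print(check_peer(DREAMHOST_CERT, "mail.turnlav.net", trusted=True))
    # Connecting by the name on the certificate clears both.
    print(check_peer(DREAMHOST_CERT, "mail.dreamhost.com", trusted=True))
```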


#7

OK, sounds like a good plan for DH, but what (if anything) can WE do about this short of abandoning periodic mail checking (which chokes Netscape/Mozilla) or abandoning SSL? This sounds like one for support. Am I missing anything here?

Steve Richfie1d


#8

but what (if anything) can WE do about this short of abandoning periodic mail checking (which chokes Netscape/Mozilla) or abandoning SSL?

I’ve done neither. Apple Mail, at least, only complains once and then accepts the certificate for the length of the session (i.e., until it’s closed and reopened). Every couple of weeks when I reboot I have to click ‘continue’ again upon first opening Mail, but that’s about the extent of my inconvenience.

This sounds like one for support.

Not really, there’s really nothing they’ll be able to do about it for the reason outlined above.


If you want useful replies, ask smart questions.


#9

I am not sure if this will fix your guys’ problem, but this seemed to work for making Outlook be quiet about the SSL certificate. Essentially, you need to download DH’s public SSL certificate and import it into your certificate manager. For Windows you need to have cygwin installed with OpenSSL to be able to run this command:

openssl s_client -connect mail.dreamhost.com:995 </dev/null | openssl x509 -out dreamhost.cer

(Redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input, and the second openssl command keeps only the PEM certificate block rather than the whole handshake transcript.) Right click on the certificate after it has been downloaded and select “Install Certificate”.

Here are the Mac OSX instructions:
http://www.macosxhints.com/article.php?story=20040621180245503