SSL, IMAP, Mail.app and Mac OS X 10.3


#1

After upgrading to Mac OS X 10.3, Mail.app warns me about DH’s self-signed certificates every time I log in. (Connecting to IMAP over SSL.)

Has anyone successfully gotten rid of those warning messages?

(So far, I’ve read the following:

http://docs.info.apple.com/article.html?artnum=25593
http://www.macosxhints.com/article.php?story=20030124064421978&query=self+signed+certificates
http://www.macosxhints.com/article.php?story=20031023144031331&query=certificate )


#2

Nope :frowning:

This is the thing I hate most about panther.

willscorner.net


#3

Just upgraded to Panther and have come across this ‘problem’. I’m starting to look into it. I’ll keep everyone posted if I find anything. If anyone beats me to it, let us know!

  • wil

#4

FWIW I get the error message ‘The root certificate for this server could not be verified.’.

  • wil

#5

Here is an image > click me!

willscorner.net


#6

I thought this would help, but then noticed the notes at the bottom:
http://docs.info.apple.com/article.html?artnum=25593

This article (where I found the link in the first place) has some geekier solutions. We’ll play around with this today - if we can come up with a way to do it, we can possibly make a shell script for customers that would add the certs.


#7

Ugh - well, as the rest of the comments say, this seems to be more difficult than it should be. I was able to successfully import the key, but still get the error.

On a quick check, it seems to work OK if the hostname is the same as the hostname the certificate is issued for (mail.dreamhost.com), but not if they don’t match up.


#8

I got rid of the message. How I did it:

Run the following commands, in the Terminal:

[code]openssl s_client -connect mail.dreamhost.com:imaps > dreamhost.cer < /dev/null
open dreamhost.cer[/code]

Keychain Access will pop up, and ask if you want to import the certificate. Select the keychain “X509 Anchors” and click “OK”.

(Make sure your mail IMAP server is set to mail.dreamhost.com and not mail.yourdomain.com)

tew
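
Added example, not from any poster in this thread: a small POSIX shell script that does what #6 to #8 describe (fetch the server certificate and save only the PEM block for Keychain Access) and also checks the point raised in #7, that the certificate's Common Name has to match the IMAP host configured in Mail.app, otherwise the warning stays. The `openssl s_client` output embedded in it is constructed for offline testing and its certificate body is a placeholder; the port (993, i.e. imaps), the one-level wildcard rule and the helper names (`extract_pem`, `cn_matches_host`, `subject_cn_from_s_client`, `fetch_and_check`) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pull the server certificate out of
# `openssl s_client` output and refuse to hand it to Keychain Access unless the
# certificate's CN actually names the host Mail.app is configured to talk to.
# Assumption: IMAP over SSL is reached on port 993 (imaps).

# extract_pem: keep only the PEM block; s_client also prints handshake chatter
# that Keychain Access does not need.
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# subject_cn_from_s_client: read the CN from the "subject=" line s_client prints.
# Handles both the old "/CN=host" and the newer "CN = host" layouts.
subject_cn_from_s_client() {
    sed -n 's|^subject=.*CN *= *\([^/,]*\).*|\1|p' | head -n 1
}

# cn_matches_host CN HOST: succeed if HOST is named by CN, either exactly or by a
# one-level wildcard (assumed rule: *.dreamhost.com names mail.dreamhost.com but
# neither dreamhost.com nor a.b.dreamhost.com).
cn_matches_host() {
    cn=$1
    host=$2
    case "$cn" in
        \*.*)
            suffix=${cn#\*.}
            prefix=${host%.$suffix}
            [ "$prefix" != "$host" ] && [ -n "$prefix" ] && [ "${prefix#*.}" = "$prefix" ]
            ;;
        *)
            [ "$cn" = "$host" ]
            ;;
    esac
}

# Constructed, abridged sample of s_client output; the certificate body is a
# placeholder, not a real certificate.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=0 /CN=mail.dreamhost.com
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/CN=mail.dreamhost.com
   i:/CN=mail.dreamhost.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERBASE64NOTAREALCERT==
-----END CERTIFICATE-----
subject=/CN=mail.dreamhost.com
issuer=/CN=mail.dreamhost.com
---'

# fetch_and_check HOST: real use (needs network and openssl). Writes the PEM to
# stdout only when the CN names HOST; otherwise explains why Mail.app would
# keep warning and fails.
fetch_and_check() {
    host=$1
    out=$(openssl s_client -connect "$host:993" < /dev/null 2>/dev/null)
    cn=$(printf '%s\n' "$out" | subject_cn_from_s_client)
    if cn_matches_host "$cn" "$host"; then
        printf '%s\n' "$out" | extract_pem
    else
        echo "certificate CN '$cn' does not name '$host'; Mail.app will keep warning" >&2
        return 1
    fi
}

# Usage: sh check_imap_cert.sh mail.dreamhost.com > dreamhost.cer && open dreamhost.cer
if [ $# -ge 1 ]; then
    fetch_and_check "$1"
fi
```

Run it with the hostname exactly as entered in Mail.app's account settings: if that is mail.yourdomain.com rather than the name in the certificate, the script fails instead of producing a file, which is the same mismatch #7 and #8 describe.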


#9

That won’t work for all customers, though. It only works if you happen to be in the same group of machines as mail.dreamhost.com.


#10

What if DreamHost created a certificate for each mail server? Or are there too many?


#11

Well it would have to be one certificate for each group (or “cluster”) of mail servers, and then users would have to connect to some virtual hostname. We discussed this, but decided this makes things more confusing and gives us a lot less flexibility.