Certificate Domain Mismatch Error

From DreamHost

Details

You may receive a "domain mismatch" warning or error when making a secure connection to the DreamHost mail servers (using mail.your_domain.com).

This is because DreamHost's mail server certificate (the NDN Certificate) is for the domain *.mail.dreamhost.com. A connection where the specified domain is mail.yourdomain.com will still be secure, but mail programs may show a warning about the domains not matching.

In many mail programs you can examine the certificate sent from the server to your mail program, verify the information in it came from the DreamHost mail server, and choose to connect despite the domains not matching. You should only turn off this error if you trust that the server you are connecting to is the correct server.

You can try the solutions below to avoid receiving the "domain mismatch" warning.

Solutions

Direct server

Connect to the mail server using the dreamhost.com server name instead of mail.your_domain.com.

Use these steps to determine what server name to use:

  1. In the DreamHost Control Panel
  2. Click "Account Status" in the upper right hand corner
  3. Look for "Your Email Cluster:" at the bottom of the list.
  4. Find your cluster in the table below.
  5. Use the server name for the incoming server in your mail program.

Email Cluster       Server Name
homiemail-sub3      sub3.homie.mail.dreamhost.com
homiemail-sub4      sub4.homie.mail.dreamhost.com
homiemail-sub5      sub5.homie.mail.dreamhost.com
homiemail-master    homie.mail.dreamhost.com

Some mail programs will still reject the subX domains as the asterisk (*) in the certificate's *.mail.dreamhost.com should only match one level of subdomain. Edit your hosts file (see below) if this affects you.
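
The one-label wildcard rule described above, worked through for the server names on this page. This is an added example, not DreamHost's code; it assumes the certificate carries only the name *.mail.dreamhost.com stated above, and the function names are hypothetical.

```python
"""Wildcard host name matching for the certificate name quoted on this page."""

CERT_NAME = "*.mail.dreamhost.com"  # certificate name as stated on the page

# Server names from the page (mail.your_domain.com is the page's placeholder).
CANDIDATES = [
    "mail.your_domain.com",
    "homie.mail.dreamhost.com",
    "sub4.homie.mail.dreamhost.com",
]


def labels(name: str) -> list[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`.

    Simplified rule set (an assumption of this example): "*" is accepted
    only as the complete left-most label and stands for exactly one
    non-empty label.
    """
    p, h = labels(pattern), labels(hostname)
    if len(p) != len(h) or "" in h:
        return False          # "*" never spans more (or fewer) than one label
    if any("*" in label for label in p[1:]):
        return False          # wildcard outside the left-most label
    if p[1:] != h[1:]:
        return False          # parent domain must match exactly
    if p[0] == "*":
        return True
    return "*" not in p[0] and p[0] == h[0]


def report(cert_name: str = CERT_NAME) -> dict[str, bool]:
    """Map each candidate server name to whether the certificate covers it."""
    return {host: name_matches(cert_name, host) for host in CANDIDATES}


if __name__ == "__main__":
    for host, ok in report().items():
        print(f"{host:32} {'match' if ok else 'MISMATCH'}")
```

Only homie.mail.dreamhost.com is covered: the subX names have one label too many for the asterisk, and mail.your_domain.com is in a different domain altogether.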

Host File Modification

The instructions provided in this article or section are considered advanced.

You are expected to be knowledgeable in the UNIX shell.
Support for these instructions is not available from DreamHost tech support.
Server changes may cause this to break. Be prepared to troubleshoot this yourself if this happens.
We seriously aren't kidding about this.

If you know what a "hosts" file is and have access to edit the one on your computer, you can add the IP of mail.yourdomain.com to your hosts file and point mail.dreamhost.com at it. YMMV if you ever need to access anything that's actually located on mail.dreamhost.com, but I haven't run across anything yet, personally.

Check with your operating system documentation for where the hosts file is located. Some versions of Windows have it stored in C:\windows\system32\drivers\etc\hosts

An example of the line to add to the hosts file is:

123.123.123.123 mail.dreamhost.com

Where 123.123.123.123 would be replaced with the IP address of mail.YourHostName.com. Afterwards, configure your email program to connect to mail.dreamhost.com instead of mail.YourHostName.com. (Be aware that you will not be able to connect to the 'real' mail.dreamhost.com using its hostname

Clients

There are various client-specific solutions, often involving turning off the warning about a domain mismatch.

There are solutions to other clients as well. If you have one, please list it here.

Thunderbird

Thunderbird will prompt you to create an exception. Click OK and it won't bother you again until the mail server is reconfigured.

Evolution

The Evolution e-mail client will not even attempt to communicate with mail.dreamhost.com over IMAP/TLS unless you create the aforementioned entry in the /etc/hosts file so that mail.dreamhost.com points to the IP address of mail.YOURDOMAIN.com. Evolution will simply fail to negotiate an SSL connection.

Outlook Express (Windows)

Mail.app (Mac OS X)

  • This comment at the blog post linked above gives a solution for Mail.app (Mac OS X). This solution no longer works for Mac OS X 10.5 and above.

Mail.app version 7.2 on Mac OS X 10.9.2 needs an /etc/hosts entry similar to the following (assuming Email Cluster 4 and that sub4.homie.mail.dreamhost.com resolves to 208.97.132.231):

208.97.132.231 homie.mail.dreamhost.com

Make sure Mail's account is configured for the IMAP/SMTP host "homie.mail.dreamhost.com". If this still doesn't work, make sure the Trust setting for the *.mail.dreamhost.com certificate in Keychain.app is "Always Trust."

See Re-Trust SSL Cert for detailed discussion.
