Certificate Domain Mismatch Error

From DreamHost
Revision as of 23:02, 18 February 2012 by Scraimer (Talk | contribs)


One may receive “domain mismatch” warnings or errors when using TLS.

This is because DreamHost’s TLS certificate (the NDN Certificate) is issued for the domain *.mail.dreamhost.com, so a connection where the specified server name is mail.yourdomain.com will not match the certificate.

Solutions include:

  • logging into the mail.dreamhost.com server directly, if possible
  • logging into your actual email server, like spunky.mail.dreamhost.com
    you can determine the host name by:
    • going to the panel and clicking on “Account Status” in the upper right;
    • going to the panel and looking at the MX records; or
    • using the “host” command, or using a lookup website such as DNS Watch, or getting the IP address of your server and then using Reverse DNS.
    This breaks if your email server changes – see Server Moves – but otherwise works.
  • turning off TLS
    …which loses you the benefits of TLS
  • configuring your client to ignore the warnings or not verify the certificate
    …you still have an encrypted connection, but you are no longer assured that the server is in fact DreamHost
    …for the sake of security, this is not recommended.
  • hack your “hosts” file so mail.dreamhost.com resolves to the IP address of mail.yourdomain.com

Details

If you try to use IMAP/SSL to access mail at "mail.yourdomain.com", you will be presented with a "domain mismatch" warning. This is because DreamHost's IMAP SSL certificate is for mail.dreamhost.com. For some users, setting your IMAP server to mail.dreamhost.com may work to avoid this error. However, not all users can log into the mail.dreamhost.com mail server. If you cannot log into mail.dreamhost.com, reset your IMAP server to mail.yourdomain.com and look for a way to turn off the error. You should only turn off this error if you trust that the server you are connecting to is the correct server. If you blindly trust mismatched SSL certificates, you can easily be tricked by a malicious certificate.

Solutions

More detailed solutions follow.

Direct server

To find the server name, go to the Dreamhost Control Panel and click on "Account Status" in the upper right corner. If it shows you your email server as "spunky", then it is actually "spunky.mail.dreamhost.com".

However, if it shows your email server as "homiemail-sub4", this likely means your server is actually "sub4.homiemail.dreamhost.com". You can find out by going to DNS Watch, putting your domain name (e.g. "example.net") in the box "DNS Lookup / IP lookup" and selecting "MX" as the "Type". Click on "Resolve", and you'll get a lot of text, including a couple of lines like:

MX record found: 0 mx2.sub4.homie.mail.dreamhost.com.
MX record found: 0 mx1.sub4.homie.mail.dreamhost.com.

So you can use "sub4.homie.mail.dreamhost.com".

hosts

If you know what a "hosts" file is and have access to edit the one on your computer, you can add the IP of mail.yourdomain.com to your hosts file and point mail.dreamhost.com at it. YMMV if you ever need to access anything that's actually located on mail.dreamhost.com, but I haven't run across anything yet, personally.

More details

This isn't a security issue because your mail server (i.e. mail.YourDomain.com) does point to a *.mail.dreamhost.com domain, but many email clients complain. For a discussion of the issue, see the KBase discussion. As per [1], you can find your *.mail.dreamhost.com server and use that as follows:

  1. Log in to your control panel and, once logged in, click on "Account Status" on the upper right. Note the name that is listed under "Your Email Server".
  2. In your email client, change your mail server to EmailServer.mail.dreamhost.com where EmailServer is the name listed under "Your Email Server". If the email server is in the form "homiemail-sub#", just use the sub# part. For example, homiemail-sub4 would result in you using "sub4.mail.dreamhost.com".
    Explanation:
    • It had been suggested that you use a1.balanced.EmailServer.mail.dreamhost.com, but while that may work with some mail clients, it doesn't with those that insist on comparing the server name to the certificate name each time they start, in accordance with the standards. The shorter server name from step 2 (EmailServer.mail.dreamhost.com) matches the wildcard certificate which Dreamhost uses for its mail servers, *.mail.dreamhost.com. The asterisk (*) should only match one level of subdomain, according to RFC2459, §4.2.1.11, ¶4 and RFC2818 §3.1, ¶4, so the longer a1.balanced… name does not match. This usage is also explained by Thawte, another Thawte page, GeoTrust, Verisign, and Microsoft.
    • Some mail clients and browsers can be convinced to accept the longer a1.balanced… server name, but other clients insist on comparing the server name to the certificate name each time.
  3. SSL should now be accessible without a "server name mismatch" error.
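As an added example (not code from the DreamHost wiki), the following Python compares a configured server name against the certificate's names the way a strict client (one label per wildcard, RFC 2818 §3.1) and a lenient client do, which is why the names above behave differently across clients. The certificate name list is assumed from the page's description.

```python
# Server-name vs. certificate-name matching as a mail client performs it.
# Added example, not DreamHost's code.  The certificate names are assumed
# from the page (a wildcard plus the bare mail.dreamhost.com name).

CERT_NAMES = ["*.mail.dreamhost.com", "mail.dreamhost.com"]  # assumed SAN list

def _labels(name):
    return name.lower().rstrip(".").split(".")

def matches_strict(cert_name, host):
    """RFC 2818 §3.1: '*' matches exactly one label, so label counts must agree."""
    c, h = _labels(cert_name), _labels(host)
    return len(c) == len(h) and all(cl == "*" or cl == hl for cl, hl in zip(c, h))

def matches_lenient(cert_name, host):
    """Leftmost '*' swallows one or more labels: the behaviour of clients that
    accept a1.balanced.<server>.mail.dreamhost.com against *.mail.dreamhost.com."""
    c, h = _labels(cert_name), _labels(host)
    if c[0] != "*":
        return c == h
    tail = c[1:]
    return len(h) > len(tail) and h[-len(tail):] == tail

def accepted_by(host, cert_names=CERT_NAMES):
    """Which client behaviours would connect to `host` without a mismatch warning."""
    return {
        "strict": any(matches_strict(n, host) for n in cert_names),
        "lenient": any(matches_lenient(n, host) for n in cert_names),
    }

if __name__ == "__main__":
    for host in ("mail.example.net",                      # produces the mismatch error
                 "mail.dreamhost.com",                     # bare server, direct login
                 "spunky.mail.dreamhost.com",              # direct server name
                 "sub4.mail.dreamhost.com",
                 "a1.balanced.spunky.mail.dreamhost.com"): # accepted by lenient clients only
        print(f"{host:40} {accepted_by(host)}")
```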

Alternatives

Another option is to modify your hosts file (C:\windows\system32\drivers\etc\hosts) so you will be able to connect to mail.YourHostName.com using mail.dreamhost.com. For example:

  • 123.123.123.123 mail.dreamhost.com

Where 123.123.123.123 would be replaced with the IP address of mail.YourHostName.com. Afterwards, configure your email program to connect to mail.dreamhost.com instead of mail.YourHostName.com. (Be aware that you will not be able to connect to the 'real' mail.dreamhost.com using its hostname.)

Client Specific Solutions

  • Thunderbird (a very elegant solution); may not be needed for Thunderbird 3.0 and later.
  • Outlook Express, and potentially other Windows clients
  • This comment at the blog post linked above gives a solution for Mail.app (Mac OS X). This solution no longer works for Mac OS X 10.5 and above.

Clients

In some mail clients, you can turn off the warning about a domain mismatch.

Thunderbird

For Mozilla Thunderbird, check out this extension, which adds a box to the warning dialog to ignore that particular warning only. It may not be needed for Thunderbird 3.0 and later. [Version 1.4.6 — February 17, 2008 — 95 KB. RMD will not be available for Firefox 3 (and Thunderbird 3). The new 'Security Exception' feature included in Firefox 3 means that RMD is no longer required.]

There are solutions for other clients as well. If you have one, please list it here.

Evolution

The Evolution e-mail client will not even attempt to communicate with mail.dreamhost.com over IMAP/TLS unless you create the aforementioned entry in the /etc/hosts file so that mail.dreamhost.com points to the IP address of mail.YOURDOMAIN.com. Otherwise, Evolution will simply fail to negotiate an SSL connection.
