Certificate domain mismatch error when connecting to a DreamHost mail server

Cert mismatch error

You may receive a "domain mismatch" warning or an error when making a secure connection to the DreamHost mail servers when you use your DreamHost mail server subdomain. For example:

mail.example.com

Why does this happen?

This happens because DreamHost's mail server certificate is assigned to *.mail.dreamhost.com, and not your specific domain. A connection where the specified domain is mail.example.com is still secure, but mail programs may show a warning about the domains not matching.

Here is an example when viewing the certificate for mail.websitehelp.support:

[Screenshot: certificate details showing the domain mismatch]

You should only turn off this warning if you have verified that you are connecting to DreamHost’s mail servers.

The following sections provide information that helps you prevent this common warning message.

Connecting directly to your DreamHost mail server

Instead of using mail.example.com, you can use the name of your specific DreamHost mail server.

To determine which server name to use:

  1. Log into your DreamHost Panel.
  2. Navigate to the (Panel > 'Support' > 'Data Centers') page.
  3. Under the 'Mail service' section you'll see your mail server to the right of any domain. In this example it’s homiemail-sub4.
  4. Use the matching server name in the table below for the incoming AND outgoing server in your mail program.
    Email Cluster       Server Name
    homiemail-sub3      sub3.mail.dreamhost.com
    homiemail-sub4      sub4.mail.dreamhost.com
    homiemail-sub5      sub5.mail.dreamhost.com
    homiemail-master    homie.mail.dreamhost.com
    • This example shows homiemail-sub4. So you’d enter sub4.mail.dreamhost.com into your client to connect.

Some mail programs will still reject these hostnames as the asterisk (*) in the certificate's *.mail.dreamhost.com should ideally only match one level of subdomain.
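To back up the advice above about verifying the server before turning off a warning, the following added example (not DreamHost's own code) shows the standard one-label wildcard rule applied to the names on this page, and a live check that connects to your custom hostname while validating the certificate against your cluster's server name. The function names and the IMAPS port 993 are assumptions made for this example.

```python
import socket
import ssl

CERT_NAME = "*.mail.dreamhost.com"  # certificate name stated on this page


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Standard wildcard rule: '*' is the whole leftmost label and
    stands for exactly one label (simplified; no partial wildcards)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def verify_custom_name(custom_host: str, cluster_host: str,
                       port: int = 993, timeout: float = 10.0) -> dict:
    """Connect to custom_host but validate the certificate against
    cluster_host. Raises ssl.SSLCertVerificationError if the endpoint
    does not present a trusted certificate valid for cluster_host."""
    ctx = ssl.create_default_context()  # chain + hostname checks enabled
    with socket.create_connection((custom_host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=cluster_host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline part: names taken from this page, plus one constructed
    # two-level name to show the one-label limit.
    for name in ("mail.example.com", "sub4.mail.dreamhost.com",
                 "a.sub4.mail.dreamhost.com"):
        print(f"{name:28} matches {CERT_NAME}: {wildcard_matches(CERT_NAME, name)}")
    # Live part (needs network; port 993 is an assumed IMAPS port):
    # verify_custom_name("mail.example.com", "sub4.mail.dreamhost.com")
```

If verify_custom_name returns without raising, the host behind your custom name presented a certificate that chains to a trusted CA and is valid for the cluster name you passed in.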

Email client solutions

There are various client-specific solutions, which most often involve simply turning off the warning about a domain mismatch.

Below are some of the more common examples.

Thunderbird

Thunderbird prompts you to create an exception. Click the OK button in the warning dialog box and it won't bother you again until the mail server is reconfigured.

Mail.app (Mac OS X)

You must add an /etc/hosts entry for Mail.app version 7.2 on Mac OS X 10.9.2.

To add:

  1. Open Mac’s terminal and open the hosts file. View the SSH article for instructions on how to open your terminal.
  2. After you open terminal, find the IP by running the following command on your hostname:
    [macbook]$ dig +short sub4.mail.dreamhost.com 
    69.163.253.135
  3. Run the following command to open the hosts file in order to edit it:
    [macbook]$ sudo nano /private/etc/hosts
  4. In the hosts file, enter the IP address of the server followed by the server name.
    If you are on homiemail-sub4, insert the following:
    69.163.253.135 sub4.mail.dreamhost.com
    • If this still doesn't work, make sure the trust setting for the *.mail.dreamhost.com certificate in Keychain.app is set to "Always Trust."
  • If you make changes to your system, DreamHost support cannot provide assistance for any errors that may occur, as you are responsible for any changes that you make.
  • The IP assigned to your cluster can change, which will prevent you from connecting. Please only make this change as a last resort or as a temporary solution.

Trusting the certificate in Mail.app

For Mail.app version 8.1 on Mac OS X 10.10.1 and above, select “always trust” for the certificate, as shown below:

[Screenshot: selecting "Always Trust" for the certificate]

See Re-Trust SSL Cert for further details.
