Certificate domain mismatch error when connecting to a DreamHost mail server

Cert mismatch error

You may receive a "domain mismatch" warning or an error when making a secure connection to the DreamHost mail servers when you use your DreamHost mail server subdomain. For example:

mail.example.com

On January 19, 2017, DreamHost updated the SSL certificates on all mail servers. Because the SSL certificate was updated, a message appears when you open your mail client. This message prompts you to accept the new certificate. This certificate is completely safe for you to accept. Once your mail client saves the new certificate, your email client functions normally again. View the following article for further details:

  • Certificate error when connecting to a server

    Mac Mail users: There have been a few reported issues with Mac Mail not saving the new certificate at first. Try several times to accept the certificate with the 'Continue' button. Some users report that after a few tries, the certificate is saved. If it still cannot connect after these attempts, use your mail cluster for the Mail Server name on your account. For example, sub5.mail.dreamhost.com. You can see which mail cluster your account uses in the panel on the (Panel > 'Support > Data Centers') page.

    iPhone (iOS) users: First, try going to 'Settings > Mail > Accounts'. Click the account and address, and then re-enter the hostname. If this doesn't work, try setting up email as a new account. Go to 'Settings > Mail > Accounts > Add Account'. When the message "Cannot Verify Server Identity" appears, click "Details" below that message. Be sure to click the Trust button in the top-right corner:

    (Image: iOS_cert_01.png, the "Cannot Verify Server Identity" details screen with the Trust button in the top-right corner)

    Similar to the suggestion above, you may need to repeat this process 2-3 times to take effect permanently. You can also use your mail cluster for the server/host name with this setup.

Why does this happen?

This happens because DreamHost's mail server certificate is assigned to *.mail.dreamhost.com, and not your specific domain. A connection where the specified domain is mail.example.com is still secure, but mail programs may show a warning about the domains not matching.

Here is an example when viewing the certificate for mail.websitehelp.support:

(Image: 02 Domain Mismatch.fw.png, the certificate viewer showing the domain mismatch for mail.websitehelp.support)

You should only turn off this warning if you have verified that you are connecting to DreamHost’s mail servers.

The following sections provide information that helps you prevent this common warning message.

Connecting directly to your DreamHost mail server

Instead of using mail.example.com, you can use the name of your specific DreamHost mail server instead.

To determine which server name to use:

  1. Log into your DreamHost Panel.
  2. Navigate to the (Panel > 'Support' > 'Data Centers') page. (Image: 04 mail servernames.png, the Data Centers page)
  3. Under the 'Mail service' section you'll see your mail server to the right of any domain. In this example it’s homiemail-sub4.
  4. Use the matching server name in the table below for the incoming AND outgoing server in your mail program.
    Email Cluster       Server Name
    homiemail-sub3      sub3.mail.dreamhost.com
    homiemail-sub4      sub4.mail.dreamhost.com
    homiemail-sub5      sub5.mail.dreamhost.com
    homiemail-master    homie.mail.dreamhost.com

    • This example shows homiemail-sub4, so you'd enter sub4.mail.dreamhost.com into your client to connect.

Some mail programs will still reject these hostnames, since the asterisk (*) in the certificate's *.mail.dreamhost.com should, strictly speaking, match only one level of subdomain.
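The two points above (a certificate issued to *.mail.dreamhost.com does not cover mail.example.com, and the asterisk matches exactly one subdomain label) are what a mail client's hostname check actually decides. The following is an added illustration, not DreamHost's or any client's code: a small matcher implementing the usual wildcard rules (RFC 6125 section 6.4.3), run over the article's certificate name and a few constructed hostnames. The only certificate name it knows is the one the article states; the hostnames in the demo are sample inputs.

```python
"""Hostname check against a wildcard certificate name (RFC 6125 style).

Added illustration, not DreamHost code. The certificate name below is the
one the article says is on DreamHost's mail servers; the hostnames used in
the demo are constructed sample inputs.
"""

# Name the article says is on DreamHost's mail server certificate.
DREAMHOST_CERT_NAMES = ["*.mail.dreamhost.com"]


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`.

    Rules implemented, as most mail clients apply them:
    - comparison is case-insensitive and exact when there is no wildcard;
    - a wildcard is only honoured as the entire left-most label;
    - that wildcard matches exactly ONE label, never a dotted sequence,
      so sub4.mail.dreamhost.com matches but a.b.mail.dreamhost.com
      (or the bare mail.dreamhost.com) does not.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # reject partial ("s*.") and too-broad ("*.com") wildcards
    if len(h_labels) != len(p_labels):
        return False  # the wildcard spans exactly one label
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def cert_covers(hostname: str, cert_names=DREAMHOST_CERT_NAMES) -> bool:
    """True if any name on the certificate covers `hostname`."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


def explain(hostname: str) -> str:
    """Mirror the client's decision: connect silently, or raise a mismatch warning."""
    if cert_covers(hostname):
        return f"{hostname}: name matches certificate, no warning"
    return f"{hostname}: domain mismatch warning (cert is for *.mail.dreamhost.com)"


if __name__ == "__main__":
    # Constructed sample hostnames: the article's own examples plus two edge cases.
    for host in ["mail.example.com", "sub4.mail.dreamhost.com",
                 "homie.mail.dreamhost.com", "mail.dreamhost.com",
                 "a.b.mail.dreamhost.com"]:
        print(explain(host))
```

Running it shows why the server names from the table connect cleanly while mail.example.com (the name your own DNS points at the same server) produces the warning: the TLS session is encrypted either way, but the name the client asked for is not on the certificate.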

Email client solutions

There are various client-specific solutions, which most often involve simply turning off the warning about a domain mismatch.

Below are some of the more common examples.

Thunderbird

Thunderbird prompts you to create an exception. Click the OK button in the warning dialog box and it won't bother you again until the mail server is reconfigured.

Mail.app (Mac OS X)

You must add an /etc/hosts entry for Mail.app version 7.2 on Mac OS X 10.9.2.

To add:

  1. Open Mac’s terminal and open the hosts file. View the SSH article for instructions on how to open your terminal.
  2. After you open terminal, find the IP by running the following command on your hostname:
    [macbook]$ dig +short sub4.mail.dreamhost.com 
    69.163.253.135
  3. Run the following command to open the host file in order to edit it:
    [macbook]$ sudo nano /private/etc/hosts
  4. In the host file, enter the IP address of the server followed by the servername.
    If you are on homiemail-sub4, insert the following:
    69.163.253.135 sub4.mail.dreamhost.com
    • If this still doesn't work, make sure the Trust for *.mail.dreamhost.com certificate in Keychain.app is set to "Always Trust."
  • If you make changes to your system, DreamHost support cannot provide assistance for any errors that may occur as you are responsible for any changes that you make.
  • The IP assigned to your cluster can change, which will prevent you from connecting. Please only make this change as a last resort or as a temporary solution.

Trusting the certificate in Mail.app

For Mail.app version 8.1 on Mac OS X 10.10.1 and above, select “always trust” for the certificate, as shown below:

(Image: 03 Domain Mismatch.fw.png, the Mail.app certificate dialog with "Always trust" selected)

See Re-Trust SSL Cert for further details.

See also