Bill Lovett

Secure Email with Authorized Certificates in Apple Mail

Posted on May 26th, 2006

Problem: Apple Mail displays a confirmation window when you connect to a server (POP, IMAP, SMTP, or otherwise) that uses a self-signed SSL certificate. It also displays a confirmation window if the name of the server you're connecting to doesn't match the name of the server in the certificate. Dreamhost mail servers are like this.

Telling Apple Mail that it's OK to connect, and that in spite of appearances everything is just fine, is annoying. Those confirmation windows need to go away!

Solution: there are two potential problems here, so there will be two distinct solutions.

The first involves persuading Apple Mail to trust a self-signed certificate:

  1. Click "Show certificate" when Mail asks if you want to accept the certificate.
  2. Press the Option key while dragging the certificate to the desktop. The certificate's icon appears on the desktop.
  3. Add the certificate to your keychain by dragging its icon on top of Keychain Access.
  4. When Keychain Access opens, you may be prompted to select which keychain to import to. If this happens, choose a keychain and also select X509 Anchors.

The second problem involves server names: the name of the server you're connecting to may not match the name of the server in the certificate. The Unofficial Dreamhost Blog has a post that talks about this. Some of the comments discuss Apple Mail, others mention Thunderbird. The most straightforward solution seems to be tricking your Mac into resolving the server name in the SSL certificate (i.e. mail.dreamhost.com) to the IP address of the host you're actually trying to connect to.

Apple's article Mac OS X: How to Add Hosts to Local Hosts File covers how to do this. For Mac OS X 10.2 or later, though, some of the details are left out. When the article says, "Edit the /private/etc/hosts file," it really means:

  1. Get the IP address of the server you're trying to connect to by using the host command: "host mail.example.com"
  2. Edit the private hosts file by using sudo: "sudo vi /private/etc/hosts".
  3. Add a line at the bottom of the file associating the IP address you got from the host command with the name of the mail server in the SSL certificate.
  4. Change your account settings in Apple Mail so that you're connecting to the server named in the certificate.
  5. Restart Apple Mail, and the confirmation windows should be no more.

Technically, this makes it impossible to connect to the "real" server mentioned in the certificate, since you've just tricked your Mac into thinking it's somewhere other than where it really is. In my case, that's no problem since I don't normally connect to that server in the first place.
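Steps 1 to 3 of the hosts-file procedure as shell functions, an added example that is not part of the original post. The function names, the documentation IP addresses (192.0.2.x) and the temporary hosts file are assumptions made here; the override is written so that re-running it after the server's IP changes replaces the old line instead of leaving a stale duplicate.

```shell
#!/bin/sh
# Added example, not from the original post: the hosts-file edit from steps 1-3,
# written idempotently. resolve_ip, add_hosts_override and hosts_ip_for are
# names chosen here, not Apple or Dreamhost tools.

# resolve_ip NAME -> prints the A record for NAME (step 1: "host NAME").
resolve_ip() {
    host -t A "$1" | awk '/has address/ { print $4; exit }'
}

# add_hosts_override FILE IP NAME
# Appends "IP NAME" to FILE (step 3), first dropping any earlier non-comment
# line that already maps NAME, so the file never holds two answers for one name.
add_hosts_override() {
    file=$1; ip=$2; name=$3
    tmp=$(mktemp) || return 1
    awk -v n="$name" '{
        keep = 1
        if ($1 !~ /^#/) for (i = 2; i <= NF; i++) if ($i == n) keep = 0
        if (keep) print
    }' "$file" > "$tmp"
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$file"   # cat, not mv: keeps the owner and mode of FILE
    rm -f "$tmp"
}

# hosts_ip_for FILE NAME -> prints the IP that FILE currently maps NAME to, if any.
hosts_ip_for() {
    awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# Demonstration on a constructed copy of a hosts file, so no sudo is needed.
# 192.0.2.x are documentation addresses, not the real mail server's.
demo() {
    f=$(mktemp) || return 1
    printf '127.0.0.1\tlocalhost\n' > "$f"
    add_hosts_override "$f" 192.0.2.10 mail.dreamhost.com
    add_hosts_override "$f" 192.0.2.11 mail.dreamhost.com   # IP changed: one line, updated
    hosts_ip_for "$f" mail.dreamhost.com                     # prints 192.0.2.11
    rm -f "$f"
}
demo
```

Against the real file, run `add_hosts_override /private/etc/hosts "$(resolve_ip mail.example.com)" mail.dreamhost.com` under sudo (the sudo from step 2); the IP of the server you actually connect to is mapped to the name in the certificate, and the file's ownership and mode are left as they were.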
