8

I am using Pony mail to send email messages (because I could never get ActionMailer to work on my local Windows box).

The code in my user_mailer.rb file includes this call to the Pony.mail method:

Pony.mail({
  :to => email_address, 
  :from => 'MyChairSales <support@mychairsales.com>', 
  :subject => subject, 
  :body => email_body, 
  :html_body => html_body,
  :via => :smtp,
  :via_options => {
    :address              => 'mail.mychairsales.com',
    :port                 => '25',
    :enable_starttls_auto => true,
    :user_name            => 'mychairs',
    :password             => 'thepassword',
    :domain               => "mychairsales.com" # the HELO domain provided by the client to the server
  } 
 })

This was working (I have received email using this method) but is now failing with the error "hostname does not match the server certificate".

Here is the top of the stack trace:

["/usr/lib64/ruby/1.9.3/openssl/ssl-internal.rb:121:in `post_connection_check'",
"/usr/lib64/ruby/1.9.3/net/smtp.rb:585:in `tlsconnect'",
"/usr/lib64/ruby/1.9.3/net/smtp.rb:560:in `do_start'",
"/usr/lib64/ruby/1.9.3/net/smtp.rb:519:in `start'",
"/home4/mychairs/ruby/gems/gems/mail-2.4.4/lib/mail/network/delivery_methods/smtp.rb:144:in `deliver!'",
"/home4/mychairs/ruby/gems/gems/mail-2.4.4/lib/mail/message.rb:245:in `deliver!'",
"/home4/mychairs/ruby/gems/gems/pony-1.4/lib/pony.rb:166:in `deliver'",
"/home4/mychairs/ruby/gems/gems/pony-1.4/lib/pony.rb:138:in `mail'",
"/home4/mychairs/rails_apps/chairsales/app/mailers/user_mailer.rb:32:in `send_mail'",
"/home4/mychairs/rails_apps/chairsales/app/mailers/user_mailer.rb:23:in `send_password_reset_email'",...

Any guidance would be greatly appreciated!

vbsql7

1 Answer

21

A bit late but I also encountered this error but with the Ruby Mail gem. If your SMTP server supports TLS, it will attempt to use TLS and authenticate the SSL certificate. If the certificate is issued for a hostname other than the one used or if the certificate cannot be authenticated (for example if it's self-signed and you don't trust the CA), then it will fail with the error "hostname does not match the server certificate".

To get around it, use the :openssl_verify_mode option. This can be set to OpenSSL::SSL::VERIFY_NONE to do no verification of the certificate - it will still encrypt the SMTP session though. Or there are other options available within the OpenSSL library.

Using your example, it would be:

Pony.mail({
  :to => email_address, 
  :from => 'MyChairSales <support@mychairsales.com>', 
  :subject => subject, 
  :body => email_body, 
  :html_body => html_body,
  :via => :smtp,
  :via_options => {
    :openssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, 
    :address              => 'mail.mychairsales.com',
    :port                 => '25',
    :enable_starttls_auto => true,
    :user_name            => 'mychairs',
    :password             => 'thepassword',
    :domain               => "mychairsales.com" # the HELO domain provided by the client to the server
  } 
 })

This also works for the Mail gem as well.

Philippe Green
  • 2
    YES! There are security issues! This allows anyone on the internet who is between you and your server to steal your connection and read your data. You should NEVER do this in a secure application - you should only work with servers that issue valid certificates. – Brad Sep 04 '14 at 23:25
  • 1
    Yes, this is true. If you need to verify the identity of the server you are communicating with to prevent man in the middle attacks then you should not turn off host verification. There may be cases where this is not necessary or possible if you are dealing with a third party that issues "valid" certificates but they do not match the hostname for some reason. Obviously not best practice. – Philippe Green Oct 10 '14 at 16:14
  • For example, if you were sending an email to a third party server without username/password smtp authentication information and your choices were to send via TLS or plain text but the TLS cert is not a trusted cert or doesn't match the hostname. Sending via TLS and not verifying the cert would still be the more secure option. – Philippe Green Oct 10 '14 at 16:21
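
The check that raises "hostname does not match the server certificate" in the stack trace can be run offline against a certificate to see which hostnames it covers, so that :address can be set to a matching name while verification stays on. This is an added example, not code from the question or the answer; the certificate is constructed and the hosting-provider.example names are hypothetical.

```ruby
require 'openssl'

# Constructed sample: a self-signed certificate whose subjectAltName lists
# the given DNS names (stands in for what the SMTP server presents).
def sample_cert(dns_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', dns_names.first]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san = dns_names.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san, false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# DNS names the certificate is actually issued for.
def cert_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip).grep(/\ADNS:/).map { |v| v.sub('DNS:', '') }
end

# The same identity check post_connection_check performs after STARTTLS.
def hostname_matches?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

# Candidate hostnames the certificate covers; one of these belongs in
# :address, with certificate verification left enabled.
def usable_addresses(cert, candidates)
  candidates.select { |h| hostname_matches?(cert, h) }
end

# Hypothetical provider names under the reserved .example TLD.
CERT = sample_cert(['*.hosting-provider.example', 'hosting-provider.example'])
CANDIDATES = ['mail.mychairsales.com', 'box42.hosting-provider.example']

puts "certificate names: #{cert_dns_names(CERT).inspect}"
CANDIDATES.each { |h| puts "#{h}: #{hostname_matches?(CERT, h) ? 'match' : 'MISMATCH'}" }
```

To run the same check against the certificate a live server presents, `openssl s_client -starttls smtp -connect mail.mychairsales.com:25` prints it, and the PEM output can be loaded with `OpenSSL::X509::Certificate.new`.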