55

When trying to deliver an email via console I receive this error:

OpenSSL::SSL::SSLError: hostname was not match with the server certificate

The thing is, I really don't know much about certificates and such, or how to get started troubleshooting this. I tried to do some investigation with openssl, and here is the certificate that is returned.

I don't know if it's a problem with Postfix, which is running on the server, or my Rails app; any help or clues are really appreciated.

~% openssl s_client -connect mail.myhostname.com:25 -starttls smtp
CONNECTED(00000003)
depth=0 /CN=myhostname
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=myhostname
verify return:1
---
Certificate chain
 0 s:/CN=myhostname
   i:/CN=myhostname
---
Server certificate
-----BEGIN CERTIFICATE-----
[...redacted...]
-----END CERTIFICATE-----
subject=/CN=myhostname
issuer=/CN=myhostname
---
No client certificate CA names sent
---
SSL handshake has read 1203 bytes and written 360 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 1AA4B8BFAAA85DA9ED4755194C50311670E57C35B8C51F9C2749936DA11918E4
    Session-ID-ctx: 
    Master-Key: 9B432F1DE9F3580DCC6208C76F96631DC5A4BC517BDBADD5F514414DCF34AC526C30687B96C5C4742E9583555A118232
    Key-Arg   : None
    Start Time: 1292985376
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 DSN
Lizz
JP Silvashy

4 Answers

136

An infinitely better solution (in terms of security that is) than the accepted answer would be:

ActionMailer::Base.smtp_settings = {
  :address              => "mail.foo.com",
  :port                 => 587,
  :domain               => "foo.com",
  :user_name            => "addy@foo.com",
  :password             => "foofoo",
  :authentication       => "plain",
  :enable_starttls_auto => true,
  :openssl_verify_mode  => 'none'
}

This way you'll still be using encryption, but the validation of the certificate would be disabled (and you won't be getting any errors).

Bozhidar Batsov
  • 3
    Obviously, Bozhidar's solution not only enables encryption (smiley face!, +1), but also narrows down the problem to certificate verification. Great job! – Lizz Nov 08 '12 at 20:45
  • 1
    Apparently this option hadn't quite made it into the docs when this question was answered. This is a far better solution! – user208769 Nov 09 '12 at 16:36
  • 1
    +1 Clean way of enabling TLS on hosts where you have no control over the (possibly self signed) SSL certificate (but which you trust) though of course you would never do that with an authority you don't trust. Much safer than accepted answer. – Peter Host Nov 20 '12 at 20:12
  • 1
    Thank you Bozhidar. Also for Dreamhost, I just want to put a little note for others who may encounter the same problem as mine: user_name should be username@domain.com (in complete form) instead of username only. – datnt Jan 25 '13 at 07:48
  • Glad to be of service, Zheni :-) – Bozhidar Batsov Feb 25 '13 at 14:48
  • Dreamhost people: In case you missed it, there's now a better way, you might want to update your config - see answer below https://stackoverflow.com/a/48505842/208769 – user208769 Jan 29 '18 at 16:32
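As an added example (not code from any answer on this page), the following Ruby script reproduces the identity check behind the question's error against a constructed self-signed certificate with CN=myhostname, and shows that the check passes only when the address being connected to appears in the certificate. The key, certificate and host names are constructed here; `:openssl_verify_mode => 'none'` from the answer above skips exactly this check, so it should be used only where the certificate has been verified by other means.

```ruby
require "openssl"

# Build a self-signed certificate whose subject is CN=<common_name>, mirroring
# the Postfix certificate in the question (constructed here, not the real one).
# Optional subjectAltName DNS entries let us show what a fixed certificate does.
def build_self_signed_cert(common_name, sans: [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject              # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + 365 * 24 * 3600
  unless sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    san_value = sans.map { |h| "DNS:#{h}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", san_value))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The identity check Ruby runs after the TLS handshake; a false result is what
# surfaces as "hostname was not match with the server certificate".
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Which of several candidate :address values would this certificate accept?
def acceptable_addresses(cert, candidates)
  candidates.select { |h| hostname_matches?(cert, h) }
end

if __FILE__ == $0
  cert = build_self_signed_cert("myhostname")
  # The question connects to mail.myhostname.com, but the cert only names myhostname.
  puts "mail.myhostname.com -> #{hostname_matches?(cert, 'mail.myhostname.com')}"  # false
  puts "myhostname          -> #{hostname_matches?(cert, 'myhostname')}"           # true
end
```

Rather than disabling verification, the check shows the two fixes that keep it on: point :address at a name the certificate actually carries, or reissue the server certificate with the connecting name as a subjectAltName.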
25

EDIT: This answer is no longer the best solution, and may no longer work. See this answer which is more secure.

The name on the certificate should match the URL on which you are running your application.

Not useful... I get this error with dreamhost, where I have no option to change the ssl certificate. (well, I do, but it costs.)

One option is to disable tls. Hopefully you have something like this in your initializers:

ActionMailer::Base.smtp_settings = {
  :address              => "mail.foo.com",
  :port                 => 587,
  :domain               => "foo.com",
  :user_name            => "addy@foo.com",
  :password             => "foofoo",
  :authentication       => "plain",
  :enable_starttls_auto => true
}

Change the enable_starttls_auto option to false (or add it in if it isn't present).

Warning: this will disable encryption, meaning your username and password will traverse the internet in plain text.

I can't see a better way of doing this, so would be interested in any answers.

user208769
1

If you are using the Ruby mail library as I do, here is the setting for POP:

pop = Net::POP3.new(mail_server, mail_port)
pop.enable_ssl(0) # verification is on by default; set it to 0 if you want to turn it off
pop.start(mail_username, mail_pwd) 
CharlesC
0

As many people discussing this question have mentioned dreamhost, there is a better dreamhost-specific answer to this question.

Your email software, in recent years, has probably started getting more belligerent at you for using incorrect server names on your certificates. As a response, Dreamhost now recommends using their domain name rather than your own when setting up your email account.

You need to find out which mail cluster your account is assigned to, then your config will be as follows:

ActionMailer::Base.smtp_settings = {
  :address              => "mail.foo.com",
  :port                 => 587,
  :domain               => "subX.mail.dreamhost.com", # instead of "foo.com"
  :user_name            => "addy@foo.com",
  :password             => "foofoo",
  :authentication       => "plain",
  :enable_starttls_auto => true,
  # :openssl_verify_mode  => 'none' # hopefully, no longer needed
}

where subX is the subdomain your email cluster is on. Currently this can be found on your Dreamhost panel at Panel > Support > Data Centers.

More details can be found on their email client configuration page: https://help.dreamhost.com/hc/en-us/articles/214918038-Email-client-configuration-overview

user208769