SSL certificate renewal for most customers
Our current “mail.dreamhost.com” certificate used by most of you for SSL email is up for renewal on Friday! We will be replacing it with a newer, better certificate with the name:
*.mail.dreamhost.com
It is also signed by an internal certificate authority, “New Dream Network Certificate Authority”. This means two things! First, most of you will get a popup saying “This certificate is new and untrusted! The world is ending!”. If you press CANCEL the connection will not go through, and you will have a chance to install our NDN CA certificate into your email client. This will allow your computer to trust us!
http://wiki.dreamhost.com/NDN_Certificate <----<<< link to installation instructions in our Wiki
https://dreamhost.com/ca/ndn.ca.crt <----<<< link to certificate file data
If you have any problems, please do not hesitate to contact us! This should make your email client not pop up a warning about how the certificate is from an untrusted or unknown certificate authority. This is different from the next (usual) warning about the certificate name not matching the host you are connecting to!
To get rid of the host mis-match error, all you need to do is head on over to https://panel.dreamhost.com/ and log in. In the upper right, click the link that says “Account Status”, then make note of your “email server”. You will want to edit your IMAP, POP, and SMTP servers to be something along the lines of:
a1.balanced.email-server.mail.dreamhost.com
For example: a1.balanced.spunky.mail.dreamhost.com
That’s it! No more annoying popup windows when using SSL! It is now more secure than previously.
FAQ:
1. Why don’t these instructions work for Apple Mail?
-It seems there is a bug in Apple Mail. It does not properly use wildcard certificates. (*.mail.dreamhost.com should match any “word.mail.dreamhost.com”.) We will be contacting them on Monday regarding this issue. Remember, it’s not worse than it was previously!
2. Why not get a REAL certificate signed by VeriSign?
-This is a REAL certificate, and the SSL works just the same.
3. I don’t trust you, I have too many computers to do this on, I can’t expect my clients to install that CA certificate, etc, do I have to install the NDN CA certificate?
-No! Just click to accept the *.mail.dreamhost.com certificate permanently and it shouldn’t bother you until we renew or change the certificate. Installing the CA certificate would allow us to renew the certificate transparently.
4. Why don’t you set the content-type properly on the above link?
-It’s easier to save the file to disk for importing into Thunderbird, etc, if we don’t. Otherwise IE and Firefox both try to process the certificate.
5. What are the vital stats on the new certificate?
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            e8:c8:92:78:d0:05:ce:5f
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=California, L=Los Angeles, O=New Dream Network, LLC, OU=Security, CN=New Dream Network Certificate Authority/emailAddress=support@dreamhost.com
        Validity
            Not Before: Apr 12 00:48:57 2007 GMT
            Not After : Apr 9 00:48:57 2017 GMT
        Subject: C=US, ST=California, L=Brea, O=Dreamhost.com, OU=Security, CN=*.mail.dreamhost.com/emailAddress=support@dreamhost.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
Modulus=E84958AF3CBFB6AA1060288E83E1B97CF75312B9EEBC194C71EB1A3A477706746134DFC
AD8539ACAA161284CA27C04E70DE479DB825E0EC1D5E0F479C380315F42D46304BE8D064458073
9A33D853A1B70CEF73C6389B09E31AA286B9031EC9CE68BEFBB8A6846E1F40AA6F34A218B5A72F
62C0A52B7B276998B909E344162FB
Update:
The certificate is installed now; however, some astute readers have alerted me to the fact that this new certificate isn’t actually X.509 specification compliant. We’re going to stick with it, since it does help a subset of our users, and will consider some alternatives for the future!
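The FAQ's wildcard note and the Update above both turn on how a client compares the name in a certificate with the server name it connected to. The Python below is an added example, not DreamHost's code or any mail client's implementation: it applies the strict rule from RFC 2818 / RFC 6125 (a "*" is honoured only as the whole left-most label and stands for exactly one label) to names used on this page. The function names and the case list are assumptions made for the illustration.

```python
"""Added example: strict single-label wildcard matching for certificate names."""
import ipaddress


def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def pattern_is_valid(pattern):
    """Accept a wildcard only as the entire left-most label, and only once."""
    labels = _labels(pattern)
    if any(not label for label in labels):
        return False  # empty label, e.g. "a..b"
    if any("*" in label for label in labels[1:]):
        return False  # "*" anywhere except the left-most label
    if "*" in labels[0] and labels[0] != "*":
        return False  # partial wildcard such as "a*" (strict clients refuse it)
    if labels[0] == "*" and len(labels) < 3:
        return False  # "*.com" would cover an entire top-level domain
    return True


def hostname_matches(pattern, hostname):
    """Return True if a certificate name (pattern) covers the dialed hostname."""
    try:
        ipaddress.ip_address(hostname)
        return False  # DNS names in a certificate never match an IP literal
    except ValueError:
        pass
    if not pattern_is_valid(pattern):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # "*" stands for exactly one label, never several or none
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


# Constructed sample input: certificate names and server names quoted on this page.
PAGE_CASES = [
    ("*.mail.dreamhost.com", "spunky.mail.dreamhost.com"),
    ("*.mail.dreamhost.com", "foo.mail.dreamhost.com"),
    ("*.mail.dreamhost.com", "balanced-spunky.mail.dreamhost.com"),
    ("*.mail.dreamhost.com", "a1.balanced.spunky.mail.dreamhost.com"),
    ("*.mail.dreamhost.com", "mail.dreamhost.com"),
    ("*.mail.dreamhost.com", "mail.mydomain.com"),
    ("*.*.*.*.dreamhost.com", "a1.balanced.spunky.mail.dreamhost.com"),
    ("a1.balanced.*.mail.dreamhost.com", "a1.balanced.randy.mail.dreamhost.com"),
    ("*.mozilla.org", "addons.mozilla.org"),
    ("*.mozilla.org", "addons.update.mozilla.org"),
]


def evaluate(cases=PAGE_CASES):
    """Return (pattern, hostname, matched) for every case."""
    return [(p, h, hostname_matches(p, h)) for p, h in cases]


if __name__ == "__main__":
    for pattern, host, ok in evaluate():
        verdict = "MATCH   " if ok else "MISMATCH"
        print(f"{verdict}  {pattern:34} {host}")
```

Only the single-label names (spunky, foo, balanced-spunky) pass under this rule, so a strict client needs either a one-label alias in DNS or a certificate issued for the exact multi-label name.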
June 17th, 2007 at 7:56 pm
Wow, nobody complained about their services yet… Amazing.
But DreamHost, if possible, I do have a question: is it active yet?
June 17th, 2007 at 8:36 pm
This is good news! No more need for host-file rewrites and the “remember mismatched domains” Thunderbird add-on
June 17th, 2007 at 8:46 pm
“then make not of your “email server”.” not -> note
June 17th, 2007 at 9:38 pm
*.mail.dreamhost.com won’t work in most clients that follow the spec. That’s not a bug in Mail.app. If that actually works, the client is broken. The X.509 spec says the * only matches one atom in the domain name. *.mail.dreamhost.com will match word.mail.dreamhost.com but will not match word.word.mail.dreamhost.com.
We went through this with the addons.update.mozilla.org site before it got renamed to just addons.mozilla.org trying to use our *.mozilla.org certificate with it.
June 18th, 2007 at 1:38 am
How about adding a shared certificate for the DreamHost websites for clients? This would be great too.
June 18th, 2007 at 2:28 am
When adding this certificate to Opera, I just get the error message “The client certificate had no matching private key in the database”. Not sure whether this is Opera’s fault or what. I’ve changed the e-mail server from mail.mydomain.com to a1.balanced.spunky.mail.dreamhost.com, but I still get prompted by Opera to “Accept” the certificate since it doesn’t match the domain name in the certificate.
June 18th, 2007 at 6:53 am
Funny, I’ve been buying multi server SSL certificates from RapidSSL. $600 for 2 years installed on my Cisco CSS load balancers and about 10 other systems around my network…. We thought about self-signed certs, but the cost of answering the same nonsense questions to our customers time after time made the $600 a MUCH better deal!
Dreamhost guys - Think about Rapid SSL wildcard certs - they will save you a LOT of grief - and they are owned by Equifax.
June 18th, 2007 at 9:27 am
Dave Miller: Well, shoot. Amusingly enough, Gecko based email clients are the ones which do work. We’re working around so many SSL limitations here, I assumed a wildcard used standard globbing.
Asbjørn Ulsberg: It sounds like Opera is trying to import this as a “Client identification certificate” which required both the public and private key. I will check on Opera when I get into the office and update the Wiki! You want to import a “Certificate Authority” certificate.
Pete: We specialize in nonsense!
June 18th, 2007 at 10:25 am
While a good step in the right direction, I don’t think this issue is solved. It is indeed the spec that you only get one atom for a wildcard. You should try something like domaintld.dreamhostmail.com and use your wildcard there. That way you could still do the DNS however you like and we’d still get proper SSL’d mail.
And Seriously self signed? For internal use this is 100% A OK, but dreamhost status doesn’t even have ssl, there’s no chain of trust here. Which is why we have our certificate authorities. Cost obviously isn’t the issue, so what is it?
Maybe you guys should go bid to be a certificate authority yourselves :-p
June 18th, 2007 at 10:31 am
Now that you have your own CA cert, provide each hosted domain with a free wildcard cert signed by your CA. This will cause warnings in browsers, but would allow https, which is better for everyone.
(See similar suggestion under Goodies - Secure Server)
If this becomes popular, you can promote DreamHost by convincing browser distributors to include the DreamHost CA cert in their browsers. Then, you can break into the amazing business of certificate signing (amazing because people will actually pay money for math). … and hire me, please.
June 18th, 2007 at 10:42 am
Francis: Please note the link to the CA Certificate is SSL: https://dreamhost.com/ca/ndn.ca.crt . It is a weak chain of trust, but one exists there!
June 18th, 2007 at 12:33 pm
In some ways, the chain of trust is much stronger. After all, you can check and check again what the fingerprint is. Not many companies publish the fingerprint, they rely on microsoft or mozilla’s stamp of approval on the root certificates that are shipped with the browsers. And lord knows it doesn’t take much to get additional crap installed in your browser.
On the other hand: what Pete said.
June 18th, 2007 at 2:21 pm
In my professional opinion, wouter is correct. By personally downloading and inspecting the fingerprint of a certificate, you have much higher assurance it is from the source you think it’s from (which is all an X.509 certificate chain of trust verifies). This is why the Public Key Infrastructure (PKI) trust model doesn’t really work (just like wouter said, why should you trust certs found in your browser).
This is all academic anyway, because 99% of end users will just click “OK” when warned about an unknown certificate.
For the tech savvy (us), let’s get it right! Thanks for the improvement DreamHost.
June 18th, 2007 at 4:30 pm
Internal server errors on all my sites.. WTF?
June 18th, 2007 at 5:07 pm
Hi. I’ve been using SSL for email using mail.mydomainname.com port 995 for receiving mail and it’s been working fine (other than the certificate warning). Just tried changing to suggested format and it does not work - invalid password.. confused. For outgoing I’m using my ISP’s SMTP - I previously used ‘mail.mydomainname.com’ for outgoing until I found my IP ended up on one of the spam sites as a result, and now others’ filters have been blocking my mail as a result, for which I am severely fucked off.
June 18th, 2007 at 7:39 pm
Am I the only one who can’t get the host mis-match error to go away? I’m using Thunderbird 2.0.0.4 and I’ve followed the instructions to the letter:
1. I downloaded the NDN CA certificate and installed it.
2. I changed my server names for each email account to “a1.balanced.randy.mail.dreamhost.com” (as you can see, my email server is randy).
3. I still get the “mis-match” warning dialog when checking my email.
There must be something I’m missing here, right? I know there’s an extension to prevent this warning from popping up, but I’d rather not resort to that (I was hoping this would allow me to do things the “right” way). Anyone got any ideas?
June 19th, 2007 at 7:53 am
Jonah, I have _not_ yet tried to fix this, but see comments above regarding wildcard certificates (which DreamHost is trying to use). According to the X.509 wildcard certificate specification, what DreamHost is trying to do will not really work “right.”
Specifically, a correctly implemented email client should _not_ accept their “*.mail.dreamhost.com” cert for “a1.balanced.randy.mail.dreamhost.com” because the wildcard only works for one level (not “a1.balanced.randy”).
I’d have to review the spec, but maybe they should get a new wildcard cert for “a1.balanced.*.mail.dreamhost.com” (but I’m not sure a wildcard in the middle of a CN is allowed).
June 19th, 2007 at 7:58 am
Re: Angry Dog
Can others tell me if this is a common problem with DreamHost hosted email? That is, does DreamHost SMTP-sent mail get blocked by spam filters? I know this isn’t really the place to ask, but you brought it up, and I was about to start using DreamHost’s SMTP… should I avoid that??
June 19th, 2007 at 9:23 am
Call me a noob, but I’m confused. Does this mean that using “mail.mydomain.com” will no longer work in outlook, etc? Or is this really just as simple as making sure everyone clicks ‘OK’ or ‘Accept’ or whatever when the popup about the cert comes up? Please tell me I’m not going to have to explain how to install new certs to all my customers… most of them are gardeners, etc, and will be far more confused than I am…
June 19th, 2007 at 9:56 am
Kelly: yeah, it worked with Firefox, so we didn’t think anything of it, then we started getting complaints from Internet Explorer and Safari users about the domain mismatch errors…
And when we started investigating the spec, turns out it was Gecko’s implementation that was broken for accepting it.
June 19th, 2007 at 10:06 am
@Confused (aka noob): Seriously, PKI and public key cryptography are rather complex issues. I have the benefit of many years of direct industry experience (…anyone looking for a cryptography/security consultant?).
I have _not_ attempted to use Outlook (yech), but at worst, it should only be as bad as it was before. That is, clicking OK to a warning should be fine.
In an ideal world, a security-conscious application would never give the end user the power to ignore such a (potential) breach of security, but these things are really hard to set up properly in the real world. Much credit goes to DreamHost for going down the correct path. Unfortunately, more security usually (always?) means more overhead and complexity. Hopefully they can keep the complexity on their side (and admin side), and avoid end-user frustration.
June 19th, 2007 at 10:15 am
Nyhm: That’s what we’re going for! Fewer dialog boxes for our users. If that indirectly means more instances of Gecko based clients in the wild, the world is a better place! Phooey on the X.509 specification. Some of this stuff isn’t unreasonable to expect from an SSL cert.
Dave Miller: Please, for the love of all things holy/unholy/metal/whatever, do not “fix” that without implementing bug #228684 so it doesn’t require a third party plugin!
Jonah: I should have made this more clear, the certificate is going in on Thursday! I’m giving everyone time to read this and warn their users of the impending dialog boxes. It sounds like everything is in there correctly for the switchover.
June 19th, 2007 at 10:52 am
@Kelly: With all due respect for your efforts, saying “Phooey” to the specification and suggesting that software should remain broken to meet the needs of your particular implementation is totally wrong. Yes, your wildcard interpretation is probably reasonable, but that’s not the point.
Security specifications and software is a very difficult field to get right. As convoluted as the PKI / X.509 specs may be, many experts considered these designs, and the spec is the accepted standard to which all software must adapt. To do otherwise is to go the way of Microsoft: Interpreting the spec in the way most convenient for you (and to lock out compatible implementations with your market share).
June 19th, 2007 at 11:20 am
Nyhm: More of an expression of frustration than me actually being a scoff-law to the spec.
June 19th, 2007 at 11:23 am
I don’t know the specs that well, but if *.dreamhost.com can only match that one level of subdomain, i.e. mail.dreamhost.com … is it possible to have a certificate that is something like *.*.*.*.dreamhost.com? Would that help match up the 4 levels of subdomains as listed in: a1.balanced.email-server.mail.dreamhost.com? I have no idea if that would then also match things like mail.dreamhost.com with only one level of subdomain? I glanced at a spec that may or may not have any bearing on the situation, RFC 4592 - and at the end of 2.2.1 there is at least an example that shows *.*.example.com - so it may be possible … just wondering …
June 19th, 2007 at 11:35 am
@Kelly: I completely understand. Thank you for this exceptional effort.
June 19th, 2007 at 2:26 pm
Kelly: Thanks for clearing that up. I’ll check it again on Thursday to make sure things work as intended. DreamHost continues to rock!
June 20th, 2007 at 3:07 am
Your site is a refreshing change from the majority of sites I have visited. When I first started visiting web sites I was excited by the potential of the internet as a resource and was very disappointed initially. You have restored my enthusiasm and I thank you for your efforts to share your insights and help the world become a better place.
June 20th, 2007 at 12:15 pm
Unfortunately, I’ll be buried under the spam comments but the thought occurred to me… can’t DreamHost just create hostnames for each of the clusters *without* the balanced stuff prefixing it? IE, create maybe a round-robin DNS entry for mymailserver.mail.dreamhost.com. Have folks use that instead and the wildcard should work.
June 20th, 2007 at 12:26 pm
LeighK, that actually sounds like a good idea. I wonder what DreamHost thinks about it. Too late for them to change their plan this year, perhaps, but maybe they can do something along those lines next year (or whenever the certificate they instantiate now expires)?
June 20th, 2007 at 1:31 pm
@Asbjørn
They haven’t updated the cert yet. Plus, this plan is specific to changing DNS, not the cert. That can be done any time. It’ll require another change to the clients, but how hard is that really (especially if they implement it soon, before more people do it anyway)?
June 21st, 2007 at 12:54 am
This is fantastic!
I wish I had known how to do this before. Now all my IMAP accounts are accessible through TLS connections with SPA with no warning dialog boxes. And now that I’m not using mail.mydomain.com it seems a scrillion (yes one scrillion) times faster. Has “a1.balanced.spunky.mail.dreamhost.com” always been available? I never saw anything in the wiki or the old help files refer to anything other than mail.mydomain.com
June 21st, 2007 at 1:33 am
Ah, I spoke too soon.
Access to my IMAP accounts still seems faster but I discovered after I closed and reopened Outlook I get the following dialog box: http://www.nothingunrealexists.com/IMAP.error.png
I have followed the directions given here: http://wiki.dreamhost.com/NDN_Certificate to install the certificate in both Firefox and IE. Only after disabling both SPA and TLS/SSL am I able to open Outlook without getting the dialog box.
I know this isn’t a tech support forum and I’ll continue to just click yes; just wanted to post a little FYI.
June 21st, 2007 at 2:58 am
@LeighK: Right-o. Let’s hope they see your comment, implement this and update the wiki before it’s too late then!
June 21st, 2007 at 6:47 pm
Well, this whole change over is SNAFU. Things were working just fine with a little /etc/hosts management and mail.dreamhost.com, but the instructions FAIL on both Win XP Outlook and OS X Entourage. I installed the cert in Windows and OS X Keychain Access, but that doesn’t do a whiff of good.
On what OS/mail application combo is this supposedly working for people?
“It’s broken, but we’re not going to fix it.” That’s great. Just great.
June 21st, 2007 at 7:01 pm
Back again!
For those of you who own OS’s/MUAs which actually adhere to specifications, add this to /etc/hosts:
foo.mail.dreamhost.com
and use foo.mail.dreamhost.com as your IMAP/POP/SMTP/BDSM server.
June 21st, 2007 at 7:10 pm
The first half of the third line of text above was removed; it should be the IP of your mail server, separated from foo.mail.dreamhost.com by whitespace.
And my users are going to looooooooooooove the errors, and me having to come around and change everything…
June 22nd, 2007 at 12:53 am
What ever happened to testing?
This change might have benefited much of your user base but it really pissed others off. (like me).
Now I need another /etc/hosts hack to get around annoying behavior in Mail.app. grrrrr!
~N
June 22nd, 2007 at 4:09 am
Why, when inspecting the certificate that I just downloaded in OS X Keychain Access, does it not match most of the details of the cert listed above? The valid to/from dates and serial number are different. And I can’t find anything that matches the ‘Modulus’ entry listed above (what is that?).
Should I trust the cert I downloaded? I’m inclined not to…
June 22nd, 2007 at 4:13 am
Doh…ignore my previous comment. I just realised that the listed details are for the mail certificate, not ndn.ca.crt.
June 22nd, 2007 at 8:55 am
Sigh…. so what /etc/hosts hack do I have to perform now to get this to work in OS X Mail.app without giving me the “unable to verify identity” error now?
And while I’m normally very supportive of Dreamhost…
“[...]some astute readers have alerted me to the fact that this new certificate isn’t actually X.509 specification compliant. We’re going to stick with it, since it does help a subset of our users[...]”
Are you kidding? To me, “subset” implies “this seems to work for some people, and not most.”
June 22nd, 2007 at 9:31 am
Conigs: From what I understand, it shouldn’t have gotten any worse for anyone? The same host mis-match errors as previously should be popping up for standards compliant email clients. The certificate had to be updated, anyways, since the old one was expiring. You should be able to tell your browser or email client to trust your certificate issuer.
June 22nd, 2007 at 9:45 am
conigs: If you were using the mail.dreamhost.com hack in /etc/hosts before, see my above post. Basically, change
34.54.63.112 mail.dreamhost.com
to
34.54.63.112 foo.mail.dreamhost.com
(of course that IP isn’t exact; use what you were using), install the NDN cert auth, and change your POP/IMAP/SMTP servers from mail.dreamhost.com to foo.mail.dreamhost.com.
June 22nd, 2007 at 5:13 pm
I’ve put in a ticket for this, but it looks like this new certificate only holds true for full SSL connections, the TLS over IMAP/POP still are using the old certificate(s) (localhost and mail.dreamhost.com).
Also I’d like to also chime in that having the simple CNAME for something like balanced-spunky.mail.dreamhost.com (if not just spunky.mail.dreamhost.com) in dns could solve most of this subdomain problem.
June 22nd, 2007 at 10:07 pm
Hmm. I am skeptical of this fix. I had foo@thunder-monkey.com working well with the /etc/hosts trick for Apple mail.
It is not clear to me how to make this work (even when they get Apple to fix (good luck! Wait until Leopard they’ll say)).
Once the folks at Dreamhost get it noodled out, I’d really like to see a HOWTO to make it work with the Mac.
June 25th, 2007 at 10:50 am
I’m going to second OnyxRaven’s request to see cnames setup so that we don’t have to play games with our machines: “I’d like to also chime in that having the simple CNAME for something like balanced-spunky.mail.dreamhost.com (if not just spunky.mail.dreamhost.com) in dns could solve most of this subdomain problem”
I doubt contacting Apple is going to get you very far as they are simply following a spec. I’d recommend you change the names to comply with the spec rather than pointing fingers at a vendor.
June 25th, 2007 at 12:29 pm
I wouldn’t want to sound too AOLish, but regarding OnyxRaven’s proposal and bubba’s seconding, I too would like to have plain spunky.mail.dreamhost.com names… Hey! If you don’t have to pay for the certificates, it’s just a name server entry + ‘openssl req’ + ‘openssl ca’ for every cluster… you can script that also
June 25th, 2007 at 7:59 pm
Ditto to what others have said. It was working fine before, why change it? To quote: “posting in the comments here IS NOT an official way to contact DreamHost”. Ergo, I have submitted an official support request.
June 25th, 2007 at 11:53 pm
Monday has come and gone, what’s up with the Apple Mail?
June 26th, 2007 at 2:09 pm
Kim: Apple is simply following the spec — it is not their problem.
Follow these instructions to update your Apple mail config.
http://wiki.dreamhost.com/Mac_OS_X_Mail_10.4#Instructions
June 26th, 2007 at 11:23 pm
I’ve noticed a problem with the CERT file. It’s served with the “text/plain” MIME type, while it should be served with “application/x-x509-ca-cert”. If served with the correct HTTP Content-Type header, browsers (like Opera) should recognize it as a certificate when requested and ask the user to install it. Since its Content-Type is “text/plain”, the browser only shows its data to the user as plain text. Please fix this!
June 29th, 2007 at 11:18 am
I suggested a fix for this issue 3 years ago: http://discussion.dreamhost.com/showflat.pl?Cat=&Board=forum_troubleshooting&Number=9313&page=5&view=collapsed&sb=5&%20%20o=31&part=.
July 15th, 2007 at 8:18 pm
If you’re having any trouble with the “Internet Security Warning” issue, I’ve just updated the Wiki post.. perhaps you can find some help there..
July 22nd, 2007 at 5:06 pm
I’ve tried all the instructions in this post including http://wiki.dreamhost.com/Mac_OS_X_Mail_10.4#Instructions and I’m still getting the pop up each time I open Mail.app. It’s quite annoying. Any word on how to resolve this?
August 4th, 2007 at 5:12 pm
I’m too drunk at this point to say anything despite: “So?”.
August 7th, 2007 at 5:17 pm
After talking with the dreamhost folks, who I have to say were very patient with me, we came to the mutual conclusion that they were not really interested in fixing this problem. Luckily, it’s pretty easy to have your email hosted by AOL for free featuring secure SSL IMAP and SMTP with no editing /etc/hosts, no manually installing certificates, works with all email clients, no difficult configuration, and full “it just works” support for the iPhone.
To use it, go to this page, choose the “Bring Your Own Domain” tab and follow the process they describe (it’s quick and easy):
https://domains.aol.com/personaldomain/app/domainMainSearch
At some point in the process, they will ask you to go to your host and change the mx records. You do this in the dreamhost panel under email/custom mx records.
They will give you a list of 4 mx records, BUT DON’T USE THESE. Instead if you go to AOL’s faq (links on the right) question #37 tells you to use: ASPMX.DOMAINS.AOL.COM in the first mx record field on dreamhosts configuration page and that’s it, which is easier anyway.
You wait for this to propagate (doesn’t take long) and click button on the web page they give you and you’re up and running. It’s beautiful.
I hear great things about dreamhost, but maybe their core competency isn’t hosting secure email. That’s OK, they’re good at other things and AOL is great at hosting email. Plus you get aol’s webmail interface, which is much better.
Your website will, of course, still be hosted by dreamhost.
October 4th, 2007 at 3:35 pm
ASPMX.DOMAINS.AOL.COM doesn’t work. In fact no server exists at this IP.
October 28th, 2007 at 5:59 am
I can’t do most of this. There is nowhere to import the certificate and no settings I can find. Any tips using Outlook 2007?