Agree? Petition: Signed certificates on mail servers
Posted by: SeanTek
Posted on: 2006-04-05 23:05:00
Do you agree with the following suggestion?
I suggest that DreamHost get one or more digital certificates for its mail servers, signed by a trusted CA such as GeoTrust, that bear correct fully-qualified domain name(s) of the server(s).
I have also submitted this as a suggestion via panel.dreamhost.com. If you agree, post your agreement here, and go to https://panel.dreamhost.com/index.cgi?tree=home.sugg& to tell DH!
I spoke with Ralph in DH tech support regarding this suggestion after going back and forth with support for over two weeks. I am a new DH customer. Using mail services over SSL (namely, IMAP/SSL and POP/SSL, but also SMTP/SSL) with domain-mismatched, self-signed certificates creates problems in many e-mail clients and is a big security hole.
I am not suggesting that DreamHost provide certificates for every site using secure e-mail (NOT ssl mail.yourdomain.com), which would be expensive and would waste IP addresses. DreamHost need only get one signed certificate per load-balanced mail server, e.g., for the names spunky.mail.dreamhost.com and looney.mail.dreamhost.com, OR one signed wildcard certificate, e.g., for *.mail.dreamhost.com (or *.dreamhost.com). Customers who wanted to connect securely without warnings or errors would be able to connect to their load-balanced mail server using an alias such as mymailserver.mail.dreamhost.com (or mymailserver.dreamhost.com), JUST AS THEY CAN RIGHT NOW. Try, for example, a1.balanced.spunky.mail.dreamhost.com, or whatever your mail server's CNAME or IP address is.
Connecting securely to mail services is a big priority for me--a make-or-break deal whether I stay with DreamHost--and I believe that many other customers likewise feel strongly about this problem.
Currently customers who want to use SSL-encrypted e-mail are forced to accept the self-signed mail.dreamhost.com certificate and constantly dismiss "domain-name mismatch" dialog boxes in their mail clients. These misconfigurations on the part of DreamHost do not comport with standard Internet security precautions. A hacker can more easily masquerade as the mail host because users must blindly accept the certificate that the server reports, without relying on a third-party certificate authority to verify the DNS record. Many mail clients do not support automatic dismissal of the domain-name mismatch for the good reasons enumerated above. At least one (Outlook 2003) is prone to hang on a mismatched domain name in an SSL certificate. The mismatched domain name creates another weak point for a hacker to exploit.
Almost all other hosting providers I have found that provide IMAP/SSL service also provide proper certificates, and require access via a single hostname such as secure.runbox.com to correspond to the common name in the SSL certificate. DH can comply with this kind of scheme at virtually no cost to them, given DH's huge customer base.
For the foregoing reasons, DreamHost should get properly signed certificates with matched names for its mail servers. Who is with me on this?
Sean
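The post turns on one check: whether the name a mail client connected to matches a name in the server's certificate. The following is an added example (not part of the original post, and not DreamHost's or any mail client's code) that implements that hostname matching the way RFC 6125 / RFC 2818 describe it and runs it against three constructed certificates: the self-signed mail.dreamhost.com certificate the post complains about, a per-server certificate for spunky and looney, and the proposed *.mail.dreamhost.com wildcard. The certificate dicts use the layout Python's `ssl.SSLSocket.getpeercert()` returns, but are constructed here, not fetched; the function names are my own. It also goes one step beyond the post: a single-label wildcard covers spunky.mail.dreamhost.com but not the deeper alias a1.balanced.spunky.mail.dreamhost.com, which a client would still reject.

```python
"""Hostname-to-certificate matching as a TLS mail client performs it.

Added example. Rules implemented (RFC 6125 section 6.4 / RFC 2818 section 3.1):
  - names are compared case-insensitively, ignoring a trailing dot
  - when a subjectAltName extension carries DNS names, only those are used;
    the subject commonName is a fallback for certificates without a SAN
  - '*' is honoured only as the whole leftmost label and matches exactly
    one label, so *.mail.example.com covers a.mail.example.com but neither
    b.a.mail.example.com nor mail.example.com
No network access: the certificates below are constructed dicts in the
shape returned by ssl.SSLSocket.getpeercert().
"""
from __future__ import annotations


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards (sp*.mail.example.com) and wildcards in later labels.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse overly broad wildcards such as *.com.
    if len(p_labels) < 3:
        return False
    # Exactly one label is consumed by '*'; the rest must match label for label.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def names_in_certificate(cert: dict) -> list[str]:
    """Collect the DNS names a client compares against (SAN first, CN as fallback)."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def certificate_matches_host(cert: dict, hostname: str) -> bool:
    """True if the client would accept this certificate for hostname without a mismatch warning."""
    return any(dns_name_matches(name, hostname) for name in names_in_certificate(cert))


# Constructed certificates (hypothetical contents, shaped like getpeercert() output).
SELF_SIGNED_MAIL = {"subject": ((("commonName", "mail.dreamhost.com"),),)}
PER_SERVER = {
    "subject": ((("commonName", "spunky.mail.dreamhost.com"),),),
    "subjectAltName": (("DNS", "spunky.mail.dreamhost.com"),
                       ("DNS", "looney.mail.dreamhost.com")),
}
WILDCARD = {"subject": ((("commonName", "*.mail.dreamhost.com"),),)}

# Names a customer might type into a mail client, taken from the post.
HOSTNAMES = [
    "mail.dreamhost.com",
    "spunky.mail.dreamhost.com",
    "looney.mail.dreamhost.com",
    "a1.balanced.spunky.mail.dreamhost.com",
]


def report(cert: dict, hostnames: list[str] = HOSTNAMES) -> dict[str, bool]:
    """Map each hostname to whether the certificate would be accepted for it."""
    return {host: certificate_matches_host(cert, host) for host in hostnames}


if __name__ == "__main__":
    for label, cert in (("self-signed mail.dreamhost.com", SELF_SIGNED_MAIL),
                        ("per-server SAN", PER_SERVER),
                        ("*.mail.dreamhost.com wildcard", WILDCARD)):
        print(label)
        for host, ok in report(cert).items():
            print(f"  {host:40} {'accepted' if ok else 'MISMATCH'}")
```

The SAN-before-CN ordering matters in practice: once a certificate carries DNS names in subjectAltName, clients ignore the commonName entirely, so a per-server certificate must list every name customers will connect to. The wildcard rows show why the post's deeper load-balancer alias would still warn under a *.mail.dreamhost.com certificate, while the two single-label server names would not.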