Uff that was tough one … If you decided to make your mail communications more secure you probably switched on SSL option in your mail client for POP3/IMAP/SMTP servers. There is a good chance you will get one of those errors that sound like
The server you are connected to is using a security certificare that could not be verified.
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Do you want to continue using this server?
I spent way too much time solving the problem because what was just annoying message in Outlook appeared to be serious problem in MacMail. It was not capable of working correctly with that problem. In addition to that I tried to solve the problem using Plesk 8.2 that was a mistake. It appeared that whatever you do with certificates in Plesk that doesn’t affect the mail. So here is the solution for the problem:
First of all, the error message says the truth – your mail server sends to client some certificate that is not trusted by one of the major trust providers known to your OS. Is you’re using Plesk you possibly tried to fix the problem by manipulating certificates in Server->Certificates menu, but those certificates do not affect mail. It looks like they affect HTTPS access only, though I can”t confirm that.
Here is the step-by-step instruction of how to fix the situation:
- Obtain certificate you will use for your mail server. The certificate should be issued for the server you plan to type into the SMTP/POP3/IMAP server field in your mail client (i.e. mail server).
- If you want to buy one, you can use this post as a reference.
- If you want to generate self-signed cert using Plesk go to Server->Certificates->Add New Certificate, enter all information and click Self-Signed button.
- You can also generate certificate using openssl, but I’ll describe that later in a separate post. If you need it now – just google it.
- Generate .pem file that is a combination of CSR, Private Key, your certificate and root certificate. For self-signed certificates you will need only private key and your certificate to be in the file. To get that file in Plesk click on small blue diskette icon at the rightmost column of your certificates list. You can also create that file in a text editor – just copypaste necessary blocks one after another. Save the .pem file to your local file system. If you bougth the certificate then you can download .pem file from CA website.
- If you purchased your cert from a CA please skip this step. If you’re using self-signed certificate do this:
- Create new .crt file that contains only your certificate. In Pleask click on the certificate name to see its detals and copypaste the certificate block (including parts starting with many dashes) to a new file and save it as <somename>.crt.
- Import that <somename>.crt on every computer you plan to have SSL access to your mail from. Just double click on the .crt file and do whatever import dialog will tell you. In Windows XP it will tell you to import file into “trusted root servers”, so do that.
- Make your POP3/IMAP server use your new certificate. Plesk 8.2/8.3 uses courier-imap, so here are the update procedures for courier.
- Open files /etc/courier-imap/pop3d-ssl
- Find TLS_CERTFILE parameter. It point so a file in some directory. Most probably the dir is /usr/share/courier-imap/
- Upload your .pem file to that directory and modify /etc/courier-imap/pop3d-ssl so TLS_CERTFILE points to that file. You can simply overwrite the original file, just make its backup.
- If you use IMAP do the same with /etc/courier-imap/imapd-ssl. You can use the same file you just uploaded
- Make your SMTP server use your new cert. Plesk 8.2./8.3 uses qmail, so let’s patch it.
- Find where qmail keeps servercert.pem file on your server. Most probably it is /var/qmail/control/servercert.pem
- Backup the original /var/qmail/control/servercert.pem
- Rewrite it with your new .pem file.
- Restart mail system
- /etc/init.d/courier-imap restart
- /etc/init.d/qmail restart
- Test client. Restart your mail client, try to send/receive test email. You should not see that annoying dialog anymore.