Google (GMail team specifically) randomly decides to enforce strict SSL for external POP3/IMAP accounts

Posted on Posted in linux, system administration, technology

After Google announced it was doing away with personal (or was it trial?) Google Apps accounts, I’m getting the impression they want to get rid of freeloaders (like me). I have a free GMail account, which I’ve setup to retrieve messages using POP3S from my e-mail server at home. This allows me to get better spam and phishing filtering, and also get e-mail addressed to my personal account (@moldvan.com). This was a great setup until…

On December 12th (or around there; the official announcement was vague), the GMail team decided to flip the switch to do strict SSL certificate checking. What this means is if there is any problem with an SSL cert, the connection will be rejected and boom you’ve got no e-mail anymore.

The above was done without any warning, and I just thought things were quiet until I logged into my GMail account Sunday evening and saw “Error synchronizing account (account name)”. Digging through the error, I found that the certificate had expired (I was using the default Dovecot SSL config).

Aaaanyway, special thanks to Sergiy Dzysyak at http://site4fast.blogspot.com/2011/10/dovecot-ssl-how-to.html, who put together a good document on getting the SSL part of DoveCot working okay.

The first mistake I made was adding the ssl_cert_file and ssl_key_file to /etc/dovecot/dovecot.conf, instead of /etc/dovecot/10-ssl.conf. The config in 10-ssl.conf overrode the other one, and I didn’t know I had e-mail sitting lonely on my GX260 at home for a few nights.

I got a free SSL cert a while back from StartSSL.com, but they don’t support subdomains, so mail.moldvan.com wasn’t going to work anymore. I quickly changed my MX records to point to www.moldvan.com (the CN of the SSL cert I got for free), and changed up the config mentioned above, and all was well again.

Leave a Reply

Your email address will not be published. Required fields are marked *