Context.IO can only support email accounts from servers with a valid SSL certificate.
There are a couple of cases in which an SSL certificate is considered invalid by Context.IO:
- The certificate is not signed by a known party: this typically means the certificate is self-signed. In most cases we cannot support such certificates, because a certificate should be signed by a known third party.
- The certificate has been issued for domain X, but the server answers as domain Y: this is most common with “white labeled” email services provided by companies like Dreamhost, Hostgator, and others. If a certificate is issued for “Dreamhost” but the IMAP server we are trying to connect to is “IMAP.MY-AWESOME-WEBMAIL.com”, that is considered a mismatch. The end user would need to contact their email admin or mailbox provider and have them fix the TLS certificate.
Why is Context.IO doing this?
We perform this security check to prevent potential security vulnerabilities and man-in-the-middle attacks. We do this first and foremost for our users’ protection.
How can I tell if a certificate is troublesome?
At the moment it is hard for us to accurately report the status of certificates via the API (we are working on better identifying and labeling these accounts).
For now, signs that there may be an issue with an SSL certificate include:
- Is the account “Generic IMAP”? (i.e. not from a known provider like Gmail, Outlook, Yahoo, Aol, etc.)
- Is the account in “OK” status? (i.e. not marked as “DISABLED” in the API)
If you answered yes to both of these questions, there is likely a certificate issue. Here is how you can verify:
- Open a Command Line / Terminal
- Run the following command
openssl s_client -connect SERVER:PORT
(e.g. openssl s_client -connect imap.mail.com:993; the IMAP server is whatever server you used when adding the account to Context.IO).
Once you run that command, you should be able to inspect the certificate. Things to look for:
Under “END CERTIFICATE” you should be able to see who issued it, and what names are on the certificate.
- “No client certificate CA names sent” means a CA name should be added to the certificate (and it should match the IMAP server you are trying to connect to)
- Under “issuer” you should see a known third-party issuer
- If under “subject” you see a different CN (or wildcard name) than the IMAP server you are trying to connect to, this is likely a mismatch
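The same two checks the openssl walkthrough above does by eye (is the issuer a known third party, and do the names on the certificate cover the IMAP host you connected to) can be scripted. The example below is added here and is not Context.IO code: it uses only Python's standard library, performs the live check with the system trust store and SNI (`server_hostname`, the equivalent of `-servername` in `openssl s_client`, which matters on hosts that serve different certificates per name), and maps OpenSSL's verification error code onto the two failure cases described on this page. The offline helpers apply the hostname rule (subjectAltName DNS entries first, CN only as a fallback, a wildcard covering exactly one label) to a certificate in the dict layout `ssl.getpeercert()` returns. `SAMPLE_WHITE_LABEL_CERT` and the host names in it are constructed for illustration.

```python
import socket
import ssl

# OpenSSL X509 verification result codes (values from openssl/x509_vfy.h) that map
# onto the failure cases described on this page.
SELF_SIGNED_CODES = {18, 19}        # DEPTH_ZERO_SELF_SIGNED_CERT, SELF_SIGNED_CERT_IN_CHAIN
UNKNOWN_ISSUER_CODES = {2, 20, 21}  # UNABLE_TO_GET_ISSUER_CERT(_LOCALLY), UNABLE_TO_VERIFY_LEAF_SIGNATURE
HOSTNAME_MISMATCH_CODE = 62         # X509_V_ERR_HOSTNAME_MISMATCH

# Constructed sample in ssl.getpeercert() layout: a white-label provider's wildcard
# certificate presented by a customer's IMAP host.  Not a real certificate.
SAMPLE_WHITE_LABEL_CERT = {
    "subject": ((("commonName", "*.dreamhost.com"),),),
    "subjectAltName": (("DNS", "*.dreamhost.com"), ("DNS", "dreamhost.com")),
    "issuer": ((("commonName", "Example Public CA"),),),  # placeholder issuer name
}


def classify_verify_code(code):
    """Translate an OpenSSL verify error code into this page's failure categories."""
    if code in SELF_SIGNED_CODES:
        return "self-signed"
    if code in UNKNOWN_ISSUER_CODES:
        return "unknown-issuer"
    if code == HOSTNAME_MISMATCH_CODE:
        return "hostname-mismatch"
    return "other"


def dns_names(cert):
    """DNS names the certificate is valid for: subjectAltName entries, falling back to
    the subject CN only when no SAN is present (validators ignore the CN otherwise)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def issuer_cn(cert):
    """Common name of the issuer, the field the page says should be a known third party."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def hostname_matches(hostname, pattern):
    """RFC 6125-style match: case-insensitive exact match, or a '*' that is the whole
    left-most label and covers exactly one label (no partial or multi-label wildcards)."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return hostname == pattern
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep:
        return False  # only "*.example.com" style wildcards are accepted
    h_head, h_sep, h_tail = hostname.partition(".")
    return bool(h_sep) and h_head != "" and h_tail == tail


def classify_cert(cert, hostname):
    """Offline name check: 'ok' if any name on the certificate covers hostname."""
    if any(hostname_matches(hostname, name) for name in dns_names(cert)):
        return "ok"
    return "hostname-mismatch"


def check_imap_server(host, port=993, timeout=10):
    """Live check against an IMAPS server with full chain and hostname validation against
    the system trust store.  Returns a dict with the outcome and, on failure, the category
    and OpenSSL's own message."""
    ctx = ssl.create_default_context()  # verify chain + hostname; sends SNI
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"status": "ok", "issuer": issuer_cn(cert), "names": dns_names(cert)}
    except ssl.SSLCertVerificationError as exc:
        return {"status": "invalid",
                "category": classify_verify_code(exc.verify_code),
                "detail": exc.verify_message}
    except OSError as exc:  # DNS, timeout, refused connection, non-certificate TLS errors
        return {"status": "error", "detail": str(exc)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "imap.mail.com"
    print(classify_cert(SAMPLE_WHITE_LABEL_CERT, "imap.my-awesome-webmail.com"))
    print(check_imap_server(target))
```

Run it with the IMAP host used when the account was added; a `hostname-mismatch` category corresponds to the white-label case above, and `self-signed` or `unknown-issuer` to the first case. The classification comes from the server certificate's issuer chain and names only: the `No client certificate CA names sent` line in `openssl s_client` output describes whether the server asked the client for a certificate, and by itself it does not indicate a problem with the server's certificate.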