threexk

join:2009-01-13

[Cable HSI] Unverified e-mail certificates

I use Mozilla Thunderbird for my Mediacom e-mail and recently it started popping up errors about being "Unable to verify the identity of mail.mchsi.com as a trusted site."

It looks like Mediacom updated their certificate on 1/6/2009, and the problem is Thunderbird doesn't recognize the certificate authority being used for the new certificate. The certificate itself has the appearance of legitimacy.

I am wondering if anyone else has noticed this problem? Can anyone give me some assurance I'm not talking to a fake Mediacom site? (I suppose I could test this by seeing whether Outlook or something recognizes the cert.)

I tried e-mailing Mediacom support, but the person that replied doesn't seem to grasp certificates. They told me to click "Accept this certificate permanently", which will surely get rid of the errors, but is actually ignoring the problem.


Anonymous
Premium
join:2004-06-01
IA
kudos:2

I use Thunderbird too with default Mediacom email settings (in network) and have no problems at all.


threexk

join:2009-01-13
reply to threexk

Should've said before: You'll only see this problem if you're using SSL. I'm using SSL to connect for two reasons:
1. It's required to use SMTP remotely (outside network).
2. Without some sort of encryption, your e-mail login and password are sent in plaintext. It is, as I understand, insecure to use anything but SSL for this reason. (Don't think Mediacom's mail servers support TLS.)



Mad_

@mchsi.com
reply to threexk

Just use TLS. Mediacom's servers do support TLS as this is what I am using now and it works.


openbox9
Premium
join:2004-01-26
Germany
kudos:2
reply to threexk

You can try verifying the cert with VeriSign.

»knowledge.verisign.com/support/s···tchecker

Do you have the latest VeriSign CAs loaded?


DSM_Sparky

join:2009-01-16
West Des Moines, IA
reply to threexk

Registered to post this--I've seen certificate errors on both incoming and outgoing email. What I've observed:

Incoming email
- POP
- Port 995, SSL
- Error is a certificate expiration (expired January 16)
- Issue started today

Outgoing email
- SMTP
- Port is either 465 or 587 (can't tell since I can't successfully send right now), SSL
- Error is the certificate is signed by an unknown authority ("VeriSign Class 3 Secure Server CA").
- Issue started earlier this week
- Email sometimes refuses to send. One attempt will send successfully, but five minutes later it will not send

Using Mac OS X Mail, fully patched and updated Mac OS X 10.5.6.

The incoming error could be fixed by renewing the certificate. My best guess at the latter (via Google) is that there is an intermediate VeriSign certificate that's missing on Mediacom's servers creating a missing link in the chain of trust for the certificate.
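
The two failures reported in the post above (an expired certificate, and an "unknown authority" error that appears when the server does not send its intermediate) can be reproduced against a throwaway PKI. This is an added example, not part of the original thread; the hostname mail.example.test, the CA names and the helpers issue and diagnose are hypothetical.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue signs a constructed test certificate: nil parent = self-signed root, nil dns = CA certificate.
func issue(cn string, dns []string, days int, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		IsCA: dns == nil, BasicConstraintsValid: true, NotBefore: time.Now().AddDate(0, 0, -30), NotAfter: time.Now().AddDate(0, 0, days)}
	if parent == nil { // self-signed root: the template is its own issuer
		parent, pk = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// diagnose verifies leaf the way a mail client does: its trusted roots plus the intermediates the server sent.
func diagnose(leaf *x509.Certificate, roots, sent *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: roots, Intermediates: sent})
	if inv, ok := err.(x509.CertificateInvalidError); ok && inv.Reason == x509.Expired {
		return "expired" // fix: renew the leaf certificate
	} else if _, ok := err.(x509.UnknownAuthorityError); ok {
		return "unknown authority" // fix: server must send the intermediate, or the client must trust the root
	} else if err != nil {
		return "other: " + err.Error()
	}
	return "ok"
}

func main() {
	host := "mail.example.test" // constructed hostname (assumption), not the thread's server
	root, rk := issue("Constructed Root CA", nil, 365, nil, nil)
	inter, ik := issue("Constructed Intermediate CA", nil, 365, root, rk)
	leaf, _ := issue(host, []string{host}, 365, inter, ik)
	old, _ := issue(host, []string{host}, -1, inter, ik) // expired yesterday
	roots, chain := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	chain.AddCert(inter)
	fmt.Println(diagnose(leaf, roots, nil), "|", diagnose(leaf, roots, chain), "|", diagnose(old, roots, chain))
}
```

The same valid leaf is rejected when the intermediate is withheld and accepted once it is supplied, which is why accepting the certificate permanently in the client hides a server-side configuration fault rather than fixing it.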


pabster

join:2001-12-09
Waterloo, IA
reply to threexk

Also seeing this error on my Macs. Expired certificate...


threexk

join:2009-01-13
reply to threexk

Got an e-mail two hours ago from Internet Support saying it was a known issue and was being worked. However, I'd only reported the unverified certificates on outgoing, not the expired certificate on incoming. I haven't seen those errors because another e-mail account automatically checks my Mediacom e-mail for me (surprised that it still works.)

The support rep recommended switching to the default, encrypted ports of 25 and 110, which is no good for the reasons I mentioned in my previous post.



Mad_

@mchsi.com
reply to threexk

Uh, now I am getting certificate expired on TLS



polythemus

join:2005-01-11
Hendersonville, NC

My Mac mail client reports an expired certificate.


IowaMan
Premium
join:2008-08-21
Grinnell, IA
reply to threexk

It errors for me too
Mac OS X 10.4
Anyone have a fix?


openbox9
Premium
join:2004-01-26
Germany
kudos:2

said by IowaMan:

Anyone have a fix?
- Disable secure connection to the mail server.
- Use webmail.
- Wait for Mediacom/AT&T to supply new SSL certs.

pabster

join:2001-12-09
Waterloo, IA
reply to threexk

I must say, this is pretty bad. Should have been fixed by now.

Disable SSL...yeah, that's the key. Nothing wrong with sending your password in the open.


pabster

join:2001-12-09
Waterloo, IA
reply to threexk

...And the problem persists.



Anonymous
Premium
join:2004-06-01
IA
kudos:2
reply to pabster

Considering it only affects 0.0X% it's not a huge issue.


WhatHappened

join:2004-08-06
Waseca, MN
kudos:2

said by Anonymous:

Considering it only affects 0.0X% it's not a huge issue.
Where did you get that number from? I am sure quite a few of us affected are not posting.

I have been dealing with this issue for over a week now. Basic issues like this really make Mediacom look like a joke. In any large company's IS dept., somebody would get fired/reprimanded over dropping the ball on this kind of thing.

threexk

join:2009-01-13

1 edit

He or she may be right on the numbers. Most people either use webmail or unencrypted POP/SMTP. I do agree it is pretty bad that this hasn't been fixed yet.



Anonymous
Premium
join:2004-06-01
IA
kudos:2

Most people never get an @mchsi.com email account; they stick with whatever email service they had (Yahoo, Live, etc.).

Of those that do, VERY FEW require SSL (checking mail from outside the network).


DSM_Sparky

join:2009-01-16
West Des Moines, IA
reply to threexk

I received an email from Mediacom support indicating "[they] are aware that there is also an SSL issue with sending mail and it has been escalated."

SSL is important since it encrypts the communication between the email program and mail.mchsi.com. POP and SMTP are unencrypted by nature. A sample POP session:

$ telnet mail.mchsi.com 110
Trying 204.127.203.151...
Connected to mail.mchsi.com.
Escape character is '^]'.
+OK (sccqpxc94) Maillennium POP3/PROXY server #31
user mymediacomusername    
+OK
pass myverysecretpassword
+OK ready
uidl
+OK 2 messages (811059)
1 20081219174624q9200igvlue00030p
2 20081219190039q94006vkiee00030q
retr 1
X-Mailer: YahooMailWebService/0.7.260.1
Date: Fri, 19 Dec 2008 09:46:23 -0800 (PST)
From: Skip McGee <skipmcgee@yahoo.com>
Subject: How is babby formed?
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <12345.12345.qm@web51301.mail.re2.yahoo.com>
How is babby formed?  how girl get pragnent?
.
quit
+OK asp.att.net
Connection closed by foreign host.
 

Anyone who can access your network could sniff your password or the contents of your incoming mail during a standard POP session and could sniff your password (if you're using password authenticated SMTP) or the contents of your outgoing mail during a standard SMTP session.

While few users require SSL, it definitely is desirable. Some mail clients (i.e. OS X Mail, maybe Thunderbird as mentioned above) will attempt to determine the capabilities of the email server and use SSL and SMTP authentication if available. Plus, if SSL and SMTP authentication are initially set up you're covered when you take your computer with you on a trip and want to continue using your email program normally.

openbox9
Premium
join:2004-01-26
Germany
kudos:2

said by DSM_Sparky:

the contents of your outgoing mail during a standard SMTP session.
And anyone on the Internet can sniff the contents of your message as it transits from MTA to MTA regardless of your Mediacom mail server encrypted session. The only boon for encrypting your e-mail client to server session is to protect your password.
said by DSM_Sparky:

While few users require SSL, it definitely is desirable.
I agree. In fact, it should be the default and we should force entice users towards security, and not just with e-mail.
said by DSM_Sparky:

Plus, if SSL and SMTP authentication are initially set up you're covered when you take your computer with you on a trip and want to continue using your email program normally.
Except that you can't access Mediacom's AT&T's mail server from outside of Mediacom's network?

Turbocpe
Premium
join:2001-12-22
IA

said by openbox9:

Except that you can't access Mediacom's AT&T's mail server from outside of Mediacom's network?
Either I'm missing something or you are? You can, at least in the past, access your email through POP while off Mediacom's network by using different settings.

DSM_Sparky

join:2009-01-16
West Des Moines, IA

1 edit

said by Turbocpe:

said by openbox9:

Except that you can't access Mediacom's AT&T's mail server from outside of Mediacom's network?
Either I'm missing something or you are? You can, at least in the past, access your email through POP while off Mediacom's network by using different settings.
Usually POP is available while outside an ISP's network since, even as insecure as it is, it still is password authenticated.

Edit: Corrected spelling of "usually".

Turbocpe
Premium
join:2001-12-22
IA

2 edits

said by DSM_Sparky:

said by Turbocpe:

said by openbox9:

Except that you can't access Mediacom's AT&T's mail server from outside of Mediacom's network?
Either I'm missing something or you are? You can, at least in the past, access your email through POP while off Mediacom's network by using different settings.
Usuaully POP is available while outside an ISP's network since, even as insecure as it is, it still is password authenticated.
»www.mchsi.com/help/read/publishe···01-28.01

quote:
If you are off the Mediacom Online network you can still access your e-mail using your e-mail client. However, you will need to configure your e-mail program to connect to our secure e-mail server via SSL.

DSM_Sparky

join:2009-01-16
West Des Moines, IA
reply to openbox9

said by openbox9:

And anyone on the Internet can sniff the contents of your message as it transits from MTA to MTA regardless of your Mediacom mail server encrypted session. The only boon for encrypting your e-mail client to server session is to protect your password.
Absolutely. You may trust your postman bunches, but the truck driver that moves your mail down the Interstate could swipe your mail.

said by openbox9:

Except that you can't access Mediacom's AT&T's mail server from outside of Mediacom's network?
IIRC, the last few trips I've had success with POP and SMTP when off of Mediacom's network.

openbox9
Premium
join:2004-01-26
Germany
kudos:2

1 edit
reply to Turbocpe

said by Turbocpe:

You can, at least in the past, access your email through POP while off Mediacom's network by using different settings.
I should have clarified. You can't access SMTP or POP unencrypted from outside of Mediacom's network.
telnet mail.mchsi.com 110
Trying 204.127.203.151...
telnet: connect to address 204.127.203.151: Connection timed out
telnet: Unable to connect to remote host: Connection timed out
 
telnet mail.mchsi.com 25
Trying 204.127.203.151...
telnet: connect to address 204.127.203.151: Connection timed out
telnet: Unable to connect to remote host: Connection timed out
 
telnet mail.mchsi.com 995
Trying 204.127.203.151...
Connected to mail.mchsi.com (204.127.203.151).
 
telnet mail.mchsi.com 465
Trying 204.127.203.151...
Connected to mail.mchsi.com (204.127.203.151).
 

reply to threexk

SSL to SMTP server at Mediacom (AT&T) continues to be unavailable.
First the DNS became unreliable and now email.
I solved the DNS issues by moving to OpenDNS and it looks like GMail is going to be my new email provider.



BAINCH
Premium,VIP,MVM
join:2003-04-02
Blooming Grove, NY
kudos:11
reply to threexk

The SSL cert issue should be resolved now.


openbox9
Premium
join:2004-01-26
Germany
kudos:2

Nope


BAINCH
Premium,VIP,MVM
join:2003-04-02
Blooming Grove, NY
kudos:11

I'm told the cert was renewed. Don't know if this kind of thing takes time to update or not. Let me check.


openbox9
Premium
join:2004-01-26
Germany
kudos:2

Looks like somebody is doing something with the cert.