The remote certificate is invalid according to the validation procedure

If you get “The remote certificate is invalid according to the validation procedure” exception while trying to establish SSL/TLS connection using Mail.dll SMTP, POP3 and IMAP .NET component, most likely your server certificate is self-signed or you are using incorrect host name to connect.

Incorrect host name

Host name must match the name on certificate: for example imap.example.com and example.com may point to the same server, but if the certificate is issued to imap.example.com only, this is the only address you should use.

Double check if the name you pass to Connect or ConnectSSL method is correct and matches the certificate.

Self-signed certificates

You can accept self-signed certificates using Mail.dll SMTP, POP3 and IMAP .net clients.

First you need to subscribe to ServerCertificateValidate event, so you can manually verify the certificate presented by the server.

Then you should create a Validate method, that validates the certificate (ignores name mismatch and certificate chain errors, as self signed certs are not signed by the proper CA).

The sample below focuses on Imap class, but exactly the same steps apply to Pop3 and Smtp clients:

C# code

01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
using System.Net.Security;
using System;
using Limilabs.Mail;
using Limilabs.Client.IMAP;
 
internal class Program
{
    private static void Main(string[] args)
    {
        using (Imap client = new Imap())
        {
            // Use custom certificate validation:
            client.ServerCertificateValidate +=
                new ServerCertificateValidateEventHandler(Validate);
 
            // Minimalistic version to accept any certificate:
            //
            // client.ServerCertificateValidate +=
            //    (sender, e) => { e.IsValid = true; };
 
            client.ConnectSSL("server.example.com");
            client.UseBestLogin("user", "password");
 
            foreach (long uid in client.GetAll())
            {
                var eml = client.GetMessageByUID(uid);
                IMail email = new MailBuilder()
                    .CreateFromEml(eml);
 
                Console.WriteLine("subject: {0}", email.Subject);
            }
 
            client.Close();
        }
    }
 
    private static void Validate(
        object sender,
        ServerCertificateValidateEventArgs e)
    {
        const SslPolicyErrors ignoredErrors =
            // self-signed
            SslPolicyErrors.RemoteCertificateChainErrors
            // name mismatch
            |  SslPolicyErrors.RemoteCertificateNameMismatch; 
 
        string nameOnCertificate = e.Certificate.Subject;
 
        if ((e.SslPolicyErrors & ~ignoredErrors)
            == SslPolicyErrors.None)
        {
            e.IsValid = true;
            return;
        }
        e.IsValid = false;
    }
} ;

Visual Basic .NET code

01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
Imports System.Net.Security
Imports System
Imports Limilabs.Mail
Imports Limilabs.Client.IMAP
 
Public Module Module1
 
  Public Sub Main(ByVal args As String())
    Using client As New Imap()
      ' Use custom certificate validation:
      AddHandler client.ServerCertificateValidate, AddressOf Validate
 
      client.ConnectSSL("server.example.com")
      client.UseBestLogin("user", "password")
 
      For Each uid As Long In client.GetAll()
        Dim email As IMail = New MailBuilder().CreateFromEml( _
          client.GetMessageByUID(uid))
 
        Console.WriteLine("subject: {0}", email.Subject)
      Next
 
      client.Close()
    End Using
  End Sub
 
  Private Sub Validate( _
     ByVal sender As Object, _
     ByVal e As ServerCertificateValidateEventArgs)
 
     Const ignoredErrors As SslPolicyErrors = _
          ' self-signed
          SslPolicyErrors.RemoteCertificateChainErrors _
          ' name mismatch
          Or SslPolicyErrors.RemoteCertificateNameMismatch       
 
     Dim nameOnCertificate As String = e.Certificate.Subject
 
      If (e.SslPolicyErrors And Not ignoredErrors) = SslPolicyErrors.None Then
         e.IsValid = True
         Return
      End If
      e.IsValid = False
  End Sub
 
End Module

Tags:       

Questions?

Consider using our Q&A forum for asking questions.

8 Responses to “The remote certificate is invalid according to the validation procedure”

  1. A connection attempt failed Says:

    […] The remote certificate is invalid according to the validation procedure […]

  2. aroy Says:

    I’m trying to connect to an Exchange Server. I have bypassed the certificate problems by using the “minimalistic” version described above, with the delegate (s, e) => {e.IsValid = true;}. But I keep getting the message, “No connection could be made because the target machine actively refused it.”

    The credentials are definitely correct. Any idea what could be causing the problem?

    Thanks.

  3. Limilabs support Says:

    @aroy,

    It seems you have problem with connection, rather then certificate validation or authentication/authorization.
    If it’s Exchange you most likely forgot to turn IMAP on. Please check this blog post for details on how to resole this issue:
    http://www.limilabs.com/blog/connection-attempt-failed

  4. Use SSL with SMTP | Blog | Limilabs Says:

    […] If you are using self-signed certificates you may encounter this error: The remote certificate is invalid according to the validation procedure. […]

  5. Use SSL with IMAP | Blog | Limilabs Says:

    […] If you are using self-signed certificates you may encounter this error: The remote certificate is invalid according to the validation procedure. […]

  6. Use SSL with POP3 | Blog | Limilabs Says:

    […] If you are using self-signed certificates you may encounter this error: The remote certificate is invalid according to the validation procedure. […]

  7. James Says:

    there is no such event handler in the MailForWindowsStore.dll. How can I stop this error from a windows store application?

  8. Limilabs support Says:

    @James,

    First make sure you are using correct server address (e.g. imap.gmail.com and not mail.gmail.com), most public servers use correct certificates, not self-signed ones.
    I think there is no way to intercept the certificate validation process in Metro apps (StreamSocket class doesn’t allow this). It is possible to workaround this by including the private root and CA certificates in the application, although I haven’t done it personally, so I can’t provide you any details.