Eudora and SSL Certificate Failures

September 9, 2015 – I’ve revised this article, simplifying and shortening the steps involved!

See the revised article here.


Eudora rocks.

I’ve used this old and outdated Windows mail client since it was kind of new, more than 25 years ago. I chose it when I was moving my message store from a shell account to a PC, right around when PCs started to get reliable enough such work. Eudora was the first client I discovered whose message store was a simple transfer from Unix, drop-in, and run. I never looked back. Since then I’ve developed a rather extensive set of filters and such to efficiently manage dozens of email accounts and tens of GB of messages.

Bummer, Eudora hasn’t been actively supported since Qualcomm gave it up in 2006. Yeah, I know, it went Open Source. But IMHO they went and screwed it up.

As with any unsupported software, sometimes the passage of time breaks things. More than a few times I’ve cast about for another capable email client. It’s always gone the same way: I find none, get tired of searching, and turn my attention to propping the old girl up just a bit longer.

One afternoon in October last year one of my email hosts suddenly rejected its SSL certificate. It happens. When it does, Eudora offers to trust the new certificate. Thereafter all’s well. Not this time.

It wasn’t my host, and it wasn’t a critical account. Via trouble tickets, I went back and forth with the admins at the hosting company for the better part of a month. They’d suggest something, I’d try it – and maybe try a few things on my own – but nothing worked. Along the way I cast about for a replacement client and I came up dry. Finally I just shut off SSL for the account and got on with life. Not the best solution, but it worked. I really do need to find a new client! Maybe tomorrow… Yeah, right.

Last night Eudora rejected more certificates. This time it affected a multiple accounts on different domains. These were more important to me so I needed a solution.

And I found one.

First, some groundwork. My Eudora is version 7.1.0.9 running on Windows 8.1 Update 1. Of note, Eudora has a patched QCSSL.dll, needed since Microsoft made some changes to a library that caused the old client to loop for a Very… Long… Time… on the first use of SSL. I think that was around the time Windows 7 launched. Depending on your version(s), you may find differences in the dialogues and steps. I tried to give enough detail that you might find your way.

Let’s get started. The certificate rejection error looks like this:

Server SSL Certificate Rejected
Server SSL Certificate Rejected

See the question in the dialogue, “Do you want to trust this certificate in future sessions?”

It once was a simple matter of clicking the Yes button and that would be that. But that didn’t work in October and it didn’t work last night either.

Heres what to do to fix the problem.

Close the error dialogue and open Properties for the affected Persona. On the Incoming Mail tab (because it’s likely that a receive operation failed first), click the Last SSL Info button. The Eudora SSL Connection Information Manager opens. It looks like this:

Eudora SSL Connection Information Manager
Eudora SSL Connection Information Manager

There’s some weirdness in this dialogue, some confusion over host names. I think it’s a junk message. Click the Certificate Information Manager button. The Certificate Information Manager opens, and it looks like this:

Certificate Information Manager
Certificate Information Manager

Look at the section called Server Certificates. See the smiley face? That means trusted status. Expand that certificate tree in the usual way – click the plus sign next to it. Keep expanding, drilling down until you see one that’s untrusted. That’s the one with the skull ‘n crossbones. Of course.

The Certificate Information Manager panel, with the untrusted certificate, will now look something like this:

Certificate Information Managed - Expanded to show untrusted certificate
Certificate Information Managed – Expanded to show untrusted certificate

Click the offending untrusted certificate to select it then click the View Certificate Details button. The Certificate opens. It looks like this:

Certificate panel
Certificate panel

Select the General tab, if necessary, and click the Install Certificate button. The Certificate Import Wizard panel opens. It looks like this:

Certificate Import Wizard
Certificate Import Wizard – Location

Choose a Store Location – Current User or Local Machine – as needed for your situation. I chose the Current User because I’m the only user on this box. Click the Next button. The Certificate Import Wizard continues, and it looks like this:

Certificate Import Wizard – Certificate Store

The wizard asks where to store the certificate. Windows can automatically choose the Store based on the type of certificate, and that’s a pretty good choice. It’s also the default. Click the Next button to display a confirmation panel. It looks like this.

Certificate Import Wizard - Completing the Certificate Import Wizard
Certificate Import Wizard – Completing the Certificate Import Wizard

Click the Finish button.

Whew! It looks like the import was successful.

Certificate Import Wizard - Success!
Certificate Import Wizard – Success!

Click the OK button to close the Certificate Import Wizard.

Now, you’ll be looking at the Certificate Information Manager again, just how we left it.

Certificate Information Managed - Expanded to show untrusted certificate
Certificate Information Managed – Expanded to show untrusted certificate

 

With the untrusted skull ‘n crossbones certificate highlighted, click the Add To Trusted button. Then click the Done button to close the Certificate Information Manager.

Finally, try to reach the server that rejected the SSL certificate in the first place.

Did it work?

If it did then you’re finished.

Uh oh, waddya mean, it didn’t work?

You’ll need to go back and follow those steps again.

I hear you now. “Only an idiot does the same thing over and over expecting different results.”

Well, you’ll notice that the next time through the Certificate Information Manager will show a deeper tree of Server Certificates before you get to the untrusted certificate. You’ll need to drill deeper.

You may need to import and add several before achieving success. After a couple of imports it’s easy to forget the Add To Trusted button. Don’t ask me how I know!

I hope that helps someone.

Sometimes I think I’m the very last Eudora user out there. I’d love to hear from others. In fact, if you’ve moved off Eudora and found a decent replacement, I’d love to hear that, too. I know it’s only a matter of time.


 

Additional information added April 17, 2015…

One person described, in the comments below, that he she had some difficulty with the Add To Trusted button in the Certificate Information Manager when working with Google’s new certificates. His Her insight came when he she realized that he she was simultaneously viewing this post with Google Chrome. When he she closed Chrome and went through the process again, everything worked.

A big THANK YOU goes out to one Pat Toner for checkin’ in and increasing the value of this post with his her feedback. I owe you a beer, Pat. And an apology for my gender assumption based on name.

Share this:

329 thoughts on “Eudora and SSL Certificate Failures”

  1. Thanks much. Clear and succint article, and rose to the top of the search results. I have not had to do this since 2010, and had forgotten how. Back in the game in < 5 minutes, thanks to this article. Thanks for leaving it up. Surprising how many of us still use Eudora, huh? I'm all for upgrading, in fact, I look forward constantly to product improvements, but not at the loss of ease of use. I still use a Palm Pilot for the same reason.

  2. Thanks for leaving this on. When I was using Eudora with Google accounts, I had to update certificates on a daily basis. It was a pain but I got proficient in the procedure. I switched to Fastmail only and forgot all about it, till yesterday, when fingerprints changed for the first time in 8 months. A quick glance at this page refreshed my memory and I was back up in a minute

  3. Thank you!!! Your generosity and technical perspicacity has been perfectly helpful. Especially the reminder that it takes multiple times to accept the new certificate!!! I’m grateful for your full-hearted and knowledgeable help.

    1. Thanks for the kind words.

      But instead of all that over-and-over-again work the general consensus these days is to install the HERMES patched QCSSL stuff and be done with it.

  4. THANK YOU!

    Just wanted to confirm that HERMES also works on Eudora v7.0.1. They haven’t updated our server TLS yet, so incoming mail still shows TLSv1, but outgoing shows TLSv1.2. We have Eudora v7.1, but v7.0.1 is the last version that is in paid mode, so I tried the TLS update on that one first and it WORKS!

    Also wanted to commend the OP for this article. I couldn’t have written it better myself, as we feel the same way. Finally found someone else who has the same situation we’re in. Haven’t researched the recent Eudora replacements, but the ones that I had some years ago wouldn’t import the rulesets. Yes, going through re-creating them in more modern software would be good to do, but there’s more important things to do with our days than re-inventing that which has already been in use for so long.

    BJ

  5. I need to find out how one goes to change the part that is on the place where the 340 is. 207/4361K/340 Thanks

    1. That’s the Mailbox Size Display. Normally, three numbers are shown. The first is the number of messages in the mailbox. The second is the total amount of space those messages require. The third is the amount of disk space that’s wasted in the mailbox.

      Use Compact Mailboxes (under Special on the main menu) to reclaim the wasted space.

  6. Hi everyone, Especial Thanks goes to the developers, the initiators and the Lead, off course!

  7. Hello, everyone. I’m the project lead for an effort to relaunch Eudora for Windows, called Hermes Mail. Some of you may have heard of me, as it was my team that wrote the Hermes SSL extensions for Eudora (i.e. the new QCSSL.DLL). For those of you that are awaiting Hermes Mail for Windows, it should be out on or before St Valentine’s Day of this year (February 14th, i.e. in two weeks!)

    I’m writing because I’m also running a campaign to save Eudora for the Mac. Macintosh programmers are harder to find and more expensive than programmers for Windows, so I’m soliciting donations here: https://www.kickstarter.com/projects/1313324524/hermes-mail-x-a-continuation-of-eudora-in-cocoa-fo/description

    There are only 17 days to go! Hope we hit that target!

    1. Helluva target, Nicholas Edward Werner-Matavka! I hope you – and your team – hit it.

      I cut over to your replacement QCSSL.DLL from stunnel with your latest release and I’ve got to say it’s been working flawlessly. For that, thank you!

    2. Huzzah!! Been waiting for years for someone to resuscitate
      Eudora. Bless you!!

      One thing that Eudora lacks and which maybe will be a feature of Hermes Mail is the ability to handle Chinese language. Yes?

      Jerry Stryker
      Danville, CA
      USA

      1. I second Jerry’s enthusiasm and celebration of the resurrection of Eudora as Hermes! (Sadly I will say Hermes Mail brings up visions of a really poor package delivery service here in the uK where I now live…)

        BTW > very small world Jerry, I’m from Alamo!
        Cheers & thanks again to Rick for the forum and ongoing help!
        Ceci

      1. I haven’t heard anything since the team was to distribute to their testers. I’m taking that to mean that issues were – or are being – discovered and fixed. If so, then good. Given the heat they took over the QCSSL patch – that took several iterations to get working reasonably – and the install instructions are still poor – I’d rather see ’em come out the door with something a little more solid.

      1. Simple question, Iska, with a simple answer. It’s available here:

        https://sourceforge.net/projects/hermesmail/files/hermsetup.exe/download

        Here are some important notes from the author regarding that download:

        Ladies and Gentlemen:

        If you’ve been following the progress of the HERMES Mail for Windows Kickstarter page, you’ll surely have noticed that the final release of the so-called “bridge” or “transitional” package is now publicly available. If not, you can consider this your notice. You can download it at: https://sourceforge.net/projects/hermesmail/files/hermsetup.exe/download

        If Eudora 7.1.0.9 works to your satisfaction and you can send and check mail with no problems, you do not need this release. Fundamentally, it’s an automatic, “set-it-and-forget-it” distribution of Eudora Paid Mode, the existing HERMES SSL Extensions, the Microsoft C++ Redistributable, various foreign-language dictionaries for Sentry.

        You may also have heard that the direction of HERMES Mail proper has undergone a radical re-alignment. Quite simply, we can not in good time re-create Eudora in pure MFC; that is the uncompromising reality with which we’re faced, and I’m resigned to it. Notwithstanding this change in plan, our promises to you stand: UTF-8/Unicode handling, multiple language support, program available free of cost, etc. I’ll be the first to admit we’ve had a rough start, but it *is* a start, and we’re that much closer to offering you the best eMail client we can possibly create.

        The release after that is on the drawing board, in what could be called the specification stages—essentially, plain-English descriptions and flow charts of planned new features. Oh, yes, HERMES Mail is getting new features, but it’ll have to be an evolution rather than a revolution. Not sure when we’ll be able to scrub away the Stingray influence, but it’s taken a back seat for now.

        The next step is adding content to our project Web site; that’ll most likely take place during the coming days or week. More to come.

        Cordially,

        Nicholas Edward Werner-Matavka.

        1. Super, thank you, Rick! Like many others here, I just can’t give up Eudora after well-over two happy decades with it! Now that I read the note not to touch it if my version works, and it DOES after following Zok T’s clear instructions (thanks for that, too!), I can merrily continue. Will save the link in case there are future changes/issues. Cheers!

  8. (Also posted to the updated article.) Now you can instead just get the updated QCSSL patch (4 files), which updates Eudora’s root certificate store to 2018, and adds TLS 1.1 and TLS 1.2 support to your Eudora 7.1!

    Here’s how:

    The updated SSL library from the Hermes developers can be patched into your current installation of Eudora 7.1, and it 1) resolves certificate problems, and 2) adds TLS 1.1 and 1.2 support to Eudora, so mail servers that recently dropped TLS 1.0 support will once again work with Eudora.

    How to patch your Eudora 7.1 installation:

    1) Download https://sourceforge.net/projects/hermesmail/files/HermSSL.zip/download and extract it somewhere.

    2) Quit Eudora

    3) Find your Eudora program files folder. Backup these files: libeay32.dll, QCSSL.dll, rootcerts.p7b, ssleay32.dll

    4) Run vcredist.exe that you extracted above, although you might already have a new enough version of this Microsoft library on your system, in which case it will tell you that and will abort.

    5) Copy these new 4 files you extracted (libeay32.dll, QCSSL.dll, rootcerts.p7b, ssleay32.dll) into your Eudora program directory. You’ll see they’re from 2018 instead of 2006.

    6) Start Eudora and all should be well!

    7) If you were getting certificate errors, they should be gone.

    8) If you’re using a server that supports TLS 1.1 or 1.2, you can confirm that Eudora is now using them, by checking your mail, then going to that personality, properties, incoming mail, Last SSL Info, and look for “TLSv1.2” or “TLSv1.1” in the SSL version field, instead of “TLSv1”. (Or, if you only have one personality, you’ll find this via Tools, Options, Checking Mail, Last SSL Info.)

    The Hermes project seems to have a long way to go as far as getting Eudora restored and updated, BUT they have successfully updated the SSL library and root certificate store for all of us still using the official Eudora 7.1, keeping us on life support again. Thank you, Hermes developers!

    1. Excellent comment, Zok T! Thanks for bringing it to the comment stream in these Eudora articles, especially for taking the time to add it to both – it’s good info.

      I’ve been running the patch born of the Hermes project for a couple of months on my main desktop box with nothing but success.

      However, I’ve heard of several cases for which it’s been said to be ineffective – or worse. To be fair I’ve never had one of those reach out to me for help and so I have no direct experience with the reported trouble. It’s perfectly possible, for example, that the ‘install’ – actually nothing more than a series of file replacements – was simply performed improperly.

      I suppose it’s time to create a third article in the Eudora series to give prominent mention to both the Hermes project and the stunnel solution. Thanks for prompting me!

      1. Happy to read this. I was just living with the inconvenience of manually updating the certificates. I’m glad someone is smart enough and cares enough to have done this. Kudos for whoever it was.

    2. Rats, I have Eudora on two almost identical machines with Win-7 64 and it worked on one but not the other. Now it just hangs on Logging into POP server. If I replace the 4 files with the originals it logs in and downloads mail.

      1. I cannot edit my previous post to say . . . The only difference is that on the first machine that the patch worked on, vcredist.exe was already up to date but the machine it did not work on, it installed vcredist.exe but only after I downloaded and installed vc_redist.x64 2017 version. It never logs in to the pop server and takes for ever to finally quit and say it timed out.

        1. Nah, ya can’t edit previous *comments*, Hap. That’s because this isn’t a forum, you’re commenting on one of by blog posts from back in 2015!

          The popular opinion seems to be that *any* version of “Microsoft Visual C++ 2015 Redistributable (x86)” is a good one for use with the Hermes patch.

          Note the “2015” and the “x86” bits – they’re important. There are many “Microsoft Visual C++ YYYY Redistributable …” versions with the YYYY representing different years – my work-a-day desktop has twenty-some-odd of ’em.

        2. I’m on a Win-7 64 machine still… now a bit nervous (am no programmer, though husband is an IT professional so can help – though he rolls his eyes about my Eudora passion!).

          It sounds like I am in luck *if* vcredist.exe is up to date but not in luck if I need to update it??

          1. I had trouble on one machine but not the other. I finally got it to work on BOTH machines, All I had to do is wait a LONG time for vcredist.exe to install. No need for the 64 bit version. I thought it had *hung* but on the third try it did eventually install after almost 5 minutes.

    3. Hello,

      Eudora user since 1992 and I never found a better email programme than Eudora.
      I even managed to get other family members and friends to work with Eudora and they all love it!
      This morning started with bad news as we could not receive emails anymore, even though all certificates were OK.
      Than I found this solution offered by the Hermes developers and it worked !!
      I am so happy!
      THANK YOU – THANK YOU – THANK YOU

  9. This procedure has worked perfectly for me for ages BUT I use (and recommend) Kaspersky Internet Security and a recent update generates personal anti-virus email certificates. The procedure you describe works fine but it seems the certificates are regenerated each day: While most certificates only need to be installed once, the KIS ones have to be re-installed – a lengthy and tiresome business when you have lots of email accounts.
    Kaspersky support has been very responsive and helpful but it looks like they’re going to have to do some kind of rewrite. Currently the only way I can avoid continual re-installations is to make Eudora a ‘trusted application’ – and that means emails aren’t scanned for threats: not an acceptable solution. Anyone found a better way forward?.

    1. Thanks for taking the time to write. The follow-up article‘s a little more straightforward, better written.

      And Stunnel makes the problem simply go away by acting as a proxy between Eudora and Gmail, handling the frequently updated certificates automatically.

      Both, recommended stuff.

      1. Stunnel only worked for a few months for me. Was not worth the effort. It only takes a few seconds to add the new certificates every so often.

  10. It would seem to me it would be possible for someone, ( I don’t code) to write a script to do this automatically.

  11. Hello,

    “You’ll need to go back and follow those steps again.”

    “I hear you now. “Only an idiot does the same thing over and over expecting different results.””

    It took three cycles of following your steps to remove the errors, but it worked

    Thank you very much

    David

Leave a Reply to Rick Cancel reply

Your email address will not be published. Required fields are marked *