Stop maintaining a list of valid SSL certificates for common mail servers

jstedfast · jstedfast · commit bf6f21f18a46 · 2026-02-15T11:17:51.000-05:00
MailService.DefaultServerCertificateValidationCallback will no longer
maintain a list of known SSL certificate fingerprints for common mail
servers such as gmail.com, outlook.com, office365.com, mail.me.com,
yahoo.com, gmx.clom or gmx.net.

This no longer seems needed and was only ever really needed for clients
running on Mono on Linux/MacOS (which has been obsoleted for years by the
official dotnet runtime).
diff --git a/MailKit/MailService.cs b/MailKit/MailService.cs
@@ -443,114 +443,11 @@ public abstract int Timeout {
 			get; set;
 		}
 
-		const string AppleCertificateIssuer = "C=US, S=California, O=Apple Inc., CN=Apple Public Server RSA CA 11 - G1";
-		const string GMailCertificateIssuer = "CN=WR2, O=Google Trust Services, C=US";
-		const string OutlookCertificateIssuer = "CN=DigiCert Cloud Services CA-1, O=DigiCert Inc, C=US";
-		const string YahooCertificateIssuer = "CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US";
-		const string GmxDotComCertificateIssuer = "CN=Sectigo RSA Organization Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB";
-		const string GmxDotNetCertificateIssuer = "CN=Telekom Security ServerID OV Class 2 CA, O=Deutsche Telekom Security GmbH, C=DE";
-
-		// Note: This method auto-generated by https://gist.github.com/jstedfast/7cd36a51cee740ed84b18435106eaea5
-		internal static bool IsKnownMailServerCertificate (X509Certificate2 certificate)
-		{
-			var cn = certificate.GetNameInfo (X509NameType.SimpleName, false);
-			var fingerprint = certificate.Thumbprint;
-			var serial = certificate.SerialNumber;
-			var issuer = certificate.Issuer;
-
-			switch (cn) {
-			case "imap.gmail.com":
-				switch (issuer) {
-				case GMailCertificateIssuer:
-					return (serial == "00EBD9C1E819C5E8210A9042A1DB68CA4A" && fingerprint == "F782C958321514486235A43F048B1BF322E028B0"); // Expires 4/20/2026 4:40:51 AM
-				default:
-					return false;
-				}
-			case "pop.gmail.com":
-				switch (issuer) {
-				case GMailCertificateIssuer:
-					return (serial == "00DF09248D5E6774CC10620F198E408025" && fingerprint == "2B12A6D5C26D8359A3ABD88B37779A12CB3FA72A"); // Expires 4/20/2026 4:40:52 AM
-				default:
-					return false;
-				}
-			case "smtp.gmail.com":
-				switch (issuer) {
-				case GMailCertificateIssuer:
-					return (serial == "0085E25FC8F0D6B36312BF7499A3EE174D" && fingerprint == "4147F8A9DC5208A32F7C4B212942443C267D094E"); // Expires 4/20/2026 4:40:53 AM
-				default:
-					return false;
-				}
-			case "outlook.com":
-				switch (issuer) {
-				case OutlookCertificateIssuer:
-					return (serial == "07ECFAB580E06830E3EC580E3C1D4765" && fingerprint == "A6F7ECFB2BF631B3A84FEBB09FFDBB4E3B0F4211") // Expires 3/28/2026 7:59:59 PM
-						|| (serial == "05A8E2577A9AC3107AC04CAC3D282AF2" && fingerprint == "49EB381366CB543F6C6235F2D33C667DEDFA206F"); // Expires 11/9/2026 6:59:59 PM
-				default:
-					return false;
-				}
-			case "imap.mail.me.com":
-				switch (issuer) {
-				case AppleCertificateIssuer:
-					return (serial == "0FEE8FBB49AC97EC86D7ED21EFC51897" && fingerprint == "165176380DCFC6A132F525FDE4CF18F4442FCC0C"); // Expires 4/29/2026 3:21:15 PM
-				default:
-					return false;
-				}
-			case "smtp.mail.me.com":
-				switch (issuer) {
-				case AppleCertificateIssuer:
-					return (serial == "7250507B5C1C895E323A3A5B023B20C0" && fingerprint == "160053F7CF49B1C29393A837C4F0A56240677F03"); // Expires 4/1/2026 1:30:06 PM
-				default:
-					return false;
-				}
-			case "*.imap.mail.yahoo.com":
-				switch (issuer) {
-				case YahooCertificateIssuer:
-					return (serial == "085C2B88669F6FA216C9B13834BF9030" && fingerprint == "7FEC1E5DB496FE90CEA033EEAF58A140688391AD"); // Expires 3/25/2026 7:59:59 PM
-				default:
-					return false;
-				}
-			case "legacy.pop.mail.yahoo.com":
-				switch (issuer) {
-				case YahooCertificateIssuer:
-					return (serial == "02D30096956F2F636E4F8C8A428B8B7A" && fingerprint == "BA185970AD9E15E8D21EFC8F691E1D18711EEE56"); // Expires 4/8/2026 7:59:59 PM
-				default:
-					return false;
-				}
-			case "smtp.mail.yahoo.com":
-				switch (issuer) {
-				case YahooCertificateIssuer:
-					return (serial == "06C9D3C60F0F318236412975B3A7A2BC" && fingerprint == "15B8788B67B16595E596F042779C79640D9F2181"); // Expires 4/8/2026 7:59:59 PM
-				default:
-					return false;
-				}
-			case "mout.gmx.com":
-				return issuer == GmxDotComCertificateIssuer && serial == "49F9B6205B93B1A9DCEC50C54192A0A5" && fingerprint == "34DC8F699802DC1FAE824560C27E985020ACCFCC"; // Expires 5/5/2026 7:59:59 PM
-			case "mail.gmx.net":
-				return issuer == GmxDotNetCertificateIssuer && serial == "27AA0BBE1A29991EFFA8D799F4473004" && fingerprint == "53738E6CBB6B7EEA1E6CC77BC1A8867B0FB20331"; // Expires 11/22/2026 6:59:59 PM
-			default:
-				return false;
-			}
-		}
-
-		static bool IsUntrustedRoot (X509Chain chain)
-		{
-			foreach (var status in chain.ChainStatus) {
-				if (status.Status == X509ChainStatusFlags.NoError || status.Status == X509ChainStatusFlags.UntrustedRoot)
-					continue;
-
-				return false;
-			}
-
-			return true;
-		}
-
 		/// <summary>
 		/// The default server certificate validation callback used when connecting via SSL or TLS.
 		/// </summary>
 		/// <remarks>
-		/// <para>The default server certificate validation callback recognizes and accepts the certificates
-		/// for a list of commonly used mail servers such as gmail.com, outlook.com, mail.me.com, yahoo.com,
-		/// and gmx.net.</para>
+		/// The default server certificate validation callback only succeeds if there are no SSL/TLS certificate validation errors.
 		/// </remarks>
 		/// <returns><see langword="true" /> if the certificate is deemed valid; otherwise, <see langword="false" />.</returns>
 		/// <param name="sender">The object that is connecting via SSL or TLS.</param>
@@ -559,22 +456,7 @@ static bool IsUntrustedRoot (X509Chain chain)
 		/// <param name="sslPolicyErrors">The SSL policy errors.</param>
 		protected static bool DefaultServerCertificateValidationCallback (object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
 		{
-			const SslPolicyErrors mask = SslPolicyErrors.RemoteCertificateNotAvailable | SslPolicyErrors.RemoteCertificateNameMismatch;
-
-			if (sslPolicyErrors == SslPolicyErrors.None)
-				return true;
-
-			if ((sslPolicyErrors & mask) == 0) {
-				// At this point, all that is left is SslPolicyErrors.RemoteCertificateChainErrors
-
-				// If the problem is an untrusted root, then compare the certificate to a list of known mail server certificates.
-				if (IsUntrustedRoot (chain) && certificate is X509Certificate2 certificate2) {
-					if (IsKnownMailServerCertificate (certificate2) && DateTime.Now <= certificate2.NotAfter)
-						return true;
-				}
-			}
-
-			return false;
+			return sslPolicyErrors == SslPolicyErrors.None;
 		}
 
 #if NET5_0_OR_GREATER || NETSTANDARD2_1_OR_GREATER
