Apple mail can't connect with SSL since upgrade

Frater

Regular Pleskian
Ever since I've upgraded from Plesk 12.x to Plesk 12.5 I'm getting calls from customers that their mail doesn't work.
All these users have Apple mail and use SSL to connect with either IMAP or POP.

Thus far I changed their Mail-clients to plain and then they start working again.

These are the differences between the Courier configs

diff imapd-ssl etc/courier-imap/imapd-ssl
Code:
131c131
< TLS_PROTOCOL=TLSv1
---
> TLS_PROTOCOL=SSL23
309,310d308
< TLS_CIPHER_LIST=HIGH:!aNULL:!MD5
< TLS_STARTTLS_PROTOCOL=TLSv1

# diff pop3d-ssl etc/courier-imap/pop3d-ssl
Code:
162c162
< TLS_PROTOCOL=TLSv1
---
> TLS_PROTOCOL=SSL23
352c352
< POPLOCK_TIME=20
---
> POPLOCK_TIME=30

I have just reverted to the 12.x configs.

It's all very nice that better security is made, but this can't come at the cost of unreachable mail for the legitimate owners....

Who's at fault here? Plesk or Apple?
 
Hi,

I see this as an Apple issue.
POODLE made SSLv3 unusable. To this date, Apple does not seem to have been able to update their Mail App to support TLS.
I prefer having a secure server over an insecure client.

However maybe it's your clients?
If I remember right, Apple did disable SSLv3 support 1 year ago.
However, if customers do not update their system, they will not benefit from this.

Just my two cents
Kristian
 
I prefer having a secure server over an insecure client.
I think most people find it more important that they can receive their mail.

From the clients' perspective, we're a small firm that has changed its service. They are not interested in that kind of security. Their machine, made by Apple, the inventor of all computers (sarcasm), can never be at fault.
 
Hi,

in that case they should invest the money and time to keep their (Apple/Mac) system up to date.
This obviously does not seem to be the case. I just googled to find out when Apple actually patched their system.
This was 1 year ago now. I think this is time enough for anybody to update their system and software.
Even if it is Apple, the inventor of computers. Your customers choose to use their software :)

I do understand this might be frustrating in support. We have the very same discussion every week.
But we also have customers that rely on us to provide a secure service. SSLv3 is deprecated/outdated and insecure.
If you/we keep supporting it, the customers will never understand what security is about and never update their systems.

Of course I also understand that this discussion has a major potential to end in a flame war.
This is not what I am intending.
But you would not want your clients to drive a car that is known to have faulty brakes, right? :)
(stupid comparison, I know :p )

Regards,
Kristian
 
Hi,

in that case they should invest the money and time to keep their (Apple/Mac) system up to date.
This obviously does not seem to be the case. I just googled to find out when Apple actually patched their system.
This was 1 year ago now. I think this is time enough for anybody to update their system and software.
Even if it is Apple, the inventor of computers. Your customers choose to use their software :)

I don't know exactly what Apple's policy is on updates. I know they just released "El Capitan", and before you could easily upgrade from Mountain Lion to Mavericks, but when I just checked "update" on that 10.7.5 system this morning it told me there are no updates found.
Does Apple expect their users to do anything more or even this?

So, Apple isn't patching all their Snow Leopards, Lions, Mountain Lions out there?
 
Hi,

well I don't even own a Mac, so I can't tell you :)
But this is what I found:
http://www.computerworld.com/articl...ort--leaves-1-in-5-macs-vulnerable-to-at.html

In general Apple seems to always support the most recent OS X + the previous one. Everything older than that no longer gets support.
Maybe you could get further information from Apple as to when they actually started supporting TLS in their Mail App and how to retrieve updates for it.

Regards,
Kristian
 
Hi Frater,

I can't confirm that Apple Mail in general might be unable to use SSL/TLS when SSLv3 is disabled on the server, and I would like to investigate the issues with Apple Mail, but I need some more details.

Can you confirm that you use the recommendations from KB article 123160 ( http://kb.odin.com/123160 ) for your configuration files?

Can you confirm that other mail software on the same customer's/user's computer has no issues/failures/errors using TLS with the very same email account? Please test the very same email account on the same computer with, for example, Thunderbird.

WHICH openssl version is being used on your server?
WHICH courier-imap version is being used on your server?
WHICH operating system is being used on your server?

Please post all courier-imap configuration files as attachments.
Code:
/etc/courier-imap/imapd
/etc/courier-imap/imapd-ssl
/etc/courier-imap/pop3d
/etc/courier-imap/pop3d-ssl
Did you try to investigate the issue with the help of the error logs? Could you please add the corresponding errors from your logs, so that investigation is easier? Please don't post the whole logs.... only the corresponding errors from them.

WHICH operating system is being used on the customer's/user's computer?
WHICH version of Apple Mail is being used?

Did you try to set up courier-imap with the option "IMAP_TLS_REQUIRED=1", so that only TLS connections are allowed?
If you tried out the "TLS_REQUIRED" option, did you also try to close port 993, for example with "IMAPDSSLSTART=NO", in your configuration files?

IF the customer/user uses IMAP, WHICH port has been set up for connections to your server ( 993 or 143 )?
Can you confirm that the customer/user has been set up to use SSL?

Can you confirm that you don't use the standard DHPARAM file ( which is only 768 bits ) on your server and that you use at least 1024 bits ( 2048 bits are recommended )? Modern mail clients will refuse to connect to IMAPS if the standard 768-bit DHPARAM file is being used.
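As an added example (not code from this thread, from Plesk or from Courier), here is a small Python audit that applies the checks listed above to Courier-IMAP's KEY=VALUE configuration and to a PEM "DH PARAMETERS" file: it flags TLS_PROTOCOL=SSL23 (version negotiation that can still end up at SSLv3), a missing TLS_CIPHER_LIST, IMAP_TLS_REQUIRED not being 1, and DH parameters below 1024 bits. The two config texts are constructed from the diff at the top of the thread, the TLS_DHPARAMS path is a hypothetical one, and the DH modulus is constructed (not a real prime) purely to exercise the parser, so everything runs offline.

```python
"""Audit Courier-IMAP TLS settings against the checklist in this thread.

Added example; not code from the forum thread, Plesk or Courier.
All inputs are constructed inline so the script runs offline.
"""
import base64

# Constructed from the thread's diff: the hardened Plesk 12.5 values.
# The TLS_DHPARAMS path is hypothetical.
PLESK_125_IMAPD_SSL = """\
##NAME: TLS_PROTOCOL:0
TLS_PROTOCOL=TLSv1
TLS_CIPHER_LIST=HIGH:!aNULL:!MD5
TLS_STARTTLS_PROTOCOL=TLSv1
TLS_DHPARAMS=/usr/share/courier-imap/dhparams.pem
IMAPDSSLSTART=YES
"""

# The 12.x values Frater reverted to: SSL23 negotiation, no cipher list.
PLESK_12X_IMAPD_SSL = """\
##NAME: TLS_PROTOCOL:0
TLS_PROTOCOL=SSL23
TLS_DHPARAMS=/usr/share/courier-imap/dhparams.pem
IMAPDSSLSTART=YES
"""


def parse_courier_config(text):
    """Return {KEY: value} for KEY=value lines; '#' comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_tls_settings(settings, dh_bits=None):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    proto = settings.get("TLS_PROTOCOL", "")
    if not proto:
        findings.append("TLS_PROTOCOL not set")
    elif proto == "SSL23":
        findings.append("TLS_PROTOCOL=SSL23: version is negotiated, so SSLv3 "
                        "(POODLE) may still be offered unless OpenSSL forbids it")
    if "TLS_CIPHER_LIST" not in settings:
        findings.append("TLS_CIPHER_LIST missing: OpenSSL's default list applies")
    if settings.get("IMAP_TLS_REQUIRED", "0") != "1":
        findings.append("IMAP_TLS_REQUIRED is not 1: plaintext logins stay possible")
    if dh_bits is not None and dh_bits < 1024:
        findings.append(f"DH parameters are {dh_bits} bits; modern clients refuse "
                        "< 1024 (2048 recommended)")
    return findings


# --- minimal DER helpers: DH PARAMETERS is SEQUENCE { INTEGER p, INTEGER g } ---
def der_len_enc(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_len_dec(buf, i):
    """Decode the DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def der_int(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # keep the INTEGER positive
        raw = b"\x00" + raw
    return b"\x02" + der_len_enc(len(raw)) + raw


def make_dh_pem(bits, g=2):
    """Constructed PEM with a modulus of the given size; NOT a real prime."""
    p = (1 << (bits - 1)) | 1
    body = der_int(p) + der_int(g)
    der = b"\x30" + der_len_enc(len(body)) + body
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"


def dh_param_bits(pem):
    """Bit length of p in a PEM 'DH PARAMETERS' blob (what openssl dhparam -text shows)."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    assert der[0] == 0x30, "expected SEQUENCE"
    _, i = der_len_dec(der, 1)
    assert der[i] == 0x02, "expected INTEGER p"
    plen, j = der_len_dec(der, i + 1)
    return int.from_bytes(der[j:j + plen], "big").bit_length()


if __name__ == "__main__":
    for label, text, bits in (("12.x", PLESK_12X_IMAPD_SSL, 768),
                              ("12.5", PLESK_125_IMAPD_SSL, 2048)):
        cfg = parse_courier_config(text)
        print(label, audit_tls_settings(cfg, dh_param_bits(make_dh_pem(bits))) or ["ok"])
```

On a real server, replace the constructed strings with the contents of /etc/courier-imap/imapd-ssl and imapd and the file named by TLS_DHPARAMS; the DER walk only reads the first INTEGER, which is enough to report the modulus size that clients base their refusal on.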
 