A change in the way OS X 10.10.4 and iOS 8.4 handle TLS key exchange has caused a number of users — specifically those using Gmail — to see SMTP send failures and even app crashes. Luckily, there's an easy fix for users, and a permanent server-side solution for system admins.
The issue was first noted by users on Apple's Support Communities forum shortly after Apple released OS X 10.10.4 and iOS 8.4 on June 30. Sporadic account connection issues, inability to send email from specific servers and complete Mail shutdowns were reported.
Apple offered a possible explanation in a support document one day later, saying that both OS X 10.10.4 and iOS 8.4 provide increased security against a TLS vulnerability called "Logjam." To protect users, devices updated to the latest OS versions no longer connect to servers or webpages that use "weaker" Diffie-Hellman key exchange, defined as a group size of less than 2,048 bits.
As a result of the poorly documented change, users might encounter problems when connecting to enterprise-class Wi-Fi (802.1X), secure email connections (SMTP), secure web connections (HTTPS) and secure Internet printing (IPP over TLS/SSL), Apple said.
Support Communities forum members have discovered a number of workarounds, including disabling SSL, which is not recommended since it removes a layer of protection.
A more viable fix is to open Preferences from the Mail menu in Mail for OS X. In the Settings window, click the Accounts icon and select the email account experiencing issues.
Next, click Advanced in the resulting pane, toggle the check box next to "Automatically detect and maintain account settings" and restart Mail. Upon reopening, navigate back to the affected account and tick the box if you turned it off, or confirm that it remained checked after the restart.
For system administrators, Apple again notes servers should employ a group size of 2,048 bits or greater when using Diffie-Hellman key exchange. Apple Support Communities forum member "PeetDeVos" offers the following suggestion:
Sendmail server on CentOS / Linux: I added the following to the /etc/mail/sendmail.mc file before re-make (make -C /etc/mail) and restart of sendmail only (service sendmail restart). It instantly worked:
dnl # Added to resolve issues with Mac Mail
define(`confDH_PARAMETERS',`/etc/mail/certs/dh_2048.pem')
Before you do that, create the dh_2048.pem file using (openssl gendh -out dh_2048.pem -2 2048) in the relevant path (/etc/mail/certs or what you use).
If problems persist, the next recommended step is to contact your email provider and request that Apple's new 2,048-bit cryptographic protocol be instated.
18 Comments
"If problems persists, the next recommended step is to contact your email provider and request Apple's new 2,048-bit cryptographic protocol be instated." Ooooor, Apple could just support the standards mail servers use instead. Sounds like a case of the tail trying to wag the dog. The client is subservient to the server Apple.
Dear Google, would you please do what Apple says.
Thanks.
@seafox I felt the same way; however, the issue is a vulnerability in weak encryption keys. The recommendation is to use keys of size 2048 and higher. This is not an Apple cryptographic protocol as the article suggests. There is no RFC that states a minimum key size that must be supported with TLS, so I'm not convinced this is a non-standard implementation. Or, am I missing something?
withdrawn
Apple users are so plentiful that this will be very effective for the few who haven't done it already.