Q: os x update 10.10.4; mail won't send 6/30/15

Using the connection doctor I get the following logs, which makes this all even more strange. It seems that the mail.app client does not respond to the server's STARTTLS and pops an error about a minute later. I have no idea what this error means right now, but inquire minds want to know?!?!

LOGS:

Jul  1 15:09:59 client Mail[546] <Debug>: [0x600000361bc0] << 220  (89 additional bytes)

Jul  1 15:09:59 client Mail[546] <Debug>: Connected: <MFSMTPConnection: 0x600000361bc0> (Connected) account: A{SMTP - A356B9FF-6A70-4B81-9156-43BD847F0BED}

hostname: postoffice, port: 587, security layer: kCFStreamSocketSecurityLevelNone

Jul  1 15:10:00 client Mail[546] <Debug>: [0x600000361bc0] >> EHLO  (25 additional bytes)

Jul  1 15:10:00 client Mail[546] <Debug>: [0x600000361bc0] << 250-postoffice Hello client [redacted], pleased to meet you

Jul  1 15:10:00 client Mail[546] <Debug>: [0x600000361bc0] << 250-ENHANCEDSTATUSCODES

Jul  1 15:10:00 client Mail[546] <Debug>: [0x600000361bc0] << 250-PIPELINING

Jul  1 15:10:00 client Mail[546] <Debug>: [0x600000361bc0] << 250-8BITMIME

Jul  1 15:10:00 client Mail[546] <Debug>: [0x600000361bc0] << 250-SIZE

Jul  1 15:10:00 client Mail[546] <Debug>: [0x600000361bc0] << 250-DSN

Jul  1 15:10:00 client Mail[546] <Debug>: [0x600000361bc0] << 250-AUTH GSSAPI

Jul  1 15:10:00 client Mail[546] <Debug>: [0x600000361bc0] << 250-STARTTLS

Jul  1 15:10:00 client Mail[546] <Debug>: [0x600000361bc0] << 250-DELIVERBY

Jul  1 15:10:00 client Mail[546] <Debug>: [0x600000361bc0] << 250 HELP

Jul  1 15:10:00 client Mail[546] <Debug>: [0x600000361bc0] >> STARTTLS (0 additional bytes)

Jul  1 15:10:00 client Mail[546] <Debug>: [0x600000361bc0] << 220 2.0.0  (18 additional bytes)

Jul  1 15:11:00 client Mail[546] <Debug>: Could not connect: <MFSMTPConnection: 0x600000361bc0> (Disconnected) account: A{SMTP - A356B9FF-6A70-4B81-9156-43BD847F0BED} (Error Domain=NSPOSIXErrorDomain Code=60 "The operation couldn’t be completed. Operation timed out")

That didnt work for me though :-(

Its clearly something they changed in the update as those with 10.10.3 or iOS 8.3 using the same settings on the server are fine.

I tried both "Automatically detect and maintain account settings" box (on and off) did not make a difference.

Neither did the SSL/MD5 option. The logs clearly show mail issues a STARTTLS and receives a 220 from the server but than Mail.app simply does nothing until about a minute later when it reports an error, which I don't know what that error even means.

What worked for me was to switch from Gmail Application Passwords to two-factor authentication, which is supported since OS X 10.10.3 (and iOS 8.3): Deleted all GMail SMTP accounts in Key Chain, Removed Google Account from System Preferences, Internet Accounts and set up a new account for Google, providing a token from the Google Authenticator app (others may work, too). Now, SMTP outgoing is working in Apple Mail.

Problem I have is that its not GMAIL but our own mail server.

I've talked with a couple of different people at Apple phone support, and seems like there is no solution yet they can give me. I also have our own mail server. My Gmail works, but not my company mail for outgoing mails. Very frustrating..

TBH, Can't understand how Apple can release an official OS update in this condition. Unbelievable....

Our Mail server is fixed.

Basically our network company had to reconfigure Sendmail to accept a higher level encryption.

We used a 2048 bit SSL Cert for mail however the DH key was 256 bit - Apples changes needs at least 768 bit.

The guys then needed to use Open SSL to generate a higher DH Key and then configure Sendmail to use it as its default is 256 bit

Not entirely sure that makes sense but I am sure if you manage a server it may help.

I've reverted to 10.10.3 using my Time Capsule and now mail is working perfectly again. I've alerted the system administrator to the problem and the mention in a later post that it might be that the level of encryption on the SSL needs to be adjusted.

This actually helped me. Before changing anything I checked the connection initiation with my server by using the openssl tool and that one threw a warning about the length of the dhparam key.

I increased the length of the dhparam key in my courier installation. Important to remark is, that 768bit is not enough, you have to go to 1024.

The sad side is, that this is so typical apple again, that it hurts. Why is it not possible to tell that to the user? At least give a warning? Instead this annoying "your internet is broken! By a new one at your closest genius bar!"-Message.

OS X and iOS work for me 85% of the time really really good, otherwise I would be long gone. But it has something of a drug addiction...

Quams wrote:

 

The sad side is, that this is so typical apple again, that it hurts. Why is it not possible to tell that to the user? At least give a warning? Instead this annoying "your internet is broken! By a new one at your closest genius bar!"-Message.

 

OS X and iOS work for me 85% of the time really really good, otherwise I would be long gone. But it has something of a drug addiction...

I agree. Addiction is where you're compelled to take ill-advised action before submitting it to a rational calculus, right? Like installing a system update on the first day it's available. Five, six, seven years ago I was more cautious with system updates, as unexpected turbulence was common. But more recently Apple got better and I've let my guard down, excited to see what the engineers have come up with. This is a throw-back to the bad old days; Mail is the app I use most, and now mine's unusable. I'm not techie enough to try tweaking the "dhparam key," whatever that is, so instead I'm waiting five hours while Time Machine restores me to my last 10.10.3 state.

It all gives new meaning to the phrase "user group," no?

I've verified that we use 1024 bits... but this has lead me to wonder if it's not a SHA1 vs. SHA256 issue. I know SHA1 as suppose to be phased out in 2016 by Google et al... I wonder if Apple has done the same thing.

I'm checking into that now. Our mail server has been around for some time and is long in the tooth. I would hate to be forced into an upgrade at this point in a rush :S

I don't think it's that.  This isn't a question of the length of the private key itself, like you'd see here:

[root@host private]# openssl rsa -in localhost.key -text -noout

Private-Key: (1024 bit)

I'd venture a guess that this is Apple responding to Logjam (or, more accurately, Apple nudging system administrators to patching/fixing their systems):

https://weakdh.org/

From there, you'll see a link to what you might need to do to address the problem with various common server software packages, including Sendmail and the like.

So we just have to wait for a fix now? Should I contact Apple about it? I don't remember ever having a bad update since maybe Panther or Tiger days.

Smart idea to roll back. I might have to do that or rely on web based mail instead.