WordPress RSS Feed - Mailchimp Campaign - Images not showing up in EMAILS

Hello,


We have an issue with our Mailchimp Email Campaign and the interaction with our WordPress website. Mailchimp has stated the issue is not in Mailchimp, it is with Apple Application.


Issue:

This issue has been going on for over a month, but not certain exactly how long.


When the Mailchimp RSS Feed Email lands either in an Apple Mail inbox on Desktop or iPhone, the images only show a "?" and the image itself is not seen.

  • When the Mailchimp email is received on Desktop/Laptop in Apple Mail, images show only a "?"
  • On iPhone, the images also only show a "?"


There is a "?" where the image is supposed to be.

Keep in mind, this is in the email, not the browser. (When we click "view in browser", the images show up.) I've attached an image of what we see in Apple Mail.


Screenshots of issues:

https://pasoroblesdailynews.com/wp-content/uploads/2022/01/Screen-Shot-2022-01-06-at-9.06.36-AM.png

https://pasoroblesdailynews.com/wp-content/uploads/2022/01/Screen-Shot-2022-01-03-at-3.35.56-PM.png 


I've had two developers say the issue is on the Apple App side of things and they pointed me to this forum for help.


Any info on this issue is appreciated.

iMac 21.5″, OS X 10.11

Posted on Jan 7, 2022 4:38 AM

Question marked as Top-ranking reply

Posted on Jan 17, 2022 6:32 PM

NoahDavid123 wrote:

I've had new SSL's placed on both websites. That didn't fix the issue.
I am working with a dev to try and find the issue, but if you have any thoughts, please let me know. We have not solved this issue.

That certificate is still no good.


I compared your new certificate with my two working certificates from ssl.com and Let's Encrypt. Then I opened the message using Mail while running Console.app. I stepped through Console log messages and I think I've found the cause.


One of the differences between your certificate and my certificates is that "OCSP stapling" is set to YES for yours, but NO for mine. This is output from Console:


default	20:25:53.000821-0500	Mail	Connection 9656: enabling TLS
default	20:25:53.000828-0500	Mail	Connection 9656: starting, TC(0x0)
default	20:25:53.123516-0500	trustd	Leaf has invalid basic constraints
default	20:25:53.123987-0500	trustd	ocsp responder: (null) did not include status of requested cert
default	20:25:53.123963-0500	Mail	boringssl_session_apply_protocol_options_for_transport_block_invoke(1719) [C9656.1:2][0x13c4adba0] TLS configured [min_version(0x0301) max_version(0x0304) name(<private>) tickets(false) false_start(false) enforce_ev(false) enforce_ats(false)]
default	20:25:53.124038-0500	Mail	boringssl_context_info_handler(2012) [C9656.1:2][0x13c4adba0] Client handshake started
default	20:25:53.124156-0500	Mail	boringssl_context_info_handler(2029) [C9656.1:2][0x13c4adba0] Client handshake state: TLS client enter_early_data
default	20:25:53.124245-0500	Mail	boringssl_context_info_handler(2029) [C9656.1:2][0x13c4adba0] Client handshake state: TLS client read_server_hello
default	20:25:53.152735-0500	Mail	Connection 9656: asked to evaluate TLS Trust
default	20:25:53.174248-0500	Mail	Connection 9656: TLS Trust result 0


OCSP Stapling seems to be a relatively new security feature and not widely supported. You can debug details of a certificate and server support with a command like this:


openssl s_client -connect atowndailynews.com:443 -status


I found this from a web search so I ran this in Linux to avoid any Mac complications. It took a couple of tries, but I did find a site that supports OCSP Stapling and also works with Apple Mail. (Replacing one of those atowndailynews images with "https://logincdn.msauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg"). So compare the output from the above command with output from this one:


openssl s_client -connect logincdn.msauth.net:443 -status


There is some difference in the OCSP response data.


However, it gets more interesting. I also tried the above commands on the Mac and got radically different results. On one Mac, I get an expired certificate from "cambriadailynews.com".


/tmp $ openssl s_client -connect atowndailynews.com:443 -status
CONNECTED(00000005)
OCSP response: no response sent
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = US, ST = TX, L = Houston, O = "cPanel, Inc.", CN = "cPanel, Inc. Certification Authority"
verify return:1
depth=0 CN = cambriadailynews.com
verify error:num=10:certificate has expired
notAfter=May  6 23:59:59 2019 GMT
verify return:1
depth=0 CN = cambriadailynews.com
notAfter=May  6 23:59:59 2019 GMT
verify return:1
---
Certificate chain
 0 s:/CN=cambriadailynews.com
   i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
 1 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---


On another Mac (in a data centre in the US), I get a completely different error:

/tmp $ openssl s_client -connect atowndailynews.com:443 -status
CONNECTED(00000005)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign GCC R3 DV TLS CA 2020
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.atowndailynews.com
verify return:1
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response


While the OCSP response is good, I don't know why I get "unable to get local issuer certificate" or even if that is a fatal error. Unfortunately, this is a build-only machine running Big Sur. Mail isn't configured and it won't even open the test file.


I don't know what to tell you. A free Let's Encrypt certificate works. An SSL.com certificate (much cheaper than your GlobalSign) also works. Microsoft works too.
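
The two Mac transcripts quoted in the reply above can be reduced to the facts that decide trust: which leaf was served, which verify errors were raised and at what depth, and whether an OCSP response was stapled. This parser is an added example, not part of the original post; the function names and hint strings are assumptions made for illustration, and the inputs are trimmed copies of the transcripts.

```python
import re

# Trimmed copies of the two Mac transcripts quoted in the reply above.
MAC_1 = """\
OCSP response: no response sent
depth=1 C = US, ST = TX, L = Houston, O = "cPanel, Inc.", CN = "cPanel, Inc. Certification Authority"
depth=0 CN = cambriadailynews.com
verify error:num=10:certificate has expired
"""
MAC_2 = """\
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign GCC R3 DV TLS CA 2020
verify error:num=20:unable to get local issuer certificate
depth=0 CN = *.atowndailynews.com
OCSP Response Data:
    OCSP Response Status: successful (0x0)
"""
HINTS = {  # meaning of the two X509 verify codes that appear in the transcripts
    10: "certificate is past notAfter",
    20: "issuer not found in this client's trust store",
}

def cn_same_site(cn, host):
    """Heuristic: clients match SAN entries, which this output does not show."""
    base = cn.lower()
    if base.startswith("*."):
        base = base[2:]
    host = host.lower()
    return host == base or host.endswith("." + base)

def summarize(transcript, host):
    """Reduce `openssl s_client -status` output to the facts that decide trust."""
    leaf_cn, depth, errors, staple = None, None, [], "none"
    for line in transcript.splitlines():
        m = re.match(r"depth=(\d+) (.*)", line)
        if m:
            depth = int(m.group(1))
            cn = re.search(r"CN = (.+)$", m.group(2))
            if depth == 0 and cn:
                leaf_cn = cn.group(1).strip('"')
        m = re.match(r"verify error:num=(\d+):", line)
        if m:  # printed right after the depth line of the certificate it refers to
            code = int(m.group(1))
            errors.append((depth, code, HINTS.get(code, "unrecognised code")))
        m = re.search(r"OCSP Response Status: (\w+)", line)
        if m:
            staple = m.group(1)
    same_site = bool(leaf_cn) and cn_same_site(leaf_cn, host)
    return {"leaf_cn": leaf_cn, "same_site": same_site, "errors": errors, "staple": staple}

if __name__ == "__main__":
    for name, text in (("Mac 1", MAC_1), ("Mac 2", MAC_2)):
        print(name, summarize(text, "atowndailynews.com"))
```

A leaf for an unrelated site, as in the first transcript, is typically what a shared host returns when the client sends no SNI; "openssl s_client" builds older than OpenSSL 1.1.1 send SNI only when "-servername" is given.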

13 replies

Jan 12, 2022 12:42 PM in response to NoahDavid123

Thanks! That's exactly what I needed.


I think it is a problem with the security certificate on the "atowndailynews.com" server. There are other images in that data that appear fine. I can manually hack up images on the atowndailynews.com site to redirect elsewhere, anywhere, and they appear fine. It is only with images on that site.


When I run a test on that site, it only scores a "B": https://www.ssllabs.com/ssltest/analyze.html?d=atowndailynews.com


The testing site complains that the server does not support "Forward secrecy". This seems to be an important factor in Apple security, as documented here (https://support.apple.com/guide/security/sec100a75d12/web). I'm confident that this is the cause.


Things like this are to be expected when trying to send HTML content through e-mail. A better option would be to include all of the content in the e-mail. For example, if you manually go to that site via the "Show this site in your web browser", and then use the Share control in Safari to share it with Mail, you can tell Apple Mail to share with the full web content. This will include all of the images inside the e-mail message itself. E-mail it to yourself and you will see all images. It should be possible on the server side to do the same kind of transformation.

Jan 13, 2022 1:48 PM in response to NoahDavid123

NoahDavid123 wrote:

Any other thoughts?

I don't know. That "B" score is just something that particular website uses. I can't tell what else Mail is complaining about.


I even found this site with instructions on how to use the really cool "nscurl" utility. I had never heard of that.


Unfortunately, it didn't help. I used the "--ats-diagnostics" mode and even tried to run it using Mail's own plist file. Everything passed.


In addition to forward secrecy, some of the required cipher suites show up as "weak" for that site. I compared it to my own sites and I just don't understand the cryptography details enough to know exactly where it is failing.


Also, if I was going to hire a person to dig deep into this issue, what kind of "tech" would I hire? What might be that type of developer's "title"?

I don't think it is really worth that. I did notice that the certificate expires in 30 days. Why not just get a new certificate? I even tested this with a free Let's Encrypt certificate. That worked fine. The current certificate for that site seems to have been generated from cPanel?


Just buy a High Assurance certificate from ssl.com for $69. You don't need the fancy wildcard/SAN certificates and you don't want the cheap Domain Validation certificates.


For now, you can just get a Let's Encrypt certificate to fix the site. That shouldn't take more than 5 minutes. Don't try any of the automated systems. Just get a certificate and stuff it in, temporarily. You can install the real certificate on a test site and hack up your hosts file to redirect the name and verify it is working. I just took what you posted in the Additional text, saved it as an "eml" file and hacked up that first content image link under "Atascadero Chamber of Commerce announces key hires" and then opened the eml file in Mail.

Jan 10, 2022 1:53 PM in response to NoahDavid123

You are talking about a problem in an e-mail message. The only protocols that matter are MIME and HTTP. One image works and one image doesn't. What is the difference between them? Is one embedded in the message and the other a remote URL? Until you know that fundamental nature of the images, you can't begin to debug the problem. I can't tell that from a screenshot.


Could you post the RAW MIME content using the "Additional text" tool or pastebin? Make sure to redact any actual e-mail addresses, servers, or IP addresses.
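
The question asked above (embedded image or remote URL?) can be answered directly from the saved .eml file. An added example, not part of the original post: it lists every <img> reference in the HTML part and groups it as embedded (cid:) or by remote host; the sample message, its placeholder hosts and the function names are constructed for illustration.

```python
from collections import defaultdict
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample; every host is a placeholder (ad server, content site).
SAMPLE_EML = """\
From: news@example.invalid
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<img src="https://ads.example.invalid/banner.png">
<img src="https://content.example.invalid/uploads/story.jpg">
<img src="cid:logo@example.invalid">
--b1
Content-Type: image/png
Content-ID: <logo@example.invalid>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

class ImgSrc(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []  # src attribute of every <img> tag seen
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.srcs += [v for k, v in attrs if k == "src" and v]

def image_sources(raw_eml):
    """Group <img> references by how the mail client must obtain them."""
    msg = message_from_string(raw_eml, policy=policy.default)
    attached = {p["Content-ID"].strip("<>") for p in msg.walk() if p["Content-ID"]}
    found = defaultdict(list)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = ImgSrc()
            parser.feed(part.get_content())
            for src in parser.srcs:
                url = urlsplit(src)
                if url.scheme == "cid":  # image travels inside the message
                    key = "embedded" if url.path in attached else "embedded-missing"
                else:  # fetched over the network: TLS to this host must succeed
                    key = f"{url.scheme}://{url.hostname}"
                found[key].append(src)
    return dict(found)

if __name__ == "__main__":
    for source, refs in image_sources(SAMPLE_EML).items():
        print(source, len(refs))
```

Each remote host in the result is a server whose certificate the mail client has to accept before the image can load, so those are the names to test.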

Jan 14, 2022 7:26 AM in response to etresoft

etresoft wrote:


MrHoffman wrote:

Are these remote images (not gonna wade through the raw SMTP), and —if so—are the remote image load and privacy settings within Settings > Mail amenable to remotely loading these images?
Yes and yes. As the original screenshots show, Mail is displaying the advertising images, but not the content images.


Okay. Wasn’t sure which were referenced images and which were not.


It actually isn’t that difficult to wade through the raw content.


On an iPad 12.9” screen with a virtual keyboard and a slit for a MIME text display, it was more effort than I was inclined to invest.


The OP posted an anonymized version of said content. That makes it easy. Just save the content as a text eml file and open in Mail to debug yourself.


I’ve been looking at MIME-encoded text for ~twenty years, and routinely deal with a platform with ~Y2K MIME generation and rendering capabilities. I usually pull the text up in vim or with some command-line MIME-formatting tools for a look, and with tools that can strip off the chaff content. Just not usually from an iPad display. I also don’t have easy access to the SSL verification and website-crawling tools from the iPad, but you’d been poking at that—and seemingly effectively poking—and wasn’t going to comment on that without a better look.

Jan 14, 2022 6:37 AM in response to MrHoffman

MrHoffman wrote:

Are these remote images (not gonna wade through the raw SMTP), and —if so—are the remote image load and privacy settings within Settings > Mail amenable to remotely loading these images?

Yes and yes. As the original screenshots show, Mail is displaying the advertising images, but not the content images.


It actually isn’t that difficult to wade through the raw content. The OP posted an anonymized version of said content. That makes it easy. Just save the content as a text eml file and open in Mail to debug yourself.

Jan 13, 2022 12:55 PM in response to etresoft

Hello,

I had our server admin update "Forward Secrecy by switching the SSL ciphers", however, this has not solved the issue, images are still coming in with a "?" in the email. After the update, it still scores a "B": https://www.ssllabs.com/ssltest/analyze.html?d=atowndailynews.com


Any other thoughts?


Also, if I was going to hire a person to dig deep into this issue, what kind of "tech" would I hire? What might be that type of developer's "title"?
