Password cannot be sent securely

What is the address of the mail server, and what port are you using to connect to it? Note: I'm not asking for your email address. Please don't post that.

And are you using a secure wifi network?

I am Bette's friend and am having the same problem on my new iMac. We both use the same ISP. I helped her post the question to help us both. Our mail server is mail.optonline.net. It's using the outgoing default ports: (25, 465, 587). And, yes, we both have password protected wifi networks. We also both just changed our email passwords (and updated them in our send and receive settings).

Mail is going and coming, but we see that Warning message when we check our Internet Account in System Prefs:

"Password could not be sent to "mail.optonline.net" securely. Mail cannot send your password securely to the server. You can continue without a secured password, which could put your password at risk. Do you want to continue without a secured password?" Then 'cancel' or 'continue' buttons.

Should we worry?

This error usually means that SSL/TLS is not selected for either or both of the SMTP or POP/IMAP paths to the mail server — Mail.app has TWO paths into the server, with entirely separate configuration screens for each, and each with separate server and user and password and SSL/TLS settings — or maybe that there's something comparatively unusual about your mail provider's configuration. The SMTP settings are particularly buried within Apple's Mail.app — you can get at those by selecting the "edit SMTP server list" pop-up associated with the POP or IMAP account. (See below for related details.)

Per this posting, your ISP either does not provide secure mail, or they're using a comparatively odd port for it — it is possible to use SSL/TLS with TCP port 110, but POP with SSL/TLS is more commonly found over on TCP port 995.

This means that either you're not secure and the diagnostic message is correct, or that there's a bug in Apple Mail.app diagnostics, or that Apple Mail.app is not choosing to try SSL/TLS on 110.

To try SSL/TLS on TCP port 110, you might try manually configuring that. To do that, Mail.app > Mail > Preferences > Accounts > select the mail.optonline.net account, select Advanced, select TCP port 110 and SSL/TLS enabled. If that connection fails, then you can also try manually selecting TCP port 995 there, with SSL/TLS enabled, and see if that works. Without probing TCP port 110 from here (and I'm disinclined to go poke at some random mail server), I can't tell if it's allowing SSL/TLS connections on TCP port 110, or has TCP port 995 open and available.

AFAIK, WiFi security is not a directly-contributing factor here. Beyond a well-secured corporate or home WiFi network and particularly one that uses WPA2 with a gonzo password and that also either lacks WPS support or has WPS support disabled, most WiFi networks aren't trustworthy.

This could be a complicated problem to solve, as there are several possible causes for it.

Back up all data, then take each of the following steps that you haven't already taken. Stop when the problem is resolved.

Step 1

From the menu bar, select

 ▹ System Preferences... ▹ Date & Time

Select the Time Zone tab in the preference pane that opens and check that the time zone matches your location. Then select the Date & Time tab. Check that the data and time shown (including the year) are correct, and correct them if not.

Check the box marked

Set date and time automatically

if it's not already checked, and select one of the Apple time servers from the menu next to it.

Step 2

Triple-click anywhere in the line below on this page to select it:

/System/Library/Keychains/SystemCACertificates.keychain

Right-click or control-click the highlighted line and select

Services ▹ Show Info

from the contextual menu.* An Info dialog should open. The dialog should show "You can only read" in the Sharing & Permissions section.

Repeat with this line:

/System/Library/Keychains/SystemRootCertificates.keychain

If instead of the Info dialog, you get a message that either file can't be found, reinstall OS X.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. Open a TextEdit window and paste into it by pressing command-V. Select the line you just pasted and continue as above.

Step 3

Launch the Keychain Access application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.

In the upper left corner of the window, you should see a list headed Keychains. If not, click the button in the lower left corner that looks like a triangle inside a square.

In the Keychains list, there should be items named System and System Roots. If not, select

File ▹ Add Keychain

from the menu bar and add the following items:

/Library/Keychains/System.keychain /System/Library/Keychains/SystemRootCertificates.keychain

From the Category list in the lower left corner of the window, select Certificates. Look carefully at the list of certificates in the right side of the window. If any of them has a a blue-and-white plus sign or a red "X" in the icon, double-click it. An inspection window will open. Click the disclosure triangle labeled Trust to disclose the trust settings for the certificate. From the menu labeled

Secure Sockets Layer (SSL)

select

no value specified

Close the inspection window. You'll be prompted for your administrator password to update the settings.

Now open the same inspection window again, and select

When using this certificate: Use System Defaults

Save the change in the same way as before.

Revert all the certificates with non-default trust settings. Never again change any of those settings.

Step 4

Select My Certificates from the Category list. From the list of certificates shown, delete any that are marked with a red X as expired or invalid.

Export all remaining certificates, delete them from the keychain, and reimport. For instructions, select

Help ▹ Keychain Access Help

from the menu bar and search for the term "export" in the help window. Export each certificate as an individual file; don't combine them into one big file.

Step 5

From the menu bar, select

Keychain Access ▹ Preferences... ▹ Certificates

There are three menus in the window. Change the selection in the top two to Best attempt, and in the bottom one to CRL.

Step 6

Triple-click anywhere in the line of text below on this page to select it:

/var/db/crls

Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password.

Step 7

Restart the computer, empty the Trash, and test.

my isp says not to check the SSL box. so, that must be the reason for the message?

Jan Brownell wrote:

my isp says not to check the SSL box. so, that must be the reason for the message?

Yes.

Your mail provider is apparently operating the mail servers without encryption — SSL/TLS provides an encrypted network connection — and Apple's Mail.app is correctly reporting on that configuration. This is a very unusual configuration, too.

I'd still try enabling SSL/TLS here and testing with both TCP port 110 and TCP port 995 connections. See if it works.

If your mail provider doesn't configure the mail server for SSL/TLS, then there's not much you can do about password security here other than migrating to a different mail provider, or treat the existing mail account and password, and the mail contents and all of the contact address information of folks you've exchanged mail with as potentially vulnerable. This is what Apple is warning you about.

Your suggestion to enable SSL/TLS on TCP port 995 is an excellent one. I would only add that port 995 seems to be for - as you point out - POP accounts. I didn't see where the OP stated the type of account in question, so ... if it is an IMAP account, my suggestion to Bette and Jan would be to try to enable SSL/TLS on port 993 instead of port 995.

San Lewy wrote:

Your suggestion to enable SSL/TLS on TCP port 995 is an excellent one. I would only add that port 995 seems to be for - as you point out - POP accounts. I didn't see where the OP stated the type of account in question, so ... if it is an IMAP account, my suggestion to Bette and Jan would be to try to enable SSL/TLS on port 993 instead of port 995.

Please see the page I linked earlier. That provider seems to offer POP, per the provider's posting describing the manual configuration processes.

ok -- yes, the account type is POP. Will try enabling SSL with 995 first... no, mail can't send 'with selected server'. Trying SSL with 993... no, same thing. Trying SSL with default ports (25, 465, 587)... nope. Deselecting SSL for outgoing only. Leaving 'Authentication - Password'... nope. Had to deselect SSL on both in and outgoing, with no Authentication on Outgoing, only on Incoming... so, back to original settings.

Thanks for Linking that page, MrHoffman. It provides basic info, but they don't discuss SSL at all. I may have to call again. Don't like unsecure mail.

and glad Apple is warning me of such.

Jan Brownell wrote:

ok -- yes, the account type is POP. Will try enabling SSL with 995 first... no, mail can't send 'with selected server'. Trying SSL with 993... no, same thing.

TCP port 993 is IMAP with SSL, and not POP. If you want to test with TCP port 993, you'll have to create a test account that uses the IMAP protocol. (I wouldn't assume a connection that's expecting a POP server to produce a sane message when confronted with an IMAP server. It might, but it might not.)

...It provides basic info, but they don't discuss SSL at all. I may have to call again. Don't like unsecure mail.

Some other options here, listed from easiest to most difficult, you can also find a different (free) mail provider, or can choose to have your own mail and your own domain hosted somewhere, or — if you want to expend the resources — run your own mail server. This assumes the current provider can't be convinced to enable and migrate to SSL/TLS connections.

As for the cost of hosting mail in your own domain, one provider I'm aware of charges ~USD$36 per year, plus a domain registration — they offer SSL/TLS connections, and a variety of other services and features for that, too.

Thank you! After hours of frustration, I saw your recommendation, and I enabled SSL for both incoming and outgoing settings. I did not check the box that allows the password to be sent without authentication, as some people recommended, and that 110 port automatically changed to 995. I now have email coming and going again! Thank so much! (Internet provider is Suddenlink, and operating system was just upgraded to Yosemite 2 days ago)

Another grateful respondent - I hit this problem after upgrading to El Capitan and enabling SSLsolved it for me too.

Thank you, Linc!!!