Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Kefevs
Kefevs Author
User level: Level 1
0 points

Apple Mail 8.2 disables SSL to POP3 server (Securityrisk)

Hi,



Setup

Computer:

OSX 10.10.2

Mail 8.2 (2070.6)


Mail server A

POP3 port 995 SSL

(Non SSL - port 110 - is disabled due to security reasons)


Mail server B

POP3 port 110

POP3 port 995 SSL


Summary

OSX Mail client removes SSL support on non regular intervals for POP3 connections. For the connections that support regular non SSL POP3 (port 110) this reduces the security, but the mail is available. This was noticed by me because one ISP has locked down their POP3 server to SSL only due to security reasons. After reenabling SSL on the connection (Mail -> Preferences -> Accounts -> Account in question -> Advanced) the connection remains with SSL support for a while, then it is removed again. As OS X Mail has no token to identify SSL or regular port 110 connection this is transparant to the user, unless the server does not support regular POP3, at which time a error is generated.


Comments

1) This seems to be a security related issue with mail where OS X mail downgrades from SSL connection to regular port 110 POP3 traffic

2) If corrected the connection is downgraded again within a couple of days, if not sooner.

3) Connections to POP3 servers supporting port 110 are "unaffected" with the exception of the security issue of a downgrade

4) Connections to POP3 servers that only support SSL - port 995 - are not able to complete until SSL has been reenabled manualy.

5) Downgrade bug has been seen only on my machine, so it might not be something mainstream. Machine is updated to latest patches.


Questions

1) As this has only been observed on my machine, has anybody else seen this POP3 SSL downgrade bug?

Mail 8.2-OTHER, OS X Yosemite (10.10.2), OS X Mail 8.2

Posted on Mar 13, 2015 5:51 AM

Reply
Question marked as Best reply
User profile for user: Eric Root
Eric Root
User level: Level 10
684,039 points

Posted on Mar 13, 2015 2:22 PM

Try Mail/Preferences/Accounts/Advanced - uncheck Automatically detect and maintain account setting. You must do this for each account.

View in context
9 replies
User profile for user: everhopeful
everhopeful
User level: Level 1
9 points

Mar 13, 2015 3:55 PM in response to Kefevs

Same problem. The following information is from Symantec:

To disable SSL\TLS

  1. Open Apple Mail.
  2. Click the Mail menu and select Preferences.
  3. Select your mail account on the left under Accounts, then click the Advanced tab.
  4. Confirm the check box labeled "use SSL" is not checked next to ports. If necessary remove the checkmark.
  5. Click the Account Information tab and select Edit Server list from the drop down next to Outgoing Mail Server.
  6. Click the Advanced tab and confirm there is not a checkmark next to Use Secure Socket Layer(SSL).
  7. Click OK and close the accounts. Window and choose to save.
  8. Click Save to update your settings.

Restart Apple Mail.

This does work for a while but eventually Mail reverts to enabling Use SSL and disabling Allow Insecure Authentication but only one some of my addresses but not all. Some accounts POP logs-in but not SMTP.

Reply
User profile for user: Kefevs
Kefevs Author
User level: Level 1
0 points

Mar 13, 2015 4:07 PM in response to Eric Root

This seems like the logical thing. Im testing, and if config remains static for 12h I will update as helped.


If this works, I do still feel there is a bug. A mail solution should never opt for a lower security setting than configured, once configured; and that service is available. There might be cases where this is wrong, but in this case this feature acts like it is buggy.


Thanks for your input

Reply
User profile for user: everhopeful
everhopeful
User level: Level 1
9 points

Mar 14, 2015 7:09 AM in response to everhopeful

Ignore my previous message, on signing in again after a couple of hours various e-mail addresses have changed again to "use SSL" and fail to go online. It would appear that I have to access every address to change the preferences every time I log in to Mail. I didn't load Yosemite voluntarily but having had a monumental crash from 10.7.5 Yosemite was the only option available to download. If I was in business I would soon be out of it at this rate.

Reply
User profile for user: Eric Root
Eric Root
User level: Level 10
684,039 points

Mar 14, 2015 2:00 PM in response to Kefevs

You are welcome.


Send Apple feedback. They won't answer, but at least will know there is a problem. If enough people send feedback, it may get the problem solved sooner.

Mail Feedback


Or you can use your Apple ID to register with this site and go the Apple BugReporter. Supposedly you will get an answer if you submit feedback.


Feedback via Apple Developer

Reply
User profile for user: everhopeful
everhopeful
User level: Level 1
9 points

Mar 16, 2015 3:23 AM in response to Eric Root

Finally my "use SSL" problem appears to be (quite illogically) sorted. Apple Mail has been stable now for 24 hours. Using two computers I have sent messages to all my addresses from computer 1 to computer 2, and replied from computer 2 to computer 1. I have done this probably 12 times until I can go into preferences and find that my saved settings have not been altered by the system. Prior to this the system changed my saved preferences every time I logged out and then logged in again. As I said before, totally illogical but so far it is now stable. For how long remains to be seen.

Reply

Apple Mail 8.2 disables SSL to POP3 server (Securityrisk)

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up