Apple Mail 8.2 disables SSL to POP3 server (Security risk)
Hi,
Setup
Computer:
OS X 10.10.2
Mail 8.2 (2070.6)
Mail server A
POP3 port 995 SSL
(Non SSL - port 110 - is disabled due to security reasons)
Mail server B
POP3 port 110
POP3 port 995 SSL
Summary
The OS X Mail client removes SSL support at irregular intervals for POP3 connections. For the connections that support regular non-SSL POP3 (port 110) this reduces the security, but the mail is available. This was noticed by me because one ISP has locked down their POP3 server to SSL only due to security reasons. After re-enabling SSL on the connection (Mail -> Preferences -> Accounts -> Account in question -> Advanced) the connection remains with SSL support for a while, then it is removed again. As OS X Mail has no token to identify an SSL or regular port 110 connection, this is transparent to the user, unless the server does not support regular POP3, at which time an error is generated.
Comments
1) This seems to be a security-related issue with Mail where OS X Mail downgrades from an SSL connection to regular port 110 POP3 traffic
2) If corrected the connection is downgraded again within a couple of days, if not sooner.
3) Connections to POP3 servers supporting port 110 are "unaffected" with the exception of the security issue of a downgrade
4) Connections to POP3 servers that only support SSL - port 995 - are not able to complete until SSL has been re-enabled manually.
5) Downgrade bug has been seen only on my machine, so it might not be something mainstream. Machine is updated to latest patches.
Questions
1) As this has only been observed on my machine, has anybody else seen this POP3 SSL downgrade bug?
Mail 8.2-OTHER, OS X Yosemite (10.10.2), OS X Mail 8.2
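
The following Python example is added here to illustrate the post; it is not from the poster or from Apple. It audits POP3 account settings for the drift described above and separates the silent downgrade (server still accepts port 110) from the visible failure (SSL-only server). The plist key names (MailAccounts, AccountType, Hostname, PortNumber, SSLEnabled) and the hostnames are assumptions, and the sample data is constructed.

```python
import plistlib

# Constructed sample standing in for a Mail accounts plist. The key names
# (MailAccounts, AccountType, Hostname, PortNumber, SSLEnabled) and the
# hostnames are assumptions for illustration; they do not come from the post.
SAMPLE_PLIST = plistlib.dumps({"MailAccounts": [
    # Server A: SSL-only server, SSL flag missing from the account entry
    {"AccountType": "POPAccount", "Hostname": "pop.server-a.example",
     "PortNumber": "110"},
    # Server B: accepts both ports, SSL switched off
    {"AccountType": "POPAccount", "Hostname": "pop.server-b.example",
     "PortNumber": 110, "SSLEnabled": False},
    # Correctly configured POP3 account
    {"AccountType": "POPAccount", "Hostname": "pop.server-c.example",
     "PortNumber": 995, "SSLEnabled": True},
    # Non-POP account, out of scope for this check
    {"AccountType": "IMAPAccount", "Hostname": "imap.server-c.example",
     "PortNumber": 143, "SSLEnabled": False},
]})

POP3_PLAIN, POP3_SSL = 110, 995


def audit_pop_accounts(plist_bytes, ssl_only_hosts=()):
    """Return (hostname, finding) for every POP3 account not on SSL/995."""
    findings = []
    for acct in plistlib.loads(plist_bytes).get("MailAccounts", []):
        if acct.get("AccountType") != "POPAccount":
            continue
        host = acct.get("Hostname", "<unknown>")
        port = int(acct.get("PortNumber", POP3_PLAIN))  # may be str or int
        ssl_on = bool(acct.get("SSLEnabled", False))    # absent key = off
        if ssl_on and port == POP3_SSL:
            continue
        if ssl_on:
            finding = "ssl-on-unexpected-port"
        elif host in ssl_only_hosts:
            # Server refuses port 110, so the user sees an error
            finding = "downgraded-fetch-fails"
        else:
            # Server accepts port 110, so nothing tells the user
            finding = "downgraded-silently"
        findings.append((host, finding))
    return findings


if __name__ == "__main__":
    for host, finding in audit_pop_accounts(
            SAMPLE_PLIST, ssl_only_hosts={"pop.server-a.example"}):
        print(f"{host}: {finding}")
```

Running a check like this on a schedule and alerting on any finding would catch the setting being reverted before credentials go out over port 110.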