10.10.4 Mail SMTP problem

It's good to have confirmation.

I'll be curious to hear if anyone using the 10.10.5 beta would confirm that this issue has been addressed.

Hey eike.hoffmann,

I've got the exact same problem as you do. A number of different SMTP servers I use with Mail are always being sent a * for the password. Both AUTH PLAIN and AUTH LOGIN don't work. But, I've also seen Google's XOAUTH2 work successfully with Mail. I did break out Wireshark to see if the actual protocol matched Mail's debug logs. Using unencrypted SMTP, I did see the single raw * sent as a password.

Obviously all my testing has been done with OS X 10.10.4 which is when my problems started too. I also saw Apple released the 10.10.5 Beta two days ago. No specific notes on what changed other than "bug fixes". Anyone willing to be a guinea pig and install it to see if the problem goes away? 😉

Chris.

Chris -

Have you managed to see any rhyme or reason why it might work sometimes, but not work other times? It would be really nice if we might be able to pin down why it stops working, so we can know what to avoid doing. Does Googles XOAUTH2 work consistently, or is it also a hit-and-miss event?

I'm dubious we'll get to hear much from the 10.10.5 Beta until it goes live, unfortunately. But, it would be okay for me to be wrong.

FWIW Thunderbird works fine for me too, so it does not seem a Keychain problem. Gmail (w/XOAUTH2) works for me 100% of the time, and the server with regular AUTH LOGIN 0% of the time.

I'm also experiencing this problem connecting to my company's SMTP server using Mail. I am able to connect to and send through Gmail with SMTP and the Mail app consistently.

I am also able to successfully send mail through the same account using Thunderbird. Additionally, I was able to connect and authenticate from OpenSSL on the command line.

I've yet to see SMTP with PLAIN or LOGIN work on 10.10.4 with any of my testing. I've only done a short bit of testing with Google's XOAUTH2, and so far so good. In the Keychain, passwords for XOAUTH2 are stored very differently, and the password is not actually passed back and forth during a regular login. Everything is token based. Google's SMTP server also does support PLAIN and LOGIN, but my laptop doesn't use it since setting up a brand new account through Mail.

I'm not sure how Mail chooses which AUTH method to use. Those who claimed that they couldn't send initially with Google, then deleted their accounts from Mail, recreated them, and then had their mail start sending again, I suspect Mail was using an old authentication method like PLAIN for the old account. When they recreated the account, Mail got smart and started using XOAUTH2. That checkbox "Automatically detect and maintain account settings" that everyone suggests to turn on is probably what triggered Mail to switch to XOAUTH2 on a new account.

I've also seen Mail attempt AUTH CRAM-MD5 and DIGEST-MD5. Neither of those worked. It keeps sending an * when it gets time to do something with the password.

Eiki, I'm located in western Canada. I sometimes don't get to replying to emails till a little later in the day. I also hear you about applying the Beta. I make my living with my laptop, and I'm not willing to apply the Beta either. I've installed Postbox for the short term to use as my Mail client for sending. Not terribly impressed with its performance, but it sends which is what counts right now.

Chris.

I hate to rain on the collected replies, but I don't think it is a Mail application problem. We upgraded 1 MacBook to 10.10.2 on Tuesday/Wednesday [July 14/15] on a network of three MacBooks. All four use a SMTP server of a private service, but only the upgraded MacBook uses Mail. The others use Thunderbird. Starting Thursday morning, July 16, around 0900 PDT, all of our Macs could not communicate with the SMTP server. But all of them could receive and communicate with the POP server for inbound eMail. Both servers require a password, but we are using older 6 and 7 character passwords. We got voice mail from our private service that our IP address, presumably the associated SMTP, had been blocked. They unblocked the IP address, but want us to change to the more secure passwords. While I have not yet gotten the full technical information about which IP address and how it could be blocked, I am totally perplexed, based on your collected comments, on how this can happen. During the outage, I tried pinging the private services POP servers and made contact but could not get a ping response from the SMTP servers. I have yet to dig into logs, so I can not give any more details at this point. I suspect the issue is with 10.10.x trying to solve LOGJAM problem.

I tried strengthening my password and attempting to connect again, but the problem remains. The password does not appear to be sent during the authentication process.

The Logjam issue is related to weak DH keys for TLS connections on the target server and I do believe the Apple updates were related to improving their security in this area. I manage the SMTP server that I am trying to connect to. We made sure that we had a 2048-bit DH group deployed and that we excluded weak DH ciphers.

I am able to successfully send mail through the server using Thunderbird from my Mac. I know many other people that are able to send mail through this SMTP server from PCs, mobile devices and other mail clients on a Mac device. This all suggests that the problem is not with the SMTP server or even the client device, but specifically with the Mail app itself.

Thanks for the reply and after reading Eike's logs and talking to the user of the upgraded MacBook, I have to agree that this looks like a Mail application problem. That MacBook sat idle for 1 1/2 days after the upgrade, while the Thunderbird Macs were in continual use. Only after the upgraded MacBook sent its first request for SMTP connection did things come unglued. All the Macs point to the same SMTP server with Port 587 open. The Thunderbird set ups use None for Connection Security, a Password transmitted insecure, and requires the user to enter the password manually for the first outbound transmission. For the Mail set up, the SMTP server is the same as Thunderbird but without password authentication; presume that is buried in Keychain. Sorry that I am not that knowledgeable about the Mail app, I personally don't use it.

What I do not understand is how Mail can send or not send a message to a third party SMTP server that would cause that server to block an IP address, while Thunderbird does not cause the same problem. Also, I am bothered by Chris's comment "I've yet to see SMTP with PLAIN or LOGIN work on 10.10.4 with any of my testing.". Does this mean I have to insure that Mail is always using XOAUTH2 and that my third party server is configured this way? Will know more on Friday after upgrading the password for the Mac using Mail. Hopefully, this will stop locking out our IP address.

Doby

yes, I see exact the same results!

I cannot get your work-around to work either unless I do as you suggest in EDIT2 (disable the "auto detect" for incoming as well); perhaps because I am not quick enough in sending a message! It does indeed show it working in the connection doctor immediately after (re-)creating the server, but then stops working.

Luckily for me, I do seem to still be able to pull down incoming mail with the "auto detect" feature off, so at least I think I'm back in business for now.

Thanks, Eike for all of your detective work here! Hopefully there's enough for Apple to fix the **** bug.