GSOY

Q: iOS 9: Mail login for OSX server account only PLAIN?

Hi everybody,

I have upgraded my OS X Server to 10.11 El Capitan and Server 5.0.4. Also, iOS 9 has gained the convenient ability to add an OS X Server account with automatic setup for all services, so I went ahead and added my personal account on the server on my phone. Calendars, Contacts etc. are working fine, but there's a severe issue:

iOS Mail wants to authenticate to the server only through PLAIN login over TLS. When I set my Mail service authentication (Server.app -> Mail -> Authentication) to Open Directory, iOS Mail fails to connect and states “Logins are disabled on the server”. When I set authentication to “automatic” or “custom” with plaintext checked, it works just fine.

Adding an OS X server account on iOS offers no settings besides username + password. How can I convince iOS to use CRAM-MD5 or MD5-Digest authentication instead of PLAIN login? If that's not an option, how can I make sure that iOS sends no password unencrypted, i.e. before a TLS connection is established? At the moment, my router only forwards port 993 for IMAPS.

Mac mini Server (Mid 2010), Mac OS X (10.7.4)

Posted on Oct 13, 2015 12:05 AM


  • by hemmes,

    hemmes Oct 13, 2015 5:12 PM in response to GSOY
    Level 1 (5 points)
    Servers Enterprise

    I have a bug case open about this. What's really insane is that I'll push the OS X server account via an IMAP payload on my Profile Manager, choosing MD5 Digest and it shows up, locked, as password on my iOS devices.

  • by emailboy,

    emailboy Nov 8, 2015 3:50 PM in response to hemmes
    Level 1 (0 points)

    Is it possible to edit the dovecot config files to permit non-plaintext methods? What version of dovecot comes with OS X server 10.11?

  • by hemmes,

    hemmes Nov 9, 2015 4:56 PM in response to emailboy
    Level 1 (5 points)
    Servers Enterprise

    I'm not sure editing anything in dovecot will help, as I have no issue manually configuring the OS X server account in iOS, with MD5, via IMAP. I'm thinking something is up with the iOS implementation. I'm pretty sure the new OS X mail account option in iOS 9 is also stuck with plain text, but will have to test to be sure.

  • by UptimeJeff, Solved answer

    UptimeJeff Jan 4, 2016 6:27 AM in response to hemmes
    Level 4 (3,477 points)

    PLAIN text authentication inside TLS/SSL is secure.

    This is the preferred mechanism for many providers.

    Ex: Rackspace dropped cram-md5 not long ago, they support PLAIN over TLS/SSL.

    Somewhat related note

    Digest-MD5 can cause serious issues (dovecot crashes) for an OS X Server. I always disable Digest-MD5.

    Yosemite & El Capitan Mail.app have the new "Automatically detect and maintain account settings" option. This will cause Mail.app to attempt Digest-MD5, and that's when you might see dovecot crashing.

    IMPORTANT: Cram-MD5 and Digest-MD5 are different. Cram works fine, Digest is the one with issues.
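
The point of the solved answer, as an added example (not code from any poster in this thread or from Apple): a Python check that reads an IMAP greeting or CAPABILITY line and reports whether a password could travel outside TLS. The sample server lines are constructed; `STARTTLS`, `LOGINDISABLED` and `AUTH=...` are standard IMAP capability tokens, and the function names are hypothetical.

```python
import re

# Mechanisms that put the reusable password itself on the wire.
CLEARTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}

def parse_capabilities(line):
    """Extract capability tokens from a greeting or an untagged CAPABILITY reply."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]+)", line, re.IGNORECASE)
    return {tok.upper() for tok in m.group(1).split()} if m else set()

def password_exposed(caps, tls_active):
    """True if the server advertises a way to send a cleartext password outside TLS."""
    if tls_active:
        return False  # PLAIN/LOGIN are wrapped by the TLS session
    # Without LOGINDISABLED the plain IMAP LOGIN command is still accepted.
    return "LOGINDISABLED" not in caps or bool(caps & CLEARTEXT_MECHS)

def audit(samples):
    """Map each listener label to 'ok' or 'EXPOSED'."""
    return {
        label: "EXPOSED" if password_exposed(parse_capabilities(line), tls) else "ok"
        for label, tls, line in samples
    }

# Constructed sample lines: (label, is TLS already active?, server line).
SAMPLES = [
    ("143 hardened", False,
     "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5] Dovecot ready."),
    ("143 weak", False,
     "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready."),
    ("993 implicit TLS", True,
     "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"),
]

if __name__ == "__main__":
    for label, verdict in audit(SAMPLES).items():
        print(f"{label}: {verdict}")
```

On port 993 the TLS handshake completes before the server sends any IMAP line, so every capability and the PLAIN credential are already inside the encrypted session, which is the setup described in the original question.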