Q: iOS 9: Mail login for OSX server account only PLAIN?
Hi everybody,
I have upgraded my OS X Server to 10.11 El Capitan and Server 5.0.4. Also, iOS 9 has gained the convenient ability to add an OS X Server account with automatic setup for all services, so I went ahead and added my personal account on the server on my phone. Calendars, Contacts etc. are working fine, but there's a severe issue:
iOS Mail wants to authenticate to the server only through PLAIN login over TLS. When I set my Mail service authentication (Server.app -> Mail -> Authentication) to Open Directory, iOS Mail fails to connect and states “Logins are disabled on the server”. When I set authentication to “automatic” or “custom” with plaintext checked, it works just fine.
Adding an OS X server account on iOS offers no settings besides username + password. How can I convince iOS to use CRAM-MD5 or MD5-Digest authentication instead of PLAIN login? If that's not an option, how can I make sure that iOS sends no password unencrypted, i.e. before a TLS connection is established? At the moment, my router only forwards port 993 for IMAPS.
Mac mini Server (Mid 2010), Mac OS X (10.7.4)
Posted on Oct 13, 2015 12:05 AM
PLAIN text authentication inside TLS/SSL is secure.
This is the preferred mechanism for many providers.
Ex: Rackspace dropped cram-md5 not long ago, they support PLAIN over TLS/SSL.
Somewhat related note
Digest-MD5 can cause serious issues (dovecot crashes) for an OS X Server. I always disable Digest-MD5.
Yosemite & El Capitan Mail.app have the new "Automatically detect and maintain account settings" option. This will cause Mail.app to attempt Digest-MD5, and that's when you might see dovecot crashing.
IMPORTANT: Cram-MD5 and Digest-MD5 are different. Cram works fine, Digest is the one with issues.
Posted on Jan 4, 2016 6:27 AM
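A way to check the concern raised in the question, that no password travels before TLS is established, added here as an illustration and not code from either poster: it parses an IMAP greeting or CAPABILITY line and reports which password-bearing login methods the server offers at that point. The function names are hypothetical and the sample lines are constructed.

```python
import re

# Login methods that carry the password itself; only acceptable once TLS is up.
PASSWORD_BEARING_SASL = {"PLAIN", "LOGIN"}

def parse_capabilities(line):
    """Capability tokens from an IMAP greeting or an untagged CAPABILITY reply."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]+)", line, re.IGNORECASE)
    return [tok.upper() for tok in m.group(1).split()] if m else []

def audit(line, tls_active):
    """Report whether a client could send its password unencrypted at this point."""
    caps = parse_capabilities(line)
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    exposed = sorted(mechs & PASSWORD_BEARING_SASL)
    # RFC 3501: the plain LOGIN command is allowed unless LOGINDISABLED is advertised.
    if "LOGINDISABLED" not in caps:
        exposed.append("LOGIN command")
    return {
        "mechanisms": sorted(mechs),
        "starttls_offered": "STARTTLS" in caps,
        "password_bearing": exposed,
        "cleartext_password_possible": bool(exposed) and not tls_active,
    }

# Constructed sample lines (not captured from any real server).
SAMPLES = {
    "143 before STARTTLS, hardened":
        ("* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5] ready\r\n", False),
    "143 before STARTTLS, weak":
        ("* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] ready\r\n", False),
    "993 inside TLS":
        ("* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=CRAM-MD5\r\n", True),
}

if __name__ == "__main__":
    for name, (line, tls) in SAMPLES.items():
        print(name, audit(line, tls))
```

With only port 993 forwarded, as in the question, outside clients reach the server solely through the third case, where PLAIN is already inside the TLS session.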