OlaMontan

Q: Mail server in El Capitan not working from iPhone

I made a clean install of El Capitan 10.11.2 and then Server 5.0.15 on my local network. Then I started the mail server from Server to use it as my IMAP mail server.

It works just fine from all my Macs (Apple Mail or Thunderbird) and PCs (Thunderbird).

But when I try to read my e-mail from an iPhone or Android, it doesn't work. My iPhone complains that "Logins are disabled for 'xxx'", where "xxx" is one of the users that I created from Server. The mail.log file doesn't get any new entries when trying. One thing that disturbs me is that the status line in the Mail screen in Server says "Available on your local network at Server.local" instead of "Available at montan.biz" as it was in my previous installation that worked.

What can be wrong?

Mac mini, OS X El Capitan (10.11.2)

Posted on Jan 8, 2016 3:30 AM

  • by FromOZ, Jan 9, 2016 3:20 AM in response to OlaMontan (Level 3, 545 points)

    > One thing that disturbs me is that the status line in the Mail screen in Server says "Available on your local network at Server.local" instead of "Available at montan.biz" as it was in my previous installation that worked.

     

    Not of any relevance/concern, that is what Server.app 5.x reports. It is simply saying, in an unhelpful and slightly misleading way, that on the Apple local Bonjour (.local) network the mail service is available at server.local. But everywhere else Apple advises not to use the .local domain (which is not really a proper domain) for services like mail but to use a proper (ideally Internet legal) domain.

     

    > What can be wrong?

    Well that is an open-ended question to which the answer could be, potentially, "everything". Don't worry... only (half) joking.


    Seeing as you have already given away your domain name, I will refer to it. From my Mac I see:

    $ dig @dns1.name-services.com montan.biz mx

    ;; QUESTION SECTION:
    ;montan.biz. IN MX

    ;; ANSWER SECTION:
    montan.biz. 3600 IN MX 10 montan.biz.

    ;; ADDITIONAL SECTION:
    montan.biz. 92 IN A 84.219.155.117

    dns1.name-services.com being the SOA for your domain on the Internet.


    If you open a Terminal prompt from a Mac inside your network, ideally not your server, and type the following commands (one per line in Terminal), what do you get in response?

    $ dig montan.biz soa
    $ dig montan.biz ns
    $ dig montan.biz mx


  • by OlaMontan, Jan 9, 2016 3:47 AM in response to FromOZ (Level 1, 0 points)

    Thank you for trying to help. Like I said, my mail server worked in Mavericks.

     

    This is the result from the commands (from a local Mac on which mail works to the server):

     

    [Olas-MacBook-Pro:~] ola% dig montan.biz soa

    ; <<>> DiG 9.8.3-P1 <<>> montan.biz soa
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45093
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;montan.biz. IN SOA

    ;; ANSWER SECTION:
    montan.biz. 3545 IN SOA dns1.name-services.com. info.name-services.com. 1452096136 172800 900 1814400 3600

    ;; Query time: 35 msec
    ;; SERVER: 192.168.0.1#53(192.168.0.1)
    ;; WHEN: Sat Jan  9 12:44:00 2016
    ;; MSG SIZE  rcvd: 91

    [Olas-MacBook-Pro:~] ola% dig montan.biz ns

    ; <<>> DiG 9.8.3-P1 <<>> montan.biz ns
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16605
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;montan.biz. IN NS

    ;; ANSWER SECTION:
    montan.biz. 3565 IN NS dns2.name-services.com.
    montan.biz. 3565 IN NS dns4.name-services.com.
    montan.biz. 3565 IN NS dns3.name-services.com.
    montan.biz. 3565 IN NS dns1.name-services.com.
    montan.biz. 3565 IN NS dns5.name-services.com.

    ;; Query time: 38 msec
    ;; SERVER: 192.168.0.1#53(192.168.0.1)
    ;; WHEN: Sat Jan  9 12:44:05 2016
    ;; MSG SIZE  rcvd: 140

    [Olas-MacBook-Pro:~] ola% dig montan.biz mx

    ; <<>> DiG 9.8.3-P1 <<>> montan.biz mx
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57395
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;montan.biz. IN MX

    ;; ANSWER SECTION:
    montan.biz. 3566 IN MX 10 montan.biz.

    ;; Query time: 31 msec
    ;; SERVER: 192.168.0.1#53(192.168.0.1)
    ;; WHEN: Sat Jan  9 12:44:10 2016
    ;; MSG SIZE  rcvd: 44

    [Olas-MacBook-Pro:~] ola%

  • by FromOZ, Jan 9, 2016 4:36 AM in response to OlaMontan (Level 3, 545 points)

    So you definitely executed the commands from a Mac inside your LAN (local area network) that is behind some device that connects you to the Internet? The computer you executed the commands from has a private IP address (i.e. one of the private address ranges - https://en.wikipedia.org/wiki/Private_network) ?


    If so then sorry, your LAN DNS setup is not correct. If you have a Mac running Server.app then that Mac should (really/ideally) be running DNS, and all your client machines should be referring to that machine running Server.app for their DNS server. The Server.app itself should have as its DNS server 127.0.0.1, i.e. itself. That is, inside your LAN, the Server.app DNS has to be authoritative for the domain 'montan.biz'; it is not. This is called 'split horizon' DNS (https://en.wikipedia.org/wiki/Split-horizon_DNS), which is the standard way to set things up. The Server.app DNS server then, usually, uses DNS forwarders to forward DNS queries for Internet domains.


    Your queries show your client machine using 192.168.0.1 as their DNS server — is that your OS X Server machine?

     

    SERVER: 192.168.0.1#53(192.168.0.1)

     


    If you are running DNS on that machine does it have a zone for the montan.biz domain?


    If you ping 'montan.biz', which is defined as your mail server, from your client machine inside your LAN what do you get? If your internal DNS is pointing your internal clients to an external IP address for mail then that will likely be the issue for your iOS clients.


    You need to forget about Mavericks — you may, or may not, have had that setup correctly, but your current installation is not setup right, that's for sure.


    If you had your internal DNS setup correctly, assuming that 'example.com' is our domain, and 'server.example.com' is our OS X server providing both DNS and MX, and the server address is 192.168.1.20, then we would see something like this for the three commands.

     

    $ dig example.com soa

    ;; QUESTION SECTION:
    ;example.com. IN SOA
    ;; ANSWER SECTION:
    example.com. 10800 IN SOA server.example.com. admin.example.com. 2016010901 3600 900 1209600 86400
    ;; AUTHORITY SECTION:
    example.com. 10800 IN NS server.example.com.
    ;; ADDITIONAL SECTION:
    server.example.com. 10800 IN A 192.168.1.20

    $ dig example.com ns

    ;; QUESTION SECTION:
    ;example.com. IN NS
    ;; ANSWER SECTION:
    example.com. 10800 IN NS server.example.com.
    ;; ADDITIONAL SECTION:
    server.example.com. 10800 IN A 192.168.1.20

    $ dig example.com mx

    ;; QUESTION SECTION:
    ;example.com. IN MX
    ;; ANSWER SECTION:
    example.com. 10800 IN MX 10 server.example.com.
    ;; AUTHORITY SECTION:
    example.com. 10800 IN NS server.example.com.
    ;; ADDITIONAL SECTION:
    server.example.com. 10800 IN A 192.168.1.20

  • by FromOZ, Jan 9, 2016 4:56 AM in response to OlaMontan (Level 3, 545 points)

    Please also do this:


    • Run a terminal session on your server, I assume it is on machine 192.168.0.1
    • Run command $ hostname
    • Whatever hostname that command returns then run the command $ dig [the.returned.hostname]
      so, for example, $ dig server.example.com


    Post the results.

  • by OlaMontan, Jan 9, 2016 5:16 AM in response to FromOZ (Level 1, 0 points)

    The machine I entered the command from is 192.168.0.11, the server is 192.168.0.2 and the router is 192.168.0.1. The router also works as my DNS server for my local machines; the router uses 8.8.8.8 and 8.8.4.4 as DNS servers (Google's).

    If I ping montan.biz, I get the external IP address that the WAN in the router 192.168.0.1 is connected to. My domain is managed by enom.com.

    I'm not convinced that DNS is the problem. I can address my web server from my phone on montan.biz at 192.168.0.2 with no problem, both from outside and inside my local network. I can also receive e-mails from my MacBook both from inside and outside the network with address imap.montan.biz.

    To me, it looks more like an authentication problem. But I may be blind right now.

  • by OlaMontan, Jan 9, 2016 5:32 AM in response to FromOZ (Level 1, 0 points)

    [montan:~] admin% hostname
    montan.biz
    [montan:~] admin% dig montan.biz

    ; <<>> DiG 9.8.3-P1 <<>> montan.biz
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7291
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;montan.biz. IN A

    ;; ANSWER SECTION:
    montan.biz. 65 IN A 84.219.155.117

    ;; Query time: 34 msec
    ;; SERVER: 192.168.0.1#53(192.168.0.1)
    ;; WHEN: Sat Jan  9 14:32:17 2016
    ;; MSG SIZE  rcvd: 44

  • by FromOZ, Jan 9, 2016 6:20 AM in response to OlaMontan (Level 3, 545 points)

    > I'm not convinced that DNS is the problem.

    DNS is completely substantially your problem.


    Can we clarify some points - this (basically) is your internal network setup on network 192.168.0.0/24?


    [Internet] <---> [Router@192.168.0.1 / DNS]
                                 |
                                 +-------[Server@192.168.0.2 / SMTP + IMAP +??]
                                 |
                                 +-------[Client@192.168.0.11]


    • What is running on your OS X server? DHCP, Mail, etc. ?
    • Why are you not running DNS on your OS X server at 192.168.0.2?

     

    > If I ping montan.biz, I get the external IP address that the WAN in the router 192.168.0.1 is connected to.

    While on the internal LAN you should be getting/using the internal server address, which is 192.168.0.2.

     

    > I can address my web server from my phone on montan.biz at 192.168.0.2

    What do you mean 'address'? Do you mean reach, IP-wise? Well sure, because you are on the same network. But if you mean 'reach' as in referring to the server via DNS name montan.biz, then you are not going to 192.168.0.2, are you? You are going to 84.219.155.117, because that is what your internal DNS setup is (incorrectly) saying it is.

     

    > I can also receive e-mails from my MacBook both from inside and outside the network with address imap.montan.biz

    If you go outside your LAN and from a client machine ping imap.montan.biz and get 84.219.155.117 and then go inside your LAN and ping imap.montan.biz and get 84.219.155.117 then when you are inside your network (on your LAN) and going to your mail server using its DNS name imap.montan.biz then you are: 1) going out of your LAN to the Internet, 2) going back to the external network of your router, 3) going through your router into the network and 4) then going to the server. Unless your router is doing some fancy stuff. But anyway, the point is that you shouldn't need to, or be, doing it that way. Your Mac OS X server should be acting internally for DNS name resolution and pointing imap.montan.biz to 192.168.0.2.


    Read all the books about OS X Server, they will all say for a proper working of OS X Server a correct and fully functioning DNS server on the OS X Server is critical.

     

    > To me, it looks more like an authentication problem.

    Then why don't you see anything in server logs?


    Do you have an authorised digital certificate for your domain/hostname? I see you are running IMAP on port 143:

    $ telnet imap.montan.biz 143
    Trying 84.219.155.117...
    Connected to montan.biz.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED XAPPLEPUSHSERVICE] Dovecot ready.

    You realise that IMAP port 143 does not use SSL and is not encrypted therefore at risk security wise?



    This book is a good resource of information on setting up OS X Server, it's available on the Apple iBooks Store for a very reasonable price. Disclaimer: I have no affiliation to the author, and receive no benefit from sales.

    https://itunes.apple.com/nl/book/el-capitan-server/id1045748875?l=en&mt=13


    I strongly encourage you to get a copy and read the section on DNS.

     


    Another good resource, OS X Server 5.0 Essentials, will be published soon.

    http://www.amazon.com/gp/product/0134434773/ref=s9_simh_gw_g14_i1_r


  • by OlaMontan, Jan 9, 2016 7:36 AM in response to FromOZ (Level 1, 0 points)

    > Can we clarify some points - this (basically) is your internal network setup on network 192.168.0.0/24?

    Yes, that's my network

     

     

    > What is running on your OS X server? DHCP, Mail, etc. ?

    Mail, web server, filesharing, Time Machine is running on my server, DHCP is running on the router.

     

    > Why are you not running DNS on your OS X server at 192.168.0.2

    My WAN address is dynamic, and it's hard to have a working DNS server on an IP address that is changing. I use enom as my DNS server with all host entries including MX entries. Then I have a shell script that is updating the IP address on the enom DNS server when my own address is changed by my ISP.

     

    > While on internal LAN you should be getting/using the internal server address which 192.168.0.2

    I'm not too good with this, although I have a lot of computer experience. But should not the WAN address be given? My internal computer addresses montan.biz. My local computer doesn't know that address, so it asks the DNS server, my router. My router asks Google 8.8.8.8 for the address. Google has received the address of montan.biz from the DNS server that enom is using, which is the (dynamic) public IP (currently 84.219.155.117). That's why "ping montan.biz" gives 84.219.155.117. Or am I wrong?

     

    Yes, I guess that the IP packets exit my LAN and then come back in again.

     

    For now, I'm using port 143 as IMAP port. Maybe I'll change that when things start to work. Mac OS Server has created a self-signed certificate for both "Server.local" and for "montan.biz" and used "Server.local" in the config files. I tried to change that to use the montan.biz cert. My machines complain that the certificate is untrusted, and I need to allow it to be used. That can be the problem, but then, why did it work before with self-signed certs? Yes, the log files don't show anything when connecting from the phones, and that bothers me.

     

    I can't understand why it's not using SSL; I use SSL on my computers. How do I enforce SSL? I can't find any setting for that in Mac OS Server.

     

    Thanks for the advice about the books. Maybe I have to buy them, as there is not too much help either locally on the server or on the Internet concerning the Mac OS Server.

  • by OlaMontan, Jan 9, 2016 7:54 AM in response to FromOZ (Level 1, 0 points)

    By the way, I just confirmed that my server is called from my phone by checking the log file in the router:

     

    [LAN access from remote] from 94.234.170.4:59224 to 192.168.0.2:143, Saturday, January 09,2016 16:48:27

     

    94.234.170.4 is currently my phone's IP address. Then someone says "Logins are disabled for ...", but that's not logged in the mail.log file, and no calls from 94.234.170.4 are logged there either.

  • by FromOZ (Helpful), Jan 9, 2016 9:19 AM in response to OlaMontan (Level 3, 545 points)

    Look at the log — Logs > IMAP Log — you are looking at that one yes? That is where you will see all the specific activity of clients connecting to the IMAP service.


    What do you see there? When clients connect successfully and not?

  • by OlaMontan, Jan 9, 2016 8:22 AM in response to FromOZ (Level 1, 0 points)

    Nope, I'm basically a Unix geek, so I checked /var/logs/mail.log

     

    Now I'm really confused. The IMAP log says

     

    Jan 09 17:19:40 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=94.234.170.4, lip=192.168.0.2

     

    But in my phone, I do have a user name configured.

  • by FromOZ (Helpful), Jan 9, 2016 9:28 AM in response to OlaMontan (Level 3, 545 points)

    You have a very common home (small business) requirement — dynamic internet connection, external provider for DNS, home LAN, OS X Server, SMTP server for incoming email for your own domain, IMAP for client machines and various other services.


    It is all pretty standard and common stuff. Where you have got confused with respect to DNS servers is you are thinking that if you host a DNS server, an authoritative DNS server for an Internet legal domain, that it has to be on the Internet — not so.


    Read that link I sent you earlier about split-horizon DNS.


    Basically, and this is the totally standard way that this is done including up to large companies, with split-horizon DNS is like this. Assuming the following:


    • DNS domain = example.com
    • SMTP server = server.example.com
    • IMAP server = server.example.com


    You have a DNS server on the Internet owned by a company called, say, dnsservices.com. They have DNS servers ns01.dnsservices.com; ns02.dnsservices.com; ns03.dnsservices.com etc. They host the domain 'example.com' on the Internet so a search for authoritative name servers for the domain 'example.com' will list their servers. You have an account for your domain, example.com, and you edit records to point to your dynamic (home) IP address. You also have some mechanism to update those records if and when your home public dynamic IP address changes. Done.


    Now all of that infrastructure is totally separate from your internal (LAN) home network setup, where you have your own authoritative DNS server (running on OS X Server) for the same domain 'example.com'. Whereas the public Internet DNS servers might reply with the IP address of 84.219.155.117 to the query 'server.example.com' (I'll explain later why you should change to something like this), your internal LAN DNS server will respond with 192.168.0.2.


    Why is this good?


    You setup all your clients to point to the host 'server.montan.biz' for SMTP and IMAP services, when they are in your LAN they go straight to your server on your LAN IP addresses (and you can also manage them better) when they go out to the Internet they don't have to change any settings! As long as you have your public DNS records the same. So, ideally, you:


    • create an A record for server.montan.biz
    • change the MX record for SMTP from the domain name 'montan.biz' (which BTW is not good to use) to the host name server.montan.biz
    • get an official digital certificate for host 'server.montan.biz' (you can get wildcard cert. but they are more expensive and really you don't need it, your requirements are not that fancy that you need to have multiple DNS names like smtp.montan.biz and imap.montan.biz).
    • Install that digital certificate into your OS X server and it all just works.


    All this is very standard stuff, it's in the books. Buy 'El Capitan Server' from the iBook Store, it's about 15 bucks.

     

     

    > as there is not too much help either locally on the server or on the Internet concerning the Mac OS Server.

     

    Well I wouldn't call all the advice you're getting for free here too shabby!
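    Editor's added example (not code from any post in this thread): a small checker for the split-horizon point FromOZ makes in this post and in the earlier post with the example.com dig output. It takes the answer the LAN resolver gives for a host name and the answer a public resolver gives, and reports whether they fit the split-horizon pattern (private address inside, public address outside) or the situation in the thread, where the router at 192.168.0.1 forwards to Google and hands LAN clients the public address 84.219.155.117, so their IMAP traffic has to hairpin through the router. The sample rows are constructed from values quoted in the thread; `socket.gethostbyname` only asks the system's configured resolver, so per-resolver queries (what `dig @server` does) are left to dig.

```python
import ipaddress
import socket
from typing import List

# Constructed sample cases shaped like the dig output in the thread:
# (host name, answer from the LAN resolver, answer from a public resolver, LAN prefix).
# Row 1 is the thread's situation: the LAN resolver returns the WAN address.
# Row 2 is the arrangement FromOZ describes as correct (LAN answer on the LAN,
# public answer on the Internet).
SAMPLE_CASES = [
    ("montan.biz", "84.219.155.117", "84.219.155.117", "192.168.0.0/24"),
    ("server.example.com", "192.168.1.20", "84.219.155.117", "192.168.1.0/24"),
]


def check_split_horizon(name: str, lan_answer: str, public_answer: str,
                        lan_prefix: str) -> List[str]:
    """Compare the LAN resolver's view of `name` with a public resolver's view.

    Returns finding codes; ["ok"] means the two views form a proper split horizon.
    """
    lan_net = ipaddress.ip_network(lan_prefix, strict=False)
    inside = ipaddress.ip_address(lan_answer)
    outside = ipaddress.ip_address(public_answer)
    findings = []
    if inside not in lan_net:
        # LAN clients are sent to the router's WAN side and depend on NAT hairpinning.
        findings.append("lan-answer-not-on-lan")
    if outside.is_private:
        # Clients on the Internet (a phone on mobile data) cannot reach an RFC 1918 address.
        findings.append("public-answer-is-private")
    return findings or ["ok"]


def describe_path(client_ip: str, lan_answer: str, lan_prefix: str) -> str:
    """Explain where a client's connection goes given the LAN resolver's answer."""
    lan_net = ipaddress.ip_network(lan_prefix, strict=False)
    if ipaddress.ip_address(client_ip) not in lan_net:
        return "client is outside the LAN; it uses the public address as intended"
    if ipaddress.ip_address(lan_answer) in lan_net:
        return "direct: client talks to the server on the LAN"
    return "hairpin: client sends to the router's WAN address and relies on NAT loopback"


def system_resolver_answer(name: str) -> str:
    """Ask the host's configured resolver, as the thread's clients do. Needs network access."""
    return socket.gethostbyname(name)


if __name__ == "__main__":
    for name, lan_ans, pub_ans, prefix in SAMPLE_CASES:
        print(name, check_split_horizon(name, lan_ans, pub_ans, prefix))
    # The thread's client at 192.168.0.11 resolving montan.biz via the router:
    print(describe_path("192.168.0.11", "84.219.155.117", "192.168.0.0/24"))
```

    Run against real hosts, feed `check_split_horizon` the A record from `dig @<lan-dns> host` and from `dig @8.8.8.8 host`; a "lan-answer-not-on-lan" finding for the IMAP host name is exactly the condition FromOZ describes, where LAN clients only work if the router happens to support NAT loopback.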

  • by FromOZ, Jan 9, 2016 8:36 AM in response to OlaMontan (Level 3, 545 points)

    Fix your DNS, get DNS + DHCP working on your OS X server. Get all clients setup to connect — via DNS name resolved to internal IP address (see my last post) — directly to (IMAP) service running on OS X server and check again.


    Buy the book - good luck!

  • by OlaMontan (Solved answer), Jan 9, 2016 8:43 AM in response to FromOZ (Level 1, 0 points)

    ****, now I'm blushing from shame.

     

    I've solved it. Now with your help, but all your advice has made me look in the correct direction.

     

    When I tried to connect to port 143 from my phone it said "can't connect with SSL, should I try without SSL" and I said "yes". Then it can't connect as my mail server seems to require SSL for the authentication.

     

    Then I changed to SSL in my phone, but then it changed the port to 993, which was not opened in my router's firewall.

     

    I just feel like an idiot. My only excuse is that I was focusing too much on the error message.

     

    Thank you very much for all your help. It has at least given me a lot of knowledge that I can use in the future.
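    Editor's added example (not code from any post in this thread): the resolution above and the telnet banner FromOZ posted earlier fit together. The port 143 greeting advertises both STARTTLS and LOGINDISABLED, so Dovecot refuses a plaintext LOGIN until the connection is upgraded; a client that answers "try without SSL" therefore never gets to authenticate, which matches the "Aborted login (no auth attempts)" line in the IMAP log. Switching the phone to SSL moves it to implicit TLS on port 993, which then has to be open on the firewall. The block parses a capability banner (the sample is the one quoted in the thread) and maps it to what a client should do; `live_check` is the same logic against a real server using only the standard library `imaplib`.

```python
import imaplib
import ssl
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed sample: the port 143 greeting quoted in the thread, before STARTTLS.
SAMPLE_BANNER = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
    "STARTTLS LOGINDISABLED XAPPLEPUSHSERVICE] Dovecot ready."
)


def parse_capabilities(banner: str) -> Set[str]:
    """Pull the tokens out of the [CAPABILITY ...] response code in an IMAP greeting."""
    start = banner.find("[CAPABILITY ")
    if start == -1:
        return set()
    end = banner.find("]", start)
    if end == -1:
        return set()
    return set(banner[start + len("[CAPABILITY "):end].split())


@dataclass
class LoginPolicy:
    plaintext_login_allowed: bool  # False when LOGINDISABLED is advertised (RFC 3501 6.2.3)
    starttls_offered: bool         # True when STARTTLS is advertised (RFC 3501 6.2.1)
    client_action: str


def assess(caps: Set[str]) -> LoginPolicy:
    """Decide how a client should treat this port from the pre-TLS capability list."""
    plain = "LOGINDISABLED" not in caps
    tls = "STARTTLS" in caps
    if tls:
        action = "issue STARTTLS, then authenticate on the upgraded connection"
    elif plain:
        action = "do not authenticate: the password would cross the network in clear text"
    else:
        action = "no login possible on this port: use implicit TLS (port 993)"
    return LoginPolicy(plain, tls, action)


def live_check(host: str, port: int = 143) -> Tuple[Set[str], Set[str]]:
    """Read capabilities before and after STARTTLS on a real server. Needs network access.

    The first set is what `telnet host 143` shows; the second is what the client sees
    once the connection is encrypted (LOGINDISABLED is expected to disappear).
    """
    conn = imaplib.IMAP4(host, port)
    before = parse_capabilities(conn.welcome.decode(errors="replace"))
    after: Set[str] = set()
    if "STARTTLS" in before:
        conn.starttls(ssl.create_default_context())  # verifies the server certificate
        _, data = conn.capability()
        after = set(data[0].decode().split())
    conn.logout()
    return before, after


if __name__ == "__main__":
    policy = assess(parse_capabilities(SAMPLE_BANNER))
    print(policy)
```

    Note that with the banner above a client that upgrades with STARTTLS can still use port 143; the thread's phone did not, so the only working path was port 993, and that port had to be allowed through the router before the SSL setting helped.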
