Back to Community Threads
TLS 1.2 Security and Macintosh Mail?
Question asked by Melanie White - 6/28/2018 at 1:21 PM
Unanswered
M
Hello,
 
I'm hoping someone can help me.  We just upgraded our mail servers to only support tls 1.2 and to not support other security methods.  We also turned off the clear text password authentication and now several customers are having trouble connecting.  I've been able to get most customers on the right path but I'm stuck on a couple.
 
#1 a customer on a newer mac using mail there. They can only seem to connect without ssl enabled for incoming.  For outgoing smtp they also cant connect securely, on the server i see the following message:
 
Exception negotiating TLS session: System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
 
Usually when I've seen this error its been because of Windows 7 and by getting the customer to enable the tls 1.2 support it works. 
 
In the case of this customer their operating system is newer says it supports TLS but they are still unable to connect.  Anything different we have to do to get this working on a mac?  There doesnt seem to be a choice for TLS, you just say to use SSL and there is a checkbox for that, no choice to pick TLS or SSL connection.
 
 
Employee Replied
6/28/2018 at 3:56 PM
Employee Post
Hi Melanie.  From what I can tell, you're running SmarterMail 12.  We didn't add full support for TLS 1.2 until SmarterMail 14.
M
Melanie White Replied
6/28/2018 at 4:46 PM
True, we are using an older version. I'm able to connect via tls 1.2 though along with most of my users, just having trouble with a couple of them. So are there some missing things that might cause this problem with the older smartermail? I've upgraded my older dot net versions to support the strong ciphers etc.
John C. Reid Replied
7/5/2018 at 2:20 PM
Apple's Mail.app does not support TLSv1.2 until OS 10.12 Sierra. Yes, I know that is only one version back. So we all have to continue to run TLSv1.0 even after the PCI deadline of June 30th this year. It sucks, and it make anybody who does not have their mail server totally isolated both on the logical network and the the physical network in violation of PCI 3.1, but Apple is not the only ones at fault (as much as I wish I could point that finger.) If you turn off TLSv1.0 in your cipher suites you will find even the newer versions of Outlook also fail.
John C. Reid  / Technology Director
John@prime42.net  / (530) 691-0042
1300 West Street, Suite 206, Redding, CA 96001
echoDreamz Replied
7/5/2018 at 6:44 PM
Not only that, what about other mail servers that may not support TLS 1.2. This issue here is a nightmare.
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
SmarterMail Servers and TLS SupportSmarterMail > Installation and Configuration
Manually Securing SmarterMail Using Let's Encrypt and Certify the WebSmarterMail > Installation and Configuration
Automated SSL certificate Issues.SmarterMail > Troubleshooting
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
Trouble Connecting Apple Mail Using MAPI/EWSSmarterMail > Troubleshooting