TLS 1.2 Security and Macintosh Mail?
Question asked by Melanie White - 6/28/2018 at 1:21 PM
I'm hoping someone can help me.  We just upgraded our mail servers to only support tls 1.2 and to not support other security methods.  We also turned off the clear text password authentication and now several customers are having trouble connecting.  I've been able to get most customers on the right path but I'm stuck on a couple.
#1 a customer on a newer mac using mail there. They can only seem to connect without ssl enabled for incoming.  For outgoing smtp they also cant connect securely, on the server i see the following message:
Exception negotiating TLS session: System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
Usually when I've seen this error its been because of Windows 7 and by getting the customer to enable the tls 1.2 support it works. 
In the case of this customer their operating system is newer says it supports TLS but they are still unable to connect.  Anything different we have to do to get this working on a mac?  There doesnt seem to be a choice for TLS, you just say to use SSL and there is a checkbox for that, no choice to pick TLS or SSL connection.

4 Replies

Reply to Thread
Employee Replied
Employee Post
Hi Melanie.  From what I can tell, you're running SmarterMail 12.  We didn't add full support for TLS 1.2 until SmarterMail 14.
Melanie White Replied
True, we are using an older version. I'm able to connect via tls 1.2 though along with most of my users, just having trouble with a couple of them. So are there some missing things that might cause this problem with the older smartermail? I've upgraded my older dot net versions to support the strong ciphers etc.
John Reid Replied
Apple's Mail.app does not support TLSv1.2 until OS 10.12 Sierra. Yes, I know that is only one version back. So we all have to continue to run TLSv1.0 even after the PCI deadline of June 30th this year. It sucks, and it make anybody who does not have their mail server totally isolated both on the logical network and the the physical network in violation of PCI 3.1, but Apple is not the only ones at fault (as much as I wish I could point that finger.) If you turn off TLSv1.0 in your cipher suites you will find even the newer versions of Outlook also fail.
echoDreamz Replied
Not only that, what about other mail servers that may not support TLS 1.2. This issue here is a nightmare.

Reply to Thread