On Oct 11, 2019, at 2:00 PM, Joseph Tam <jtam.home@gmail.com> wrote:
On Fri, 11 Oct 2019, @lbutlr wrote:
Oct 09 16:02:50 imap-login: Info: Aborted login (auth failed, 5 attempts in 33 secs): user=<myuser@covisp.net>, xx.xx.xx.xx, PLAIN, TLS
This turns out to have been caused by the MUA attempting to connect to port 25 (despite clearly showing port 587 in the MUA settings). Thanks to Mac/iOS account syncing, merely trying to change the port never seemed to work, but removing the account entirely and recreating it got it to connect to port 587 as configured.
Yes, MacOSX Mail.app seems to bumble around, even ignoring your port settings to find the "correct" configuration. (This happens, for example, when there is a transient network problem). You need to disable "Automatically manage connections" to stop these mail readers from wandering around and strictly use your settings.
There is no such setting in iOS or iPadOS though, and setting the explicit port for SMTP and.or IMAP advanced settings didn’t change the port it actually tried connecting go until I removed the account and re-added it.
No problems on iOS 12 or macOS 10.14 so far.
This behaviour can be exploited to grab credentials using a MITM attacks, by convincing MacOSX clients that the target server does not support SSL/TLS, then providing a cleartext listener or proxy.
I have filed a suggestion to have a setting for never connecting to a mail server without security, but nothing so far. Perhaps I should refile it as a critical security flaw?
-- We could grind our enemies into talcum powder with a sledgehammer, but gosh, we did that last night.