Apple's Logjam
July 13th 2015
The recent Apple updates of Yosemite (10.10.4) and iOS have caused a lot of frustration for a number of system administrators around the world. In response to yet another security threat, referred to as LogJam, that could affect any or all of us, Apple decided to take a hard line and require that connections using SSL encryption use 2048-bit encryption keys. Most companies, including SilverServers, began using and selling SSL certificates based on 2048-bit keys years ago; however, some of the underlying server technologies may not have been reconfigured to force connections to use these higher-strength keys.
Effects on Email Services for Apple Users
Sometimes the best intentions can still produce harm. Apple's security update is intended to help protect their users from being vulnerable to LogJam. While this makes sense from a security standpoint, a lot of users were unexpectedly left without the ability to send and/or receive email once the update was rolled out. Email providers that have been around for a long time are constantly trying to handle the wants and needs of clients with the latest technologies as well as clients using older software and equipment that may not support the latest changes. This balancing act can make it difficult to keep all clients happy. At SilverServers we've upgraded our many email servers so that all POP3 and IMAP email services require SSL. For some clients this was a difficult upgrade, as they used old email clients that didn't support SSL or had problems finding out how to reconfigure their email settings to use encryption. We've also made it mandatory that clients use an authenticated and encrypted connection to send outgoing email.
The latest Apple update showed that, while most of the technologies we use were fine with the new SSL encryption requirements, the outgoing SMTP server (Sendmail) was not set up to use the same level of encryption as the incoming POP3 and IMAP servers. What we quickly discovered was that clients using Apple products could receive email normally but could not send outgoing mail. The odd part of this discovery is that Apple allowed either no encryption (completely insecure) or high encryption (the new requirement), and nothing in between. For companies that don't force their users to use encryption and were not able to meet the new requirements, this meant their Apple users were forced to have no security at all rather than a small risk of a LogJam issue. Since our servers require that all users' sending and receiving connections be encrypted, our Apple users were not able to send mail at all.
Searching the internet, we discovered that many other systems administrators using Sendmail and various other systems were experiencing the same problems. Whenever something like this happens, it can take a while for information on how to resolve the issue to circulate. Systems administrators need to find out what steps are required and find a way to test and confirm the settings are working before they can make the updates and roll them out. In our research we found a website that had been created with information on how to update Sendmail. We tested the updates and confirmed that our iMac was able to send and receive without any changes to the users' settings.
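As an added example (not code from the original post or from SilverServers), the kind of check an administrator can run before and after reconfiguring a mail server: it reports the bit length of the Diffie-Hellman parameter file a server would offer, flags anything below the 2048-bit level the post describes, and generates a replacement file. It assumes the openssl command-line tool is installed; the file paths and the hostname are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI.

MIN_BITS=2048

# Print the bit length of the prime in a PEM DH parameter file
# (parsed from the "(N bit)" header that openssl prints).
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | grep -o '[0-9][0-9]* bit' | head -n 1 | cut -d ' ' -f 1
}

# Succeed (exit 0) only if the file's DH prime is at least MIN_BITS bits.
dh_strong_enough() {
    bits=$(dh_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

# Generate a fresh DH parameter file of the given size.
# -dsaparam makes generation fast for a demo; omit it in production so
# openssl generates safe primes (which takes minutes at 2048 bits).
make_dhparam() {
    openssl dhparam -dsaparam -out "$1" "$2" >/dev/null 2>&1
}

# Show the ephemeral key a live SMTP server negotiates during STARTTLS,
# e.g. "Server Temp Key: DH, 2048 bits". Needs network access; the
# hostname is a placeholder supplied by the caller.
smtp_temp_key() {
    openssl s_client -connect "$1:25" -starttls smtp </dev/null 2>/dev/null \
        | grep 'Server Temp Key'
}

# Demo on two constructed files in a temp dir: a 1024-bit set that an
# updated Apple client would refuse, and a 2048-bit replacement.
demo() {
    dir=$(mktemp -d)
    make_dhparam "$dir/weak.pem" 1024
    make_dhparam "$dir/strong.pem" 2048
    for f in weak strong; do
        if dh_strong_enough "$dir/$f.pem"; then
            echo "$f.pem: $(dh_bits "$dir/$f.pem") bits, OK"
        else
            echo "$f.pem: $(dh_bits "$dir/$f.pem") bits, too small"
        fi
    done
}
```

Run `demo` to see both verdicts, or point `smtp_temp_key mail.example.com` at your own server to confirm what it actually negotiates after the Sendmail change.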
Do Not Update to the Newest iOS
It is certainly good that Apple is taking security considerations seriously. Unfortunately, it seems that Apple underestimated the number of users who currently trust their device for encrypted POP email communications compared to the install rate of 2048-bit SSL certificates and high security requirements. The sheer volume of users who suddenly cannot send email properly from their device has led Apple to suggest that users "do not update their devices to the newest iOS" so that their encrypted email continues working, rather than upgrading and turning off encryption entirely (the only other solution for most users).
With the newest updates of iOS, users can no longer manually configure encryption and authentication settings before adding an email account. If an email account is added and fails to verify (because the user could not adjust the settings beforehand), there is no way to edit the settings afterwards, as the mail account is not created. Many small businesses and hosting providers have custom requirements for encryption and server port settings; Apple can no longer support adding these accounts properly and easily, as it has taken the keys further out of users' hands.
Ironically, trying to prevent LogJam from being a security concern had created a log jam of users' mailboxes.
SilverServers offers POP3, IMAP and Zimbra email accounts that support 2048-bit encryption for all your business email needs.
Update: Our email services have changed slightly since 2015. Check out our Email Services page for current information!