I think the solution to this is to:<p>a) run your own private root CA<p>b) install the public part of the root CA on your device and trust it (basically the same as many major enterprise end users of Android and iOS devices need to do already, so this functionality is extremely unlikely to be removed from the operating system)<p>c) use the root CA to sign a cert for your mail server<p>Yes, it's a bit more hassle than just trying to tell the mail client to trust your self-signed cert that was generated on the mail server and signed by nothing, but I can understand why Apple (given the population of hundreds of millions of NON TECHNICAL end users) doesn't want people just blindly clicking through "yes/I accept/trust this server" self-signed cert warnings.
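The three steps above (private root CA, trusting only its public certificate on the device, and a CA-signed certificate for the mail server), as an added worked example using the openssl CLI. This is not code from the thread; the hostname mail.example.test, the CA name, and the file names are constructed for the example, and it assumes OpenSSL 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example: build a private root CA and a CA-signed mail server cert,
# then verify the chain the way a mail client would. All names are made up.
set -e

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for keys and certs
MAIL_HOST="mail.example.test"         # hostname clients will connect to

# a) Private root CA: a key plus a self-signed CA certificate.
#    rootCA.key stays offline; rootCA.crt is the only thing devices ever see.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Private Root CA" \
        -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.crt" 2>/dev/null
}

# c) Mail server key and CSR, then a leaf certificate signed by the root CA.
#    The SAN must carry the exact hostname the client connects to; modern
#    clients ignore the CN for hostname matching.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$MAIL_HOST" \
        -keyout "$WORK/mail.key" -out "$WORK/mail.csr" 2>/dev/null
    cat > "$WORK/mail.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$MAIL_HOST
EOF
    openssl x509 -req -in "$WORK/mail.csr" -days 398 -sha256 \
        -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" -CAcreateserial \
        -extfile "$WORK/mail.ext" -out "$WORK/mail.crt" 2>/dev/null
}

# b) What a device that trusts rootCA.crt does: build the chain to the
#    installed root and check the hostname. Exit status 0 means "trusted".
verify_chain() {
    openssl verify -CAfile "$WORK/rootCA.crt" \
        -verify_hostname "$MAIL_HOST" "$WORK/mail.crt" >/dev/null 2>&1
}

# What a device WITHOUT the root installed sees: no trust anchor, so the
# same cert fails validation (non-zero exit) instead of prompting the user.
verify_without_root() {
    openssl verify -no-CAfile -no-CApath "$WORK/mail.crt" >/dev/null 2>&1
}

# Does the leaf carry the SAN the client will match against?
has_san_for_host() {
    openssl x509 -in "$WORK/mail.crt" -noout -ext subjectAltName 2>/dev/null \
        | grep -q "DNS:$MAIL_HOST"
}

make_root_ca
make_server_cert
verify_chain && echo "chain OK with private root for $MAIL_HOST"
verify_without_root || echo "as expected: rejected without the root installed"
echo "install $WORK/rootCA.crt on the device; deploy mail.key/mail.crt on the server"
```

Only rootCA.crt goes onto the phone (via a Configuration Profile or by opening the file in Settings); on iOS a root added this way additionally has to be switched to full trust under Settings, General, About, Certificate Trust Settings before Mail will accept certificates it signed. The server gets mail.key and mail.crt, and every later server cert is issued the same way without touching the devices again.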
I wish they could break Snapchat, Facebook etc.'s self-signed certs. I own the device; why can’t I see the traffic to and from all of these apps if I add my self-signed cert and approve it for use with a MITM proxy?<p>Most apps work, but not all of them.<p>Often called certificate pinning.
I run my own CA and install it as a trusted CA via Configuration Profiles. This works fine, including iOS 17.<p>Does this break in iOS 18 or does this affect only self-signed (untrusted) certificates?
I feel like this is going to happen to the permissionless side of crypto assets just like what's happened to most of the web 1.0 stuff<p>Walled garden things will take over and something is going to happen to EOAs that makes them nerfed or rare<p>but at the same time, that might take 40 years just like these web 1.0 problems so it's fine for now
I had this issue with Let's Encrypt certificates. IMHO it's unrelated to the issue. iOS 18 Mail initially connected using TLSv1.3. After deleting and re-installing Mail, the connection falls back to TLSv1.2 and another set of ciphers. Then downloading of mails works again.<p>Using dovecot 2.3/Ubuntu on the server.
I think I've seen this before, in previous versions of iOS. You used to be able to just force a trust, but it would ask you again sometimes. I ended up just using Let's Encrypt certs, the one I use on the main website. Then I have a hook that also copies it to mailu.
Tangent, but you can’t send mail on iOS with an IDN because “the sender address was invalid”, despite it working in macOS. I’ve read this is caused by a broken regex check. If any Apple employees are reading, please take a look.
I use letsencrypt for my mail server and I have done so for years, but iOS 18 appears to have broken my configuration which has worked perfectly for as long as I can remember. I believe my certificates were all set up correctly because it never gave me a problem up until now and never asked for authorisation of any kind. At this stage MacOSX works just fine, but iOS 18 and iPadOS 18 just do nothing.
It's 2024, PKI best practices are well known and well documented, anybody still using self-signed certs on their mail server (or anywhere) is either lazy or stupid.<p>Plenty of existing applications will refuse to connect to a self-signed certificate on the belief that allowing the end-user to confirm a certificate offers basically 0 protection against malicious actors.
And the Apple fanboys are loose again...<p>Regardless of what your opinion on PKI and self-signed certificates is, shouldn't we at least be bothered by the fact that Apple just switched off this feature without any communication whatsoever? The community was literally in the dark about whether this is an official policy change or a bug.<p>Google, in situations like this, at least made some corpospeak press release officially "sunsetting" the feature and provided an official deprecation timeline so users have time to adapt.<p>Apple is apparently just leaving their users stranded and unable to access their email.
<a href="https://developer.apple.com/forums/thread/732409" rel="nofollow">https://developer.apple.com/forums/thread/732409</a> (fixed url)<p>Seems like the issue is specifically with IMAP. I can confirm that calendar syncing works fine with the self-signed cert.<p>This is really disappointing.
So in summary: iOS used to accept untrusted certificates, yikes! Now, it validates the server cert, and people are upset? This blatantly insecure thing is broken now and the posters don't want to set it up securely?<p>It seems like these people are just struggling with how to properly set up their email server and clients when using a private CA. If you're going to use your own CA, then configure your client to trust it. The rest of us should be able to enjoy secure defaults and not have to worry about our less informed family members being tricked into bypassing basic security protections like TLS validation.