Configuring SSL/TLS for email communication for the Mail app with macOS Big Sur/macOS 11 and Symantec Encryption Desktop 10.5 MP1


Article ID: 207391


Products

Desktop Email Encryption, Powered by PGP Technology
Drive Encryption Powered by PGP Technology
Encryption Desktop Corporate Powered by PGP Technology
Encryption Desktop Powered by PGP Technology
Encryption Desktop Professional Powered by PGP Technology
Encryption Desktop Storage Powered by PGP Technology
Desktop Email Encryption

Issue/Introduction

Update Feb 9, 2021: macOS 11.2 (Big Sur) no longer requires this utility to disable TLS as described in this article; this information is retained for historical purposes. Symantec recommends updating macOS to version 11.2 for best results.

 

Like many mail clients, the macOS Big Sur native Mail application offers simplified account setup. As part of this, however, there is no option to disable TLS, and disabling TLS is required to use the proxy with Symantec Encryption Desktop. If the Mail app is configured to use SSL/TLS for communication, Symantec Encryption Desktop cannot encrypt or decrypt emails. To allow Symantec Encryption Desktop to secure email messages, users must disable the use of SSL/TLS for email communication on macOS computers. However, macOS Big Sur users are unable to manually disable the use of SSL/TLS from Mail > Preferences > Accounts.

Cause

If you are already using Symantec Encryption Desktop’s Email Messaging for macOS Big Sur and your email accounts are already configured, nothing needs to be done for the upgrade.

If you are installing Symantec Encryption Desktop on macOS 11.x for the first time, follow the steps below to disable SSL for configured mail accounts.

Resolution

Symantec provides a script that disables TLS in the Mail app so that Symantec Encryption Desktop can encrypt and decrypt emails automatically. The steps below describe how to use this script.

 

  1. Launch Apple’s native Mail app. You’ll get a pop-up warning about SSL traffic. Click OK.
  2. Go to the Mail top menu, select Preferences and select the mail account for which email encryption needs to be enabled. In the Server Settings tab, uncheck "Automatically manage connection settings" for both IMAP/POP and SMTP.
  3. Make note of the port numbers used for SMTP and IMAP/POP, then quit the Mail app.
  4. Open Symantec Encryption Desktop and verify the associated messaging services are using the correct ports you made note of above.
  5. Open terminal and run the following:

    /Library/Application\ Support/PGP/PGPUpdateMailAccounts

    Running the command above will ask about disabling TLS on each of the Mail accounts individually.

    Alternatively, if you have multiple mail accounts and you wish to encrypt/decrypt with all of them, you can run the following command to disable TLS for all:

    /Library/Application\ Support/PGP/PGPUpdateMailAccounts -update -noprompt


    Make sure that Terminal has Full Disk Access before running this command, as a standard user will not have permissions to do this.

  6. Open the Apple Mail app and verify server settings in preferences and that TLS is now disabled.


More details about the command line tool PGPUpdateMailAccounts can be found below:


PGPUpdateMailAccounts Usage Prerequisites

Terminal must have Full Disk Access. Quit the Mail app before running the tool.


The following path is where the tool is located:

/Library/Application\ Support/PGP/PGPUpdateMailAccounts



Usage
The PGPUpdateMailAccounts tool disables security on mail accounts by disabling SSL, changing SSL ports to non-SSL ports, and allowing insecure authentication. This is needed so that the PGP proxy on the client itself can read outgoing and incoming mail. The PGP proxy on the client upgrades the connection to the mail server internally. The PGP proxy sits between the mail server and the mail client, so all communications to and from the mail server are still encrypted.


Running the tool:

PGPUpdateMailAccounts

Running the tool without any option will show a list of IMAP/POP/SMTP accounts for the user followed by an option to go through each account one by one and disable SSL.



PGPUpdateMailAccounts -help

Run with the -help option to show all available options.

 

PGPUpdateMailAccounts -list

Run with the -list option to show a list of IMAP/POP/SMTP accounts for the user.



To disable TLS for an account, run the following:

PGPUpdateMailAccounts -update

The -update option will prompt for each account. Press "y" to disable TLS for the account, or "n" to keep TLS enabled for an account you do not wish to encrypt/decrypt.



To bypass the confirmation prompt, use the -noprompt option, which disables TLS for all mail accounts without asking:

PGPUpdateMailAccounts -update -noprompt

 

To update specific accounts only, supply the -acclist option:

PGPUpdateMailAccounts -update -noprompt -acclist 41 44 40

or

PGPUpdateMailAccounts -update -acclist 41 44 40

These commands will update only the supplied accounts. Account IDs can be obtained by running the tool with the "-list" option.
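
Because the tool weakens the Mail client's settings (non-TLS ports, insecure authentication allowed), it is worth limiting it to the accounts that actually go through the PGP proxy. The wrapper below is an added example, not Symantec's code: it enforces the "quit Mail" prerequisite, validates the account IDs, and then runs -update -acclist with the prompt left on. The function names are hypothetical, and only flags documented in this article are used.

```shell
#!/bin/sh
# Added example: preflight wrapper around PGPUpdateMailAccounts (not vendor code).
# Only the flags documented in this article are used: -list, -update, -acclist.
TOOL="/Library/Application Support/PGP/PGPUpdateMailAccounts"

# Succeeds if the Mail app is still running (the tool requires it to be quit).
mail_is_running() {
    pgrep -x Mail >/dev/null 2>&1
}

# Print the arguments for an update limited to the given account IDs,
# one per line. Rejects an empty list and anything that is not a plain
# decimal ID, so a stray option such as -noprompt cannot slip in as an "ID".
build_update_args() {
    [ "$#" -gt 0 ] || { echo "no account IDs given" >&2; return 1; }
    for id in "$@"; do
        case "$id" in
            ''|*[!0-9]*) echo "invalid account ID: $id" >&2; return 1 ;;
        esac
    done
    printf '%s\n' -update -acclist "$@"
}

# Check prerequisites, show the account list, then update only the IDs given.
# -noprompt is deliberately omitted so each account is still confirmed with y/n.
update_selected_accounts() {
    [ -x "$TOOL" ] || { echo "tool not found: $TOOL" >&2; return 2; }
    if mail_is_running; then
        echo "quit Mail before running the tool" >&2; return 3
    fi
    args=$(build_update_args "$@") || return 1
    "$TOOL" -list || return 4
    # The validated IDs are digits only, so word splitting of $args is safe.
    "$TOOL" $args
}

# Usage: sh pgp-preflight.sh 41 44   (IDs taken from the -list output)
[ "$#" -eq 0 ] || update_selected_accounts "$@"
```

Terminal still needs Full Disk Access for the tool itself to succeed; the wrapper does not check that.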

 

Effect on system
This tool will attempt to change the following settings of Apple’s Mail app’s SMTP/POP/IMAP accounts without verification.

  1. Disable TLS
  2. Change port to non TLS Port
  3. Disable Automatic Setting
  4. Enable Allow Insecure Authentication

Note: The PGP proxy will upgrade the connection, so this disables TLS only for the mail client.  The proxy sits between the mailserver and the mail client and will still provide secure authentication to protect your email content.