On Tue, 18 Nov 2025, at 09:53, Riccardo Mottola wrote:
> so your guess is right, the system openssl has issues, the macports not.
> I think the system one doesn't like TLSv1.3 (with which OS version did
> Mac get it?) or for some other reason it is not switching by defaulting
> to a lower one.

I think Apple support TLS 1.2 and TLS 1.3 on iCloud but refuse older protocols.

This works for me:

    openssl s_client -host smtp.mail.me.com -port 587 -starttls smtp -no_tls1_3

but this fails:

    openssl s_client -host smtp.mail.me.com -port 587 -starttls smtp -no_tls1_2 -no_tls1_3

Unsure whether TLS 1.2 was implemented in OS X 10.11. Some non-authoritative posts on the web would suggest not.

You might get some more hints if you browse to the following test page using Safari.

https://browserleaks.com/tls

> as you notice I already have a newer version installed which seems to
> work. What do you suggest as stunnel? SSH proxying a port or something
> more transparent? If you have a pointer somewhere.. maybe somebody
> already attempted something similar.

I think stunnel (from MacPorts) should work.

stunnel will allow Apple Mail to talk plaintext IMAP/SMTP on one end, then it will wrap the IMAP/SMTP protocol messages up in modern crypto and talk TLS with Apple's iCloud servers. iCloud should be fine with this because stunnel can negotiate TLS 1.3.

    Apple Mail ---> stunnel ------------> iCloud
               IMAP         IMAP over TLS

(I'm not sure whether Apple Mail supports plaintext imap://. Let's hope it does.)

If you have configured an iCloud account in Apple Mail, you will need to disable that and configure a plain IMAP account in its place. (This will let you point Apple Mail at stunnel.)

You will also need to configure what Apple call an 'app-specific password' to log in using a standards-based IMAP auth flow.

https://support.apple.com/en-au/102654

Start by installing curl, curl-ca-bundle, and stunnel from MacPorts.

Here is a sample stunnel configuration. The configuration file may be written anywhere you like. You will need to tweak this sample: I tested against Fastmail, not iCloud, but the principle is the same. The stunnel manual gave me everything I needed; please read the manual.

-- 8< --
foreground = yes
output = /dev/stderr
syslog = no

[imap]
client = yes

# stunnel will listen here for connections
# point Apple Mail at this address and port
# you can pick a different port number if you like
accept = 127.0.0.1:10143

# change to iCloud endpoints
# https://support.apple.com/en-au/102525
connect = imap.fastmail.com:993
checkHost = imap.fastmail.com

# this is very important
# please read the manual :)
verifyChain = yes

# from MacPorts port curl-ca-bundle
CAfile = /opt/local/etc/openssl/cert.pem

# [smtp]
# add another service for SMTP here
# use above as guide
-- >8 --

You can test with curl before you test with Apple Mail. curl is nice because it is fast and should give clear error messages if something is wrong. Search the web for 'curl imap'.

-- 8< --
unset HISTFILE
curl -u username:password imap://127.0.0.1:10143 -X 'STATUS INBOX (MESSAGES)'
-- >8 --

Output should look like this:

    * STATUS INBOX (MESSAGES 12345)

(where the number represents a message count)

If that works, fire up Apple Mail and see whether it works in there. Repeat for SMTP.

Once everything seems to be working, arrange for stunnel to start automatically when your Mac boots. You could use launchd.

stunnel will secure your mail in transit, however I trust you are aware that an old release of Apple Mail may be more easily compromised by opening malicious e-mail content. (Everyone knows you are vulnerable now. ;)

I also have a soft spot for old Macs, so more power to you. Good luck!
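
Added example, not part of the original message: a small check that flags stunnel client services missing the certificate-verification options the sample configuration above sets (verifyChain, checkHost, CAfile). It assumes options placed before the first [section] act as defaults for every service; the [smtp] entry in the sample input is constructed for illustration.

```python
def parse(text):
    """Return (global_opts, {service: opts}); option names are lower-cased."""
    glob, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            (glob if current is None else current)[key.strip().lower()] = value.strip()
    return glob, services

def lint(text):
    """Return {service: [problems]} for every client-mode service."""
    glob, services = parse(text)
    report = {}
    for name, opts in services.items():
        eff = {**glob, **opts}  # assumption: global-section values act as defaults
        on = lambda k: eff.get(k, "no").lower() == "yes"
        if not on("client"):
            continue                             # only outbound (client) services
        problems = []
        if not (on("verifychain") or on("verifypeer")):
            problems.append("server certificate is not verified (verifyChain/verifyPeer)")
        if not on("verifypeer") and not ("checkhost" in eff or "checkip" in eff):
            problems.append("certificate name is not matched (checkHost/checkIP)")
        if not ("cafile" in eff or "capath" in eff):
            problems.append("no trust anchors configured (CAfile/CApath)")
        if problems:
            report[name] = problems
    return report

# Constructed sample: [imap] follows the message's settings, [smtp] omits them.
SAMPLE = """
[imap]
client = yes
connect = imap.fastmail.com:993
checkHost = imap.fastmail.com
verifyChain = yes
CAfile = /opt/local/etc/openssl/cert.pem
[smtp]
client = yes
connect = smtp.mail.me.com:587
"""
if __name__ == "__main__":
    print(lint(SAMPLE))
```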
