For years, emails flowed uninterrupted to and from the folks at a beloved animal service organization we work with. When the emails suddenly stopped, their employees were confronted by baffling error messages: “Cannot Verify Server Identity” and “Recipient Rejected By Server” mean little to people whose livelihoods focus on advocating and caring for animals, and the original creators of their website and email accounts were long gone. Restoring access to their own email servers became an urgent puzzle, and we set to the task at once.
With a bit of web sleuthing, we were able to find multiple reports of similar errors affecting iOS users, starting shortly after a recent software update to the operating system. Could a new version of Apple’s iOS have broken email access for our partner organization, too?
Sure enough, all of the affected personnel in their organization were using Apple devices to connect to their mail server (via POP), but the suggested remedies to the error messages we found online were varied, and few shed light on the technical specifics of the iOS update. What did Apple change that might explain the problem we were seeing?
A few reports mentioned Apple reducing its software’s tolerance for missing or broken SSL certificates, which immediately brought to mind the “Cannot Verify Server Identity” message Nexus users were seeing instead of their emails. SSL, or “Secure Sockets Layer”, is a security technology that encrypts data transmitted between a web server and a client’s device via third-party authentication, which relies on verifying the server’s identity.
Our partner’s website loaded via http:// (no SSL) by default, but we discovered it did actually have an SSL certificate; it just wasn’t fully implemented. Changing the WordPress settings to use https:// (SSL) by default didn’t solve the issue; it resulted in an insecure connection—it turned out some elements were loading internal resources insecurely, with hard-coded http:// links. This prevented the SSL certificate from properly validating the server, breaking the secure connection that underlies SSL… which we need to let upgraded iOS devices verify the identity of our partner’s web servers.
Inspecting the source code of the WordPress templates upon which the site is built revealed several sections modified with HTML tags linking to images hosted internally via http://, preventing successful SSL encryption. These images were added with a drag-and-drop layout editor plugin that appeared not to update links when global settings change (like the sitewide default HTTP protocol we updated above). Updating these image links to use https:// ensured that visitors to their site could effectively verify the server’s identity for SSL.
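As an added example (not code from the original post), here is a small Python scanner for the problem described above: it walks template markup and reports every subresource still fetched over http://, suggesting an https:// rewrite only for the site's own host. It goes slightly beyond images to cover srcset, inline CSS and scripts; the function names, the host example.org and the sample markup are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a subresource. <a href> is left out:
# following a link is navigation, not mixed content.
SUBRESOURCE_ATTRS = {"img": ("src", "srcset"), "source": ("src", "srcset"),
                     "script": ("src",), "iframe": ("src",), "video": ("src", "poster")}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line, tag, attribute, url, https_rewrite_or_None)

    def _check(self, tag, attr, url):
        url = url.strip()
        if urlsplit(url).scheme != "http":
            return
        # Third-party hosts get no rewrite: confirm they serve HTTPS first.
        internal = urlsplit(url).hostname == self.site_host
        fix = "https://" + url[len("http://"):] if internal else None
        self.findings.append((self.getpos()[0], tag, attr, url, fix))

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v}
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name, "")
            # srcset is a comma-separated list of "URL descriptor" pairs.
            urls = [c.split()[0] for c in value.split(",") if c.strip()] \
                if name == "srcset" else [value]
            for url in urls:
                self._check(tag, name, url)
        for url in CSS_URL.findall(attrs.get("style", "")):
            self._check(tag, "style", url)

def find_mixed_content(html, site_host):
    finder = MixedContentFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed template fragment; example.org stands in for the site's host.
SAMPLE = """<img src="http://example.org/wp-content/uploads/dog.jpg" alt="">
<img src="https://example.org/wp-content/uploads/cat.jpg"
     srcset="http://example.org/wp-content/uploads/cat-2x.jpg 2x">
<a href="http://example.org/adopt/">Adopt</a>
<div style="background:url('http://example.org/wp-content/uploads/bg.png')"></div>
<script src="http://cdn.example.net/widget.js"></script>"""
```

Calling `find_mixed_content(SAMPLE, "example.org")` returns four findings: three internal resources with suggested https:// rewrites and one third-party script with no rewrite, while the plain `<a>` link is ignored.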
But our partners still couldn’t send or reply to email on their iPhones—either task would fail with a new message: “Recipient Rejected By Server”. The server’s identity could now be verified, but it didn’t accept any recipients from the client devices. The final piece of the puzzle was making sure the affected users could properly configure their devices to use the newly fixed SSL. We directed them to update their mail app settings to use an https:// URL to connect to the organization’s incoming and outgoing mail servers securely, and voilà! Our partner’s basic digital communications mechanism was back in action.