OS X Server and iOS 7 are surprisingly unfriendly

Actually, that’s iOS versions up to and including iOS 7.1, and OS X Server 3 (3.03 to be precise), i.e. the Mavericks release.

I have a home server, just for the family. It’s got the family mail accounts, which over the years adds up to many GB of mail. There are also iCloud accounts (and various others), but for all sorts of reasons I’m quite happy to have this email on our home server (backed up regularly and frequently by the way).

I also have a personal domain—this one as it happens, although the web host is not on the home server, it’s an external service provider that specialises in web hosting. Of course I also have another set of email addresses with them.

This all works splendidly when we are at home, but we’d also like to be able to access the home server on the go, from a laptop or a smart phone. And that’s where I run into some troubles.

I have a company provided iPhone, which is a delight to use. I can access my work email, and also my iCloud email. The obvious next step would be to add my home email (on the home server) and my email through my hosting provider.

This doesn’t work.

iOS is very particular in two respects about email.

  1. It doesn’t like using untrusted SSL certificates (and the profile installed by my company locks down this requirement).
  2. It has a restricted list of CA root certificate providers that it trusts.

OS X Server then weighs in with its own preferences, in that it really wants you to use SSL, and will refuse to allow a plaintext login (password) unless you use SSL.

These are all very worthy restrictions, but they add up to inconvenience and expense.
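To make concrete what “refuses a plaintext login unless you use SSL” looks like on the wire, here is an added example (my own code, not from this post, from Apple, or from any particular mail server). An IMAP server that wants TLS first advertises LOGINDISABLED in its CAPABILITY response and only drops that flag after STARTTLS completes (RFC 2595), so a client that never negotiates TLS is stuck. The capability lines below are constructed to show that shape; the `probe_imap_login_policy` host argument is a placeholder, and the probe uses the system trust store, which is not the list iOS consults.

```python
# Added example: read an IMAP server's CAPABILITY response and work out
# whether a plaintext LOGIN would be accepted before and after STARTTLS.
import imaplib
import ssl
from typing import Optional

# Constructed sample lines (not captured from any real server): the first is
# what a TLS-first server sends on a fresh connection, the second what the
# same server sends once STARTTLS has completed.
BEFORE_STARTTLS = "* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE STARTTLS LOGINDISABLED"
AFTER_STARTTLS = "* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN"


def parse_capabilities(line: str) -> set:
    """Turn an untagged '* CAPABILITY ...' line (or its bare body) into a set."""
    tokens = line.strip().split()
    if len(tokens) >= 2 and tokens[0] == "*" and tokens[1].upper() == "CAPABILITY":
        tokens = tokens[2:]
    return {t.upper() for t in tokens}


def login_policy(caps: set) -> dict:
    """Summarise what the server accepts at this point in the session.

    RFC 2595: LOGINDISABLED means the LOGIN command (password in the clear)
    is refused; servers that require TLS drop it only after STARTTLS.
    """
    return {
        "starttls_offered": "STARTTLS" in caps,
        "plaintext_login_allowed": "LOGINDISABLED" not in caps,
        "sasl_mechanisms": sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH=")),
    }


def tls_unlocks_password_login(before: dict, after: Optional[dict]) -> bool:
    """True when the server refuses LOGIN in the clear but accepts it over TLS."""
    if before["plaintext_login_allowed"]:
        return False  # no TLS requirement at all on this port
    return after is not None and after["plaintext_login_allowed"]


def probe_imap_login_policy(host: str, port: int = 143) -> dict:
    """Live check (network; not exercised offline): connect, read capabilities,
    negotiate STARTTLS, read them again. `host` is a placeholder argument.
    """
    conn = imaplib.IMAP4(host, port, timeout=10)
    try:
        before = login_policy(set(conn.capabilities))
        after = None
        if before["starttls_offered"]:
            # imaplib re-reads CAPABILITY after STARTTLS succeeds.
            conn.starttls(ssl.create_default_context())
            after = login_policy(set(conn.capabilities))
        return {
            "before_starttls": before,
            "after_starttls": after,
            "tls_required_for_password_login": tls_unlocks_password_login(before, after),
        }
    finally:
        conn.logout()


if __name__ == "__main__":
    before = login_policy(parse_capabilities(BEFORE_STARTTLS))
    after = login_policy(parse_capabilities(AFTER_STARTTLS))
    print("plaintext LOGIN before STARTTLS:", before["plaintext_login_allowed"])
    print("plaintext LOGIN after STARTTLS: ", after["plaintext_login_allowed"])
    print("TLS is what unlocks password login:", tls_unlocks_password_login(before, after))
```

The offline functions are enough to interpret a capability line pasted from a session log; `probe_imap_login_policy` does the same against a live host and is the quickest way to confirm that a login failure is the server’s TLS policy rather than a wrong password.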

No iOS email access to my hosted email

I can’t access my email from iOS at my hosting provider, because they use a generic SSL certificate (hostingdirect.co.nz) rather than my domain. They say on their instructions for setting up mail access:

Please note that it is currently not possible to configure custom SSL certificates for secure email connections.

Please ignore any certificate warnings you receive.

Your connection will still be encrypted to prevent eavesdropping if using SSL and STARTTLS.

No iOS email access to my home email

I can’t use plaintext authentication, even over a fully encrypted IPsec tunnel (i.e. OS X Server VPN) because OS X Server won’t let me, and I can’t use a self-signed SSL certificate because it’s not in the trusted list. I can’t even add the certificate to the trusted list via a profile because the company-imposed restrictions don’t trust my additions.

In fact, to keep iOS happy, I’m pretty much restricted to the list of Apple-blessed CA Root providers. And they want quite a lot of money, per year.

If you go to the cheap SSL providers, you’ll find that not only is CACert.org not in the (current) iOS list, neither are some of the other budget providers. The magic phrase to look for is ‘mobile support’.

Note that this means I can’t even access the home server, at home, over WiFi, from iOS, without paying fees to an organisation that assumes I’m doing e-commerce and charges accordingly.
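The two failures above (the hosting provider’s certificate carrying its own name rather than my domain, and a self-signed certificate from a CA the phone does not know) are the two checks every strict TLS client runs before it will send a password. Here is an added example, my own code rather than anything from this post or from Apple, that performs both: `hostname_matches` applies the subjectAltName/commonName rules to the dict layout Python’s `ssl` module returns, and `probe_tls` verifies a live server against the system trust store with hostname checking on. The certificate dicts are constructed samples; `hostingdirect.co.nz` is the generic name from the post, `mail.example.com` is a placeholder for a customer mail host; and a pass from the system store says nothing about the separate list iOS consults.

```python
# Added example: why a certificate issued for the hosting company's own name
# fails for a customer's domain, plus a live probe that checks a server the
# way a strict client does (trusted issuer AND matching hostname).
import socket
import ssl

# Constructed sample in the layout of ssl.SSLSocket.getpeercert(): a generic
# certificate for the provider's own name, presented to every customer.
HOSTING_CERT = {
    "subject": ((("commonName", "hostingdirect.co.nz"),),),
    "subjectAltName": (("DNS", "hostingdirect.co.nz"), ("DNS", "www.hostingdirect.co.nz")),
}
# Constructed wildcard certificate and a legacy certificate with no SAN.
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}
CN_ONLY_CERT = {"subject": ((("countryName", "NZ"),), (("commonName", "mail.example.com"),))}


def dns_names(cert: dict) -> list:
    """DNS subjectAltName entries; commonName only as a fallback for old certs."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    return names


def hostname_matches(cert: dict, hostname: str) -> bool:
    """RFC 6125-style match: exact labels, or '*' as the whole leftmost label.

    Wildcards elsewhere, partial wildcards ('ma*.example.com') and very short
    wildcard names ('*.nz') are refused, as strict clients refuse them.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in dns_names(cert):
        pattern = name.rstrip(".").split(".")
        if len(pattern) != len(host_labels):
            continue
        if any("*" in lbl for lbl in pattern[1:]):
            continue
        if "*" in pattern[0] and (pattern[0] != "*" or len(pattern) < 3):
            continue
        if all(p == "*" or p == h for p, h in zip(pattern, host_labels)):
            return True
    return False


def probe_tls(host: str, port: int = 993) -> dict:
    """Live check (network; not exercised offline) against the system store.

    create_default_context() sets CERT_REQUIRED and check_hostname=True, so a
    self-signed issuer and a name mismatch both surface as a verification
    error rather than a silent success.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "names": dns_names(cert),
                    "issuer": {k: v for rdn in cert["issuer"] for k, v in rdn},
                }
    except ssl.SSLCertVerificationError as exc:
        # verify_message names the failed check, e.g. a hostname mismatch,
        # a self-signed certificate, or an issuer the local store lacks.
        return {"ok": False, "reason": exc.verify_message}


if __name__ == "__main__":
    print("provider cert for provider host:", hostname_matches(HOSTING_CERT, "hostingdirect.co.nz"))
    print("provider cert for customer host:", hostname_matches(HOSTING_CERT, "mail.example.com"))
    print("wildcard one level deep:        ", hostname_matches(WILDCARD_CERT, "mail.example.com"))
    print("wildcard two levels deep:       ", hostname_matches(WILDCARD_CERT, "a.b.example.com"))
```

Running `probe_tls("mail.example.com")` against a real host (placeholder name) gives the reason string a strict client is acting on, which is the piece the “please ignore any certificate warnings” advice hides: the connection may well be encrypted, but the client cannot tell whether it is encrypted to the right party.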

Help!

If anyone knows a solution to this, I’d love to know, but thus far the interwebs have not been encouraging. Bearing in mind that this is a company phone, with pretty reasonable restrictions, for example:

allowUntrustedTLSPrompt (Boolean, optional)
When false, automatically rejects untrusted HTTPS certificates without prompting the user.
Availability: Available in iOS 5.0 and later.

All I want is for OS X Server and iOS to figure out that they are ‘locally’ connected (e.g. LAN or VPN) and talk accordingly.