
Mail can't verify the identity of the server 'imap.plus.net"

gareththered
Dabbler
Posts: 16
Thanks: 14
Registered: ‎21-03-2009

Re: Mail can't verify the identity of the server 'imap.plus.net"


@Townman wrote:

@gareththered wrote:

 

Alternatively, you can (or may have to) wait for PlusNet to get their act together.


Can you please explain this statement? 


I would expect PlusNet to get their act together and install the cross-signed certificates provided by DigiCert.  What else?

The current chain, as presented by their servers, ends in the GeoTrust G5 TLS RSA4096 SHA384 2022 CA1, which is not signed by any of the trust anchors in older devices.  The cross-signed certificate is the link between the above and an already installed root in those older devices.  The cross-signed certificate needs to be added to their server chain, that's all.

In PlusNet's defence they're only following the CA/B Forum policy and moving to siloed roots, but there's a way to transition smoothly, and a way to screw it up...

Let's Encrypt had egg on their face from a similar CA change a few years ago - you'd think the industry would learn by their mistakes.
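
The chain-building behaviour described in the post above, as an added example that is not part of the thread: a small model of how a client walks from the server's certificate to a root it already trusts, with and without the cross-signed certificate in the served chain. The intermediate's name is the one quoted in the post; the two root labels, the trust-store contents and all dates except the cross-signed certificate's 2031 expiry year are assumptions, and signatures are not verified.

```python
from dataclasses import dataclass
from datetime import date

# The intermediate's name is quoted from the thread; both root labels are
# placeholders, and every date is constructed except the cross-cert's 2031 year.
INTERMEDIATE = "GeoTrust G5 TLS RSA4096 SHA384 2022 CA1"
G5_ROOT = "G5 root (placeholder label)"
OLD_ROOT = "older cross-signing root (placeholder label)"

OLD_DEVICE = {OLD_ROOT}           # trust store that never received the G5 root
NEW_DEVICE = {OLD_ROOT, G5_ROOT}  # updated trust store

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

def server_chain(with_cross, leaf_expiry=date(2026, 8, 1)):
    """Certificates the server sends in the TLS handshake (constructed)."""
    chain = [
        Cert("imap.plus.net", INTERMEDIATE, leaf_expiry),
        Cert(INTERMEDIATE, G5_ROOT, date(2032, 12, 31)),
    ]
    if with_cross:
        # Same subject as the G5 root, but issued by the older root.
        chain.append(Cert(G5_ROOT, OLD_ROOT, date(2031, 1, 1)))
    return chain

def build_path(chain, trust_store, today):
    """Follow issuer links from the leaf until a trusted root is reached.

    Returns the subjects on the path plus the anchor, or None if the client
    cannot reach any root it trusts. Signatures are not checked in this model.
    """
    by_subject = {c.subject: c for c in chain[1:]}
    cert, path = chain[0], []
    while cert is not None and len(path) <= len(chain):
        if today > cert.not_after:
            return None  # expired certificate on the only available path
        path.append(cert.subject)
        if cert.issuer in trust_store:
            return path + [cert.issuer]
        cert = by_subject.get(cert.issuer)
    return None

if __name__ == "__main__":
    for name, store in (("old device", OLD_DEVICE), ("new device", NEW_DEVICE)):
        for with_cross in (False, True):
            print(name, "cross-cert sent:", with_cross, "->",
                  build_path(server_chain(with_cross), store, date(2025, 8, 13)))
```

An updated device stops at the G5 root and never uses the cross-signed certificate, so serving it changes the outcome only for devices whose trust store lacks that root.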

 

Sheryl
Newbie
Posts: 1
Registered: ‎13-08-2025

Re: Mail can't verify the identity of the server 'imap.plus.net"

Hi I’m having the same problem- mail is working fine on my iPhone but my NEWER MacBook has been saying the identity of mail.plus.net cannot be verified - the certificate for this server is invalid
Deborahs021
Newbie
Posts: 1
Registered: ‎13-08-2025

Re: Mail can't verify the identity of the server 'imap.plus.net"

I can’t send emails from either my iPhone or iPad. Get a message saying the email address isn’t recognised by the server. I have tried deleting and reinstalling. It started a month ago and I’m fed up of having to use webmail. Plus net help is non existent. 
What can I do? Just about to change email address to something more usable. 

Townman
Superuser
Posts: 28,155
Thanks: 12,571
Fixes: 236
Registered: ‎22-08-2007

Re: Mail can't verify the identity of the server 'imap.plus.net"

@gareththered 

Do you advocate lowering the security integrity to accommodate vendors who have not kept their devices updated?

The issue with that strategy is it’s a point fix for this occasion but not the next occasion / service provider who issues a security certificate to the target standard.  The right and proper solution is for platform vendors to sort out their maintenance programme.  I believe this standard has been around since 2021.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

MacOS10
Grafter
Posts: 178
Thanks: 6
Registered: ‎30-07-2007

Re: Mail can't verify the identity of the server 'imap.plus.net"

I'm getting the same message on my Macbook running macOS 10.15.7 (Catalina) and Apple Mail client.


I'm not currently seeing the same message on my iPad, running iOS 18.6 (up-to-date). 

 

The Mac was running fine last week, it's only just started since Monday this week, same as others have reported.

Any ideas?

gareththered
Dabbler
Posts: 16
Thanks: 14
Registered: ‎21-03-2009

Re: Mail can't verify the identity of the server 'imap.plus.net"

I advocate a controlled transition to newer standards and not a knee-jerk reaction.

Single purpose root certificates were discussed around 2021 as you say, but the G5 root in question was not necessarily in all root certificate programmes at that point. That's only four years ago.  Not everyone wants (or can afford) to replace devices every two or three years, so five year old phones are still around. If that particular model was released a year or two earlier, then it could be out of vendor support by 2021 and therefore not receive the new root.

You're absolutely right that vendors should support devices for longer, but that's not going to happen realistically, without simultaneous laws or pressure by all major markets - so is unlikely in my opinion.

In that case, the only option then is to provide cross-signed certificates for older(ish) devices while consumers slowly replace their devices.  The cross-signed expires in 2031 (9 years away) which is plenty of time for the majority of consumers to replace, while the G5 root is valid until 2046.

The alternative is a screw you attitude to whoever hasn't got the latest and greatest devices, or isn't IT literate enough to install trust anchors (in this case).

RPMozley
Seasoned Pro
Posts: 1,399
Thanks: 113
Fixes: 16
Registered: ‎04-11-2011

Re: Mail can't verify the identity of the server 'imap.plus.net"

@Townman 

Top line can be ignored, it's just reporting an error because no command was entered for the server (same thing appears at the end of your email diagnostic command if you don't add user ID).

 

Interpreting the output is simple enough knowing that there will be two certificates printed out. Certificate has the structure; information - public key - cryptographic signature (used to checksum the certificate) - certificate.

That's RPM to you!!
RPMozley
Seasoned Pro
Posts: 1,399
Thanks: 113
Fixes: 16
Registered: ‎04-11-2011

Re: Mail can't verify the identity of the server 'imap.plus.net"

My take on the G5 Root certificate. See the quote from the link provided by @j123 in post #75


"However, even once the roots have been added to the trust stores, you can’t guarantee that users will immediately update their systems, browsers, or applications to the latest versions. To ensure your certificates are trusted even when the new G5 root is missing from a needed trust store, DigiCert recommends installing a DigiCert G5 cross-signed root CA certificate."

My bold added to quote.

 

I don't quite understand the point of view with regards to somehow adding this cross-signed certificate lowers or breaks security standards, unless the older root certificates have been compromised (no signs that this has happened as of yet). The newer PlusNet certificate is the main one controlling security and that does not change by adding the cross-signed G5 to it.

It is a simple choice as to whether to add said certificate or not:

  • Don't add and expect many customers complaining with lots of confusion - increased workload for phone call centre - breaks connectivity for all devices that have not received trust store updates that include the DigiCert G5 root CA.
  • Add and forget - job done.

 

I know what I would choose, path of least resistance.

That's RPM to you!!
gareththered
Dabbler
Posts: 16
Thanks: 14
Registered: ‎21-03-2009

Re: Mail can't verify the identity of the server 'imap.plus.net"

 


@MacOS10 wrote:

I'm getting the same message on my Macbook running macOS 10.15.7 (Catalina) and Apple Mail client.

 

I'm not currently seeing the same message on my iPad, running iOS 18.6 (up-to-date). 

 

The Mac was running fine last week, it's only just started since Monday this week, same as others have reported.

Any ideas?


 

You need to either add the G5 root certificate to your MacBook, or wait until PlusNet add the cross-signed certificate to their mail servers.

Weystoner1
Rising Star
Posts: 54
Thanks: 18
Fixes: 2
Registered: ‎07-07-2016

Re: Mail can't verify the identity of the server 'imap.plus.net"

Please share how you achieved this on your iphone.

I downloaded the certificate as flagged by j123 onto my iPhone.  It came up as a message in Settings somewhere (I didn't notice where, but it was obvious).  I opened this, which gave me the option to verify.  This I did, and then went to Settings/General/About/Certificate Trust Settings and enabled the new certificate.

Sorry if this seems a little vague, but I was floundering around not having a clue what I was doing.  It worked, however, and I wish you good luck in your attempt.

Dave 

Townman
Superuser
Posts: 28,155
Thanks: 12,571
Fixes: 236
Registered: ‎22-08-2007

Re: Mail can't verify the identity of the server 'imap.plus.net"

@RPMozley 

Whilst I would maintain the disposition that vendors should uphold a "gold standard" to keep their devices current in respect of security considerations (to avoid intentional obsolescence) I do recognise the pragmatism of your reflections.  That does though impose a burden on every issuer of a security certificate ... rather than the vendor fixing the issues they have created.

This matter does (now) have very senior visibility.

Thinking about this issue, now I realise that Microsoft "inflicted" this on mature Apple platforms some while ago.  My iPad mini-2 (iOS 12) stopped signing into my Microsoft email account nigh on two years ago.  Also cannot install Outlook as the OS is deemed too old.  Safari is lumpy, but Opera seems fine.  Unfortunately, otherwise serviceable hardware stops 'working' because software moved on.

This is a foretaste of things to come ... this October thousands of users with perfectly serviceable hardware running Win10 that will not support Win11 are going to be in a similar boat to this: what worked yesterday, will not work today because of 'progressive' standards.  To some extent, it is all a con to sell new hardware.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

gareththered
Dabbler
Posts: 16
Thanks: 14
Registered: ‎21-03-2009

Re: Mail can't verify the identity of the server 'imap.plus.net"


I don't quite understand the point of view with regards to somehow adding this cross-signed certificate lowers or breaks security standards...

 


I think the argument is that by adding the cross-signed certificate you're reverting to a multi-purpose root CA (the one which cross-signed), whereas by sticking to your guns and only using the chain which ends in the new G5 you're forcing the use of a single-purpose root CA.

In the big scheme of things, moving to a single-purpose root CA isn't worth getting excited about, especially in the TLS arena.  If this was a code-signing or S/MIME service you could argue the case that detaching from the TLS world is a security improvement, but I'd argue that it's less of a concern in the other direction (this one).

The security benefits of single-purpose root CAs don't justify upsetting the cart.  This should be a gradual transition in the background over years.

verdemar
Newbie
Posts: 3
Registered: ‎12-08-2025

Re: Mail can't verify the identity of the server 'imap.plus.net"

@Weystoner1
“Please share how you achieved this on your iphone.”
Many thanks for your reply, I downloaded the certificate as you informed and now I’m inundated with all the missing emails
Much appreciated
Myhom
Dabbler
Posts: 10
Registered: ‎14-08-2025

Re: Mail can't verify the identity of the server 'imap.plus.net"

I had the same issue yesterday and it's been driving me crazy. Anyway, for anyone interested, I resolved the issue by changing the IMAP port setting from 993 for incoming mail to 143 and SSL off; this is in the advanced section in settings on your iPhone. My iPad uses incoming port 110, and I have no idea why that works.

Plusnet in their infinite wisdom are changing mail provider and didn’t bother emailing people.

Anyway, rant over, hope this helps someone.

jab1
The Full Monty
Posts: 22,732
Thanks: 7,939
Fixes: 334
Registered: ‎24-02-2012

Re: Mail can't verify the identity of the server 'imap.plus.net"

@Myhom Two totally different issues there (1) The email 'trust certificate' one - the subject of this topic, and (2) the transfer of the email service to Greenby, which you will receive a notification of - roughly one month prior to it actually affecting you.

John