Creating new Apple connection profiles with App Password broken with stronger password policies #6878

@jonprocter

Description

I've noticed an issue where creating a new Apple connection profile is broken for me when my password policy requires special characters and/or upper/lowercase characters. It doesn't create a new app password in the list, but it downloads a profile OK that fails to install. Disabling the requirement allows it to work. I was using 2025-10 initially, so updated to 10a and the problem still occurs.

Steps to reproduce:

  1. Make sure your password policy requires a special character and/or upper/lowercase characters (issue occurs with either or both ticked):
     [Image]
  2. Log into Mailcow (tried directly as the user and admin -> login as user) and create an Apple connection profile with app password (both with or without contact/calendar)
  3. The profile is downloaded, but doesn't actually work when I attempt to install:
     [Image]
  4. Refreshing the Mailcow page manually shows this error in the bottom left corner:
     [Image]
  5. Turn off the special character requirement, download again and it works and can successfully create the app password. Re-enable and it breaks again.

Logs:

Couldn't spot it in the docker logs, but found it in mailcow UI:

24/10/2025, 11:19:16	danger	9557BB	<email> user	<IP>	"password_complexity" Call ["password_check",null,null]
24/10/2025, 11:15:39	danger	2FE35D	<email>	user	<IP>	"password_complexity" Call ["password_check",null,null]
24/10/2025, 11:11:58	danger	67E289	<email>	user	<IP>	"password_complexity" Call ["password_check",null,null]
24/10/2025, 11:11:53	success	074A3B	admin	admin	<IP>	"password_policy_saved" Call ["password_complexity","edit",{"length":"10","chars":["0","1"],"special_chars":["0","1"],"lowerupper":"0","numbers":["0","1"]}]
24/10/2025, 11:10:23	success	28288C	<email>	user	<IP>	"app_passwd_added" Call ["app_passwd","add",{"app_name":"Mac","app_passwd":"*","app_passwd2":"*","active":1,"protocols":["imap_access","smtp_access"]}]
24/10/2025, 11:09:57	success	1A597E	admin	admin	<IP>	"password_policy_saved" Call ["password_complexity","edit",{"length":"10","chars":["0","1"],"special_chars":"0","lowerupper":"0","numbers":["0","1"]}]
24/10/2025, 11:09:25	danger	4255EE	admin => <email>	admin => user	<IP>	"password_complexity" Call ["password_check",null,null]

Which branch are you using?

master (stable)

Which architecture are you using?

x86_64

Operating System:

RHEL 9.6

Server/VM specifications:

8GB RAM, 4 cores

Is Apparmor, SELinux or similar active?

yes (SELinux)

Virtualization technology:

kvm

Docker version:

28.5.1

docker-compose version or docker compose version:

v2.40.1

mailcow version:

2025-10a

Reverse proxy:

none

Logs of git diff:


Logs of iptables -L -vn:

Logs of ip6tables -L -vn:

Logs of iptables -L -vn -t nat:

Logs of ip6tables -L -vn -t nat:

DNS check:

172.64.155.249
104.18.32.7
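
The failure mode reported above, as an added example that is not part of the original issue and is not mailcow's code: a machine-generated app password has to satisfy whatever complexity policy is active, and the issuing code should fail closed instead of handing out a profile whose secret was never registered. The two policy payloads are copied from the log lines in the report; the function names, the special-character set and the reading of "special" as any non-alphanumeric character are assumptions.

```python
import json
import secrets
import string

# Policy payloads copied from the UI log lines in the report above.
POLICY_OK = '{"length":"10","chars":["0","1"],"special_chars":"0","lowerupper":"0","numbers":["0","1"]}'
POLICY_FAILING = '{"length":"10","chars":["0","1"],"special_chars":["0","1"],"lowerupper":"0","numbers":["0","1"]}'

SPECIALS = "!#$%*+-=?@_"  # constructed set (assumption); avoids XML metacharacters
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS]


def parse_policy(raw_json):
    """Assumption: a ticked box is logged as ["0","1"], an unticked one as "0"."""
    raw = json.loads(raw_json)
    ticked = lambda v: "1" in (v if isinstance(v, list) else [v])
    flags = {k: ticked(v) for k, v in raw.items() if k != "length"}
    return {"length": int(raw["length"]), **flags}


def violations(password, policy):
    """Return the names of the policy rules the password does not meet."""
    tests = {
        "chars": any(c.isalpha() for c in password),
        "numbers": any(c.isdigit() for c in password),
        "special_chars": any(not c.isalnum() for c in password),
        "lowerupper": any(c.islower() for c in password)
        and any(c.isupper() for c in password),
    }
    failed = [rule for rule, ok in tests.items() if policy[rule] and not ok]
    if len(password) < policy["length"]:
        failed.append("length")
    return failed


def generate_app_password(policy, length=32):
    """One character from every class, CSPRNG fill, shuffle, then re-check."""
    length = max(length, policy["length"], len(CLASSES))
    chars = [secrets.choice(c) for c in CLASSES]
    chars += [secrets.choice("".join(CLASSES)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    password = "".join(chars)
    if violations(password, policy):  # fail closed: no profile for a rejected secret
        raise ValueError("generated secret rejected by policy")
    return password
```

An alphanumeric-only secret passes the first policy and fails the second on `special_chars`, which matches the order of the `app_passwd_added` and `password_complexity` entries in the log.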
