On 15.06.25 10:40, D.M. Procida wrote:

Last night, I changed the password of an email account at https://www.openprovider.com, and after applying it in Apple Mail, Mail was no
longer able to connect to the server.

After a lot of fiddling with ports and settings in Mail, I realised it was timing out and not actually getting a response from the server:

✗ telnet mail.op-email.eu 993
Trying 34.13.213.173...
telnet: connect to address 34.13.213.173: Operation timed out
telnet: Unable to connect to remote host

If I switch to mobile data via my iPhone it works:

✗ telnet mail.op-email.eu 993
Trying 34.13.213.173...
Connected to mail.op-email.eu.
Escape character is '^]'.

I get the same results on two almost identical MacBooks here, side-by-side.

Must be a weird networking issue - the broadband provider's fault, that just coincendentally struck at the moment I was changing an email password, right?

But! On one of the MacBooks, I can reach the same server's web interface over HTTPS, at https://mail.op-email.eu, and on the other I can't - it times out trying to get a response, just like Apple Mail does (unless I switch to the mobile data network, and then it does work).

So there's definitely something different between the two networks: connections to the email server mail.op-email.eu time out in Mail, telnet etc on home broadband, but not on mobile data.

And there is definitely something different between the two Macs: one can reach https://mail.op-email.eu and one cannot.

Any idea WTF might be going on?

You think this is a Mac issue?


--
"Roma locuta, causa finita." (Augustinus)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

D.M. Procida <[email protected]> wrote:

So there's definitely something different between the two networks: connections to the email server mail.op-email.eu time out in Mail, telnet etc on home broadband, but not on mobile data.

And there is definitely something different between the two Macs: one can reach https://mail.op-email.eu and one cannot.

Any idea WTF might be going on?

Your broadband IP could have been blacklisted by the IMAP server for too
many failed login attempts. But that doesn't explain the https difference. Their setup doesn't look like it's using a CDN or anything complicated for
web. Maybe local cookies are a way to bypass the blacklist?

Theo

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 15 Jun 2025 at 09:47:50 BST, "Jörg Lorenz" <[email protected]> wrote:

So there's definitely something different between the two networks:
connections to the email server mail.op-email.eu time out in Mail, telnet etc
on home broadband, but not on mobile data.

And there is definitely something different between the two Macs: one can
reach https://mail.op-email.eu and one cannot.

Any idea WTF might be going on?

You think this is a Mac issue?

I don't know what it is.

In the case of the first difference above, I am pretty sure it's nothing to do with the Macs (I didn't mention it, but telnet from a Linux box on the same network also fails).

In the case of the second difference, there seems to be a problem localised to just one of the Macs.

Daniele

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Last night, I changed the password of an email account at https://www.openprovider.com, and after applying it in Apple Mail, Mail was no longer able to connect to the server.

After a lot of fiddling with ports and settings in Mail, I realised it was timing out and not actually getting a response from the server:

✗ telnet mail.op-email.eu 993
Trying 34.13.213.173...
telnet: connect to address 34.13.213.173: Operation timed out
telnet: Unable to connect to remote host

If I switch to mobile data via my iPhone it works:

✗ telnet mail.op-email.eu 993
Trying 34.13.213.173...
Connected to mail.op-email.eu.
Escape character is '^]'.

I get the same results on two almost identical MacBooks here, side-by-side.

Must be a weird networking issue - the broadband provider's fault, that just coincendentally struck at the moment I was changing an email password, right?

But! On one of the MacBooks, I can reach the same server's web interface over HTTPS, at https://mail.op-email.eu, and on the other I can't - it times out trying to get a response, just like Apple Mail does (unless I switch to the mobile data network, and then it does work).

So there's definitely something different between the two networks:
connections to the email server mail.op-email.eu time out in Mail, telnet etc on home broadband, but not on mobile data.

And there is definitely something different between the two Macs: one can
reach https://mail.op-email.eu and one cannot.

Any idea WTF might be going on?

Daniele

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 15 Jun 2025 at 10:01:34 BST, "Theo" <[email protected]> wrote:

D.M. Procida <[email protected]> wrote:

So there's definitely something different between the two networks:
connections to the email server mail.op-email.eu time out in Mail, telnet etc
on home broadband, but not on mobile data.

And there is definitely something different between the two Macs: one can
reach https://mail.op-email.eu and one cannot.

Any idea WTF might be going on?

Your broadband IP could have been blacklisted by the IMAP server for too
many failed login attempts. But that doesn't explain the https difference.

Some more data:

wget https://mail.op-email.eu from a Linux box on the network also timed out, so on the Mac where https://mail.op-email.eu I tried that in Chrome instead of Safari - which timed out too.

So the fact that it appears to work on that Mac could be due to some very aggressive caching, but I am really not sure of what.

For example, in Safari, I can log out and log in again, and click through various new pages on https://mail.op-email.eu.

In Chrome, I can't even get any response from it.

Their setup doesn't look like it's using a CDN or anything complicated for web. Maybe local cookies are a way to bypass the blacklist.

On that machine, it works just fine in Private browsing mode.

Daniele

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

D.M. Procida <[email protected]> wrote:

On 15 Jun 2025 at 10:01:34 BST, "Theo" <[email protected]> wrote:

D.M. Procida <[email protected]> wrote:

So there's definitely something different between the two networks:
connections to the email server mail.op-email.eu time out in Mail, telnet etc
on home broadband, but not on mobile data.

And there is definitely something different between the two Macs: one can >> reach https://mail.op-email.eu and one cannot.

Any idea WTF might be going on?

Your broadband IP could have been blacklisted by the IMAP server for too many failed login attempts. But that doesn't explain the https difference.

Some more data:

wget https://mail.op-email.eu from a Linux box on the network also timed out, so on the Mac where https://mail.op-email.eu I tried that in Chrome instead of
Safari - which timed out too.

So the fact that it appears to work on that Mac could be due to some very aggressive caching, but I am really not sure of what.

For example, in Safari, I can log out and log in again, and click through various new pages on https://mail.op-email.eu.

In Chrome, I can't even get any response from it.

It's possibly a web app like Google Docs, which are designed to stay working even if the network goes away. Obviously they can't communicate back to the mothership, but the local UI will carry on working via heavy client-side caching.

Ah yes, looks like they're using SOGo:
https://www.sogo.nu/

although I tried their demo then turned off network and things mostly
stopped working (couldn't check inbox, write a new email, etc). But perhaps op-email host their SOGo backend on a different server that's not subject to the blacklist?

On that machine, it works just fine in Private browsing mode.

Hmm, so less likely to be caching then. And cookies would require at least handling HTTPS requests. Puzzling.

Theo

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

In article <[email protected]>,
D.M. Procida <[email protected]> wrote:

For example, in Safari, I can log out and log in again, and click through >various new pages on https://mail.op-email.eu.

In Chrome, I can't even get any response from it.

You don't have any proxies configured in either browser do you?

Does traceroute get through?

Or, on the theory that it's always DNS, what happens if you use an
IP address instead of the name?

Oh, and do you have IPv6 enabled? If so, try turning it off.

-- Richard

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Theo wrote:

D.M. Procida <[email protected]> wrote:

So there's definitely something different between the two networks:
connections to the email server mail.op-email.eu time out in Mail, telnet etc
on home broadband, but not on mobile data.

And there is definitely something different between the two Macs: one can
reach https://mail.op-email.eu and one cannot.

Any idea WTF might be going on?

Your broadband IP could have been blacklisted by the IMAP server for too
many failed login attempts. But that doesn't explain the https difference. Their setup doesn't look like it's using a CDN or anything complicated for web. Maybe local cookies are a way to bypass the blacklist?

I suspect 2 problems.

Ignoring "something different between the two Macs: one can
reach https://mail.op-email.eu and one cannot." for the moment...

I suspect an IP blacklist or routing issue.

From, here:
Telnet mail.op-email.eu
Telnet 34.13.213.173
... both fail with "Could not open connection to host on port 23", but
clearly my DNS gives the same IP address that you see.

Telnet 34.13.213.173 993
... just hangs

Traceroute shows three hops through the Zen network then times out. I
have a static IP with Zen.

Who are you with for your home broadband?

I'm aware that O2 had a problem on about 4 June where they blocked some
Plusnet addresses, thereby preventing access to their network from
people trying to use WiFi calling from a Plusnet connection. It took a
few days for somebody within O2 to understand the issue, but they then corrected their firewall misconfiguration.

I've seen a similar problem where a user connects to a mobile or
satellite provider which uses CGNAT. This means that many (hundreds or thousands of) users appear to come from the same public IP address, and
it only takes one to abuse that connection for it to be blocked in a
reputation checker such as <https://check.spamhaus.org/>

So complain to <https://www.openprovider.com> but you may have to work
very hard to get anybody there to understand the issue ...


--
Graham J

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 15/06/2025 12:52, Graham J wrote:

Theo wrote:

D.M. Procida <[email protected]> wrote:

So there's definitely something different between the two networks:
connections to the email server mail.op-email.eu time out in Mail,
telnet etc
on home broadband, but not on mobile data.

And there is definitely something different between the two Macs: one
can
reach https://mail.op-email.eu and one cannot.

Any idea WTF might be going on?

Your broadband IP could have been blacklisted by the IMAP server for too
many failed login attempts. But that doesn't explain the https
difference.
Their setup doesn't look like it's using a CDN or anything complicated
for
web. Maybe local cookies are a way to bypass the blacklist?

Just adding a bit to Graham's answer...

I suspect 2 problems.

Ignoring "something different between the two Macs: one can
reach https://mail.op-email.eu and one cannot." for the moment...

The different responses from different Macs is a red-herring. Https is connecting on port 443, not 993, and any blocking rules at op-email.eu's
end could be port specific.

I suspect an IP blacklist or routing issue.

From, here:
Telnet mail.op-email.eu
Telnet 34.13.213.173
... both fail with "Could not open connection to host on port 23", but clearly my DNS gives the same IP address that you see.

Telnet 34.13.213.173 993
... just hangs

IP blacklist seems most likely because from my ISP I can connect
successfully:

$ nc -vz 34.13.213.173 993
Connection to 34.13.213.173 port 993 [tcp/imaps] succeeded!

Traceroute shows three hops through the Zen network then times out.  I
have a static IP with Zen.

Who are you with for your home broadband?

I'm aware that O2 had a problem on about 4 June where they blocked some Plusnet addresses, thereby preventing access to their network from
people trying to use WiFi calling from a Plusnet connection.  It took a
few days for somebody within O2 to understand the issue, but they then corrected their firewall misconfiguration.

I've seen a similar problem where a user connects to a mobile or
satellite provider which uses CGNAT.  This means that many (hundreds or thousands of) users appear to come from the same public IP address, and
it only takes one to abuse that connection for it to be blocked in a reputation checker such as <https://check.spamhaus.org/>

So complain to <https://www.openprovider.com> but you may have to work
very hard to get anybody there to understand the issue ...

Or maybe just use phone data (i.e. tether the Mac just for email) for a
day or two as often these blocks are often temporary.

Regards,
--
Bruce Horrocks
Hampshire, England

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 15 Jun 2025 at 11:57:08 BST, "Richard Tobin" <Richard Tobin> wrote:

In article <[email protected]>,
D.M. Procida <[email protected]> wrote:

For example, in Safari, I can log out and log in again, and click through
various new pages on https://mail.op-email.eu.

In Chrome, I can't even get any response from it.

You don't have any proxies configured in either browser do you?

No proxies anywhere.

Does traceroute get through?

No - this is from the same MacBook that *can* load it perfectly well in
Safari:

% traceroute mail.op-email.eu
traceroute to mail.op-email.eu (34.13.213.173), 64 hops max, 40 byte packets
1 skysr213.home (192.168.0.1) 76.232 ms 2.583 ms 2.530 ms
2 176.25.18.199 (176.25.18.199) 2.474 ms 2.886 ms 2.414 ms
3 * * *
4 * * *
5 2.120.11.146 (2.120.11.146) 13.533 ms
2.120.13.42 (2.120.13.42) 8.931 ms
2.120.13.46 (2.120.13.46) 9.026 ms
6 72.14.219.96 (72.14.219.96) 10.019 ms
2.127.241.181 (2.127.241.181) 8.062 ms 10.022 ms
7 * * *
8 * * *
9 * * *
10 * * * [and on it goes]

Or, on the theory that it's always DNS, what happens if you use an
IP address instead of the name?

Works where the name works, and doesn't where the name doesn't.

Oh, and do you have IPv6 enabled? If so, try turning it off.

Nice idea! Now turned off on the router, set to Link-local Only on my
MacBook's Wi-Fi settings... and it doesn't appear to make any difference.

Limit IP address tracking and Private Relay are also off.

I think that the mail server is probably running in a Docker container behind an ingress controller at 34.13.213.173. I can vaguely imagine how an ingress controller might decide to allow traffic from some devices on my LAN but not others.

But, I simply can't understand how the web-based mail client running in Safari could be able to speak to mail.op-email.eu/34.13.213.173 to get the data, when telnet can't even reach the same server.

In Safari can see the POST requests and the responses containing the actual email messages from the SOGo mail client, all made to mail.op-email.eu.

And yet in Chrome (I actually wrote Explorer, a Freudian slip) those requests also seem never to reach the server.

Daniele

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 15 Jun 2025 at 09:40:23 BST, "D.M. Procida" <[email protected]> wrote:

So there's definitely something different between the two networks: connections to the email server mail.op-email.eu time out in Mail, telnet etc on home broadband, but not on mobile data.

I am going to follow up here, because I think I have the answer now.

I can connect successfully using a mobile network or a VPN - and as a couple
of people suggested, that sounds like my home IP address has found itself on a blocklist.

And there is definitely something different between the two Macs: one can reach https://mail.op-email.eu and one cannot.

And only Safari on the other Mac could reach it, and not Chrome, or Mail, or commandline tools - which completely baffled me.

Until I realised that iCloud Private Relay was on, on the other machine -
which *only* affects Safari's traffic! And that was how https://mail.op-email.eu worked there and only there.

Thanks a lot everyone for your advice and help, I would have battered my head into the wall by now if it were not for the insights and intelligent suggestions pointing in the right directions.

Daniele

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 15 Jun 2025 at 12:52:21 BST, "Graham J" <[email protected]> wrote:

Theo wrote:

D.M. Procida <[email protected]> wrote:

So there's definitely something different between the two networks:
connections to the email server mail.op-email.eu time out in Mail, telnet etc
on home broadband, but not on mobile data.

And there is definitely something different between the two Macs: one can >>> reach https://mail.op-email.eu and one cannot.

Any idea WTF might be going on?

Your broadband IP could have been blacklisted by the IMAP server for too
many failed login attempts. But that doesn't explain the https difference. >> Their setup doesn't look like it's using a CDN or anything complicated for >> web. Maybe local cookies are a way to bypass the blacklist?

I suspect 2 problems.

Ignoring "something different between the two Macs: one can
reach https://mail.op-email.eu and one cannot." for the moment...

I suspect an IP blacklist or routing issue.

From, here:
Telnet mail.op-email.eu
Telnet 34.13.213.173
... both fail with "Could not open connection to host on port 23", but clearly my DNS gives the same IP address that you see.

Telnet 34.13.213.173 993
... just hangs

Traceroute shows three hops through the Zen network then times out. I
have a static IP with Zen.

Who are you with for your home broadband?

Mine is Sky (i.e. BT I think).

I've seen a similar problem where a user connects to a mobile or
satellite provider which uses CGNAT. This means that many (hundreds or thousands of) users appear to come from the same public IP address, and
it only takes one to abuse that connection for it to be blocked in a reputation checker such as <https://check.spamhaus.org/>

Nothing unusual for https://check.spamhaus.org/results?query=176.25.18.199.

But - I think you may be right that my IP address is the issue.

I already tried with a VPN and that made no difference, but I just did it
again with a different endpoint - and this time I was able to hit mail.op-email.eu immediately.

So complain to <https://www.openprovider.com> but you may have to work
very hard to get anybody there to understand the issue ...

Well, they are Dutch, so I have good hopes.

But I am still unable to fathom how it could be that on the other Mac, Safari can reach mail.op-email.eu while Chrome and commandline tools cannot.

Daniele

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

In article <[email protected]>,
D.M. Procida <[email protected]> wrote:

[still no success]

Try wget -d, to see if it connects at the TCP level and then fails
during the SSL handshake or anything like that.

-- Richard

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

D.M. Procida wrote:

On 15 Jun 2025 at 09:40:23 BST, "D.M. Procida" <[email protected]> wrote:

So there's definitely something different between the two networks:
connections to the email server mail.op-email.eu time out in Mail, telnet etc
on home broadband, but not on mobile data.

I am going to follow up here, because I think I have the answer now.

I can connect successfully using a mobile network or a VPN - and as a couple of people suggested, that sounds like my home IP address has found itself on a
blocklist.

And there is definitely something different between the two Macs: one can
reach https://mail.op-email.eu and one cannot.

And only Safari on the other Mac could reach it, and not Chrome, or Mail, or commandline tools - which completely baffled me.

Until I realised that iCloud Private Relay was on, on the other machine - which *only* affects Safari's traffic! And that was how https://mail.op-email.eu worked there and only there.

Thanks a lot everyone for your advice and help, I would have battered my head into the wall by now if it were not for the insights and intelligent suggestions pointing in the right directions.

I only thought later to ask whether you had inadvertently enabled a VPN
or similar. I've seen several people recently with AVG or Norton on a
PC, and the VPN gets enabled without the user being aware of it. They
then suffer strange loss of access to some sites. But in your case the
iCloud Private Relay gives access where otherwise it would fail.

Your Sky connection is probably not static, so rebooting the router
might get you a different IP. Or it might not!

--
Graham J

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Graham J <[email protected]> wrote:

Your Sky connection is probably not static, so rebooting the router
might get you a different IP. Or it might not!

I think it will, especially if you leave it off for a while.

But if the IP has become blacklisted for too many failed login attempts, I expect it to age out of the blacklist after a while - maybe a day or two.

Theo

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)