You might be on to something. I have Private Internet Access on my MBA, and for work stuff I have FortiClient (not entirely sure how that works, as it doesn't seem to be a true VPN, it just allows me to access a work server remotely). I get the Mail issue.

My wife's absolutely identical MBA, also on Monterey, does NOT have the Mail issue. That machine has never had a VPN or anti-virus installed.

So the question is, how can I look at my packet filter firewall settings and compare it with my wife's MBA?

Edit: Actually, looking at your post above, it seems you've already tried this, and the problem persists?

I find the packet firewall hard to use. It's configured and its state is queried from the command line. You have to be root to do that. I suspect the firewall on your wife's computer is not even enabled. It would be interesting to see if yours is.

I'd start by running, on both machines,

sudo pfctl -s info

One of the lines output is prefixed with "Status". It will either show as "Enabled" or "Disabled".

I did run through the exercise of quitting PIA and disabling the firewall; it didn't fix the problem. But, these things can be finicky. I had already run Mail with the firewall enabled before I disabled it. Maybe a logout / login was required. Unfortunately, I have scripts in place that re-enable the firewall when I log in. So I have more work to do if I want to pursue this.
 
I don't think it is working as intended. The error you get in an email is:

Your network preferences prevent content from loading privately (my emphasis).

From their description which you posted:

When you receive an email in the Mail app, rather than downloading remote content when you open an email, Mail Privacy Protection downloads remote content in the background by default — regardless of how you do or don’t engage with the email.

To me, this means that remote content in an email - images, etc - should be ready to view when you look at the email, as it has been downloaded in the background by default.

Therefore it should not require you to click a "load" button with a message saying that your network preferences are preventing private loading. There's either an incorrect setting, or a bug, that is (as the error message says) preventing remote content from being loaded privately - which is what the privacy setting is supposed to do, going by the exact wording of their description.
Apparently, you have a reading comprehension problem. Apple has described exactly what has happened, I quoted it as did you, then emboldened a word yet you still don’t understand.

Apple explained it pretty well in clear, easy to comprehend English (your emphasis) shows that you don’t get it. Other than suggesting that you reread their explanation and look up any words you don’t understand, I can’t help you.
 
Apparently, you have a reading comprehension problem. Apple has described exactly what has happened, I quoted it as did you, then emboldened a word yet you still don’t understand.

Apple explained it pretty well in clear, easy to comprehend English (your emphasis) shows that you don’t get it. Other than suggesting that you reread their explanation and look up any words you don’t understand, I can’t help you.
You're the odd one out in this thread, mate. I love how you don't seem to be reading any other posts here. Including @SW3029's reply to you.
 
I had parental controls set at a network (ISP) level, so all connected devices were affected. Certain iCloud domains are now blocked by default in parental controls as enabling Private Relay (Beta), another privacy service from Apple, would enable a user to bypass parental controls.

I fixed the issue by adding the relevant iCloud subdomains to my domain exemptions.
 
I had parental controls set at a network (ISP) level, so all connected devices were affected. Certain iCloud domains are now blocked by default in parental controls as enabling Private Relay (Beta), another privacy service from Apple, would enable a user to bypass parental controls.

I fixed the issue by adding the relevant iCloud subdomains to my domain exemptions.

I had queried about VPN and anti-virus. Add to that DNS manipulation or blocking.

I think I understand why DNS changes would cause things to fail. I am surprised that the parental controls design doesn't cater for that. I started writing down my speculation for how the whole relay thing works, which led me to believe that a failure to cater for parental controls is a bug. But, my speculation wouldn't add much to the discussion.

I definitely don't think that problems with non-Apple DNS manipulation are an Apple bug.
 
Apparently, you have a reading comprehension problem. Apple has described exactly what has happened, I quoted it as did you, then emboldened a word yet you still don’t understand.

Apple explained it pretty well in clear, easy to comprehend English (your emphasis) shows that you don’t get it. Other than suggesting that you reread their explanation and look up any words you don’t understand, I can’t help you.

I read Aggedor's post carefully and his analysis seems accurate to me.
 
I had queried about VPN and anti-virus. Add to that DNS manipulation or blocking.

I think I understand why DNS changes would cause things to fail. I am surprised that the parental controls design doesn't cater for that. I started writing down my speculation for how the whole relay thing works, which led me to believe that a failure to cater for parental controls is a bug. But, my speculation wouldn't add much to the discussion.

I definitely don't think that problems with non-Apple DNS manipulation are an Apple bug.
As far as the parental controls/network blocking goes, it's almost certainly by design. Effectively these new features bypass network blocking by routing DNS and traffic over Apple's partner networks, thus rendering any network blocking ineffective. So the only way to prevent that is to block Apple's service from establishing a connection in the first place.
 
As far as the parental controls/network blocking goes, it's almost certainly by design. Effectively these new features bypass network blocking by routing DNS and traffic over Apple's partner networks, thus rendering any network blocking ineffective. So the only way to prevent that is to block Apple's service from establishing a connection in the first place.

I'm not convinced.

I have a mental model of the relay which could be wrong.
  1. An email references xyz.com
  2. Apple resolves the name to an IP address using its own name servers. The name resolves to an Apple relay.
  3. Apple sends the request to the Apple relay which forwards the request to the real IP address of xyz.com
I would have thought parental controls would be applied at step 1 and it would apply to the name xyz.com. It seems strange that Apple applies parental controls when accessing its own name server or relay.

Actually I have no experience with parental controls, but I'm always ready to learn. I don't even know how to set them up.
 
I'd start by running, on both machines,

sudo pfctl -s info

One of the lines output is prefixed with "Status". It will either show as "Enabled" or "Disabled".

I'm not Aggedor, but thanks for the pointer! I discovered that pf was enabled on my Mac, and subsequently that macOS Server includes an adaptive firewall that uses it.

After I'd followed Apple's instructions for removing Server.app and rebooted the machine, the Mail app rediscovered how to download images.

Now I need to figure out how to disable Private Relay. I enabled it while I was trying to get the Mail app to download images, but now it re-enables itself every time I try to disable it. Oh well.
 
I just received a message that Private Relay is temporarily down due to a technical issue, although at the moment, it's not showing on the Apple System Status site.

I'm able to turn off and on Private Relay and it stays on or off. I haven't seen it automatically re-enable itself unless I've had it enabled and the service went down. In that event it re-enables itself when the service is restored.

 
I'm not Aggedor, but thanks for the pointer! I discovered that pf was enabled on my Mac, and subsequently that macOS Server includes an adaptive firewall that uses it.

After I'd followed Apple's instructions for removing Server.app and rebooted the machine, the Mail app rediscovered how to download images.

That's great news and useful information.

Now I need to figure out how to disable Private Relay. I enabled it while I was trying to get the Mail app to download images, but now it re-enables itself every time I try to disable it. Oh well.

That's not great news, but par for the course with Apple.
 
That's not great news, but par for the course with Apple.

Never mind, I worked it out: unticking the "Private Relay (Beta)" box on the Apple ID page didn't take, but it stayed off after I clicked the off button in the Private Relay options.
 
Apparently, you have a reading comprehension problem. Apple has described exactly what has happened, I quoted it as did you, then emboldened a word yet you still don’t understand.

Apple explained it pretty well in clear, easy to comprehend English (your emphasis) shows that you don’t get it. Other than suggesting that you reread their explanation and look up any words you don’t understand, I can’t help you.
Perhaps you can take a look at others who have posted about the settings NOT causing problems on iOS devices, and some other Macs. If this crippled way of working was 'correct', then it would be correct across all devices, not just a subset of Mac Monterey devices.
 
I had the same issue, that just started happening a little while ago (within the hour). But now it seems to be working correctly again, without any changes on my part. Strange.

Oh - I see on the Apple System Status Page that it was resolved about 15 minutes ago...

iCloud Private Relay - Resolved Issue

Today, 1:40 PM - 9:14 PM

Some users were affected

Users may have been unable to use this service.

Thanks for your post on the Apple System Status Page, WildSky
 
I have had this same issue in the Mail app, since upgrading to Monterey. I fixed it by going into Mail/Preferences and Privacy and disabling all tick boxes. Restarting the Mail app fixed it.
Worked like a charm! Thank you!
 
I'm not convinced.

I have a mental model of the relay which could be wrong.
  1. An email references xyz.com
  2. Apple resolves the name to an IP address using its own name servers. The name resolves to an Apple relay.
  3. Apple sends the request to the Apple relay which forwards the request to the real IP address of xyz.com
I would have thought parental controls would be applied at step 1 and it would apply to the name xyz.com. It seems strange that Apple applies parental controls when accessing its own name server or relay.

Actually I have no experience with parental controls, but I'm always ready to learn. I don't even know how to set them up.
Apple doesn't apply the parental controls. Rather the parental controls prevent step 2 i.e. the connection to the Apple relay (as the Apple relay in effect allows bypassing of all rules set at network level).
 
Apple doesn't apply the parental controls. Rather the parental controls prevent step 2 i.e. the connection to the Apple relay (as the Apple relay in effect allows bypassing of all rules set at network level).

I find that surprising. I think I agree with your analysis, but not your conclusion that it's not a bug.

You had some iCloud domains blocked. By unblocking them you got the error to go away. Your analysis, that the blocking occurred at step 2, says that the iCloud domains blocking prevented mail from reaching the Apple name server and Apple relay. You feel that if Apple had allowed access to the relay, that would have opened the door for everything the relay sends through. In my opinion that's a bug, or at least a serious design flaw.

I've designed and set up many firewalls in my 30 years in tech. It has always been the ultimate destination that is considered by the rules, not the various intermediate proxies that transfer the traffic. The decision to allow the traffic takes place before address translation. In the language of the current problem, the relay functionality should execute after parental controls have allowed or blocked the traffic. You are saying that instead the relay functionality is executed before parental controls are applied.

I can't imagine myself sitting in a room with other architects (being fully aware of parental control requirements and private relay requirements) and concluding, as a group, that it's OK to allow parental controls to influence operating system level functionality. It's almost as if we all said "heck, it's OK to do it that way because no one would ever block Apple domains".

Anyway, it's all guesswork on my part. You had the problem and you found a solution. And, I think your analysis is likely correct.
 
This article should help. Apple is giving final control of the feature to the network layer. See under the audit section:

Thanks for that. It's very interesting.

Here's what we probably have in the network layer:

relay -> parental controls -> enterprise rules

I would have wanted:

parental controls -> relay -> enterprise rules

I guess something Apple might have done in the past, and maybe for some good reason, was to tie parental controls to a point very far along in the processing, such that the relay functionality couldn't be inserted after it. So it would be easy to argue that the relay functionality didn't introduce a bug, but the parental controls design had introduced some inflexibility for this future requirement.
 
I had this same issue. Monterey on my MBP, Protect Mail Activity and iCloud Relay enabled, but the message about network preferences preventing content from loading properly.
I did have PIA app installed, but it was not being used / was not running. I uninstalled the PIA app completely using instructions from here: https://www.privateinternetaccess.c...installing-the-pia-app-using-the-mac-terminal
then after reboot images loaded in Mail as expected with both protections still enabled. I don't use PIA anymore, so I am happy with this solution for now.

Hope this helps others out there with the same problem
 
I had this same issue. Monterey on my MBP, Protect Mail Activity and iCloud Relay enabled, but the message about network preferences preventing content from loading properly.
I did have PIA app installed, but it was not being used / was not running. I uninstalled the PIA app completely using instructions from here: https://www.privateinternetaccess.c...installing-the-pia-app-using-the-mac-terminal
then after reboot images loaded in Mail as expected with both protections still enabled. I don't use PIA anymore, so I am happy with this solution for now.

Hope this helps others out there with the same problem
I'd say that's exactly what my issue is, given my MBA with PIA has the issue and my wife's MBA which has never had PIA installed does not. Unfortunately, I do use PIA a lot, so I'll have to just disable the Mail privacy settings. Bit of a shame, that was a selling point of Monterey for me.
 
I had never even heard of PIA ... I tried deleting any ad blocker I had, tested and nothing is different.
I really wonder why there is no problem on iPhone and iPad, only on my MBA with Monterey??
 
The issue is the ability to reach Apple's, currently two, Mail.app proxy servers for loading remote content (specifically images and tracking pixels) when the setting "Protect Mail Activity" is enabled in Mail.app.

The way it appears to work is that if you have the setting enabled (which is the default) all images (and potentially other content) in an email will be loaded from Apple's servers and not the sender's requested host. This means the sender of the email will see ALL of the user's activity coming from Apple's proxy servers and NOT your machine.

The servers in question are:
mask.icloud.com
mask-h2.icloud.com

Because this is a proxy server, if you have the setting enabled, and Mail.app cannot resolve the DNS address of the servers in question OR cannot reach those IP addresses after DNS resolution, then it will display the message in question and give you the ability to work around the issue by clicking the button (and loading the content un-masked).

Unfortunately, that means there are a number of things that could be preventing you from resolving those servers and/or connecting to them:
* Ad blockers may have those two servers listed as ad servers, in which case it will prevent DNS resolutions
* Pi-Hole will block DNS requests to those servers without a new configuration added to your FTL conf file
* Firewalls may block accessing those servers
* Virus protection may block DNS resolution and/or connecting to those servers as malicious proxies (they aren't)

So, you need to first verify if you can resolve the addresses. Then you have to see if you can connect to them by IP address. Private relay on or off shouldn't impact it. Hiding your IP or not shouldn't impact it.

Look for things like Ad Blockers, uBlock Origin, Firewalls, Anti-virus, DNS proxies, VPNs, etc. These are likely the issue.

I just wrote about this here if you want more details: https://robpickering.com/macos-monterey-and-mail-privacy/
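
The resolve-then-connect check described in the post above, as an added shell example that is not part of the original post: it compares the local resolver's answer for the two proxy names with a reference resolver, then tries a TCP connection to the resolved address. The reference resolver 1.1.1.1, port 443 and all function names are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example: triage for the two proxy names listed in the post above.
HOSTS="mask.icloud.com mask-h2.icloud.com"
REF_RESOLVER="1.1.1.1"   # assumption: any resolver outside your own filtering
PORT=443                 # assumption: the thread does not state the port

# classify_answer ADDR: an empty answer means NXDOMAIN or no reply; unspecified
# or loopback addresses are what DNS-based blockers commonly return.
classify_answer() {
    case "$1" in
        "")                   echo "no-answer" ;;
        0.0.0.0|::|127.*|::1) echo "sinkholed" ;;
        *)                    echo "resolved" ;;
    esac
}

# resolve_first HOST [RESOLVER]: first IPv4 address dig returns, or nothing.
resolve_first() {
    if [ -n "${2:-}" ]; then
        dig +short +time=3 +tries=1 A "$1" "@$2"
    else
        dig +short +time=3 +tries=1 A "$1"
    fi | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# can_connect IP: succeeds if a TCP connection opens within 5 seconds.
can_connect() { nc -z -w 5 "$1" "$PORT" >/dev/null 2>&1; }

# verdict LOCAL_STATE REFERENCE_STATE CONNECT(ok|fail|skipped)
verdict() {
    if [ "$1" != "resolved" ] && [ "$2" = "resolved" ]; then
        echo "dns-blocked-locally"    # the resolver this Mac uses filters the name
    elif [ "$1" != "resolved" ]; then
        echo "dns-blocked-upstream"   # reference fails too: intercepted or no network
    elif [ "$3" = "fail" ]; then
        echo "connect-blocked"        # firewall, VPN or security software
    else
        echo "reachable"
    fi
}

check_host() {
    ip=$(resolve_first "$1")
    ref=$(resolve_first "$1" "$REF_RESOLVER")
    local_state=$(classify_answer "$ip")
    conn=skipped
    if [ "$local_state" = "resolved" ]; then
        if can_connect "$ip"; then conn=ok; else conn=fail; fi
    fi
    printf '%s: local=%s reference=%s connect=%s -> %s\n' "$1" \
        "${ip:-none}" "${ref:-none}" "$conn" \
        "$(verdict "$local_state" "$(classify_answer "$ref")" "$conn")"
}

# Live run only when asked, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--live" ]; then
    for h in $HOSTS; do check_host "$h"; done
fi
```

Run it with `--live` on both the affected and the working Mac and compare the verdict printed for each name.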
 
The issue is the ability to reach Apple's, currently two, Mail.app proxy servers for loading remote content (specifically images and tracking pixels) when the setting "Protect Mail Activity" is enabled in Mail.app.

The way it appears to work is that if you have the setting enabled (which is the default) all images (and potentially other content) in an email will be loaded from Apple's servers and not the sender's requested host. This means the sender of the email will see ALL of the user's activity coming from Apple's proxy servers and NOT your machine.

The servers in question are:
mask.icloud.com
mask-h2.icloud.com

Because this is a proxy server, if you have the setting enabled, and Mail.app cannot resolve the DNS address of the servers in question OR cannot reach those IP addresses after DNS resolution, then it will display the message in question and give you the ability to work around the issue by clicking the button (and loading the content un-masked).

Unfortunately, that means there are a number of things that could be preventing you from resolving those servers and/or connecting to them:
* Ad blockers may have those two servers listed as ad servers, in which case it will prevent DNS resolutions
* Pi-Hole will block DNS requests to those servers without a new configuration added to your FTL conf file
* Firewalls may block accessing those servers
* Virus protection may block DNS resolution and/or connecting to those servers as malicious proxies (they aren't)

So, you need to first verify if you can resolve the addresses. Then you have to see if you can connect to them by IP address. Private relay on or off shouldn't impact it. Hiding your IP or not shouldn't impact it.

Look for things like Ad Blockers, uBlock Origin, Firewalls, Anti-virus, DNS proxies, VPNs, etc. These are likely the issue.

I just wrote about this here if you want more details: https://robpickering.com/macos-monterey-and-mail-privacy/
I read your article but do not understand how to do this : " The fix is straight-forward. Unblock the servers in question, or put them on a whitelist. "
 