iOS 18.2 Mail push issue workaround: Is it better privacy-wise to whitelist mask.icloud.com and mask-h2.icloud.com or to put BLOCK_ICLOUD_PR=false in pihole-FTL.conf?

Ever since I updated iOS to 18.2, incoming emails would either arrive after a long delay or the Mail app would show me badges without displaying the emails in the inbox. I don't really understand the connection between Apple Relay (never had it enabled), Push and Pihole, but I found two workarounds to solve the problem.

Either you put
mask.icloud.com
mask-h2.icloud.com

on the whitelist, or you add

BLOCK_ICLOUD_PR=false to pihole-FTL.conf.

Currently, I have added both iCloud domains to the whitelist and Push is working again.

However, I am wondering which workaround is better in terms of privacy, if there is any difference at all. Either way, Apple Relay will be able to bypass Pihole, won't it?

I did the change in the FTL file since my exchange emails ceased working. I’m unsure why Apple is forcing this on users and it was frustrating attempting to debug this.

You should do neither if you want Pi-hole to keep filtering your iOS client's DNS traffic.

According to Apple, this is caused by a feature of Apple's Mail app:

When you receive an email in the Mail app or Mail on iCloud.com rather than only downloading remote content when you open an email, Protect Mail Activity downloads remote content in the background by default — regardless of whether you engage with the email. (…)
In addition, Protect Mail Activity routes all remote content downloaded by Mail through two separate relays operated by different entities.

Instead of allowing your clients to bypass Pi-hole, you could consider switching off Hide IP Address in your Apple Mail app, either via Settings > Apps > Mail > Privacy Protection, then tapping to turn off Hide IP Address on iOS, or via Mail > Settings > Privacy on macOS.

Note that this may reveal your current public IP if your mail app allows accessing external content and a mail actually contains links to such external content (like pictures) served by domains that Pi-hole wouldn't block.

Interesting information @Bucking_Horn. Unfortunately, that does not appear to be the case for my setup. I have Hide IP Address turned off already, and was experiencing the issue.

The only thing that has appeared to work is setting BLOCK_ICLOUD_PR=false. I have not tried whitelisting the above-mentioned domains.

I currently have an open case with Apple over this, and the last indication I had was they had identified an issue based on diagnostic data I provided. Supposedly, a correction will be made available. I will not hold my breath…

In looking into this earlier, people started experiencing Apple Mail app issues with the initial iOS 18. In my case, I had no issues until updating to 18.2.

Anyhow, I am going to verify by switching/removing the BLOCK_ICLOUD_PR setting, and toggling Hide IP Address to see if my experience holds.

From the docs I've linked and quoted, I'd gather that Hide IP Address is an app-specific setting, i.e. similar options would also be present for other programs like Apple's Safari browser.

Are you positive you've turned it off for Apple's Mail app?

Yes. When I read your reply to this topic, I was curious, and checked. It was turned off.

@nosugref42 This issue is not related to Pi-hole. With the release of iOS 18.2 Apple somehow broke IMAP on iOS. See here.

I'm running iOS 18.2, iPadOS 18.2 and macOS 15.2 with BLOCK_ICLOUD_PR=true. I also have Protect Mail Activity turned on and no problems. Sometimes iOS takes its sorry time to retrieve emails, but that is a Mail.app issue on iOS.

All good @stonerl, I never thought it was related to Pi-hole, and agree that it is 100% in Apple's camp. Other than recently, mail performance on my iPad has been acceptable. The last update I got from Apple regarding the issue was that their engineers are aware of the issue and investigating. Whatever that actually means…


iOS 18.2.1 was released today and it fixed my email download issues.

There were other issues with 18.2's Mail app that were also fixed.

I have also just updated to iOS 18.2.1 and removed the two domains from the whitelist to check if the issue still persists. No luck for me (even after restarting Pihole).

I also have this problem with the Mail app on iOS.

I'm currently updating to 18.2.1 and I hope this problem will go away.

Update done, but the problem still exists.
I opened the Mail app and refreshed it.

For 3 minutes there has been a message at the bottom of the screen: "Downloading 1 message".

This has been a very frustrating issue that does not seem to be fixed in 18.2.1, but from what I've read elsewhere it is in 18.3, so we've got that to look forward to.

I have had no success with Mail Privacy Protection disabled or even iCloud Private Relay switched off altogether (not just at Wi-Fi network level). So it seems there are really only 2 options:

  1. Allow Private Relay by setting BLOCK_ICLOUD_PR=false;
  2. Whitelist mask.icloud.com and mask-h2.icloud.com.

In my mind the whitelist option makes more sense at this time. It seems that outside of Mail, iOS is respecting the fact that Private Relay is disabled on the Wi-Fi network, so whitelisting simply allows Mail to function (ignoring the fact that this is technically incorrect) and all other traffic still benefits from the Pi-hole blocking.
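An added shell audit (example code, not from this thread or the Pi-hole project) that checks both knobs the posts above describe: the effective BLOCK_ICLOUD_PR value in pihole-FTL.conf, and how the Pi-hole resolver actually answers for mask.icloud.com and mask-h2.icloud.com. It assumes the default config path and uses RESOLVER as a placeholder for your Pi-hole's address; the NXDOMAIN-versus-resolved classification reflects how Pi-hole's Private Relay block works.

```shell
#!/bin/sh
# Added example, not from the thread: audit how a Pi-hole currently treats the
# two iCloud Private Relay bootstrap domains that the posts above whitelist.
# Assumes the standard pihole-FTL.conf location; RESOLVER is a placeholder for
# the Pi-hole's address. While BLOCK_ICLOUD_PR is true (Pi-hole's default),
# Pi-hole answers NXDOMAIN for these names so a device cannot bootstrap Relay.

FTL_CONF="${FTL_CONF:-/etc/pihole/pihole-FTL.conf}"
RESOLVER="${RESOLVER:-127.0.0.1}"   # placeholder: your Pi-hole IP
RELAY_DOMAINS="mask.icloud.com mask-h2.icloud.com"

# Effective BLOCK_ICLOUD_PR value in a pihole-FTL.conf: last assignment wins,
# comment lines are ignored, and an unset key means Pi-hole's default of true.
block_icloud_pr_setting() {
  val=$(grep -E '^[[:space:]]*BLOCK_ICLOUD_PR=' "$1" 2>/dev/null \
        | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'true\n'; fi
}

# Classify one dig reply: "nxdomain" is the Private Relay block, "sinkholed"
# means a gravity/blocklist hit (0.0.0.0), "resolved" means the relay domain
# is reachable (e.g. whitelisted or BLOCK_ICLOUD_PR=false).
classify_dig_output() {
  case "$1" in
    *"status: NXDOMAIN"*) echo nxdomain ;;
    *"0.0.0.0"*)          echo sinkholed ;;
    *"ANSWER SECTION"*)   echo resolved ;;
    *)                    echo unknown ;;
  esac
}

# Live audit: prints the config value and the observed answer per domain.
audit_private_relay() {
  printf 'BLOCK_ICLOUD_PR=%s (%s)\n' "$(block_icloud_pr_setting "$FTL_CONF")" "$FTL_CONF"
  for d in $RELAY_DOMAINS; do
    reply=$(dig @"$RESOLVER" "$d" A +time=2 +tries=1 2>&1 || true)
    printf '%-22s %s\n' "$d" "$(classify_dig_output "$reply")"
  done
}

# Only query when dig is installed, so the file also loads cleanly elsewhere.
if command -v dig >/dev/null 2>&1; then audit_private_relay; fi
```

Run it against the Pi-hole before and after whitelisting: with the two domains on the whitelist you should see "resolved" while BLOCK_ICLOUD_PR still reports true, which is the difference between the two workarounds.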

I've noticed that as of today, no emails are being fetched unless I open the Mail app manually.

Can anyone else on 18.2.1 confirm this?

I wonder if it's Apple's servers that are acting up or if it's my email provider.

I’ve updated my Apple devices to 18.2.1, and removed the BLOCK_ICLOUD_PR=false setting, and restarted Pi-hole DNS. The Apple mail app appears to be functioning fine again for me.

Agreed, even with all the options turned off it still fails to pick up email properly on iOS 18.2 and 18.2.1.
Strangely, it's working fine on my iPad but not on my iPhone and all settings are identical. However, I have an iPhone 16 so that might be the difference.
Whatever is happening here is definitely to do with iOS.
I have temporarily set the FTL setting to false just so I can work.
I hope Apple sorts this out as it's annoying.

Not for me. Still broken in 18.2.1.