Apple Mail.app security advisory
The newsletter issued yesterday included an advisory on Mail.app’s insecure storage of S/MIME message drafts on the email server. The main problem is that people using S/MIME expect encryption to protect them from a snooping mail server, and the default “store drafts on mail server” option does not respect this.
At this stage Apple has not released anything to address this issue because it might require architectural changes. I understand that. However, publishing a solution to this issue does not have to consist of a patch. This is why I’m publishing the advisory and the solutions below, so that clients who are concerned about this can mitigate it.
If you would like to stick to Mail.app:
- Go to the Preferences and select the account from the accounts tab
- Select the “Mailbox behaviors” tab
- Uncheck the option “Store draft messages on the server”
Otherwise, some other email clients are not vulnerable because they encrypt draft emails before they are sent to the server.
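To check whether an account already holds server-readable drafts, the messages in the Drafts mailbox can be classified by their MIME headers. The following is an added example, not part of the original advisory: the function names and the sample messages are constructed for illustration, and it judges by headers only, without parsing the CMS structure.

```python
import email

PKCS7_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def classify(raw: bytes) -> str:
    """Return how a stored draft is protected, judged from its MIME headers."""
    msg = email.message_from_bytes(raw)
    ctype = msg.get_content_type()
    if ctype in PKCS7_TYPES:
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type in ("enveloped-data", "authenveloped-data"):
            return "encrypted"      # body is opaque to the mail server
        if smime_type == "signed-data":
            return "signed-only"    # signed, but the content is still readable
        return "unknown"            # smime-type is optional; cannot tell from headers
    if ctype == "multipart/signed":
        return "signed-only"        # clear-signed: readable text plus a signature
    return "plaintext"

def drafts_to_review(drafts):
    """List (subject, status) for every draft not confirmed as encrypted."""
    findings = []
    for raw in drafts:
        status = classify(raw)
        if status != "encrypted":
            findings.append((email.message_from_bytes(raw)["Subject"], status))
    return findings

# Constructed sample drafts (not real mail).
SAMPLE_DRAFTS = [
    b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Q3 figures\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\nDraft body in the clear.\r\n",
    b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Contract\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nQ09OU1RSVUNURUQ=\r\n",
    b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Signed note\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"\r\n'
    b"\r\n--b1\r\nContent-Type: text/plain\r\n\r\nReadable text.\r\n"
    b"--b1\r\nContent-Type: application/pkcs7-signature\r\n\r\nQ09OU1RSVUNURUQ=\r\n--b1--\r\n",
]

if __name__ == "__main__":
    for subject, status in drafts_to_review(SAMPLE_DRAFTS):
        print(f"{status:12} {subject}")
```

To run it against a real account, fetch each message in the Drafts mailbox with `imaplib` using `BODY.PEEK[]` and pass the raw bytes to `drafts_to_review`.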