Email Tutorials - Herong's Tutorial Examples - v1.03, by Herong Yang
SSL/TLS Connection Issue in Windows 10 Mail
This section provides a tutorial example on troubleshooting the root cause of the Windows 10 Mail connection issue. It could be the SSL protocol version or the self-signed server certificate.
To troubleshoot the root cause of the Windows 10 Mail connection issue, I did the following.
1. Go to the system Event Viewer on the Windows 10 computer. I see a number of identical errors:
    Event ID: 36871
    Source: SChannel
    Level: Error
    User: SYSTEM
    Description: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
2. Turn on SSL logging and increase the logging level on both the Postfix server and the Dovecot server.
3. Go back to the Windows 10 computer and send a test message to the SMTPS service on port 465. Server log messages show that the TLS connection was established, but it was dropped immediately. I don't know why.
    postfix/smtps/smtpd[]: initializing the server-side TLS engine
    postfix/smtps/smtpd[]: connect from unknown[192.168.1.11]
    postfix/smtps/smtpd[]: setting up TLS connection from unknown[192.168.1.11]
    postfix/smtps/smtpd[]: unknown[192.168.1.11]: TLS cipher list "aNULL:-aNULL:HIGH:..."
    postfix/smtps/smtpd[]: SSL_accept:before SSL initialization
    ...
    postfix/smtps/smtpd[]: SSL_accept:before SSL initialization
    postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS read client hello
    postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write server hello
    postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write certificate
    postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write key exchange
    ...
    postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write server done
    postfix/smtps/smtpd[]: read from 55655A6A42C0 [55655A6AC663] (5 bytes => -1 (...))
    ...
    postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write server done
    postfix/smtps/smtpd[]: read from 55655A6A42C0 [55655A6AC663] (5 bytes => 5 (0x5))
    ...
    postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS read client key exchange
    postfix/smtps/smtpd[]: read from 55655A6A42C0 [55655A6AC663] (5 bytes => 5 (0x5))
    ...
    postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS read change cipher spec
    postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS read finished
    postfix/smtps/smtpd[]: unknown[192.168.1.11]: Issuing session ticket, key expiration: ...
    postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write session ticket
    postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write change cipher spec
    postfix/smtps/smtpd[]: write to 55655A6A42C0 [55655A6B4810] (242 bytes => 242 (0xF2))
    ...
    postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write finished
    postfix/smtps/smtpd[]: Anonymous TLS connection established from unknown[192.168.1.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    postfix/smtps/smtpd[]: lost connection after CONNECT from unknown[192.168.1.11]
    postfix/smtps/smtpd[]: disconnect from unknown[192.168.1.11] commands=0/0
4. Compared with the log messages listed below from a Thunderbird SMTPS connection, an SMTPS session should be created after the TLS connection is established, in order to deliver the outgoing email.
    postfix/smtps/smtpd[]: Anonymous TLS connection established from unknown[192.168.1.22]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
    postfix/smtps/smtpd[]: CA40C266002F: client=unknown[192.168.1.22]
    postfix/cleanup[]: CA40C266002F: message-id=<3ed8f312-3c0e-3b6b-fdaa-...@herongyang.com>
    postfix/smtps/smtpd[]: disconnect from unknown[192.168.1.22] ehlo=1 mail=1 rcpt=1 data=1 ...
    postfix/qmgr[]: CA40C266002F: from=<herong@example.com>, size=678, nrcpt=1 (queue active)
    postfix/local[]: CA40C266002F: to=<herong@example.com>, relay=local, delay=0.37, ...
    postfix/qmgr[]: CA40C266002F: removed
5. On the Windows 10 computer, click the "Sync" email icon to connect to the POP3S service on port 995. Log messages show that the SSL negotiation finished, but the connection was reset by the peer immediately. I don't know why.
    dovecot[]: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
    dovecot[]: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
    dovecot[]: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
    dovecot[]: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
    dovecot[]: auth: Debug: auth client connected (pid=27839)
    dovecot[]: pop3-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
    dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
    dovecot[]: pop3-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
    dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
    dovecot[]: pop3-login: Debug: SSL_get_servername() failed
    dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
    dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
    dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
    dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write key exchange
    dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server done
    ...
    dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client key exchange
    dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read change cipher spec
    dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished
    dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket
    dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
    dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
    dovecot[]: pop3-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully
    dovecot[]: pop3-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully
    dovecot[]: pop3-login: Debug: SSL error: read(size=780) failed: Connection reset by peer
    dovecot[]: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.1.11, lip=192.168.1.100, TLS: read(size=780) failed: Connection reset by peer, ...
    dovecot[]: pop3-login: Debug: SSL alert: close notify
6. Compared with the log messages listed below from a Thunderbird POP3S connection, an SSL session should be created after the SSL negotiation finishes, in order to perform user authentication and retrieve emails.
    dovecot[]: pop3-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully
    dovecot[]: auth: Debug: client in: AUTH#0111#011PLAIN#011service=pop3#011secured=tls#011 session=OONzGV20l+bAqAG/#011lip=192.168.1.100#011rip=192.168.1.22#011l port=995#011rport=59031#011ssl_cipher=TLS_AES_128_GCM_SHA256#011 ssl_cipher_bits=128#011ssl_pfs=KxANY#011 ssl_protocol=TLSv1.3
    dovecot[]: auth: Debug: client passdb out: CONT#0111
    dovecot[]: auth: Debug: client in: CONT<hidden>
    dovecot[]: auth: Debug: pam(herong,192.168.1.22,<OONzGV20l+bAqAG/>): Performing passdb lookup
    dovecot[]: auth-worker(22782): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
    ...
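The comparison made in steps 3 to 6 can be automated. The following is an added example, not code from the original tutorial: it scans server logs for clients that finish the TLS handshake and then leave without issuing any SMTP command or POP3 authentication attempt. The sample log is constructed by condensing the lines shown above; the function name and regular expressions are assumptions of this example.

```python
import re

# Constructed sample, condensed from the log lines shown in steps 3 to 6.
SAMPLE_LOG = """\
postfix/smtps/smtpd[]: connect from unknown[192.168.1.11]
postfix/smtps/smtpd[]: Anonymous TLS connection established from unknown[192.168.1.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
postfix/smtps/smtpd[]: lost connection after CONNECT from unknown[192.168.1.11]
postfix/smtps/smtpd[]: disconnect from unknown[192.168.1.11] commands=0/0
postfix/smtps/smtpd[]: Anonymous TLS connection established from unknown[192.168.1.22]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
postfix/smtps/smtpd[]: disconnect from unknown[192.168.1.22] ehlo=1 mail=1 rcpt=1 data=1
dovecot[]: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.1.11, lip=192.168.1.100, TLS: read(size=780) failed: Connection reset by peer
"""

TLS_OK = re.compile(r"TLS connection established from \S+\[([\d.]+)\]: (\S+) with cipher (\S+)")
DISCONNECT = re.compile(r"smtpd\[\d*\]: disconnect from \S+\[([\d.]+)\]\s+(.*)")
DOVECOT_DROP = re.compile(r"-login: Disconnected \(no auth attempts.*?rip=([\d.]+),.*TLS: (.*)")

def find_post_handshake_drops(log_text):
    """Return (service, client_ip, tls_protocol, detail) for each client that
    completed TLS but never spoke SMTP or attempted POP3 authentication."""
    tls = {}        # client IP -> (protocol, cipher) of the current Postfix session
    findings = []
    for line in log_text.splitlines():
        m = TLS_OK.search(line)
        if m:
            tls[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = DISCONNECT.search(line)
        if m:
            ip, stats = m.groups()
            session = tls.pop(ip, None)
            # commands=0/0 after a finished handshake: the client ended the
            # session before sending EHLO, as in step 3.
            if session and stats.startswith("commands=0/0"):
                findings.append(("smtps", ip, session[0], session[1]))
            continue
        m = DOVECOT_DROP.search(line)
        if m:
            # Dovecot reports the TLS read error on the disconnect line itself (step 5).
            findings.append(("pop3s", m.group(1), None, m.group(2).strip()))
    return findings

if __name__ == "__main__":
    for finding in find_post_handshake_drops(SAMPLE_LOG):
        print(finding)
```

Only 192.168.1.11 (the Windows 10 Mail client) is reported; the Thunderbird session from 192.168.1.22 issues SMTP commands after the handshake and is ignored.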
Based on the above log messages, possible root causes of the Windows 10 Mail connection issue are: