Email Tutorials - Herong's Tutorial Examples - v1.04, by Herong Yang
SSL/TLS Connection Issue in Windows 10 Mail
This section provides a tutorial example on troubleshooting the root cause of the Windows 10 Mail connection issue. It could be the SSL protocol version or a self-signed server certificate.
To troubleshoot the root cause of the Windows 10 Mail connection issue, I did the following.
1. Go to the system Event Viewer on the Windows 10 computer. I see a number of identical errors:
Event ID: 36871
Source: SChannel
Level: Error
User: SYSTEM
Description: A fatal error occurred while creating a TLS client credential.
The internal error state is 10013.
2. Turn on SSL logging and increase the logging level on both the Postfix server and the Dovecot server.
3. Go back to the Windows 10 computer and send a test message to the SMTPS service on port 465. Server log messages show that the TLS connection was established, but it was dropped immediately. I don't know why.
postfix/smtps/smtpd[]: initializing the server-side TLS engine
postfix/smtps/smtpd[]: connect from unknown[192.168.1.11]
postfix/smtps/smtpd[]: setting up TLS connection from unknown[192.168.1.11]
postfix/smtps/smtpd[]: unknown[192.168.1.11]: TLS cipher list "aNULL:-aNULL:HIGH:..."
postfix/smtps/smtpd[]: SSL_accept:before SSL initialization
...
postfix/smtps/smtpd[]: SSL_accept:before SSL initialization
postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS read client hello
postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write server hello
postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write certificate
postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write key exchange
...
postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write server done
postfix/smtps/smtpd[]: read from 55655A6A42C0 [55655A6AC663] (5 bytes => -1 (...))
...
postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write server done
postfix/smtps/smtpd[]: read from 55655A6A42C0 [55655A6AC663] (5 bytes => 5 (0x5))
...
postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS read client key exchange
postfix/smtps/smtpd[]: read from 55655A6A42C0 [55655A6AC663] (5 bytes => 5 (0x5))
...
postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS read change cipher spec
postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS read finished
postfix/smtps/smtpd[]: unknown[192.168.1.11]: Issuing session ticket, key expiration: ...
postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write session ticket
postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write change cipher spec
postfix/smtps/smtpd[]: write to 55655A6A42C0 [55655A6B4810] (242 bytes => 242 (0xF2))
...
postfix/smtps/smtpd[]: SSL_accept:SSLv3/TLS write finished
postfix/smtps/smtpd[]: Anonymous TLS connection established from unknown[192.168.1.11]:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
postfix/smtps/smtpd[]: lost connection after CONNECT from unknown[192.168.1.11]
postfix/smtps/smtpd[]: disconnect from unknown[192.168.1.11] commands=0/0
4. Compare with the log messages listed below from a Thunderbird SMTPS connection: an SMTPS session should be created after the TLS connection is established, to deliver the outgoing email.
postfix/smtps/smtpd[]: Anonymous TLS connection established from unknown[192.168.1.22]:
TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
postfix/smtps/smtpd[]: CA40C266002F: client=unknown[192.168.1.22]
postfix/cleanup[]: CA40C266002F: message-id=<3ed8f312-3c0e-3b6b-fdaa-...@herongyang.com>
postfix/smtps/smtpd[]: disconnect from unknown[192.168.1.22] ehlo=1 mail=1 rcpt=1 data=1 ...
postfix/qmgr[]: CA40C266002F: from=<herong@example.com>, size=678, nrcpt=1 (queue active)
postfix/local[]: CA40C266002F: to=<herong@example.com>, relay=local, delay=0.37, ...
postfix/qmgr[]: CA40C266002F: removed
5. On the Windows 10 computer, click the "Sync" email icon to connect to the POP3S service on port 995. Log messages show that the SSL negotiation was finished, but the connection was reset by the peer immediately. I don't know why.
dovecot[]: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
dovecot[]: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
dovecot[]: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
dovecot[]: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
dovecot[]: auth: Debug: auth client connected (pid=27839)
dovecot[]: pop3-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
dovecot[]: pop3-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
dovecot[]: pop3-login: Debug: SSL_get_servername() failed
dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write key exchange
dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server done
...
dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client key exchange
dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read change cipher spec
dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished
dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket
dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
dovecot[]: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
dovecot[]: pop3-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully
dovecot[]: pop3-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully
dovecot[]: pop3-login: Debug: SSL error: read(size=780) failed: Connection reset by peer
dovecot[]: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.1.11,
lip=192.168.1.100, TLS: read(size=780) failed: Connection reset by peer, ...
dovecot[]: pop3-login: Debug: SSL alert: close notify
6. Compare with the log messages listed below from a Thunderbird POP3S connection: an SSL session should be created after the SSL negotiation finishes, to perform user authentication and retrieve emails.
dovecot[]: pop3-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully
dovecot[]: auth: Debug: client in: AUTH#0111#011PLAIN#011service=pop3#011secured=tls#011
session=OONzGV20l+bAqAG/#011lip=192.168.1.100#011rip=192.168.1.22#011l
port=995#011rport=59031#011ssl_cipher=TLS_AES_128_GCM_SHA256#011
ssl_cipher_bits=128#011ssl_pfs=KxANY#011
ssl_protocol=TLSv1.3
dovecot[]: auth: Debug: client passdb out: CONT#0111
dovecot[]: auth: Debug: client in: CONT<hidden>
dovecot[]: auth: Debug: pam(herong,192.168.1.22,<OONzGV20l+bAqAG/>): Performing passdb lookup
dovecot[]: auth-worker(22782): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
...
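The comparison made in steps 3 to 6, as an added example that is not part of the original tutorial: a Python script that scans Postfix and Dovecot log text and reports clients whose TLS handshake completed but whose session ended before any SMTP command or POP3 auth attempt. The sample log is constructed from the lines shown above with wrapped lines joined; the function name `triage` and the regular expressions are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: modelled on the Postfix and Dovecot lines shown above,
# with wrapped lines joined as they would appear in a real log file.
SAMPLE_LOG = """\
postfix/smtps/smtpd[]: Anonymous TLS connection established from unknown[192.168.1.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
postfix/smtps/smtpd[]: lost connection after CONNECT from unknown[192.168.1.11]
postfix/smtps/smtpd[]: disconnect from unknown[192.168.1.11] commands=0/0
postfix/smtps/smtpd[]: Anonymous TLS connection established from unknown[192.168.1.22]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
postfix/smtps/smtpd[]: disconnect from unknown[192.168.1.22] ehlo=1 mail=1 rcpt=1 data=1
dovecot[]: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.1.11, lip=192.168.1.100, TLS: read(size=780) failed: Connection reset by peer
"""

TLS_RE = re.compile(r"TLS connection established from \S*\[([\d.]+)\]: (\S+) with cipher (\S+)")
DISC_RE = re.compile(r"postfix/\S+: disconnect from \S*\[([\d.]+)\] (.*)")
POP3_RE = re.compile(r"pop3-login: Disconnected \(no auth attempts.*?rip=([\d.]+),.*?TLS: ([^,]+)")


def triage(log_text):
    """Map client IP -> findings for sessions that ended right after the TLS handshake."""
    handshakes = {}  # ip -> (protocol, cipher) of a handshake not yet matched to a disconnect
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if m := TLS_RE.search(line):
            handshakes[m.group(1)] = (m.group(2), m.group(3))
        elif m := DISC_RE.search(line):
            ip, stats = m.groups()
            hs = handshakes.pop(ip, None)
            # Postfix summarises the session; "commands=0/0" means no SMTP command arrived.
            if hs and "commands=0/0" in stats:
                findings[ip].append(f"smtps: {hs[0]} {hs[1]} handshake OK, no SMTP commands")
        elif m := POP3_RE.search(line):
            findings[m.group(1)].append(f"pop3s: no auth attempt ({m.group(2).strip()})")
    return dict(findings)


if __name__ == "__main__":
    for ip, notes in triage(SAMPLE_LOG).items():
        for note in notes:
            print(ip, note)
```

A client that appears under both services, as 192.168.1.11 does here, points to a problem on the client side of the TLS session rather than in one server's configuration.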
Based on the above log messages, possible root causes of the Windows 10 Mail connection issue are: