Configuring Windows Mail with IMAP

Windows Mail would not let me add an IMAP account. It let me enter the account, and all the details looked correct, but then it failed with ‘INVALIDCREDENTIALS INTERACTIONREQUIRED’. This might be due to

  • a username that differs from what your IMAP authentication expects (user vs. user@example.org),
  • an invalid password,
  • a mismatch in password encryption during transmission,
  • a mismatch between plain, SSL, or TLS expected by either side,
  • certificates not listing the hostnames being contacted,

or some other problem. Stumbling through the interwebs I found many people struggling here, and most people calling the people at Micro$oft dumb. They are not, they are just arrogant and ignore all open standards, inventing their own along the way, AND integrating all their old rubbish as well. They are very smart, but the problems they are solving are complex as well. AND they provide only generic feedback, something that is acceptable to their userbase, which is not very sophisticated.

Please note that this is not a step-by-step list of instructions. I stumbled through this problem, and in the end got things working. So this is just a list of starting points to help you figure out why things are not working for you.

My setup

  • dovecot IMAP server with TLS (no POP3),
  • postfix SMTP server with TLS,
  • nginx web server,
  • FreeBSD server,
  • Let’s Encrypt Certificates with weekly, automatic renewal using certbot,
  • Transip DNS provider,
  • 2 domains,
  • Windows 11 laptop with Windows Mail,
  • macOS laptop to compare with.

Things I tried

  1. I use dovecot, so I had to make it drop the domain part from the user@example.org username that some mail tools send. Add/change the following statement in dovecot.conf:
    auth_username_format = %n
  2. I added a config-v1.1.xml file on the web server for all domains I serve mail for, at
    /.well-known/autoconfig/mail/config-v1.1.xml, so Thunderbird autoconfigures properly. You can find more information on the format of this file at the Mozilla Wiki.
    Make sure the password authentication method is set correctly. I had copied password-encrypted, but it should have been password-cleartext.
  3. I also added the recommended SRV records to indicate where to find the imap and smtp/submission servers:
    _imap._tcp.example.org. 14400 IN SRV 0 10 143 imap.example.org.
    _imap._tcp.example.org. 14400 IN SRV 0 10 993 imap.example.org.
    _submission._tcp.example.org. 14400 IN SRV 0 10 587 smtp.example.org.
    _smtp._tcp.example.org. 14400 IN SRV 0 20 2525 smtp.example.org.
    _smtp._tcp.example.org. 14400 IN SRV 0 10 25 smtp.example.org.
  4. I’ve also corrected the MX records to point at a host with an A / AAAA record, not a CNAME record.
  5. I’ve updated my certificates to include all the hostnames that could possibly be used to access IMAP -and- SMTP. I am using dovecot and its authentication service, so I use 1 certificate to serve mail.example.org, smtp.example.org and imap.example.org.

Debugging suggestions

  1. You should be able to see the user@example.org username in the dovecot log files (/var/log/maillog on FreeBSD); if it shows up with the domain part, the username is wrong. You can test it by installing a web mail tool, like roundcube, and logging in first with the ‘user’ username and then with ‘user@example.org’. Both should work with the same password.
  2. Check /var/log/maillog for errors and possible problems. Check back later to see whether the error or problem you are seeing is actually a problem, and not just a glitch or a probe.
  3. Use openssl s_client to test the TLS connection:
    openssl s_client -connect imap.example.org:993
    openssl s_client -connect imap.example.org:143 -starttls imap
    openssl s_client -connect smtp.example.org:587 -starttls smtp
  4. Use openssl x509 to inspect the certificate. If you see a block enclosed in ‘-----BEGIN CERTIFICATE-----’ and ‘-----END CERTIFICATE-----’, copy that section, including the header and footer lines, into a file called bla.crt, and run the following command to see the hostnames that the certificate is valid for:
    openssl x509 -text -noout -in bla.crt
    The hostnames you are trying to connect to should be in there. Otherwise the certificate is unacceptable and you will get an error somewhere.
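The same check as steps 3 and 4, scripted: fetch the certificate the way openssl s_client does (direct TLS on 993, STARTTLS on 143 and 587) and compare the Subject Alternative Name entries against every hostname clients may use. This is an added example, not code from the original post; the hostnames in MAIL_HOSTS are assumed and should be replaced with your own.

```python
"""Report mail hostnames that a server's TLS certificate does not cover (added example)."""
import imaplib
import smtplib
import ssl

# Assumed hostnames; replace with the names your clients actually connect to.
MAIL_HOSTS = ["imap.example.org", "smtp.example.org", "mail.example.org"]


def san_dns_names(cert):
    """DNS entries from the Subject Alternative Name of a getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label (*.example.org)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def missing_hostnames(cert, hostnames):
    """Hostnames that no SAN entry covers: the 'certificate not listing the hostname' case."""
    names = san_dns_names(cert)
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]


def fetch_cert(host, port):
    """Peer certificate, verified against the system CA store. Hostname checking is
    left to missing_hostnames() so a mismatch is reported instead of aborting."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    if port == 993:
        with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as imap:
            return imap.sock.getpeercert()
    if port == 143:
        with imaplib.IMAP4(host, port) as imap:
            imap.starttls(ctx)
            return imap.sock.getpeercert()
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    for host, port in [("imap.example.org", 993), ("imap.example.org", 143),
                       ("smtp.example.org", 587)]:
        print(host, port, "missing:", missing_hostnames(fetch_cert(host, port), MAIL_HOSTS) or "none")
```

A hostname listed as missing is exactly what makes Windows Mail (or any client that verifies certificates) reject the connection, even though the password is correct.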

Tips for debugging this:

  • Use Thunderbird to configure all of the above. When a fresh install of Thunderbird autoconfigures your account properly after you fill in only your e-mail address and password, you have a working setup.
  • Hit my domain to see my config.
  • Send me an e-mail if you need help. See this other post on this site on what I expect from you when you do ask for my help.

How to contact me if you need help with a problem

I am happy to help if I can. But my time is limited. Even I (*gasp*!) need some downtime. As you are taking the time to read this, you are already ahead.

Things I appreciate:

  • Be polite. Be positive.
  • If you ask for my help, you need to be stuck. Being lazy is not a reason to ask for help. Having tried everything 4 times and still ending up in the same place is.
  • Ask yourself: What’s in it for the person I am asking for help? Learning is my goal in life, so when I help you, I want to learn something too, whatever that may be. I looooove complicated setups and puzzles. Not just technical stuff.
  • You have to have a learning mindset. I like to educate. I hate copy&paste.
  • I am fine with an initial question, like ‘This is my problem. Can you help?’ if you want to avoid writing an essay that ends up in the spam box.
  • When you mail me your problem, try to explain the context of why you are doing things, what you have done, what has failed, and what your next steps would be.
  • You are in the driver’s seat. I am just helping you to find your heading. So, don’t wait for me.

I absolutely looooove hearing that you solved your problem, what the problem was, and how you got there.

My e-mail address is … well … I am sure you can figure that out.

Nick

EasyControl wants room 30 degrees no matter what

For some reason my living room was 30 degrees in the morning. No matter what I tried on the EasyControl in the living room it wouldn’t go down.

I factory reset my EasyControl (losing all my energy usage data along the way…), reset all my radiator fobs. Reinstalled them, set up the schedules from scratch… A lot of work.

And then my daughter’s bedroom all of a sudden went to 30 degrees…

In the end it was corrosion on one of the fobs that caused the plus button to be triggered continuously. Once I replaced the fob with a spare one the problem went away.