Configuring Windows Mail with IMAP

Windows Mail would not allow me to add an IMAP account. It let me enter all the details, and they looked correct, but then it would fail with ‘INVALIDCREDENTIALS INTERACTIONREQUIRED’. This might be due to

  • a username that differs from what your IMAP authentication expects (user vs. user@example.org),
  • an invalid password,
  • a mismatch in the password authentication method (cleartext vs. encrypted) used during transmission,
  • a mismatch between plain, SSL, or TLS expected by either side,
  • certificates that do not list the hostnames being contacted,

or some other problem. Stumbling through the interwebs I found many people struggling here, and most people calling the people at Micro$oft dumb. They are not, they are just arrogant and ignore all open standards, inventing their own along the way, AND integrating all their old rubbish as well. They are very smart, but the problems they are solving are complex as well. AND they provide only generic feedback, something that is acceptable to their userbase, which is not very sophisticated.

Please note that this is not a step-by-step list of instructions. I stumbled through this problem, and in the end got things working. So this is just a list of starting points to help you figure out why things are not working for you.

My setup

  • dovecot IMAP server with TLS (no POP3),
  • postfix SMTP server with TLS,
  • nginx web server,
  • FreeBSD server,
  • Let’s Encrypt Certificates with weekly, automatic renewal using certbot,
  • Transip DNS provider,
  • 2 domains,
  • Windows 11 laptop with Windows Mail,
  • macOS laptop to compare with.

Things I tried

  1. I use dovecot, so I had to fix the username provided by some mail tools to drop the domain part from user@example.org. Add or change the following setting in dovecot.conf:
    auth_username_format = %n
  2. I added a config-v1.1.xml file on the web server for all domains I serve mail for, at
    /.well-known/autoconfig/mail/config-v1.1.xml, so Thunderbird autoconfigures properly. You can find more information on the format of this file at the Mozilla Wiki.
    Make sure the password authentication method is set correctly. I copied password-encrypted, but it should have been password-cleartext.
  3. I also added the recommended SRV records to indicate where to find the IMAP and SMTP/submission servers:
    _imap._tcp.example.org. 14400 IN SRV 0 10 143 imap.example.org.
    _imap._tcp.example.org. 14400 IN SRV 0 10 993 imap.example.org.
    _submission._tcp.example.org. 14400 IN SRV 0 10 587 smtp.example.org.
    _smtp._tcp.example.org. 14400 IN SRV 0 20 2525 smtp.example.org.
    _smtp._tcp.example.org. 14400 IN SRV 0 10 25 smtp.example.org.
  4. I also corrected the MX records to point at a host with an A / AAAA record, not a CNAME record.
  5. I updated my certificates to include all the hostnames that might be used to access IMAP and SMTP. I am using dovecot and its authentication service, so I use one certificate to serve mail.example.org, smtp.example.org and imap.example.org.
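Steps 1, 2 and 5 above all come down to one question: does the autoconfig file tell the client to send the username, password method and socket type the server actually expects? The script below is an added example, not code from the original post or from Mozilla. It parses a config-v1.1.xml document (the constructed sample embedded in it mirrors the setup described above, with the password-encrypted mistake left in on the IMAP entry) and reports the mismatches discussed in this post: an authentication value other than the one the server supports, a socketType that does not fit the port, cleartext passwords over an unencrypted socket, and a username that is a fixed string rather than a placeholder.

```python
"""Validate a Mozilla/Thunderbird autoconfig file (config-v1.1.xml).

Added example, not code from the original post or from Mozilla.  It checks
the things the post says went wrong: the <authentication> value, the
username form, and whether the socketType matches the port.  The XML
below is a constructed sample that mirrors the post's setup.
"""
import xml.etree.ElementTree as ET

# Constructed sample.  The IMAP entry carries the mistake from the post:
# password-encrypted instead of password-cleartext.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="example.org">
    <domain>example.org</domain>
    <displayName>example.org mail</displayName>
    <incomingServer type="imap">
      <hostname>imap.example.org</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-encrypted</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.example.org</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
"""

# socketType implied by the standard mail ports.
EXPECTED_SOCKET = {
    ("imap", 993): "SSL", ("imap", 143): "STARTTLS",
    ("smtp", 465): "SSL", ("smtp", 587): "STARTTLS",
}
# Values the autoconfig format allows for <authentication>.
VALID_AUTH = {"password-cleartext", "password-encrypted", "NTLM", "GSSAPI",
              "client-IP-address", "TLS-client-cert", "OAuth2", "none"}
# Username placeholders the client expands; anything else is a fixed string.
USERNAME_PLACEHOLDERS = {"%EMAILADDRESS%", "%EMAILLOCALPART%"}


def check_server(server, expected_auth):
    """Return a list of problems for one <incomingServer>/<outgoingServer>."""
    kind = server.get("type")
    host = server.findtext("hostname", "?")
    port = int(server.findtext("port", "0"))
    socket_type = server.findtext("socketType", "")
    auth = server.findtext("authentication", "")
    username = server.findtext("username", "")
    where = f"{kind} {host}:{port}"
    problems = []

    if auth not in VALID_AUTH:
        problems.append(f"{where}: unknown authentication value {auth!r}")
    elif auth != expected_auth:
        # The post's mistake: password-encrypted selects a challenge-response
        # mechanism (CRAM-MD5/DIGEST-MD5) the server must offer; a server that
        # only does PLAIN/LOGIN over TLS needs password-cleartext.
        problems.append(f"{where}: authentication is {auth!r}, expected {expected_auth!r}")

    expected_socket = EXPECTED_SOCKET.get((kind, port))
    if expected_socket and socket_type != expected_socket:
        problems.append(f"{where}: socketType {socket_type!r} but port {port} implies {expected_socket!r}")

    if auth == "password-cleartext" and socket_type == "plain":
        # Cleartext auth without TLS sends the password in the clear.
        problems.append(f"{where}: password-cleartext over a plain socket")

    if username not in USERNAME_PLACEHOLDERS:
        # Shows which form the server will receive (user vs. user@domain).
        problems.append(f"{where}: username {username!r} is not a placeholder")
    return problems


def check_autoconfig(xml_text, expected_auth="password-cleartext"):
    """Validate a whole config-v1.1.xml document; returns [] when it is clean."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "clientConfig" or root.get("version") != "1.1":
        problems.append('root element is not <clientConfig version="1.1">')
    for provider in root.iter("emailProvider"):
        if provider.find("domain") is None:
            problems.append(f"emailProvider {provider.get('id')!r} has no <domain>")
        for tag in ("incomingServer", "outgoingServer"):
            for server in provider.iter(tag):
                problems.extend(check_server(server, expected_auth))
    return problems


if __name__ == "__main__":
    for line in check_autoconfig(SAMPLE_CONFIG) or ["no problems found"]:
        print(line)
```

Run it against the file you actually publish (`check_autoconfig(open(path).read())`); pass `expected_auth` matching what your dovecot auth_mechanisms setting offers. The placeholder check is what tells you whether the client will send `user` or `user@example.org`, which is the same distinction the auth_username_format setting in step 1 addresses on the server side.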

Debugging suggestions

  1. If you see the user@example.org form of the username in the dovecot log files (/var/log/maillog on FreeBSD), the username being sent is wrong. You can test this by installing a web mail tool such as roundcube and logging in first with the ‘user’ username and then with ‘user@example.org’. Both should work with the same password.
  2. Check /var/log/maillog for errors and warnings. Check back later to see whether the error or problem you are seeing is actually a problem, and not just a glitch or a probe.
  3. Use openssl s_client to test the TLS connection:
    openssl s_client -connect imap.example.org:993
    openssl s_client -connect imap.example.org:143 -starttls imap
    openssl s_client -connect smtp.example.org:587 -starttls smtp
  4. Use openssl x509 to inspect the certificate. If the s_client output contains a block enclosed in ‘-----BEGIN CERTIFICATE-----’ and ‘-----END CERTIFICATE-----’, copy that section, including the header and footer lines, into a file called bla.crt and run the following command to see the hostnames the certificate is valid for:
    openssl x509 -text -noout -in bla.crt
    The hostnames you are trying to connect to should be listed there (in the Subject Alternative Name extension). Otherwise the client will reject the certificate and you will get an error somewhere.
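Reading the Subject Alternative Name line out of that openssl output by eye is error-prone, especially with wildcards. The script below is an added example, not code from the original post. It takes the text that `openssl x509 -text -noout` prints (a constructed excerpt is embedded, covering mail.example.org and imap.example.org but not smtp.example.org), extracts the DNS names from the SAN extension, and reports which of the hostnames from step 5 are not covered; wildcard names are matched the way clients do it (one label only). A separate function fetches the same list from a live implicit-TLS port such as 993, as a scriptable companion to the s_client commands in step 3.

```python
"""Check which hostnames a certificate covers, using the text form that
`openssl x509 -text -noout -in bla.crt` prints.

Added example, not code from the original post.  The openssl output below
is a constructed excerpt containing only the lines this script reads.
"""
import re
import socket
import ssl

# Constructed excerpt of `openssl x509 -text -noout` output.  It covers
# mail.example.org and imap.example.org but not smtp.example.org.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN = mail.example.org
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:mail.example.org, DNS:imap.example.org, DNS:*.example.net
"""


def san_dns_names(x509_text):
    """Extract the DNS: entries from the Subject Alternative Name line."""
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", x509_text)
    if not m:
        # No SAN extension: modern clients ignore the CN, so no name is covered.
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]


def hostname_matches(hostname, pattern):
    """RFC 6125-style match: a wildcard is only valid as the whole leftmost
    label and matches exactly one label, so *.example.net does not cover
    a.b.example.net or example.net itself."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        h_labels = hostname.split(".")
        p_labels = pattern.split(".")
        return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]
    return hostname == pattern


def missing_hostnames(x509_text, required):
    """Return the required hostnames the certificate does not cover."""
    names = san_dns_names(x509_text)
    return [h for h in required if not any(hostname_matches(h, n) for n in names)]


def live_san_dns_names(host, port=993, timeout=5.0):
    """Fetch the SAN names from a live implicit-TLS port (IMAPS 993, SMTPS 465).

    Network-dependent, so not exercised by the embedded sample.  Hostname
    checking is turned off on purpose so a mismatched certificate is reported
    instead of aborting the handshake; chain validation stays on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    required = ["mail.example.org", "imap.example.org", "smtp.example.org"]
    missing = missing_hostnames(SAMPLE_X509_TEXT, required)
    print("missing:", missing or "none")
```

For a real check, feed it the output of the openssl command above (`missing_hostnames(open("bla.txt").read(), [...])`) or call `live_san_dns_names("imap.example.org")` and compare the returned list against every hostname that appears in your autoconfig file, SRV records and client settings; anything missing is a name the client will refuse to trust.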

Tips for debugging this:

  • Use Thunderbird to configure all of the above. When a fresh install of Thunderbird autoconfigures your account properly after you fill in only the e-mail address and password, you should have a working setup.
  • Hit my domain to see my config.
  • Send me an e-mail if you need help. See this other post on this site on what I expect from you when you do ask for my help.
