"TLS is not available" error when configuring Mailspring

Hi. I’m trying to configure Mailspring to connect to my email server (dovecot… works fine with Thunderbird). The IMAP server is configured to listen on port 143, and to require STARTTLS before logins. However, when I enter all that in the Mailspring config wizard and select “Next”, I get a “TLS not available” error. But the logs show:

----------IMAP----------
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
1 STARTTLS
1 OK Begin TLS negotiation now.

It seems it should be Mailspring’s turn to start TLS negotiation, no? Is there a way to get more logging to see what Mailspring does in the TLS negotiation, and why it seems to give up (or not even try?).

This is with Mailspring 1.5.5 on macOS Mojave. Thanks!


(Originally posted by chrish42 on GitHub.)

Hey! Thanks for reporting this - it looks like Mailspring is correctly identifying that the server advertises the STARTTLS capability, and that command 1 STARTTLS is being sent from the client to the server. The server response (1 OK Begin TLS negotiation now.) also seems fine. I’m reading through the IMAP library code and it looks like the possible error states are all rolled up into that single error code (that prints “TLS not available”) which makes this a bit harder to nail down.

It’s possible that the failure occurred after the negotiation phase and Mailspring doesn’t trust your server’s SSL certificate. To test that, you can actually connect via STARTTLS from the command line:

openssl s_client -starttls imap -crlf -connect yourserver.com:143

(Originally posted by bengotow on GitHub.)
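As an added example (not Mailspring's code and not from either poster), the script below does the same STARTTLS upgrade step by step in Python so that a server that never advertises or refuses STARTTLS can be told apart from a handshake that succeeds but fails certificate verification, which is what a single rolled-up "TLS not available" error hides. The host, port and optional cafile (a PEM copy of a self-signed server certificate) are assumptions; the sample greeting is the line quoted in the issue above.

```python
"""Walk an IMAP STARTTLS upgrade manually to see where it fails (added example)."""
import re
import socket
import ssl

# Constructed sample: the greeting Dovecot sent in the log quoted in the issue.
SAMPLE_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
                   "IDLE STARTTLS LOGINDISABLED] Dovecot ready.")


def parse_capabilities(greeting: str) -> set:
    """Return the capability tokens from a '* OK [CAPABILITY ...]' greeting."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    return set(m.group(1).split()) if m else set()


def starttls_required(caps: set) -> bool:
    """Dovecot pairs STARTTLS with LOGINDISABLED when plaintext logins are refused."""
    return "STARTTLS" in caps and "LOGINDISABLED" in caps


def diagnose(host: str, port: int = 143, cafile: str = None, timeout: float = 10) -> str:
    """Connect, send STARTTLS, upgrade the socket, and return a one-line verdict.

    cafile (assumption) may point to the self-signed certificate so that the
    verification step can be made to pass without disabling checks.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    reader = sock.makefile("rb")          # server sends one line per step, so no over-read
    greeting = reader.readline().decode(errors="replace")
    caps = parse_capabilities(greeting)
    if "STARTTLS" not in caps:
        return "server does not advertise STARTTLS"
    sock.sendall(b"a1 STARTTLS\r\n")
    reply = reader.readline().decode(errors="replace")
    if not reply.startswith("a1 OK"):
        return "STARTTLS refused: " + reply.strip()
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except ssl.SSLCertVerificationError as e:   # handshake ran, trust check failed
        return "certificate not trusted: " + str(e.verify_message)
    except ssl.SSLError as e:                   # protocol/cipher level failure
        return "TLS handshake failed: " + str(e)
    return "TLS established: %s %s" % (tls.version(), tls.cipher()[0])


if __name__ == "__main__":
    print(diagnose("yourserver.com"))   # hostname is a placeholder
```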

Thank you! The certificate is self-signed, but I had checked off the box saying “authorize non-secured SSL” (or something like that), which I assume allows me to look at the certificate and accept it if it’s the right one. Or is my assumption wrong?

Connecting with openssl, the connection goes through fine, and I can talk to the IMAP server. Here’s some of what openssl outputs:

No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2818 bytes and written 416 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
[snip TLS session ticket, etc.]
. OK Pre-login capabilities listed, post-login capabilities have more.

Does that help to narrow things down?


(Originally posted by chrish42 on GitHub.)