Cannot connect with IMAP externally
I have configured a Windows 10 PC running Thunderbird and a Pixel XL 2 using the default mail app to access my email server (running on a LAN) and both are set up, as far as I can tell, identically (URLs, Ports, Usernames and passwords). Both connect happily using IMAP (using StartTLS) when on an internal network (not the same subnet as the email server). However, when connecting externally the phone connects using IMAP fine, however the PC says it cannot connect to IMAP.
I can see the connections coming in on the router are being forwarded to the mail server, I have created firewall rules (Windows and Router) that allow IMAP connections (and NAT traversal).
It is curious that the phone works fine externally and both work fine internally (so it can't be username/password issues)...any ideas what else I need to look at? Is there a detailed logging option in Thunderbird, so I can see where the process seems to fall down?
Any thoughts would be appreciated.
All Replies (11)
Perhaps it is in the certificates being used for TLS.
Thanks for the reply and link to logging which I will look in to.
I thought about the certificate but both the url and certificate are the same whether the connection is internal or external.
Currently my best guess is the Windows firewall, since internally it will be a Private connection and externally a Public one...though on inspection I couldn't find anything amiss...and the phone connects fine.
Hopefully, with logging I can solve this and will report my findings.
In the past I have had issues with server naming local Vs internet.
Mail server was the same box, but internal addresses in DNS were a .local TLD and externally they were .com TLD's
Yes, me too. However, in my case my LAN is a .local but the email server sits on another subnet and is not a member of the domain. I created a DNS Stub using its .com URL, which resolves to an internal IP.
Externally, my public DNS resolves the same URL to a fixed Public IP address.
I apply the same technique for many other things e.g. CCTV etc.
Curiously, with logging turned on Thunderbird now seems to connect!!
I will investigate further.
Okay, so far it still mainly refuses to connect via IMAP (it did connect externally twice, strangely enough). I created a test account on the email server and tried connecting without using StartTLS (i.e. unencrypted connection) but that failed to connect as well...so I am pretty sure it is not a certificate issue.
The start of the log immediately below shows the working (internal) connection. The second log shows the failing one, the last lines shown between the two are different.
>>>>>working connection<<<<<<
2019-10-24 12:24:38.245000 UTC - [(null) 7896: Unnamed thread 27BEC2E0]: D/IMAP ImapThreadMainLoop entering [this=2857C000]
2019-10-24 12:24:38.345000 UTC - [(null) 7896: Main Thread]: I/IMAP 2857C000:mailserver.********.com:NA:SetupWithUrlCallback: clearing IMAP_CONNECTION_IS_OPEN
2019-10-24 12:24:38.345000 UTC - [(null) 7896: Unnamed thread 27BEC2E0]: I/IMAP 2857C000:mailserver.*******.com:NA:ProcessCurrentURL: entering
2019-10-24 12:24:38.345000 UTC - [(null) 7896: Unnamed thread 27BEC2E0]: I/IMAP 2857C000:mailserver.*******.com:NA:ProcessCurrentURL:imap://***@mailserver.********.com:143/select%3E.INBOX: = currentUrl
2019-10-24 12:24:38.385000 UTC - [(null) 7896: Unnamed thread 27BEC2E0]: D/IMAP ReadNextLine [stream=2888A880 nb=29 needmore=0]
2019-10-24 12:24:38.385000 UTC - [(null) 7896: Unnamed thread 27BEC2E0]: I/IMAP 2857C000:mailserver.********.com:NA:CreateNewLineFromSocket: * OK mailserver.*******.com
>>>>>>>>>>

<<<<<<<Failing connection>>>>>>>>
2019-10-24 10:58:22.704000 UTC - [(null) 18788: Unnamed thread 23B9CD60]: D/IMAP ImapThreadMainLoop entering [this=243B6000]
2019-10-24 10:58:22.797000 UTC - [(null) 18788: Main Thread]: I/IMAP 243B6000:mailserver.******.com:NA:SetupWithUrlCallback: clearing IMAP_CONNECTION_IS_OPEN
2019-10-24 10:58:22.797000 UTC - [(null) 18788: Unnamed thread 23B9CD60]: I/IMAP 243B6000:mailserver.*******.com:NA:ProcessCurrentURL: entering
2019-10-24 10:58:22.797000 UTC - [(null) 18788: Unnamed thread 23B9CD60]: I/IMAP 243B6000:mailserver.*******.com:NA:ProcessCurrentURL:imap://***@mailserver.*******.com:143/select%3E.INBOX: = currentUrl
2019-10-24 10:58:23.061000 UTC - [(null) 18788: Unnamed thread 23B9CD60]: D/IMAP ReadNextLine [stream=24AA2A10 nb=0 needmore=1]
2019-10-24 10:58:23.061000 UTC - [(null) 18788: Unnamed thread 23B9CD60]: D/IMAP ReadNextLine [stream=24AA2A10 nb=0 needmore=0]
2019-10-24 10:58:23.092000 UTC - [(null) 18788: Unnamed thread 23B9CD60]: I/IMAP 243B6000:mailserver.*******.com:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 80470002
2019-10-24 10:58:23.092000 UTC - [(null) 18788: Unnamed thread 23B9CD60]: I/IMAP 243B6000:mailserver.*******.com:NA:TellThreadToDie: close socket connection
>>>>>>>>>>>>>
Clearly the IMAP connection is being closed in the second log, whereas in the first log there appears to be an OK acknowledgement. I don't understand the "clearing IMAP_CONNECTION_IS_OPEN - rv = 80470002"; is that an error code that could yield some more information?
I can see via a packet capture that there is communication going both ways, even with the failing connection.
Apparently NS_BASE_STREAM_CLOSED is what that response is about.
I suggest trying the error console Ctrl+Shift+J
Clear it and check your connection. From what I have read from others with the problem it has variously been exceeding the max connections on the server and problems with the size of the Diffie-Hellman cypher.
I would have said it had to be certificate related, except it does not work with no connection security. Perhaps the error console will throw up something enlightening.
Thanks for the information. I had tried increasing the connection limit on the mail server, but this had no effect.
I am suspecting that there is a network / TCP timeout that is occurring. This would explain why everything works internally (on a fast network), the phone works externally (email client probably has longer timeouts than T/B) and why once in a while T/B does connect externally.
The uplink WAN speed is only about 600Kb (downlink is about 8Mb), so considerably slower than the LAN speeds - one of the problems with being in a rural location in the UK!
I will post the solution as soon as I have one.
Thanks again for your help.
Just a random thought. Anti virus.
They tend to be slow and on non "trusted" networks even slower. Do you have anything monitoring the connection or mail in general? Disabling any email scanning is generally recommended here, especially outgoing scanning as it is a complete waste of resources. If it can not find a bug on your machine, it is using the same definitions to scan your mail, so it will find nothing there either. Infected or not.
Yes, I already tried disabling anti-virus (completely turned it off) yesterday but it didn't seem to make any difference. I will keep that in mind in case I don't get anywhere with the various timeouts.
I did run the error console but it didn't tell me anything new.
Well no luck so far. I have tried changing timeouts on:
mail.server.server2.timeout from 29 to 50 (& 75)
mailnews.tcptimeout from 100 to 150 (& 200)
network.tcp.tcp_fastopen_http_stalls from 20 to 40
network.websocket.timeout.close from 20 to 40
network.websocket.timeout.open from 20 to 40
None of these seemed to make any difference. I also tried again disabling antivirus on the client machine, again it didn't seem to make any difference.
For info, the ports I have open on the router are 25 and 587 (SMTP) and 143 for IMAP. I am assuming I do not need more.
The only other thing that may be different to standard is that external IMAP needs to traverse two NAT routers. I haven't had issues doing this for anything else (e.g. CCTV etc) so I assume it should cause an issue here. Again the phone works fine externally.
At the moment I am out of ideas. I'll probably need to get a detailed packet capture with Fireshark and work through that.
Chosen Solution
SOLVED
In the end I configured Outlook and turned on logging and could see that a TLS connection was created but then was closed at the server end.
My initial hunch was right, it turned out to be a firewall issue but not the Windows Firewall, the firewall inside the email server application itself.
When it was originally configured, it allowed IMAP connections from internal subnets and our Mobile Phone operator (based on their IP Address Range) but no IMAP from anywhere else (on the basis that the computers don't tend to roam externally).
It is interesting to note that while abroad last week my phone could still connect by IMAP which means that although it was connected via the local Mobile provider, it must still have obtained its IP address from our current UK operator.
Many thanks for your help.
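
Added example, not part of the thread: a small probe that separates the two outcomes seen in the Thunderbird logs above, a "* OK" greeting versus a socket the server closes before sending anything (the nb=0 / NS_BASE_STREAM_CLOSED case), which in this thread turned out to be the mail server's own source-IP rule rather than the router or Windows Firewall. The function names, the stub server and the example hostname are assumptions made for illustration.

```python
import socket
import threading

def probe_imap_greeting(host, port=143, timeout=10.0):
    """Return (outcome, first_line) for a plain TCP connect to an IMAP port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", ""           # nothing listening / port not forwarded
    except (socket.timeout, TimeoutError):
        return "connect-timeout", ""   # packets dropped on the path
    except OSError as exc:
        return "connect-error", str(exc)
    with sock:
        try:
            data = sock.recv(512)      # IMAP servers speak first
        except (socket.timeout, TimeoutError):
            return "no-greeting-timeout", ""
        except ConnectionResetError:
            return "closed-before-greeting", ""
    if not data:
        # TCP handshake succeeded, then EOF: the server application itself
        # dropped us (source-IP rule, connection limit), not a network firewall.
        return "closed-before-greeting", ""
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if line.startswith(("* OK", "* PREAUTH")):
        return "greeting", line
    if line.startswith("* BYE"):
        return "rejected-with-bye", line
    return "unexpected", line

def start_stub(greeting):
    """Constructed stand-in for a mail server: send `greeting` (may be empty), then close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        if greeting:
            conn.sendall(greeting)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for banner in (b"* OK mailserver.example.com ready\r\n", b""):
        print(probe_imap_greeting("127.0.0.1", start_stub(banner), 2.0))
```

Run from both the internal and the external network against the real host: "greeting" inside and "closed-before-greeting" outside points at a server-side allow-list, while "refused" or "connect-timeout" points at port forwarding or a network firewall.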