Outlook cannot log in to the mail server account deployed in Stawart.

Question

Outlook cannot log in to the mail server account deployed in Stawart.

StephenJose_Dai 0

I deployed a mail server using Stawart. I can log in to my account normally using 163, Thunderbird, Tencent, and the email client that comes with my Android phone. However, when I try to log in with Outlook, it keeps giving me an error. I've tried using both my regular password and the application password, but I get the same error each time. I don't know what the problem is!

I've looked at similar articles, but it seems no one has solved this problem. What should I do? Can you help me?

我使用Stalwart部署了一个邮件服务器，我使用163、雷鸟、腾讯以及安卓手机自带的邮件客户端都可以正常登陆我的账号，但是当我使用Outlook登录它时，它一直报错，我尝试使用了普通密码和应用程序密码，都会得到相同的报错，我不知道这是什么问题！

我查看了相同的文章，似乎都没有任何人解决了这个问题，我该怎么做？可以帮助我吗？

{"SessionId":"4ad192c3-ebde-d743-bfd1-2e341ac4f611","Timestamp":1765602851541,"Error":"INVALIDCREDENTIALS TEMPORARILYUNAVAILABLE"}

User's image

2 answers

Your answer

Answer 1

Emmanuel Santana 33,875 Independent Advisor

Hello. Outlook is never getting past the TLS handshake. Authentication is not even starting:

DEBUG TLS handshake error (tls.handshake-error) reason = "Connection reset by peer (os error 104)"

When this happens, Outlook surfaces INVALIDCREDENTIALS / TEMPORARILYUNAVAILABLE because it cannot establish a secure session. It uses a generic auth error even when TLS fails. That’s expected behavior.

Can you please check your Stalwart configuration file (mail.toml or equivalent) and confirm whether TLS 1.2 and TLS 1.3 are enabled, with older versions such as TLS 1.1 or below disabled? Also, if you have explicitly defined cipher suites, can you temporarily comment them out to let Stalwart use its default modern cipher list, or verify that the configured ciphers support forward secrecy?

StephenJose_Dai 0 Reputation points

2025-12-13T09:58:01.48+00:00

According to the official documentation, these are the known supported versions of the protocol. I wonder if Outlook also supports them?

https://stalw.art/docs/server/tls/overview
StephenJose_Dai 0 Reputation points

2025-12-13T10:05:49.9033333+00:00

I haven't selected any protocols or suites yet, which means that all the protocols and suites shown in the image are currently supported and in use.
Emmanuel Santana 33,875 Reputation points Independent Advisor

2025-12-13T10:14:42.3533333+00:00
I’ve read the documentation you shared, and while it should work with Outlook in theory, the problem seems to be how your server is interacting with it.

When adding the account in Outlook, are you using a hostname (for example, mail.yourdomain.com) for the IMAP incoming server, rather than an IP address?

Also, please run this command:

openssl s_client -connect mail.yourdomain.com:993 -servername mail.yourdomain.com -tls1_2

The connection should stay open and you should see certificate details.
StephenJose_Dai 0 Reputation points

2025-12-13T10:23:32.5833333+00:00

CONNECTED(000001AC)

3C2B0000:error:0A0000C6:SSL routines:tls_get_more_records:packet length too long:../openssl-3.5.4/ssl/record/methods/tls_common.c:662:

3C2B0000:error:0A000139:SSL routines::record layer failure:../openssl-3.5.4/ssl/record/rec_layer_s3.c:696:

---

no peer certificate available

---

No client certificate CA names sent

---

SSL handshake has read 5 bytes and written 226 bytes

Verification: OK

---

New, (NONE), Cipher is (NONE)

Protocol: TLSv1.2

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

Protocol : TLSv1.2

Cipher : 0000

Session-ID:

Session-ID-ctx:

Master-Key:

PSK identity: None

PSK identity hint: None

SRP username: None

Start Time: 1765621321

Timeout : 7200 (sec)

Verify return code: 0 (ok)

Extended master secret: no

---

Yes, I passed in the domain name, not the IP address.

It appears that my certificate supports TLSv1.2.

Answer 2

Emmanuel Santana 33,875 Independent Advisor

Thanks for the update. In that case, the TLS protocols and cipher suites themselves are fine.

You are running IMAP on port 993 while Implicit TLS is disabled. Port 993 requires implicit TLS, meaning the TLS handshake must start immediately when the client connects. Outlook expects this and will abort the connection if it does not happen, which matches the TLS handshake reset shown in your logs.

Enable Implicit TLS on the IMAP listener bound to port 993, or alternatively move the listener to port 143 and use STARTTLS instead. Do not mix port 993 with explicit TLS.

Also note that the listener is currently bound only to [::]:993 (IPv6). For compatibility, especially with Outlook, you should also bind 0.0.0.0:993 to allow IPv4 connections.

StephenJose_Dai 0 Reputation points

2025-12-13T10:27:30.6533333+00:00

Let me try binding to the IPv4 address; hopefully that will solve my problem.
Emmanuel Santana 33,875 Reputation points Independent Advisor

2025-12-13T10:32:11.0766667+00:00

Also enable implicit TLS on the IMAP listener bound to port 993, or move the listener to port 143 and use STARTTLS. Port 993 should not be used without Implicit TLS, that's why it shows "packet length too long".
StephenJose_Dai 0 Reputation points

2025-12-13T10:35:36.4766667+00:00

Unfortunately, the problem remains unresolved. I don't think it's an IPv4 binding issue, because I've tried email clients from 163, Thunderbird, and Tencent, and none of them have this problem.
StephenJose_Dai 0 Reputation points

2025-12-13T10:38:24.75+00:00

If I switch to 143, I'm worried about security issues. I trust 993 more than 143.
StephenJose_Dai 0 Reputation points

2025-12-13T10:40:45.9+00:00

If I use implicit TLS on my 993, do my 587 and 465 also need to enable implicit TLS?
Emmanuel Santana 33,875 Reputation points Independent Advisor

2025-12-13T10:41:39.7266667+00:00

Thanks for the logs. The server is still treating port 993 as plaintext IMAP.

The “Tag is not a valid UTF-8 string” error shows that encrypted TLS data is being parsed as IMAP commands, which means Implicit TLS is not active on this listener.

Can you confirm what your current Stalwart IMAP listener configuration is?

Also, it works in other mail clients because they are more tolerant of IMAPS misconfigurations and may still connect, but Outlook strictly enforces IMAPS behavior on port 993 and will immediately abort the connection if TLS does not start on connect.”
StephenJose_Dai 0 Reputation points

2025-12-13T10:44:23.35+00:00

This time I used implicit TLS on ports 993, 465, and 587, but the problem seems to persist.
Emmanuel Santana 33,875 Reputation points Independent Advisor

2025-12-13T10:45:45.7766667+00:00

Port 143 with enforced STARTTLS is just as secure as port 993 since the security comes from TLS, not the port number.

Enabling implicit TLS on IMAP 993 doesn’t affect SMTP. Port 587 should use STARTTLS, while port 465 should use implicit TLS. If the client enforces STARTTLS on port 143, the resulting security level is the same, though 993 is often preferred for securing the connection from the very first packet.

For the other question, each port has its own independent rules, so there’s no need to enable it on other ports.
Emmanuel Santana 33,875 Reputation points Independent Advisor

2025-12-13T10:48:24.33+00:00

Just remove the implicit TLS on port 587.
StephenJose_Dai 0 Reputation points

2025-12-13T10:57:15.2866667+00:00
Emmanuel Santana 33,875 Reputation points Independent Advisor

2025-12-13T11:00:34.6066667+00:00

Run this command so we can check the output as well:

openssl s_client -connect mail.yourdomain.com:993 -servername mail.yourdomain.com
StephenJose_Dai 0 Reputation points

2025-12-13T11:03:25.21+00:00

CONNECTED(000001B4)

depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1

verify return:1

depth=1 C=US, O=Let's Encrypt, CN=R13

verify return:1

depth=0 CN=abc.com

verify return:1

---

Certificate chain

0 s:CN=abc.com

i:C=US, O=Let's Encrypt, CN=R13

a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption

v:NotBefore: Dec 11 07:04:05 2025 GMT; NotAfter: Mar 11 07:04:04 2026 GMT

1 s:C=US, O=Let's Encrypt, CN=R13

i:C=US, O=Internet Security Research Group, CN=ISRG Root X1

a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption

v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIFADCCA+igAwIBAgISBXmnFkV8ZOOIS9bJ/+CZxqiPMA0GCSqGSIb3DQEBCwUA

MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD

EwNSMTMwHhcNMjUxMjExMDcwNDA1WhcNMjYwMzExMDcwNDA0WjAZMRcwFQYDVQQD

Ew56d3lrLmRwZG5zLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB

AJ0pgoJ1qo5OgHlFWxNAc5QZ7jY3puKPqAxtdh4YV8qQndB3hmo89QEMkRPokgkc

sOEoMLDDC0IHUBl7U9FwmCC0ACn+ZB1lFbhW5NDOzHTfq09Ig78D8fjWiwsWudG5

eaNfavJZvMDoGkfa5kIwEsjXI7BYXZ99Y4JKAVxRjYnj8FEo5x/FaqY8cFIEG1JF

NQUhRwoLeP50nTUWj47z27WkyL9EnU9lXamQ6YL772Zheo3AZKGK2zraf3RQ3Pdz

oGRJChTkTnwdQt3jy3SzKeOsNVc9acVkj02Jst1ZqsEoUc+KtESK+5S/gGjhAfN5

u9udeh8Ehalhxbe6Bs7GygcCAwEAAaOCAiYwggIiMA4GA1UdDwEB/wQEAwIFoDAd

BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV

HQ4EFgQU1w+5JJPWK+UuasH/XnA/PKUyMf4wHwYDVR0jBBgwFoAU56ufDywzoFPT

Xk94yLKEDjvWkjMwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzAChhdodHRwOi8v

cjEzLmkubGVuY3Iub3JnLzAZBgNVHREEEjAQgg56d3lrLmRwZG5zLm9yZzATBgNV

HSAEDDAKMAgGBmeBDAECATAuBgNVHR8EJzAlMCOgIaAfhh1odHRwOi8vcjEzLmMu

bGVuY3Iub3JnLzE2LmNybDCCAQwGCisGAQQB1nkCBAIEgf0EgfoA+AB+AHF+lfPC

OIptseOEST0x4VqpYgh2LUIA4AUM0Ge1pmHiAAABmwxu7qsACAAABQAD3mXpBAMA

RzBFAiEAtX9iPQ6Gb88aJXXZ9CTlXhO5gQwtPaBdSJUJWeI4uEECIC1YZn9vcW0o

1iIGiq12qz6JoZCdM03jU8AmV/hyHhg3AHYASZybad4dfOz8Nt7Nh2SmuFuvCoeA

GdFVUvvp6ynd+MMAAAGbDG712QAABAMARzBFAiBxWwim+fRm20PMbqPE0+hN1pIm

vqQ7ibU/qFaLeWyGmQIhAKZCiCVINzuyKbD3qMsCqazFr5Nvm+R7MtWQJR5c22S0

MA0GCSqGSIb3DQEBCwUAA4IBAQCam3qcm8wb99RzSfzc3w6DOEt1qQvP3ZNJL8lr

dsfXyEeHyste91537i76lSrt3LauFd1J/67q89i1NoI4onG+j443dQQ0dH5dJueP

eimu1Tsys0YzRo5qti+z9ODrlMTsBepWluTYf1eqxlvDlhnrS0KQo8ub6XMdkzZR

JWIusWKxQ6+53635gC6SbGKb1HONbbIWYMHfpq8JuFuKAvNacxNia3Jne/2YG4NN

R7iWJrG3Lem6AKfnDe5ESPWTsWlTiMRi/d/kFi800b6k731dQsQ829d0T1ztzPXG

RSrPPOgjPl9x3rt7Q0pCvqr4UOiNonETOysqSa89p5QyX4EQ

-----END CERTIFICATE-----

subject=CN=abc.com

issuer=C=US, O=Let's Encrypt, CN=R13

---

No client certificate CA names sent

Peer signing digest: SHA512

Peer signature type: rsa_pss_rsae_sha512

Peer Temp Key: X25519, 253 bits

---

SSL handshake has read 3072 bytes and written 1634 bytes

Verification: OK

---

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

Protocol: TLSv1.3

Server public key is 2048 bit

This TLS version forbids renegotiation.

Compression: NONE

Expansion: NONE

No ALPN negotiated

Early data was not sent

Verify return code: 0 (ok)

---

---

Post-Handshake New Session Ticket arrived:

SSL-Session:

Protocol : TLSv1.3

Cipher : TLS_AES_256_GCM_SHA384

Session-ID: 0999193130644576938B967F8631E694FBC356AB00B843739C4280F592D53A3E

Session-ID-ctx:

Resumption PSK: D7C3BA02309981EE4FB4BBF7D1056A7F9FD6DC18ACE5593640D6102D9DC1B3C3788B94692166832D03F25991BF44D80C

PSK identity: None

PSK identity hint: None

SRP username: None

TLS session ticket lifetime hint: 86400 (seconds)

TLS session ticket:

0000 - 7a 75 6b 5f ae 9f ba b5-dc 78 c5 5f 94 5b 42 77 zuk_.....x._.[Bw

0010 - ee 46 2b d2 ed b3 5a 3b-7f 02 ce fb 3c 98 68 7b .F+...Z;....<.h{

Start Time: 1765623687

Timeout : 7200 (sec)

Verify return code: 0 (ok)

Extended master secret: no

Max Early Data: 0

---

read R BLOCK

---

Post-Handshake New Session Ticket arrived:

SSL-Session:

Protocol : TLSv1.3

Cipher : TLS_AES_256_GCM_SHA384

Session-ID: EDAEB1878D394E290502161A0D65E513179269DD7A643069A10B3E012D45377B

Session-ID-ctx:

Resumption PSK: 442332F4C106FE55FBB5B426E24A4401B93E9EBF7324F959CF260DF5D56EB67577E9D61E250413EC0BE0165F9F5CAC79

PSK identity: None

PSK identity hint: None

SRP username: None

TLS session ticket lifetime hint: 86400 (seconds)

TLS session ticket:

0000 - 35 ee 72 dc 72 49 9d f5-d6 f5 e8 23 df 96 36 4b 5.r.rI.....#..6K

0010 - a0 91 a8 af 1f f9 e0 b4-29 cb 6f 46 42 5e df b3 ........).oFB^..

Start Time: 1765623687

Timeout : 7200 (sec)

Verify return code: 0 (ok)

Extended master secret: no

Max Early Data: 0

---

read R BLOCK

* OK [CAPABILITY IMAP4rev2 IMAP4rev1 ENABLE SASL-IR LITERAL+ ID UTF8=ACCEPT JMAPACCESS AUTH=PLAIN AUTH=OAUTHBEARER AUTH=XOAUTH2] Stalwart IMAP4rev2 at your service.
Emmanuel Santana 33,875 Reputation points Independent Advisor

2025-12-13T11:24:41.07+00:00

Thanks for the logs, yeah now everything looks fine, at least from POV.

The TLS handshake succeeds, a valid Let’s Encrypt certificate is presented, TLS 1.3 is negotiated, and the server immediately returns a proper IMAP greeting.
StephenJose_Dai 0 Reputation points

2025-12-13T11:33:51.45+00:00

However, in reality, I still cannot log in to Stawart using Outlook.
StephenJose_Dai 0 Reputation points

2025-12-13T11:35:12.1833333+00:00

I need to confirm something with you: Does Outlook require an application password to log in to Stawart? Or is a regular password sufficient?
StephenJose_Dai 0 Reputation points

2025-12-13T11:38:55.5166667+00:00

2025-12-13T11:37:34Z DEBUG TLS handshake error (tls.handshake-error)

listenerId = "imaptls"

localPort = 993

remoteIp = 40.100.24.132

remotePort = 12042

reason = "Connection reset by peer (os error 104)"

2025-12-13T11:37:36Z DEBUG TLS handshake error (tls.handshake-error)

listenerId = "imaptls"

localPort = 993

remoteIp = 40.99.20.133

remotePort = 6250

reason = "Connection reset by peer (os error 104)"

2025-12-13T11:37:41Z DEBUG TLS handshake error (tls.handshake-error)

listenerId = "imaptls"

localPort = 993

remoteIp = 40.99.22.85

remotePort = 24564

reason = "Connection reset by peer (os error 104)"

2025-12-13T11:37:45Z DEBUG TLS handshake error (tls.handshake-error)

listenerId = "imaptls"

localPort = 993

remoteIp = 40.99.86.173

remotePort = 13161

reason = "Connection reset by peer (os error 104)"

2025-12-13T11:37:47Z DEBUG TLS handshake error (tls.handshake-error)

listenerId = "imaptls"

localPort = 993

remoteIp = 52.97.87.45

remotePort = 52961

reason = "Connection reset by peer (os error 104)"

2025-12-13T11:37:51Z DEBUG TLS handshake error (tls.handshake-error)

listenerId = "imaptls"

localPort = 993

remoteIp = 52.98.55.21

remotePort = 31156

reason = "Connection reset by peer (os error 104)"

2025-12-13T11:37:57Z DEBUG TLS handshake error (tls.handshake-error)

listenerId = "imaptls"

localPort = 993

remoteIp = 40.99.20.37

remotePort = 40033

reason = "Connection reset by peer (os error 104)"

2025-12-13T11:37:59Z DEBUG TLS handshake error (tls.handshake-error)

listenerId = "imaptls"

localPort = 993

remoteIp = 40.99.120.85

remotePort = 59121

reason = "Connection reset by peer (os error 104)"

2025-12-13T11:38:04Z DEBUG TLS handshake error (tls.handshake-error)

listenerId = "imaptls"

localPort = 993

remoteIp = 40.99.83.85

remotePort = 49126

reason = "Connection reset by peer (os error 104)"

2025-12-13T11:38:07Z DEBUG TLS handshake error (tls.handshake-error)

listenerId = "imaptls"

localPort = 993

remoteIp = 40.100.25.12

remotePort = 19276

reason = "Connection reset by peer (os error 104)"

Based on my Stawart logs, the TLS handshake is still failing.
Emmanuel Santana 33,875 Reputation points Independent Advisor

2025-12-13T11:39:29.7633333+00:00

--- replied below, repetitive...
Emmanuel Santana 33,875 Reputation points Independent Advisor

2025-12-13T11:47:35.0966667+00:00

Yeah, I'm baffled. As long as 2FA is not enabled a regular password would suffice.

I'm thinking two things you can do, one is to temporarily disable the IPv6 binding ([::]:993 and [::]:465) to force Outlook to use IPv4, or vice versa, to isolate a network layer problem. The other one is using port 143 with STARTTLS for IMAP, and port 587 with STARTTLS for SMTP.
StephenJose_Dai 0 Reputation points

2025-12-13T12:04:06.36+00:00

2025-12-13T12:00:24Z DEBUG IMAP connection started (imap.connection-start)

listenerId = "imap"

localPort = 143

remoteIp = 40.100.24.162

remotePort = 11278

2025-12-13T12:00:24Z TRACE Raw IMAP input received (imap.raw-input)

listenerId = "imap"

localPort = 143

remoteIp = 40.100.24.162

remotePort = 11278

size = 399

contents = base64:FgMBAYoBAAGGAwP/ppLNi+rwazldKIGT5pb9yth4JLTgZHuF+GfhalJAVSAjjVvn2Ap9fVMHu5rumEKh7FkfWZ1bnphoYcGbP5Ek9QAoEwITAcAwwC/AKMAnwCzAK8AkwCPAFMATwArACQCdAJwAPQA8ADUALwEAARUAAAATABEAAA56d3lrLmRwZG5zLm9yZwArAAUEAwQDAwANABoAGAgECAUIBgQBBQECAQQDBQMCAwICBgEGAwAjAAAACgAGAAQAGAAXAAsAAgEAADMArACqABgAYQTjUOljSFYW+1ms1YkZW16MR+1z5L8IMYloU2ZUpkvcdWmHVULKLunUvuVNz0Qc1sOgE1UP4k68Sc5Ym9bVzMz4RdKs23w271JKmLVPe5M5RMZ4tJf4ebJjugwksFnzfkoAFwBBBA2PYu7/Smv9vUSY3N3R8XCRODpg9245G56zIy8KAdRUWrLXIaz+bF4LmOjmQzrUzV5ce8xJqsXAtTiYZ6nBGuQAMQAAABcAAP8BAAEAAC0AAgEB

2025-12-13T12:00:24Z TRACE Write batch operation (store.data-write)

elapsed = 0ms

total = 2

2025-12-13T12:00:24Z DEBUG IMAP error occurred (imap.error)

listenerId = "imap"

localPort = 143

remoteIp = 40.100.24.162

remotePort = 11278

details = "Tag is not a valid UTF-8 string."

type = "BAD"

code = "PARSE"

2025-12-13T12:00:24Z TRACE Raw IMAP output sent (imap.raw-output)

listenerId = "imap"

localPort = 143

remoteIp = 40.100.24.162

remotePort = 11278

size = 48

contents = "* BAD [PARSE] Tag is not a valid UTF-8 string.\r\n"

2025-12-13T12:00:24Z TRACE Network write error (network.write-error)

listenerId = "imap"

localPort = 143

remoteIp = 40.100.24.162

remotePort = 11278

reason = "Connection reset by peer (os error 104)"

details = "Failed to write to stream"

2025-12-13T12:00:24Z DEBUG IMAP connection ended (imap.connection-end)

listenerId = "imap"

localPort = 143

remoteIp = 40.100.24.162

remotePort = 11278

elapsed = 4ms

I'm using STARTTLS 143 for IMAP and STARTTLS 587 for SMTP, but it still doesn't work. Strangely, however, the same protocol and port work fine with Gmail.

I need to clarify here that my domain name dnot resolve to any IPv6 address, and my server does not have an IPv6 address either. Therefore, I believe that even if it is listening on IPv6, it will not affect its normal operation.
Emmanuel Santana 33,875 Reputation points Independent Advisor

2025-12-13T12:07:53.5333333+00:00

Can you try with classic Outlook?
StephenJose_Dai 0 Reputation points

2025-12-13T12:13:02.5266667+00:00

Is this what you're talking about?
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
StephenJose_Dai 0 Reputation points

2025-12-13T12:21:10+00:00

It's strange, both my application password and my regular password failed to log in.
StephenJose_Dai 0 Reputation points

2025-12-13T12:24:06.9133333+00:00
StephenJose_Dai 0 Reputation points

2025-12-13T12:24:12.7033333+00:00

I tried STARTTLS 143, 587 and SSL/TLS 993, 465, but encountered the same problem.
StephenJose_Dai 0 Reputation points

2025-12-13T16:47:54.8+00:00

I can log in normally using Outlook on Windows 10, but Mail on Windows 10 still reports a TLS handshake failure error.
Emmanuel Santana 33,875 Reputation points Independent Advisor

2025-12-14T05:59:35.6933333+00:00

If you’re able to sign in with Outlook (Classic) on Windows 10, that means your server, TLS, and certificate setup are all correct, there’s nothing more you need to tweak on the Stalwart side.

The issue with the Windows 10 Mail app is, unfortunately, a common one. The Mail app relies on an outdated IMAP and TLS stack, which isn’t as robust or up-to-date as what Outlook uses. Because of this, it tends to have trouble connecting with custom IMAP servers, newer TLS 1.3 encryption, or any mail server using stricter security, even when everything is set up properly.

Given that the Mail app's support ended in December 2024, any remaining failure is irrelevant as the application is officially obsolete and non-functional for mail.
StephenJose_Dai 0 Reputation points

2025-12-14T06:12:22.86+00:00

Can I understand this to mean that, from a security perspective, Stallwart's configuration is already relatively secure and stringent, and due to issues with the Mail application, it might be incompatible with more custom, strictly secure servers like Stallwart;

However, since Mail has stopped receiving updates, all its current problems and malfunctions are meaningless, and I might need to try to find other alternatives?

For example, clients like 163, Tencent, Thunderbird, or Outlook?
Emmanuel Santana 33,875 Reputation points Independent Advisor

2025-12-14T06:27:15.7333333+00:00

Yes, that’s a correct takeaway.

Your Stalwart setup is already secure and properly configured.

The TLS errors you see in the Windows Mail app are due to the app itself, it’s no longer actively maintained and doesn’t handle stricter, modern mail servers very well. Because of that, its failures aren’t a reliable signal of a security issue on your server.

From the official notes on this:

Support for Windows Mail, Calendar, and People ended on December 31, 2024. You can no longer able to send and receive emails or events using Windows Mail and Calendar. We recommend you move to new Outlook or Outlook.com. https://support.microsoft.com/en-us/office/outlook-for-windows-the-future-of-mail-calendar-and-people-on-windows-11-715fc27c-e0f4-4652-9174-47faa751b199

The most practical approach is to use a supported client such as Outlook, Thunderbird, or other actively maintained email applications.
StephenJose_Dai 0 Reputation points

2025-12-14T09:41:57.48+00:00

I have one last question: Is the image of the latest version of Outlook?
StephenJose_Dai 0 Reputation points

2025-12-14T09:54:06.3766667+00:00

It does look like the new version of Outlook, judging from the name in the upper left corner.

Furthermore, when I tried opening my Outlook from the Microsoft Store, it opened the same app shown in the image. This means the new version of the app is experiencing a TLS handshake failure.

https://apps.microsoft.com/detail/9nrx63209r7b?hl=zh-CN&gl=US
Emmanuel Santana 33,875 Reputation points Independent Advisor

2025-12-14T13:20:51.5933333+00:00

Yes, that’s correct. The screenshots show the New Outlook for Windows (the Microsoft Store version), and as discussed earlier, this version still has known TLS handshake issues with some custom/self-hosted IMAP servers. That’s exactly why I asked you to test with Outlook classic (Win32), which connects successfully and confirms your Stalwart setup is correct.

I’ve done a very thorough review and research on this, and at the moment I’m not seeing a reliable fix on the client side for New Outlook. This appears to be a limitation or bug in New Outlook rather than a server or security issue.

To be extra sure, I’ll set up a Stalwart server myself in the next few days and test it specifically with New Outlook. If I find anything useful or a workaround, I’ll come back to you with an update.
StephenJose_Dai 0 Reputation points

2025-12-14T14:07:27.5866667+00:00

Based on the documentation you provided, it seems the official team is guiding users to migrate from older versions of the Mail application to the new Outlook. My current system is already running the latest Outlook, but the problem persists. Perhaps, as you said, this is an issue inherent in the new Outlook version, but the official team doesn't seem to have stopped updating it. Is there any hope that this problem will be resolved in the next version? Or are there other methods to solve it?

Looking forward to your test results!

If necessary, I can assist you in trying to resolve this issue.

To ensure timely communication and discussion on how to resolve this problem, besides posting on the current forum, are there other channels to maintain our communication? For example, Skype or any other instant messaging tool?
Emmanuel Santana 33,875 Reputation points Independent Advisor

2025-12-15T05:27:27.69+00:00

You’re right that Microsoft is encouraging users to move to the new Outlook as part of a broader effort to modernize the platform and apply stricter security and protocol handling by default. TLS negotiation is intentionally strict for security reasons, and in some cases the new Outlook is still refining compatibility with more customized or tightly secured mail server configurations.

For now, the best workaround is to keep using Outlook classic or another compatible client. I’ll also continue testing on my side (including setting up a similar server) and will post any findings or updates here so we can revisit this if something changes.
StephenJose_Dai 0 Reputation points

2025-12-16T08:20:02.9766667+00:00

I tried tracking the Outlook logs and found some issues. You can refer to them; the logs are in JSON format.

It seems to be telling us that an HTTP 400 error occurred when accessing Stawart.

log.txt
Emmanuel Santana 33,875 Reputation points Independent Advisor

2025-12-16T13:35:54.82+00:00

I'm wondering... I haven't had time to configure Stawart myself but from your logs, the network trace shows that Outlook is successfully sending your account details to Microsoft, but the connection fails when Microsoft tries to securely connect to your mail server.

This means your username and password are not the issue; instead, the mail server is rejecting or blocking the secure (TLS) connection from Microsoft’s cloud. New Outlook relies on this cloud-to-server connection, so it will fail unless the mail server allows it.

Using Classic Outlook (desktop) works because it connects directly from your PC.
StephenJose_Dai 0 Reputation points

2025-12-17T01:43:40.55+00:00

I don't seem to see any settings targeting Microsoft. This situation is somewhat different from IP locking because the Stawart logs only tell me that the TLS handshake failed, not that the IP was locked. I have seen the IP locking logs, which are triggered when I fail a certain number of times.

I don't know where to start troubleshooting this problem.

Share via

Outlook cannot log in to the mail server account deployed in Stawart.

2 answers

Your answer