Caldav-Calendar shows sometimes triangle

That’s exactly what I’d also expect. Simply open a new connection even if the old one has died for whatever reason, and everyone will be happy :wink:

OK, got into this state pretty quick. Calendar sync completely stopped working. My log shows this:

10:41:11.492|001|   eM Client 9.2.2157+5b4954246f (Windows)
10:41:11.492|001|   Account's UID is 4cbdf8b9-acf1-4f0d-89db-26d8c9dab907
10:41:11.492|001|   AccountBase.ChangeOnlineState : State changed to ONLINE due User
10:41:11.493|067|   BOOTSTRAP Updating account properties https://xxxx.de/SOGo/dav/[email protected]/
10:41:11.494|067|   Request:
10:41:11.495|067|   Method: PROPFIND, RequestUri: 'https://xxxx.de/SOGo/dav/[email protected]/', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
10:41:11.495|067|   {
10:41:11.495|067|     Accept: text/xml
10:41:11.495|067|     Brief: t
10:41:11.495|067|     Depth: 0
10:41:11.495|067|     User-Agent: eMClient/9.2.2157.0
10:41:11.495|067|     Content-Type: text/xml; charset=utf-8
10:41:11.495|067|   }
10:41:11.496|067|   <?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop><D:displayname /><schedule-inbox-URL xmlns="urn:ietf:params:xml:ns:caldav" /><schedule-outbox-URL xmlns="urn:ietf:params:xml:ns:caldav" /><calendar-user-address-set xmlns="urn:ietf:params:xml:ns:caldav" /><default-calendar-URL xmlns="http://icewarp.com/ns/" /><default-tasks-URL xmlns="http://icewarp.com/ns/" /><default-contacts-URL xmlns="http://icewarp.com/ns/" /><default-notes-URL xmlns="http://icewarp.com/ns/" /><calendar-home-set xmlns="urn:ietf:params:xml:ns:caldav" /><addressbook-home-set xmlns="urn:ietf:params:xml:ns:carddav" /><conference-support xmlns="http://icewarp.com/ns/" /></D:prop></D:propfind>
10:41:11.496|067|   
10:41:11.496|067|   Exception: MailClient.Accounts.ConnectionException: The SSL connection could not be established, see inner exception.
10:41:11.590|067|    ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
10:41:11.590|067|    ---> System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: 'IllegalParameter'.
10:41:11.591|067|    ---> System.ComponentModel.Win32Exception (0x80090326): Das Format der empfangenen Nachricht war unerwartet oder fehlerhaft.
10:41:11.591|067|      --- End of inner exception stack trace ---
10:41:11.591|067|      at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
10:41:11.591|067|      at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
10:41:11.591|067|      --- End of inner exception stack trace ---
10:41:11.591|067|      at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
10:41:11.591|067|      at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
10:41:11.591|067|      at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
10:41:11.591|067|      at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
10:41:11.591|067|      at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
10:41:11.591|067|      at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
10:41:11.591|067|      at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
10:41:11.591|067|      at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
10:41:11.591|067|      at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
10:41:11.591|067|      at System.Net.Http.DecompressionHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
10:41:11.591|067|      at MailClient.Protocols.InteractionController.HttpClientCertificationValidationMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
10:41:11.591|067|      at MailClient.Protocols.Common.HttpClientHandlers.HttpClientLoggingHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
10:41:11.591|067|      at MailClient.Protocols.Common.HttpClientHandlers.HttpClientBackoffHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
10:41:11.591|067|      at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
10:41:11.591|067|      at MailClient.Protocols.CalDav.ProtocolCommands.Connector.RunCommand(CalDavAccount account, ICommand command, CancellationToken cancellationToken)
10:41:11.591|067|      --- End of inner exception stack trace ---
10:41:11.591|067|      at MailClient.Protocols.CalDav.ProtocolCommands.Connector.RunCommand(CalDavAccount account, ICommand command, CancellationToken cancellationToken)
10:41:11.591|067|      at MailClient.Protocols.CalDav.FolderSynchronizer.UpdatePrincipalProperties(Uri baseUri, Boolean retryOnNotFound, CancellationToken cancellationToken)
10:41:11.591|067|      at MailClient.Protocols.CalDav.FolderSynchronizer.Bootstrap(WorkerStatus status, CancellationToken cancellationToken)
10:41:11.591|067|      at MailClient.Protocols.CalDav.CalDavGenericCommand.Execute(WorkerStatus status)
10:41:11.591|067|      at MailClient.Commands.Command.Process(WorkerStatus status)
10:41:11.592|007|   AccountBase.ChangeOnlineState : State changed to OFFLINE due BrokenConnection

So, emClient is complaining about a TLS issue. But TLS is fine (ran a testtls.com check). Also, if the TLS config were the problem, the connection issue would persist.

Second serious, and also main, issue: emClient does not retry in 5 minutes (my sync interval). It stays in this error state forever until it’s restarted.

After restarting emClient, it’s simply happy again (until it gets into that state again).

11:10:49.197|00F|   eM Client 9.2.2157+5b4954246f (Windows)
11:10:49.197|00F|   Account's UID is 4cbdf8b9-acf1-4f0d-89db-26d8c9dab907
11:10:49.197|00F|   AccountBase.ChangeOnlineState : State changed to ONLINE due User
11:10:49.204|029|   BOOTSTRAP Updating account properties https://mail.xxxx.de/SOGo/dav/[email protected]/
11:10:49.213|029|   Request:
11:10:49.214|029|   Method: PROPFIND, RequestUri: 'https://mail.xxxx.de/SOGo/dav/[email protected]/', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
11:10:49.214|029|   {
11:10:49.214|029|     Accept: text/xml
11:10:49.222|029|     Brief: t
11:10:49.222|029|     Depth: 0
11:10:49.222|029|     User-Agent: eMClient/9.2.2157.0
11:10:49.222|029|     Content-Type: text/xml; charset=utf-8
11:10:49.222|029|   }
11:10:49.224|029|   <?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop><D:displayname /><schedule-inbox-URL xmlns="urn:ietf:params:xml:ns:caldav" /><schedule-outbox-URL xmlns="urn:ietf:params:xml:ns:caldav" /><calendar-user-address-set xmlns="urn:ietf:params:xml:ns:caldav" /><default-calendar-URL xmlns="http://icewarp.com/ns/" /><default-tasks-URL xmlns="http://icewarp.com/ns/" /><default-contacts-URL xmlns="http://icewarp.com/ns/" /><default-notes-URL xmlns="http://icewarp.com/ns/" /><calendar-home-set xmlns="urn:ietf:params:xml:ns:caldav" /><addressbook-home-set xmlns="urn:ietf:params:xml:ns:carddav" /><conference-support xmlns="http://icewarp.com/ns/" /></D:prop></D:propfind>
11:10:49.224|029|   
11:10:49.224|029|   Response:
11:10:50.048|01B|   StatusCode: 207, ReasonPhrase: 'Multi-Status', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
11:10:50.049|01B|   {
11:10:50.049|01B|     Server: nginx
11:10:50.049|01B|     Date: Tue, 16 Jan 2024 10:10:50 GMT
11:10:50.049|01B|     x-dav-error: 200 No error
11:10:50.049|01B|     ms-author-via: DAV
11:10:50.049|01B|     Pragma: no-cache
11:10:50.049|01B|     Cache-Control: no-cache
11:10:50.049|01B|     X-Frame-Options: SAMEORIGIN
11:10:50.049|01B|     Content-Type: text/xml; charset=utf-8
11:10:50.049|01B|     Content-Length: 984
11:10:50.049|01B|   }
11:10:50.049|01B|   <?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:c="urn:ietf:params:xml:ns:carddav" xmlns:D="DAV:" xmlns:a="urn:ietf:params:xml:ns:caldav" xmlns:b="http://icewarp.com/ns/"><D:response><D:href>/SOGo/dav/[email protected]/</D:href><D:propstat><D:status>HTTP/1.1 200 OK</D:status><D:prop><D:displayname>Marco Jakobs</D:displayname><a:schedule-inbox-URL><D:href xmlns:D="DAV:">/SOGo/dav/[email protected]/Calendar/inbox/</D:href></a:schedule-inbox-URL><a:schedule-outbox-URL><D:href xmlns:D="DAV:">/SOGo/dav/[email protected]/Calendar/personal/</D:href></a:schedule-outbox-URL><a:calendar-user-address-set><D:href xmlns:D="DAV:">mailto:[email protected]</D:href><D:href xmlns:D="DAV:">/SOGo/dav/[email protected]/</D:href></a:calendar-user-address-set><a:calendar-home-set><D:href xmlns:D="DAV:">/SOGo/dav/[email protected]/Calendar/</D:href></a:calendar-home-set><c:addressbook-home-set><D:href xmlns:D="DAV:">/SOGo/dav/[email protected]/Contacts/</D:href></c:addressbook-home-set></D:prop></D:propstat></D:response></D:multistatus>
11:10:50.049|01B|   
11:10:50.049|01B|   Request:
11:10:50.083|029|   Method: OPTIONS, RequestUri: 'https://mail.xxxx.de/SOGo/dav/[email protected]/Calendar/', Version: 1.1, Content: <null>, Headers:
11:10:50.083|029|   {
11:10:50.084|029|     User-Agent: eMClient/9.2.2157.0
11:10:50.084|029|   }
11:10:50.084|029|   
11:10:50.084|029|   Response:
11:10:50.169|01B|   StatusCode: 200, ReasonPhrase: 'OK', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
11:10:50.169|01B|   {
11:10:50.169|01B|     Server: nginx
11:10:50.169|01B|     Date: Tue, 16 Jan 2024 10:10:50 GMT
11:10:50.169|01B|     dav: 1, 2, access-control, calendar-access, calendar-schedule, calendar-auto-schedule, calendar-proxy, calendar-query-extended, extended-mkcol, calendarserver-principal-property-search
11:10:50.169|01B|     Strict-Transport-Security: max-age=15768000;
11:10:50.169|01B|     X-Content-Type-Options: nosniff
11:10:50.170|01B|     X-XSS-Protection: 1; mode=block
11:10:50.170|01B|     x-robots-tag: none
11:10:50.170|01B|     x-download-options: noopen
11:10:50.170|01B|     X-Frame-Options: SAMEORIGIN
11:10:50.170|01B|     x-permitted-cross-domain-policies: none
11:10:50.170|01B|     Referrer-Policy: strict-origin
11:10:50.170|01B|     Content-Type: text/plain; charset=utf-8
11:10:50.170|01B|     Content-Length: 0
11:10:50.170|01B|     Allow: GET, HEAD, POST, OPTIONS, MKCOL, MKCALENDAR, DELETE, PUT, LOCK, UNLOCK, COPY, MOVE, REPORT, PROPFIND, SEARCH
11:10:50.170|01B|   }
11:10:50.171|01B|   
11:10:50.171|01B|   
11:10:50.171|01B|   Request:
11:10:50.184|029|   Method: PROPFIND, RequestUri: 'https://mail.xxxx.de/SOGo/dav/[email protected]/Calendar/inbox/', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
11:10:50.184|029|   {
11:10:50.184|029|     Accept: text/xml
11:10:50.184|029|     Brief: t
11:10:50.184|029|     Depth: 0
11:10:50.184|029|     User-Agent: eMClient/9.2.2157.0
11:10:50.184|029|     Content-Type: text/xml; charset=utf-8
11:10:50.184|029|   }
11:10:50.185|029|   <?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop><schedule-default-calendar-URL xmlns="urn:ietf:params:xml:ns:caldav" /><schedule-default-tasks-URL xmlns="http://calendarserver.org/ns/" /></D:prop></D:propfind>
11:10:50.185|029|   
11:10:50.185|029|   Response:
11:10:50.258|01C|   StatusCode: 207, ReasonPhrase: 'Multi-Status', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
11:10:50.259|01C|   {
11:10:50.259|01C|     Server: nginx
11:10:50.259|01C|     Date: Tue, 16 Jan 2024 10:10:50 GMT
11:10:50.259|01C|     x-dav-error: 200 No error
11:10:50.259|01C|     ms-author-via: DAV
11:10:50.259|01C|     Pragma: no-cache
11:10:50.259|01C|     Cache-Control: no-cache
11:10:50.259|01C|     X-Frame-Options: SAMEORIGIN
11:10:50.259|01C|     Content-Type: text/xml; charset=utf-8
11:10:50.259|01C|     Content-Length: 500
11:10:50.259|01C|   }
11:10:50.259|01C|   <?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:a="urn:ietf:params:xml:ns:caldav" xmlns:b="http://calendarserver.org/ns/"><D:response><D:href>/SOGo/dav/[email protected]/Calendar/inbox/</D:href><D:propstat><D:status>HTTP/1.1 200 OK</D:status><D:prop><n1:schedule-default-calendar-URL xmlns:n1="urn:ietf:params:xml:ns:caldav" xmlns:D="DAV:"><D:href>/SOGo/dav/[email protected]/Calendar/personal/</D:href></n1:schedule-default-calendar-URL></D:prop></D:propstat></D:response></D:multistatus>
11:10:50.259|01C|   
11:10:50.259|01C|   BOOTSTRAP finished

That’s definitely an emClient issue IMHO.

I’ll open a support case …
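
The two symptoms reported in the post above (a TLS alert sent by the server, then an account that stays OFFLINE past the sync interval) can be pulled out of such a log mechanically; this is an added example, not part of the original thread or of eM Client. The function names, the sample lines (constructed from the log format shown above) and the reference time passed to `stuck_offline` are assumptions.

```shell
#!/bin/sh
# Added example: triage an eM Client CalDAV log for TLS alerts and a stuck OFFLINE state.
# Log format as shown in the thread: HH:MM:SS.mmm|thread|   message

# Constructed sample, modelled on the log excerpt in the thread.
sample_log() {
    cat <<'EOF'
10:41:11.492|001|   AccountBase.ChangeOnlineState : State changed to ONLINE due User
10:41:11.494|067|   Request:
10:41:11.590|067|    ---> System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: 'IllegalParameter'.
10:41:11.592|007|   AccountBase.ChangeOnlineState : State changed to OFFLINE due BrokenConnection
EOF
}

# Print "time alert-name" for every TLS alert received from the server.
tls_alerts() {
    sed -n "s/^\([0-9:.]*\)|.*sent a TLS alert: '\([A-Za-z]*\)'.*/\1 \2/p" "$1"
}

# Exit 0 when the last BrokenConnection was followed by no request or ONLINE
# transition and more than INTERVAL seconds have passed by NOW.
# usage: stuck_offline LOGFILE NOW(HH:MM:SS) INTERVAL_SECONDS   (same-day logs only)
stuck_offline() {
    awk -F'|' -v now="$2" -v interval="$3" '
        function secs(t,   p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
        /State changed to OFFLINE due BrokenConnection/ { off = secs($1); pending = 1; next }
        /State changed to ONLINE/ || /Request:/         { pending = 0 }
        END { exit !(pending && secs(now) - off > interval) }
    ' "$1"
}

# Demo on the constructed sample: 5-minute sync interval, checked at 10:52:00.
log=$(mktemp)
sample_log > "$log"
tls_alerts "$log"
stuck_offline "$log" 10:52:00 300 && echo "no retry since BrokenConnection"
rm -f "$log"
```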

I can say that this problem also still persists in our environment.

After discussing in my support ticket, Gary assumed it might be related to issues in some TLSv1.3 ciphers.

My HAProxy supports these ciphers for TLSv1.3:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256

For testing, I’ve disabled TLSv1.2 temporarily, so emClient is forced to use TLSv1.3. Then I limited the ciphers one by one to also force it to use one specific cipher.

My result:
The first two ciphers are working properly.

TLS_CHACHA20_POLY1305_SHA256 does give an error; unfortunately, it’s slightly different:

14:14:09.242|026|   Exception: MailClient.Accounts.ConnectionException: The SSL connection could not be established, see inner exception.
14:14:09.315|026|    ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
14:14:09.315|026|    ---> System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: 'HandshakeFailure'.

It says “Handshake failure” instead of “IllegalParameter”.

@dirk_e Can you double-check whether you have TLSv1.3 enabled and, if so, whether TLS_CHACHA20_POLY1305_SHA256 is in your cipher list?

I’ve disabled that cipher for now and will continue testing. The slightly different error message worries me; maybe the issue is in a different (TLSv1.2) cipher …

The global configuration in HAProxy I’m running currently for further testing is:

ssl-default-bind-options ssl-min-ver TLSv1.2
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384

@dirk_e @Holger_Brinkhaus As you both use Mailcow (as I do everywhere), what’s your setup at the port 443 path?

Does your server have a dedicated IP and is SOGo served directly via the Mailcow Docker NGINX container, or do you have any kind of additional proxy (HAProxy, NGINX, Traefik) in between here?

Hi, I use Mailcow with a standard setup in a VM with a fixed IP and no additional proxy. The VM is just used for Mailcow and there is no special setup for the ports…

@Holger_Brinkhaus Try to disable TLSv1.3 on your server as recommended by @Gary.

In Mailcow go to /opt/mailcow-dockerized/data/conf/nginx/includes/site-defaults.conf

Here change the line

ssl_protocols TLSv1.2 TLSv1.3;

to

ssl_protocols TLSv1.2;

Then do a

docker compose restart nginx-mailcow

Let us know if this fixes the issue … at least until there is a fix in emClient.

The config is overwritten with Mailcow updates of the NGINX container … so you need to check this after each update unfortunately.
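
Because a Mailcow update restores the stock file, the workaround above can be re-checked and re-applied after each update; this is an added example, not part of the original thread or of Mailcow. The function names and running `docker compose` from `/opt/mailcow-dockerized` are assumptions; the file path, directive and restart command are the ones given above.

```shell
#!/bin/sh
# Added example: detect and undo the reset of ssl_protocols after a Mailcow update.
MAILCOW=/opt/mailcow-dockerized                              # install directory, taken from the path in the thread
CONF=$MAILCOW/data/conf/nginx/includes/site-defaults.conf    # file named in the thread

# Exit 0 when an active (uncommented) ssl_protocols directive offers TLSv1.3.
tls13_offered() {
    grep -Eq '^[[:space:]]*ssl_protocols[[:space:]][^#;]*TLSv1\.3' "$1"
}

# Pin ssl_protocols to TLSv1.2 only, keeping a .bak copy of the previous file.
# Exit 0 when the file was changed, 1 when it was already pinned.
pin_tls12() {
    tls13_offered "$1" || return 1
    cp -p "$1" "$1.bak"
    sed 's/^\([[:space:]]*ssl_protocols[[:space:]]\)[^#;]*TLSv1\.3[^;]*;/\1TLSv1.2;/' \
        "$1.bak" > "$1"
}

# Restart nginx only when the update actually reverted the setting.
if [ -f "$CONF" ] && pin_tls12 "$CONF"; then
    echo "TLSv1.3 was re-enabled by an update; pinned to TLSv1.2 again"
    (cd "$MAILCOW" && docker compose restart nginx-mailcow)
fi
```

Once a fixed client is available, copying the `.bak` file back restores `ssl_protocols TLSv1.2 TLSv1.3;`.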

I have the same problem with the calendar with mailbox.org.
You can solve the problem once with the repair function.
right-click on the calendar → properties → repair

Then the red chevron appears again immediately.

Best Regards!

After I installed beta version 10, the problem persists. But now I get an error message about the password. Since IMAP works, it is also the correct password for the calendar.