Hi,
I can no longer connect to Dovecot (IMAP). The connection is terminated
by Dovecot after Client Helo.
My server:
Dovecot 2.3.3
Debian buster/sid
Architecture: ppc
My problems started in late August after upgrading Dovecot.
SSL settings:
ssl_dh = </etc/ssl/dh2048.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list =
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl_prefer_server_ciphers = yes
Client:
OS Android 6.0.1
Aquamail
Log from Dovecot:
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL: where=0x10,
ret=1: before SSL initialization
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: before SSL initialization
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL: where=0x2002,
ret=-1: before SSL initialization
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1: before SSL initialization
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL alert:
where=0x4008, ret=598: fatal unknown
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL: where=0x2002,
ret=-1: error
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL error:
SSL_accept() failed: error:14209175:SSL
routines:tls_early_post_process_client_hello:inappropriate fallback
Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL error:
SSL_accept() syscall failed: Invalid argument
Sep 15 23:19:02 debian2 dovecot: imap-login: Disconnected (no auth
attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX,
lip=XXX.XXX.XXX.XXX,TLS handshaking: SSL_accept() syscall failed:
Invalid argument, session=<XXXXXXXXXXX>
Log from client (Aquamail) is a bit longer (see attachment).
I have also listened to the communication using Wireshark. The last
piece of communication is Client Helo. After the client sends Client
Helo, there is no reply from Dovecot and the server closes the
communication.
This is the Client Helo, in the "structured view" iin Wireshark:
|Secure Sockets Layer TLSv1 Record Layer: Handshake Protocol: Client
Hello Content Type: Handshake (22) Version: TLS 1.0
(0x0301) Length: 176 Handshake Protocol: Client Hello
Handshake Type: Client Hello (1) Length: 172
Version: TLS 1.2 (0x0303) Random:
2b7af5ba92040f081a5a3621e9d9cbab2d50b829b7fe755f... Session
ID Length: 0 Cipher Suites Length: 62 Cipher
Suites (31 suites) Cipher Suite:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Cipher
Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
(0x009f) Cipher Suite:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) Cipher
Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) Cipher
Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) Cipher
Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
(0xc013) Cipher Suite:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) Cipher
Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Cipher
Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher
Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Cipher
Suite: TLS_FALLBACK_SCSV (0x5600) Compression Methods
Length: 1 Compression Methods (1 method)
Extensions Length: 69 Extension: server_name (len=17)
Extension: extended_master_secret (len=0) Extension:
signature_algorithms (len=22) Type: signature_algorithms
(13) Length: 22 Signature Hash
Algorithms Length: 20 Signature Hash Algorithms (10
algorithms) Signature Algorithm: rsa_pkcs1_sha512
(0x0601) Signature Algorithm: ecdsa_secp521r1_sha512
(0x0603) Signature Algorithm: rsa_pkcs1_sha384
(0x0501) Signature Algorithm: ecdsa_secp384r1_sha384
(0x0503) Signature Algorithm: rsa_pkcs1_sha256
(0x0401) Signature Algorithm: ecdsa_secp256r1_sha256
(0x0403) Signature Algorithm: SHA224 RSA (0x0301)
Signature Algorithm: SHA224 ECDSA (0x0303)
Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
Signature Algorithm: ecdsa_sha1 (0x0203) |
|What I tried: |
* |change all possible settings in Dovecot (ssl_min_protocol,
ssl_cipher_list ...)|
* |change certificate I use|
|I also got in touch with the developer of Aquamail (see our discussion
here: https://www.aqua-mail.com/forum/index.php?topic=6824.0 ).|
|The developer was able to reproduce the handshake error. We believe
that the problem is that Dovecot rejects ClientHello as long as it is
wrapped in the TLSv1 Record Layer (see the second lilne in the Wireshark
log). According to the developer, Dovecot should accept Client Helo
wrapped in the TLSv1 Record Layer.|
|Thank you very much for your help. Best regards VB |
2018.09.15 23:27:57.268 +0200 [EXEC.2652] Executing task
[org.kman.AquaMail.mail.imap.ImapTask_Sync@4988403, u =
content://org.kman.AquaMail.data/accounts/2, t = 86965199, a =
[org.kman.AquaMail.mail.MailAccount@1206fe7: id = 2, username = XXXXXXX, email
= x...@xxxxxx.xxx, name = x...@xxxxxx.xxx]] on Executor_Network#0
2018.09.15 23:27:57.269 +0200 [EXEC.2652] Executing task
[org.kman.AquaMail.mail.imap.ImapTask_Sync@4988403, u =
content://org.kman.AquaMail.data/accounts/2, t = 86965199, a =
[org.kman.AquaMail.mail.MailAccount@1206fe7: id = 2, username = XXXXXXX, email
= x...@xxxxxx.xxx, name = x...@xxxxxx.xxx]]
2018.09.15 23:27:57.270 +0200 [MDATR.2652] Using WiFi sync policy values
2018.09.15 23:27:57.270 +0200 [SYNC.2652] SyncPolicy: mSyncByCount = 100,
mCommandBatchSize = 25
2018.09.15 23:27:57.271 +0200 [LOCKS.2652] acquire for 2,
[org.kman.AquaMail.mail.imap.ImapTask_Sync@4988403, u =
content://org.kman.AquaMail.data/accounts/2, t = 86965199, a =
[org.kman.AquaMail.mail.MailAccount@1206fe7: id = 2, username = XXXXXXX, email
= x...@xxxxxx.xxx, name = x...@xxxxxx.xxx]] on thread =
Thread[Executor_Network#0,5,main], tid = 2652, thash = 02c90ff4
2018.09.15 23:27:57.272 +0200 [LOCKS.2652] AccountSyncLock after pass:
Active: 1
Index = 0, lock = org.kman.AquaMail.core.AccountSyncLock$b@2c38e98, accountId =
2, thread = Thread[Executor_Network#0,5,main], tid = 2652, thash = 02c90ff4,
since = 2018-09-15 23:27:57:272
Queue: 0
2018.09.15 23:27:57.272 +0200 [NETWRK.2652] Request for connection
content://org.kman.AquaMail.data/accounts/2/in to [XXXXXX.XXX:143, tlsStrict,
login = 0, pass = true, cert = false]
2018.09.15 23:27:57.273 +0200 [POWER.2652] >>>>> Acquiring wake lock for
MailConnectionManager
2018.09.15 23:27:57.273 +0200 [POWER.2652] Acquired wake lock flag
0x01000000, result 0x05000000
2018.09.15 23:27:57.273 +0200 LockManager ... Wake lock already held
2018.09.15 23:27:57.274 +0200 [NETWRK.2652] Semaphore acquire for
[XXXXXX.XXX:143, tlsStrict, login = 0, pass = true, cert = false]
2018.09.15 23:27:57.274 +0200 [NETWRK.2652] Connecting to [XXXXXX.XXX:143,
tlsStrict, login = 0, pass = true, cert = false]
2018.09.15 23:27:57.274 +0200 [NETWRK.2652] Resolving address for XXXXXX.XXX
2018.09.15 23:27:57.280 +0200 [CONCTR.1] Service state change: uri:
content://org.kman.AquaMail.data/accounts/2/out/231588601, what: 160, aux =
0x1234abcd
2018.09.15 23:27:57.281 +0200 AccountListShard Send state: uri:
content://org.kman.AquaMail.data/accounts/2/out/231588601, what: 160, aux =
0x1234abcd
2018.09.15 23:27:57.281 +0200 [CONCTR.1] Service state change: uri:
content://org.kman.AquaMail.data/accounts/2/out/231588601, what: 160, aux =
0x1234abcd
2018.09.15 23:27:57.282 +0200 [CONCTR.1] Service state change: uri:
content://org.kman.AquaMail.data/accounts/2/out/231588601, what: 161, aux =
0x001a
2018.09.15 23:27:57.282 +0200 AccountListShard Send state: uri:
content://org.kman.AquaMail.data/accounts/2/out/231588601, what: 161, aux =
0x001a
2018.09.15 23:27:57.283 +0200 [CONCTR.1] Service state change: uri:
content://org.kman.AquaMail.data/accounts/2/out/231588601, what: 161, aux =
0x001a
2018.09.15 23:27:57.283 +0200 AsyncDataLoaderImpl Submit
org.kman.AquaMail.data.AsyncDataLoader@274dc81 item
org.kman.AquaMail.view.d$c@44636f1
2018.09.15 23:27:57.283 +0200 AsyncDataLoaderWorker_CONTACTS Submit
org.kman.AquaMail.data.AsyncDataLoader@274dc81 item
org.kman.AquaMail.view.d$c@44636f1
2018.09.15 23:27:57.285 +0200 AsyncDataLoaderWorker_CONTACTS Loading
org.kman.AquaMail.view.d$c@44636f1
2018.09.15 23:27:57.288 +0200 AsyncDataLoaderWorker_CONTACTS Loading
org.kman.AquaMail.view.d$c@44636f1 took 3 ms
2018.09.15 23:27:57.298 +0200 AsyncDataLoaderImpl Delivering
org.kman.AquaMail.data.AsyncDataLoader@274dc81 item
org.kman.AquaMail.view.d$c@44636f1
2018.09.15 23:27:57.354 +0200 [NETWRK.2652] IPv4: XXXXXX.XXX/XXX.XXX.XXX.XXX
2018.09.15 23:27:57.355 +0200 [NETWRK.2652] Trying:
XXXXXX.XXX/XXX.XXX.XXX.XXX:143
2018.09.15 23:27:57.373 +0200 [NETWRK.2652] Socket connection completed
2018.09.15 23:27:57.374 +0200 [NETWRK.2652] Connection to [XXXXXX.XXX:143,
tlsStrict, login = 0, pass = true, cert = false] completed:
XXXXXX.XXX/XXX.XXX.XXX.XXX:143, time = 0.10 sec
2018.09.15 23:27:57.374 +0200 [NETWRK.2652] Buffer sizes: 524288 send,
1132800 receive
2018.09.15 23:27:57.449 +0200 [IMAP_RAW.2652] Data is <124>:
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+
STARTTLS LOGINDISABLED] Dovecot (Debian) ready.
2018.09.15 23:27:57.449 +0200 [IMAP.2652] Server greeting: * OK
[CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS
LOGINDISABLED] Dovecot (Debian) ready.
2018.09.15 23:27:57.450 +0200 [IMAP.2652] Server is Dovecot
2018.09.15 23:27:57.450 +0200 [NETWRK.2652] Semaphore release for
[XXXXXX.XXX:143, tlsStrict, login = 0, pass = true, cert = false]
2018.09.15 23:27:57.451 +0200 [IMAP.2652] Sending: kman1 CAPABILITY
2018.09.15 23:27:57.455 +0200 [IMAP_RAW.2652] Data is <171>:
* CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS
LOGINDISABLED
kman1 OK Pre-login capabilities listed, post-login capabilities have more.
2018.09.15 23:27:57.455 +0200 [IMAP_RAW.2652] Line: * CAPABILITY IMAP4rev1
SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED
2018.09.15 23:27:57.456 +0200 [IMAP.2652] Pre-login capabilities:
CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS
LOGINDISABLED
2018.09.15 23:27:57.456 +0200 [IMAP_RAW.2652] Line: kman1 OK Pre-login
capabilities listed, post-login capabilities have more.
2018.09.15 23:27:57.456 +0200 [IMAP.2652] Result for kman1: 0 Pre-login
capabilities listed, post-login capabilities have more., traffic: 171 read, 18
write
2018.09.15 23:27:57.456 +0200 [IMAP.2652] Sending: kman2 STARTTLS
2018.09.15 23:27:57.459 +0200 [IMAP_RAW.2652] Data is <37>:
kman2 OK Begin TLS negotiation now.
2018.09.15 23:27:57.460 +0200 [IMAP_RAW.2652] Line: kman2 OK Begin TLS
negotiation now.
2018.09.15 23:27:57.460 +0200 [IMAP.2652] Result for kman2: 0 Begin TLS
negotiation now., traffic: 37 read, 16 write
2018.09.15 23:27:57.475 +0200 [NETWRK.2652] Request for startTls
content://org.kman.AquaMail.data/accounts/2/in to [XXXXXX.XXX:143, tlsStrict,
login = 0, pass = true, cert = false]
2018.09.15 23:27:57.475 +0200 [NETWRK.2652] Semaphore acquire for
[XXXXXX.XXX:143, tlsStrict, login = 0, pass = true, cert = false]
2018.09.15 23:27:57.475 +0200 [NETWRK.2652] Reconnecting to
[XXXXXX.XXX:143, tlsStrict, login = 0, pass = true, cert = false]
2018.09.15 23:27:57.476 +0200 [NETWRK.2652] Using strict SSL/STARTTLS
factory
2018.09.15 23:27:57.476 +0200 SSLHardening Setting SSL ciphers:
[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, TLS_PSK_WITH_AES_256_CBC_SHA,
TLS_PSK_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA,
TLS_PSK_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
TLS_FALLBACK_SCSV]
2018.09.15 23:27:57.476 +0200 SSLHardening Setting SSL protocols:
[TLSv1.2, TLSv1.1, TLSv1]
2018.09.15 23:27:57.490 +0200 [NETWRK.2652] Closing socket SSL socket over
Socket[unconnected]
2018.09.15 23:27:57.490 +0200 [NETWRK.2652] Semaphore release for
[XXXXXX.XXX:143, tlsStrict, login = 0, pass = true, cert = false]
2018.09.15 23:27:57.494 +0200 [NETWRK.2652] ***** ERROR: Unable to
reconnect to [XXXXXX.XXX:143, tlsStrict, login = 0, pass = true, cert = false]
javax.net.ssl.SSLHandshakeException: Connection closed by peer
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native
Method)
at
com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:324)
at
com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:629)
at
com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:591)
at org.kman.AquaMail.net.h.a(SourceFile:301)
at org.kman.AquaMail.net.e.a(SourceFile:364)
at org.kman.AquaMail.mail.imap.ImapTask.a(SourceFile:57)
at org.kman.AquaMail.mail.imap.ImapTask_ConnectLogin.ac(SourceFile:106)
at org.kman.AquaMail.mail.imap.ImapTask_Sync.a(SourceFile:123)
at org.kman.AquaMail.core.k.a(SourceFile:77)
at org.kman.AquaMail.core.l$b.run(SourceFile:621)
at java.lang.Thread.run(Thread.java:818)
Last data:
kman2 STARTTLS
Result for kman2: 0 Begin TLS negotiation now.
Thread: Thread[Executor_Network#0,5,main], id: 2652
2018.09.15 23:27:57.495 +0200 [POWER.2652] >>>>> Releasing wake lock for
MailConnectionManager
2018.09.15 23:27:57.500 +0200 [POWER.2652] Released wake lock flag
0x01000000, result 0x04000000
2018.09.15 23:27:57.501 +0200 MailStateWatcher Service state change
uri: content://org.kman.AquaMail.data/accounts/2, what: 121, aux = 0xffffffff
2018.09.15 23:27:57.527 +0200 KeepAliveService Facade: stop
2018.09.15 23:27:57.527 +0200 MailStateWatcher Removed default
notificaiton
2018.09.15 23:27:57.528 +0200 MailStateWatcher Showing account error
notification, acct x...@xxxxxx.xxx, id 0x1000002, message Trvalé síťové chyby
příchozího serveru
2018.09.15 23:27:57.542 +0200 KeepAliveService
gNotificationManager.cancel
2018.09.15 23:27:57.550 +0200 KeepAliveService onDestroy
2018.09.15 23:27:57.613 +0200 [TASKS.2652] ***** ERROR: IOException caught
in processTask for [org.kman.AquaMail.mail.imap.ImapTask_Sync@4988403, u =
content://org.kman.AquaMail.data/accounts/2, t = 86965199, a =
[org.kman.AquaMail.mail.MailAccount@1206fe7: id = 2, username = XXXXXXX, email
= x...@xxxxxx.xxx, name = x...@xxxxxx.xxx]]
javax.net.ssl.SSLHandshakeException: Connection closed by peer
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native
Method)
at
com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:324)
at
com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:629)
at
com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:591)
at org.kman.AquaMail.net.h.a(SourceFile:301)
at org.kman.AquaMail.net.e.a(SourceFile:364)
at org.kman.AquaMail.mail.imap.ImapTask.a(SourceFile:57)
at org.kman.AquaMail.mail.imap.ImapTask_ConnectLogin.ac(SourceFile:106)
at org.kman.AquaMail.mail.imap.ImapTask_Sync.a(SourceFile:123)
at org.kman.AquaMail.core.k.a(SourceFile:77)
at org.kman.AquaMail.core.l$b.run(SourceFile:621)
at java.lang.Thread.run(Thread.java:818)
Last data:
kman2 STARTTLS
Result for kman2: 0 Begin TLS negotiation now.
Thread: Thread[Executor_Network#0,5,main], id: 2652
2018.09.15 23:27:57.613 +0200 [NETWRK.2652] Aborting the connection
[content://org.kman.AquaMail.data/accounts/2/in, not conn]
