SSL Error - Improve Logs
The error message:
SSL error 0x80090331 The client and server cannot communicate, because they do not possess a common algorithm.
is not particularly helpful because it is very time consuming to determine why the connection failed as you either have to install Wireshark and retry transmission or go to Qualys and run a test against the problem mail server.
In my experience, this problem is almost always to do with an automated mail server such as a PHP or .NET server running on a website. In the most recent case, if I have understood Wireshark correctly, their website mail server application only seems to support RSA ciphersuites, whereas my Server Certificate is elliptic curve - specifically ECDSA.
It would be extremely useful if (in the event of an SSL error 0x80090331) the logs could display what ciphersuites and TLS versions the other mail server supports, so it would be painless to determine why there is a problem. I would not advise the display for every single email that is successful - just the ones that fail with that specific error message.
In addition, I have also noticed that I can configure MDaemon not to send emails that are not encrypted. However, I have noticed with one or two mail servers that if they fail to send the email encrypted (because of this error), they then send the email in plain text (with no encryption whatsoever). There doesn't seem to be any setting in MDaemon to prevent receiving emails in plain text. Could that be fixed as well?
I would say 99% of emails that I get are either successful or fail as a result of the spam filter, Outbreak Protection etc. It is very rare, but it does happen often enough that an email cannot be sent/received to a specific mail server as a result of this SSL error 0x80090331. It is almost always an email generated by a website when you buy something or create an account etc. So, I suspect old PHP code etc. is the issue.
Just a couple of points to consider whilst reviewing this request. When trawling through Wireshark, I noticed something rather interesting. On some connections the Record Layer Hello shows as TLS 1.1 whereas in the handshake protocol it shows as TLS 1.2. It seems to be some compatibility configuration. I don't know if that has anything to do with sending/receiving issues, as I have two different mail servers (that I have logged) with one using TLS 1.2 in the Record Layer Hello and the other using TLS 1.1 in the Record Layer Hello, and both are failing.
The second point to consider is that, for one of the mail servers that I have had trouble sending to, according to Wireshark we both support TLS 1.2 and both support a matching ciphersuite, so in theory I should be able to send to them. For some reason that I have never been able to determine, I can't send to them (unless I temporarily turn off TLS encryption when sending to them). They did say that their server was very old and is due to be replaced, and I so rarely need to email them that I wasn't worried. I am merely mentioning this because I have never been able to determine why the connection fails despite the matching ciphersuite.
Thank you
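Added example, not MDaemon code or anything posted in this thread: a small Python parser that takes the peer's ClientHello (the inbound case, where the website's mail server connects to us and our ECDSA certificate is the one on offer), pulls out the record-layer version, the handshake version and the offered cipher suites, and reports which of those suites could work with the local certificate's key type. That is the detail the request asks the log to show on a 0x80090331 failure. The suite table is an assumed subset of the IANA list, and the ClientHello bytes are constructed inline for the demonstration.

```python
import struct

# Assumed subset of IANA cipher-suite codes; enough to show the check.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_client_hello(record_version, hello_version, suites):
    """Construct a minimal ClientHello (no extensions) so the parser can be run offline."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", hello_version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs                          # cipher suites
            + b"\x01\x00" + b"\x00\x00")                               # null compression, no extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                  # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", record_version, len(hs)) + hs  # record type 22 = handshake

def parse_client_hello(data):
    """Return (record-layer version, handshake version, offered suite codes)."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    hs = data[5:5 + record_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    hello_version = struct.unpack("!H", body[:2])[0]
    pos = 34 + 1 + body[34]                     # skip version, 32-byte random, session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + cs_len, 2)]
    return record_version, hello_version, suites

def diagnose(data, cert_key_type):
    """Log detail for a failed handshake: what the peer offered and what our cert ("RSA"/"ECDSA") can use."""
    record_version, hello_version, suites = parse_client_hello(data)
    names = [CIPHER_SUITES.get(s, "unknown(0x%04X)" % s) for s in suites]
    return {
        "record_version": VERSIONS.get(record_version, hex(record_version)),
        "hello_version": VERSIONS.get(hello_version, hex(hello_version)),
        "offered": names,
        # An RSA cert serves TLS_RSA_* and TLS_ECDHE_RSA_*; an ECDSA cert only TLS_ECDHE_ECDSA_*
        "usable_with_cert": [n for n in names if "_%s_" % cert_key_type in n],
    }
```

An empty `usable_with_cert` list alongside a non-empty `offered` list is the "no common algorithm" case the post describes; the two version fields also make the record-layer TLS 1.1 / handshake TLS 1.2 mismatch visible in the same line.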

Hello,
Thank you for your suggestion to improve the logging when an SSL error is returned. It will be considered for future versions.
Arron