Hi,
That is important information to include in an original post, since that information is critically relevant.
True :)
Did you check older logs to see how long it's been happening?
And the obligatory, did you open a ticket?
Those questions asked by Dave are also critically relevant information that needs to be included from the beginning.
It was already happening as of 22 January 2026 (oldest log I have).
I did not open a ticket yet; it's the weekend anyway so it can wait until Monday, but I thought I would ask about it in the community.
Have you triple checked your certificate implementation?
Yes, I validated that all ports using SSL are returning a valid certificate, for example:
openssl s_client -crlf -connect mail01.ourhost.com:993
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 214C000047FDECD801594A9C1CC7A74C753ADFA97419CFD29464F6ED7B367408
Session-ID-ctx:
Master-Key: FE03921AE272A7266EE68085EF1F0441ABDFCA7103DCAB3442ABD5848C4954FE49C25F1721884508195B2B5494D1AE30
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1771695332
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
Have you done a full check of the logs for ONE of the IPs to see if it is a temporary issue, or if it continues to happen?
Yes, it happens every day from around the same amount of different IP addresses, but the IP addresses are not the same every day.
For example, extracted from yesterday's log: 117 unique IP addresses (obfuscated for GDPR stuff....), sorted by the number of exception occurrences (descending), for a total of 121311 occurrences.
grep -i "PooledTcpItem.cs" 2026.02.20-imapLog.log | cut -d '[' -f 2 | tr -d ']' | sort | uniq -c | sort -rh | sed 's/[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+/w.x.y.z/g'
I have around the same amount of occurrences and distribution among IPs for the oldest log I have at hand (1 month old).
What triggers me is that it seems the IP addresses are legit IPs (local country ISPs), so it seems these are legit connection attempts.
There are around 20k mailboxes on the server but I think only around 6-7k are daily active.
So it looks more like noise.
However, I don't understand if this is an SSL layer problem or an authentication problem.
My guess would be SSL layer, like some customers that are trying to connect to IMAP SSL port 993 but in plain text.
At least it seems it's not a new problem, but still as the logs are flooded I would like to get to the bottom of this and try to avoid having the logs flooded with these.
Kind regards
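
One way to test the guess in the post above (clients speaking plaintext IMAP to the implicit-TLS port 993) is to classify the first bytes each client sends, for example taken from a packet capture. This is an added example, not part of the original post or the mail server's own code; the function name and the sample payloads are constructed for illustration.

```python
import re

# Shape of a plaintext IMAP client command: tag, space, command word.
IMAP_CMD = re.compile(
    rb"^[A-Za-z0-9.]{1,16} (CAPABILITY|LOGIN|AUTHENTICATE|STARTTLS|NOOP|ID)\b", re.I)
# ClientHello legacy_version values; 0x0303 is also what TLS 1.3 clients send.
HELLO_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
                  0x0302: "TLSv1.1", 0x0303: "TLSv1.2+"}


def classify_first_bytes(data: bytes) -> tuple[str, str]:
    """Label the first client payload captured on an implicit-TLS port (993)."""
    if not data:
        return ("empty", "client connected and sent nothing")
    # TLS record: type 0x16 (handshake), major version 3, 2-byte length.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03:
        if data[5] != 0x01:
            return ("tls", "handshake record, not a ClientHello")
        if len(data) < 11:
            return ("tls", "truncated ClientHello")
        # Handshake header is 4 bytes, so legacy_version sits at offset 9.
        version = int.from_bytes(data[9:11], "big")
        return ("tls", HELLO_VERSIONS.get(version, hex(version)))
    # SSLv2-format hello: 2-byte length with high bit set, msg type 1.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return ("sslv2-hello", "legacy SSLv2-format ClientHello")
    if IMAP_CMD.match(data):
        # Report only the command word, never the arguments (may be credentials).
        word = data.split(b"\r\n")[0].split(b" ")[1]
        return ("plaintext-imap", word.decode().upper())
    return ("other", data[:8].hex())


# Constructed sample payloads (not taken from the thread's server).
SAMPLES = {
    "modern client": bytes.fromhex("16030100c8010000c40303") + bytes(32),
    "old client": bytes.fromhex("160301006a010000660301") + bytes(32),
    "plaintext on 993": b"a001 CAPABILITY\r\n",
    "sslv2 hello": bytes.fromhex("802e0100020015"),
    "probe": b"",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:18} -> {classify_first_bytes(payload)}")
```

A high share of `plaintext-imap` or `empty` results would point at misconfigured clients or probes rather than at the certificate, while `TLSv1.0`/`SSLv3` hellos would point at clients too old for the server's protocol settings.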