Avast describe the problem as "The Mail Shield in Avast uses advanced scanning method for incoming and outgoing e-mails over SSL/TLS secured connections".

The reality is they perform a man in the middle hack of your connection using SSL certificates by making themselves a top level certifying authority. As Thunderbird, like all quality mail clients, maintains it's own certificate store the Avast hack does not work. There are instructions on the Avast site explaining how to make them a trusted certificate authority. If you want to go that route, I'd hope you do have a lot of faith in Avast. https://support.avast.com/en-ww/article/91/#artTitle

Alternatively I'd disable Mail Shield in Avast, or get rid of Avast altogether and stick with Windows Defender. It can't be a good thing to allow them to spy on all your encrypted communication with the mail server.

Thank you. Unfortunately, removing Avast entirely has not corrected the problem:

----removed Avast entirely, rebooted, running naked: pop3.server1.1: SecurityError: a SecurityCertificate error occurred Pop3Client.sys.mjs:380:18 pop3.server1.1: SecurityError info: SSL_ERROR_BAD_CERT_DOMAIN Pop3Client.sys.mjs:422:20 pop3.server1.1: SecurityError cert chain: securepop.siteprotect.com; serial# 0F:F0:5D:99:50:38:74:73:10:57:9F:F7:75:85:06:4A <- GeoTrust TLS RSA CA G1; serial# 0D:07:78:2A:13:3F:C6:F9:A5:72:96:E1:31:FF:D1:79 Pop3Client.sys.mjs:427:22 pop3.server4.3: SecurityError: a SecurityCertificate error occurred Pop3Client.sys.mjs:380:18 pop3.server4.3: SecurityError info: SSL_ERROR_BAD_CERT_DOMAIN Pop3Client.sys.mjs:422:20 pop3.server4.3: SecurityError cert chain: securepop.siteprotect.com; serial# 0F:F0:5D:99:50:38:74:73:10:57:9F:F7:75:85:06:4A <- GeoTrust TLS RSA CA G1; serial# 0D:07:78:2A:13:3F:C6:F9:A5:72:96:E1:31:FF:D1:79 Pop3Client.sys.mjs:427:22

----enabled Windows Defender, rebooted: pop3.server1.1: SecurityError: a SecurityCertificate error occurred Pop3Client.sys.mjs:380:18 pop3.server1.1: SecurityError info: SSL_ERROR_BAD_CERT_DOMAIN Pop3Client.sys.mjs:422:20 pop3.server1.1: SecurityError cert chain: securepop.siteprotect.com; serial# 0F:F0:5D:99:50:38:74:73:10:57:9F:F7:75:85:06:4A <- GeoTrust TLS RSA CA G1; serial# 0D:07:78:2A:13:3F:C6:F9:A5:72:96:E1:31:FF:D1:79 Pop3Client.sys.mjs:427:22 pop3.server4.3: SecurityError: a SecurityCertificate error occurred Pop3Client.sys.mjs:380:18 pop3.server4.3: SecurityError info: SSL_ERROR_BAD_CERT_DOMAIN Pop3Client.sys.mjs:422:20 pop3.server4.3: SecurityError cert chain: securepop.siteprotect.com; serial# 0F:F0:5D:99:50:38:74:73:10:57:9F:F7:75:85:06:4A <- GeoTrust TLS RSA CA G1; serial# 0D:07:78:2A:13:3F:C6:F9:A5:72:96:E1:31:FF:D1:79 Pop3Client.sys.mjs:427:22

So I went to the Avast article linked above and got the bright idea of deleting the named certificate(s) from the list. This shortened the error message list, though the "GeoTrust TLS RSA CA G1" continues to show up in the errors:

----whacked the certificates in TB settings matching GeoTrust TLS RSA CA G1

NotFoundError: No such JSProcessActor 'BrowserToolboxDevToolsProcess'

pop3.server1.12: SecurityError: a SecurityCertificate error occurred Pop3Client.sys.mjs:380:18 pop3.server1.12: SecurityError info: SSL_ERROR_BAD_CERT_DOMAIN Pop3Client.sys.mjs:422:20 pop3.server1.12: SecurityError cert chain: securepop.siteprotect.com; serial# 0F:F0:5D:99:50:38:74:73:10:57:9F:F7:75:85:06:4A <- GeoTrust TLS RSA CA G1; serial# 0D:07:78:2A:13:3F:C6:F9:A5:72:96:E1:31:FF:D1:79 Pop3Client.sys.mjs:427:22

-----Selected "ask me every time" ---> no download, no dialog and these same errors: pop3.server1.13: SecurityError: a SecurityCertificate error occurred Pop3Client.sys.mjs:380:18 pop3.server1.13: SecurityError info: SSL_ERROR_BAD_CERT_DOMAIN Pop3Client.sys.mjs:422:20 pop3.server1.13: SecurityError cert chain: securepop.siteprotect.com; serial# 0F:F0:5D:99:50:38:74:73:10:57:9F:F7:75:85:06:4A <- GeoTrust TLS RSA CA G1; serial# 0D:07:78:2A:13:3F:C6:F9:A5:72:96:E1:31:FF:D1:79 Pop3Client.sys.mjs:427:22

So siteprotect.com is your email provider? From those logs it looks like they do use GeoTrust as their Certificate Authority, which sounds reasonable. Did siteprotect.com recently renew their certificate? Do you still get a certificate exception prompt? If so, please post a screenshot. https://support.mozilla.org/kb/how-do-i-create-screenshot-my-problem

Can you also post your Troubleshooting Information please? At the top right of the Thunderbird window, click the menu button ≡, then select Help > More Troubleshooting Information. Press the "Copy text to clipboard button" and paste the information into your reply.

So, I exported the certificate from the working installation on my tablet PC and imported it into the troubled machine. No change in the error console message and no prompts or test at all when I "Get new mail for."

Here is the requested troubleshooting information:

 Application Basics

   Name: Thunderbird
   Version: 128.3.1esr
   Build ID: 20241009142959
   Distribution ID:

   Update Channel: esr
   User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Thunderbird/128.3.1
   OS: Windows_NT 10.0 19045
   OS Theme:

   Launcher Process: Enabled
   Multiprocess Windows: 0/0
   Fission Windows: 0/0
             Enabled by default
   Remote Processes: 1
   Enterprise Policies: Inactive
   Google Location Service Key: Missing
   Google Safebrowsing Key: Missing
   Mozilla Location Service Key: Missing
   Safe Mode: false
   Memory Size (RAM): 15.9 GB
   Disk Space Available: 138 GB

 Mail and News Accounts
   account1:
     INCOMING: account1, , (pop3) pop.vikingsword.com:110, alwaysSTARTTLS, passwordCleartext
     OUTGOING: , smtp.vikingsword.com:587, alwaysSTARTTLS, passwordEncrypted, true

   account2:
     INCOMING: account2, , (none) Local Folders, 0, passwordCleartext

   account3:
     INCOMING: account3, , (pop3) mail.twc.com:995, SSL, passwordCleartext
     OUTGOING: , smtp-server.twcny.rr.com:587, 0, 1, true

   account4:
     INCOMING: account4, , (pop3) pop.vikingsword.com:110, alwaysSTARTTLS, passwordCleartext
     OUTGOING: , smtp.vikingsword.com:587, alwaysSTARTTLS, passwordEncrypted, true

 Libraries

     Library
     Status
     Expected minimum version
     Version in use
     Path

       RNP (OpenPGP)
       OK
       0.17.1
       0.17.1.MZLA.128.3.1esr.botan
       C:\Program Files (x86)\Mozilla Thunderbird\rnp.dll

       OTR
       Failed to load. OTR chat encryption will not work.
       -
       -
       -

 Calendar Settings

     Work

       Name
       Value

       Name:
       Type: storage
       Disabled:
       Username:
       URI:
       Refresh Interval:
       Read-only:
       Suppress Alarms:
       Cache Enabled: false
       iMIP Identity: id1
       iMIP Disabled:
       iMIP Account:
       Organizer Id:
       Force Email Scheduling:
       Popup Alarms Supported:
       Alarms on Invitation Supported:
       Max Alarms Per Event:
       Attachment Supported:
       Max Categories:
       Privacy State Supported:
       Priority Supported: true
       Event Supported:
       Task Supported:
       Local Time Supported:
       UTC/GMT Supported:
       Auto-Scheduling Supported:

     Other

       Name
       Value

       Name:
       Type: storage
       Disabled: false
       Username:
       URI:
       Refresh Interval:
       Read-only: false
       Suppress Alarms: false
       Cache Enabled: false
       iMIP Identity: id1
       iMIP Disabled:
       iMIP Account:
       Organizer Id:
       Force Email Scheduling:
       Popup Alarms Supported:
       Alarms on Invitation Supported:
       Max Alarms Per Event:
       Attachment Supported:
       Max Categories:
       Privacy State Supported:
       Priority Supported: true
       Event Supported:
       Task Supported:
       Local Time Supported:
       UTC/GMT Supported:
       Auto-Scheduling Supported:

     Home

       Name
       Value

       Name:
       Type: storage
       Disabled:
       Username:
       URI:
       Refresh Interval:
       Read-only:
       Suppress Alarms:
       Cache Enabled:
       iMIP Identity: id1
       iMIP Disabled:
       iMIP Account:
       Organizer Id:
       Force Email Scheduling:
       Popup Alarms Supported:
       Alarms on Invitation Supported:
       Max Alarms Per Event:
       Attachment Supported:
       Max Categories:
       Privacy State Supported:
       Priority Supported: true
       Event Supported:
       Task Supported:
       Local Time Supported:
       UTC/GMT Supported:
       Auto-Scheduling Supported:

     Play

       Name
       Value

       Name:
       Type: storage
       Disabled:
       Username:
       URI:
       Refresh Interval:
       Read-only:
       Suppress Alarms:
       Cache Enabled: false
       iMIP Identity: id1
       iMIP Disabled:
       iMIP Account:
       Organizer Id:
       Force Email Scheduling:
       Popup Alarms Supported:
       Alarms on Invitation Supported:
       Max Alarms Per Event:
       Attachment Supported:
       Max Categories:
       Privacy State Supported:
       Priority Supported: true
       Event Supported:
       Task Supported:
       Local Time Supported:
       UTC/GMT Supported:
       Auto-Scheduling Supported:

     Medical

       Name
       Value

       Name:
       Type: storage
       Disabled:
       Username:
       URI:
       Refresh Interval:
       Read-only:
       Suppress Alarms:
       Cache Enabled: false
       iMIP Identity: id1
       iMIP Disabled:
       iMIP Account:
       Organizer Id:
       Force Email Scheduling:
       Popup Alarms Supported:
       Alarms on Invitation Supported:
       Max Alarms Per Event:
       Attachment Supported:
       Max Categories:
       Privacy State Supported:
       Priority Supported: true
       Event Supported:
       Task Supported:
       Local Time Supported:
       UTC/GMT Supported:
       Auto-Scheduling Supported:

 Crash Reports for the Last 3 Days

 Remote Processes

   Type: Count

   GPU: 1

 Add-ons

     Name
     Type
     Version
     Enabled
     ID

       System theme — auto
       theme
       1.3
       true
       default-theme@mozilla.org

       Amazon.com
       extension
       1.1
       false
       amazondotcom@search.mozilla.org

       Bing
       extension
       1.0
       false
       bing@search.mozilla.org

       DuckDuckGo
       extension
       1.0
       false
       ddg@search.mozilla.org

       Google
       extension
       1.0
       false
       google@search.mozilla.org

       Wikipedia (en)
       extension
       1.0
       false
       wikipedia@search.mozilla.org

       Dark
       theme
       1.3
       false
       thunderbird-compact-dark@mozilla.org

       Light
       theme
       1.3
       false
       thunderbird-compact-light@mozilla.org

 Security Software

   Type: Name

     Antivirus: Microsoft Defender Antivirus
     Antispyware:
     Firewall: Windows Firewall

 Legacy User Stylesheets

   Active: false
   Stylesheets: No stylesheets found

and the rest:

 Graphics

     Features
     Compositing: WebRender
     Font Visibility Debug Info: Windows Platform
     Asynchronous Pan/Zoom: wheel input enabled; scrollbar drag enabled; keyboard enabled; autoscroll enabled; smooth pinch-zoom enabled
     WebGL 1 Driver WSI Info: outOfProcess: false

inProcess: true EGL_VENDOR: Google Inc. (NVIDIA) EGL_VERSION: 1.5 (ANGLE 2.1.19739 git hash: 419cd2c3213b) EGL_EXTENSIONS: EGL_EXT_create_context_robustness EGL_ANGLE_d3d_share_handle_client_buffer EGL_ANGLE_d3d_texture_client_buffer EGL_ANGLE_surface_d3d_texture_2d_share_handle EGL_ANGLE_query_surface_pointer EGL_ANGLE_window_fixed_size EGL_ANGLE_keyed_mutex EGL_ANGLE_surface_orientation EGL_ANGLE_direct_composition EGL_ANGLE_windows_ui_composition EGL_NV_post_sub_buffer EGL_KHR_create_context EGL_KHR_image EGL_KHR_image_base EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_gl_renderbuffer_image EGL_KHR_get_all_proc_addresses EGL_KHR_stream EGL_KHR_stream_consumer_gltexture EGL_NV_stream_consumer_gltexture_yuv EGL_ANGLE_stream_producer_d3d_texture EGL_ANGLE_create_context_webgl_compatibility EGL_CHROMIUM_create_context_bind_generates_resource EGL_CHROMIUM_sync_control EGL_EXT_pixel_format_float EGL_KHR_surfaceless_context EGL_ANGLE_display_texture_share_group EGL_ANGLE_display_semaphore_share_group EGL_ANGLE_create_context_client_arrays EGL_ANGLE_program_cache_control EGL_ANGLE_robust_resource_initialization EGL_ANGLE_create_context_extensions_enabled EGL_ANDROID_blob_cache EGL_ANDROID_recordable EGL_ANGLE_image_d3d11_texture EGL_ANGLE_create_context_backwards_compatible EGL_KHR_no_config_context EGL_KHR_create_context_no_error EGL_KHR_reusable_sync EGL_EXTENSIONS(nullptr): EGL_EXT_client_extensions EGL_EXT_device_query EGL_EXT_platform_base EGL_EXT_platform_device EGL_ANGLE_platform_angle EGL_ANGLE_platform_angle_d3d EGL_ANGLE_platform_angle_d3d11on12 EGL_ANGLE_platform_angle_device_id EGL_ANGLE_device_creation EGL_ANGLE_device_creation_d3d11 EGL_ANGLE_experimental_present_path EGL_KHR_client_get_all_proc_addresses EGL_KHR_debug EGL_ANGLE_feature_control

     WebGL 1 Driver Renderer: Google Inc. (NVIDIA) -- ANGLE (NVIDIA, NVIDIA GeForce GTX 1050 Ti Direct3D11 vs_5_0 ps_5_0, D3D11-31.0.15.3623)
     WebGL 1 Driver Version: OpenGL ES 2.0.0 (ANGLE 2.1.19739 git hash: 419cd2c3213b)
     WebGL 1 Driver Extensions: GL_AMD_performance_monitor GL_ANGLE_base_vertex_base_instance GL_ANGLE_base_vertex_base_instance_shader_builtin GL_ANGLE_client_arrays GL_ANGLE_depth_texture GL_ANGLE_framebuffer_blit GL_ANGLE_framebuffer_multisample GL_ANGLE_get_serialized_context_string GL_ANGLE_get_tex_level_parameter GL_ANGLE_instanced_arrays GL_ANGLE_lossy_etc_decode GL_ANGLE_memory_size GL_ANGLE_multi_draw GL_ANGLE_pack_reverse_row_order GL_ANGLE_program_cache_control GL_ANGLE_provoking_vertex GL_ANGLE_request_extension GL_ANGLE_robust_client_memory GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_ANGLE_texture_usage GL_ANGLE_translated_shader_source GL_CHROMIUM_bind_generates_resource GL_CHROMIUM_bind_uniform_location GL_CHROMIUM_color_buffer_float_rgb GL_CHROMIUM_color_buffer_float_rgba GL_CHROMIUM_copy_compressed_texture GL_CHROMIUM_copy_texture GL_CHROMIUM_lose_context GL_CHROMIUM_sync_query GL_EXT_EGL_imag

Mail and News Accounts

  account1:
    INCOMING: account1, , (pop3) pop.vikingsword.com:110, alwaysSTARTTLS, passwordCleartext
    OUTGOING: , smtp.vikingsword.com:587, alwaysSTARTTLS, passwordEncrypted, true

  account2:
    INCOMING: account2, , (none) Local Folders, 0, passwordCleartext

  account3:
    INCOMING: account3, , (pop3) mail.twc.com:995, SSL, passwordCleartext
    OUTGOING: , smtp-server.twcny.rr.com:587, 0, 1, true

  account4:
    INCOMING: account4, , (pop3) pop.vikingsword.com:110, alwaysSTARTTLS, passwordCleartext
    OUTGOING: , smtp.vikingsword.com:587, alwaysSTARTTLS, passwordEncrypted, true

The Account Settings show the SMTP servers are using: 'Authentication Method: passwordEncrypted' Is that correct ? It usually uses 'Normal Password'.

However, you mention one accountis not working but have not said which account is not working.

account3: INCOMING: account3, , (pop3) mail.twc.com:995, SSL, passwordCleartext OUTGOING: , smtp-server.twcny.rr.com:587, 0, 1, true

What comes after the @ in the email address for this account.

https://www.spectrum.net/support/internet/email-settings It says..twcny.rr.com should be using mail.twc.com

these are setting to use. POP

• The incoming mail server: mail.twc.com
• Incoming server port:995
• Connection Security:SSL/TLS
• Authentication Method: Normal Password
• User name : full email address

SMTP

• Outgoing mail server (SMTP): mail.twc.com
• Outgoing server port: 587
• Connection Security: STARTLS
• Authentication Method: Normal Password
• User name : full email address

Thank you.

#1 and #4 are both targeting the same Hostway server (with @vikingsword.com following the username in both instances) and both of these are not working for receiving mail. (#1 was tested and will send mail).

Looking at account server settings from the panel on the left side for both of these accounts (#1 and #4), 'Normal Password' is shown as is STARTLS.

1. 3 has @twcny.rr.com following the username. Receiving works but sending on this one has not worked for a long time and went bad sometime after Spectrum took over from Time Warner Road Runner. I tried the settings suggested above, but it still rejects outgoing mail complaining the username is wrong and I am pretty sure this is a Spectrum problem rather than TB.

I see so many non standard settings for vikingsword.com that I figure there is a need to revert to fundamentals.

The domain viking sword.com appear to be registered by the following company for an undisclosed individual or organization. Domainpeople Inc Located in: Bentall 5 Address: Bentall 5, 550 Burrard St, Vancouver, BC V6C 3A8, Canada Hours: Open 24 hours Phone: +1 604-639-1680 Province: British Columbia

So I tested the mail server provided https://www.immuniweb.com/ssl/pop.vikingsword.com/SkDpDzvL/

Surprise surprise the server sends no certificates on the 110 port. Not really surprising as 110 is an unencrypted pop port, but as there are no certificates there can be no SSL/TLS/STARTTLS. Your only choice with that server is "connection security none". So your configuration is destined for failure.

Testing the outgoing server yielded a slightly more positive result https://www.immuniweb.com/ssl/smtp.vikingsword.com/6NzOxuPC/ in that the SMTP server is issuing a certificate, but the bad news is it is for DNS:securesmtp.siteprotect.com, DNS:smtp.siteprotect.com I do not know who siteprotect are, but they are not vikingsword.com. You might be able to use this certificate if you add appropriate exceptions in Thunderbird.

So #1 and #4 both need to to reappraise the connection encryption. Unless you provider offers encrypted connections on another port you need to drop it. It is not supported by your provider.

You need to change the outgoing server in your road runner account to the one supported by Spectrum. Ergo

   Outgoing mail server (SMTP): mail.twc.com
   Outgoing server port: 587
   Connection Security: STARTLS
   Authentication Method: Normal Password
   User name : full email address 

Next you need to look at who is providing your internet access. Historically road runner and TWC did not allow you to send mail unless you connected to the internet using their service. Was a royal pain for those popping to Florida for a break, they ended up here complaining their mail was broken, they could not send. It is possible that limitation extends to Spectrum. It is one of the things with legacy items. Nothing is really understood by the provider as they inherited the setup, let alone those trying to interpret their procedures.

Note this part well. A VPN is also going to cause sending where this sort of checking is active as it hides who you are connected to the internet with. That is it's whole purpose. VPN's have their place, but email with US based ISP's is not one of them.

Also sounds like https://support.mozilla.org/en-US/questions/1469120

I sincerely appreciate the community's serious and attentive attempts to help solve my issue. I am away from the afflicted machine today and so I cannot immediately explore those, but I have made an experiment that I could do where I am.

Using those same settings I have successfully used for years on the afflicted machine: 110 port, normal password and STARTLS, I can download the emails from the account on my Windows 10 Microsoft surface tablet PC.

Today, I downloaded TB and made an inaugural install on a Windows 11 machine used mostly for gaming. Exact same settings and the TB download function again works perfectly for this same account.

Which has me wondering if the update might have glitched in some strange way on just my one machine. Should my next step be to secure the profile folder and reinstall TB? Is there a better way to repair a possibly corrupted installation?

Turning off the encryption as suggested by Matt to Connection security: "None" and "Password, transmitted insecurely" allowed download though there were strange flashes of the screen. Why STARTLS works on the other machine, I do not understand. Thank you very much for the assistance.

What a mess. Does someone need to contact vikingsword.com or twc.com?