
Why does Avira Mail Protection block SSL/TLS/STARTTLS-connections?

Out of security reasons, Avira Antivirus blocks incoming emails sent over SSL/TLS/STARTTLS secure connections if they are configured on standard ports.
Other ports that fall back on encryption may also be affected.

For example, this happens when the option SSL (TLS/STARTTLS) is active in the email client and the SSL/TLS/STARTTLS connection is set to use the standard port.

Because Avira Mail Protection cannot scan emails sent through an encrypted connection, the following message is displayed:

SSL (TLS/STARTTLS)-connection detected. Incoming mails are blocked.
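
Why a scanner that reads a standard mail port loses sight of the messages once the connection is upgraded, as an added example (not Avira's code): the parser below walks the plaintext part of a session and reports whether the client switched to TLS before any content command was sent. The sample sessions are constructed and the function and constant names are illustrative.

```python
import re

# Command a client sends to upgrade a plaintext session to TLS
# (SMTP: RFC 3207, IMAP: RFC 3501, POP3: RFC 2595).
UPGRADE = {"smtp": "STARTTLS", "imap": "STARTTLS", "pop3": "STLS"}
# Client commands that transfer or request message content.
CONTENT = {"smtp": {"DATA"}, "imap": {"FETCH"}, "pop3": {"RETR", "TOP"}}


def client_verb(protocol, line):
    """Upper-cased command verb of one client line."""
    words = line.split()
    if protocol == "imap":  # IMAP commands carry a leading tag: "a2 STARTTLS"
        words = words[1:]
    return words[0].upper() if words else ""


def analyse(protocol, transcript):
    """Report what is readable on the wire without decrypting.

    transcript: list of (sender, line) pairs, sender "C" (client) or "S" (server),
    covering only the plaintext part of the session.
    """
    upgrade = UPGRADE[protocol]
    offered = any(sender == "S" and upgrade in re.split(r"[\s\-\[\]]+", line.upper())
                  for sender, line in transcript)
    content_seen = []
    for sender, line in transcript:
        if sender != "C":
            continue
        verb = client_verb(protocol, line)
        if verb == upgrade:
            # From here on the port carries TLS records only.
            return {"offered": offered, "upgraded": True, "content_seen": content_seen}
        if verb in CONTENT[protocol]:
            content_seen.append(line)
    return {"offered": offered, "upgraded": False, "content_seen": content_seen}


# Constructed sample sessions on port 110 (not captured traffic).
POP3_STLS = [("S", "+OK POP3 ready"), ("C", "CAPA"), ("S", "+OK"), ("S", "STLS"),
             ("S", "."), ("C", "STLS"), ("S", "+OK Begin TLS negotiation")]
POP3_PLAIN = [("S", "+OK POP3 ready"), ("C", "USER alice"), ("S", "+OK"),
              ("C", "PASS example"), ("S", "+OK"), ("C", "RETR 1"), ("S", "+OK 120 octets")]

if __name__ == "__main__":
    for name, session in (("STLS", POP3_STLS), ("plain", POP3_PLAIN)):
        print(name, analyse("pop3", session))
```

In the upgraded session no retrieval command is ever visible in plaintext, which is the situation on ports 25, 143 and 110 that triggers the message above.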

Configure the email traffic

There are two ways to fix your email traffic: either disable the encrypted email connection in your email program, or remove the Avira Mail Protection module for email scanning.

I. Disable encrypted email connection

To fix the email traffic, check and correct the settings in your email client.
The configuration may vary between email programs:

  • Deactivate the option for using encrypted SSL/TLS/STARTTLS connections for the incoming and outgoing servers.

  • Make sure not to use the ports 25 (SMTP), 143 (IMAP) and 110 (POP3) for SSL/TLS/STARTTLS connections.

II. Remove Avira Mail Protection

If you need to receive encrypted emails via SSL/TLS/STARTTLS connections, change the Avira product installation, and deactivate the Avira Mail Protection.

If you remove the Avira Mail Protection, the email traffic is no longer scanned by the Antivirus.

  1. Click Start → Settings → System → Apps & features.
  2. Right-click “Avira Antivirus” → Modify → Next.
  3. Remove the check mark from "Mail Protection" and click Next until the setup finishes.

Affected products

  • Avira Antivirus Pro
  • Avira Prime (unlimited devices)
  • Avira Internet Security Suite
  • Avira Optimization Suite
  • Avira Ultimate Protection Suite
  • Avira Total Security Suite


I have successfully used AVIRA for a long time along with my ISP e-mail client in OUTLOOK which required the use of SSL ports. However, the recent conflict between my ISP required SSL ports and the inability of AVIRA to no longer scan such ports requires me to disable mail scanning in AVIRA. I tried the suggestions in this article without success unless I disable mail scanning in AVIRA. Accordingly, I feel less protected than before and see no option but to abandon my paid AVIRA license and go to another anti-virus program.

This article is worded very strangely. Avira isn't blocking encrypted email traffic to enhance security; this doesn't make any sense. The actual issue is that Avira can't scan encrypted traffic at all, and it blindly looks at traffic on specific port numbers, then can't handle it when it encounters something other than unencrypted traffic.

And disabling encryption on email is "correcting the settings?" I don't think so!

Avira really needs to implement a man-in-the-middle (MITM) solution. Insert a local certificate so you can scan encrypted email traffic, rather than forcing customers to choose between encrypting their email traffic and being able to scan email traffic with Avira. Other AV vendors have been using a MITM solution for years.

I know all about the people who feel that scanning email is unnecessary. I could not care less. It should be an option.

Disabling email encryption just to enable AV scanning of this traffic is a terrible trade-off. I will choose encryption every time (even though I use a VPN).

Please fix this, Avira.

Although saying that the reason for this limitation is "Out of security reasons" sounds like a lame excuse, I'm guessing that's just a way to summarize a complex situation, a situation that people like you think they understand...
The whole purpose of encrypted email traffic is to protect private information from any malicious attempts to access it while it travels through the Internet, like MITM attacks. What you're saying is that Avira should create a module that acts like an attacker. Your statement lacks common sense and just evidences your ignorant arrogance instead of any real IT security expertise.
Furthermore, you're wrong saying that it would only require a local certificate, I'm assuming that you're comparing it with HTTPS traffic. Email traffic encryption methods do not work precisely as HTTPS, you should read and investigate before publishing such lame criticism.
You should also know that other manufacturers are "solving" this with email client plugins, which scan the emails after being decrypted by the email client. This is in fact a better way of accomplishing AV email filtering than MITM nonsense, but the problem for them arises when email clients are updated and the plugins stop working until they're upgraded (sometimes email traffic gets stuck in the meanwhile).
All these are the reasons for manufacturers to promote gateway email filtering, this type of filtering is not limited to any encryption issues.
The truth is that having a good live/real-time/guard scanning should be enough, rather than wasting client resources having redundant filtering.
Nowadays there are a few manufacturers that have extra modules which are in fact better protection and not just redundant modules, e.g. binaries/executables inventory, containment layers, virtualization layers, etc. It is only fair to say that Avira is not one of these manufacturers, they're still working with huge signatures databases and blacklist methods, which result in a high rate of zero day infections.
This last paragraph summarizes what Avira is really missing, let it be clear that I'm not defending them but only responding to your arrogant comment.
And yes, my reply could also be arrogant, the difference is that I do know what I'm talking about and you're just a crank.

Hi Maurizio,

because it is encrypted with SSL it is not readable for humans and computers. This is why Avira can't scan this port and it is blocked to protect you.
If you are forced to use SSL please uninstall the email protection or remove the port from the configuration. Because Avira uses multiple security features (realtime protection, web protection) you are still safe.

I agree with @crank above
While I understand that encryption is exactly not being able to read the content, there should be some option that email is scanned for example after being decrypted, or any other solution.
You cannot just leave us with the option to either use SSL but no antivirus protection, or no SSL with antivirus protection. A workaround must exist and be in place.
