diff --git a/src/sbbs3/mailsrvr.c b/src/sbbs3/mailsrvr.c
index 7215f0b3ef95b9ec127a184a5a8c7b5d4df5dcec..70d490afee298b89e362a8067893b56a1561a2e4 100644
--- a/src/sbbs3/mailsrvr.c
+++ b/src/sbbs3/mailsrvr.c
@@ -1132,7 +1132,11 @@ static void pop3_thread(void* arg)
 				i++;
 			}
 			else if (!stricmp(buf, "STLS")) {
-				if (get_ssl_cert(&scfg, NULL, NULL) == -1) {
+				if (get_ssl_cert(&scfg, &estr, &level) == -1) {
+					if (estr) {
+						lprintf(level, "%04d !POP3/TLS Failure getting certificate: %s", socket, estr);
+						free_crypt_attrstr(estr);
+					}
 					sockprintf(socket,session,"-ERR STLS command not supported");
 					continue;
 				}
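Review bot: After `free_crypt_attrstr(estr);` in the STLS branch the pointer is left dangling, and this branch sits in the POP3 command loop, where a client can send STLS again. estr and level are declared outside the hunk, so I cannot see whether estr is reset per command. If get_ssl_cert() can return -1 without writing to it, the next pass would log and free the stale pointer. Adding `estr = NULL;` directly after the free removes that dependency on the callee. A failure that leaves estr NULL is also not logged at all, so an `else` with a generic `lprintf` would keep the event visible to operators.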
@@ -5088,7 +5092,16 @@ static SOCKET sendmail_negotiate(CRYPT_SESSION *session, smb_t *smb, smbmsg_t *m
 				return sock;
 			case 1:
 				/* We NEVER bounce() because of TLS errors, so we don't need to set err */
-				if ((!tls_retry) && get_ssl_cert(&scfg, NULL, NULL) != -1) {
+				if (!tls_retry) {
+					char* estr = NULL;
+					int level;
+					if(get_ssl_cert(&scfg, &estr, &level) == -1) {
+						if (estr) {
+							lprintf(level, "%04d !SEND/TLS %s", sock, estr);
+							free_crypt_attrstr(estr);
+						}
+						continue;
+					}
 					sockprintf(sock, *session, "STARTTLS");
 					if (sockgetrsp(sock, *session, "220", buf, sizeof(buf))) {
 						if ((status=cryptCreateSession(session, CRYPT_UNUSED, CRYPT_SESSION_SSL)) != CRYPT_OK) {
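Review bot: The added `continue` under `if(get_ssl_cert(&scfg, &estr, &level) == -1)` changes where a certificate failure goes. The old condition only skipped the STARTTLS block and ran whatever follows it in `case 1`, whereas `continue` jumps to the next iteration of the enclosing loop, which starts outside the hunk. Please confirm that the next iteration carries on with delivery as intended and does not skip a step the old fall-through performed. If the message is then sent without TLS, the log line should say so for anyone auditing downgrades, and it should match the POP3 wording: `lprintf(level, "%04d !SEND/TLS Failure getting certificate: %s", sock, estr);`. As written, a failure with estr left NULL produces no log entry.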