Hi,
I'm fairly sure this is a Microsoft problem, but I'm asking anyway in
case I'm doing something really dumb.
I've noticed that in the last month I can't receive email from people
using Office 365 hosted email. So, quite a few people. This is what
appears in my mail.log:
Dec 3 11:38:18 mail postfix/smtpd[15735]: lost connection after EHLO from mail-australiasoutheastazon11020092.outbound.protection.outlook.com[52.101.152.92]
Dec 3 11:38:28 mail postfix/smtpd[15717]: lost connection after EHLO from mail-psaapc01on2110.outbound.protection.outlook.com[40.107.255.110]
Dec 3 11:39:21 mail postfix/smtpd[15826]: lost connection after EHLO from mail-australiasoutheastazon11020101.outbound.protection.outlook.com[52.101.152.101]
Dec 3 11:39:29 mail postfix/smtpd[15826]: lost connection after EHLO from mail-tyzapc01on2112.outbound.protection.outlook.com[40.107.117.112]
Dec 3 11:40:05 mail postfix/smtpd[15717]: lost connection after EHLO from mail-tyzapc01olkn2078.outbound.protection.outlook.com[40.92.107.78]
Dec 3 11:40:31 mail postfix/smtpd[15826]: lost connection after EHLO from mail-tyzapc01on2111.outbound.protection.outlook.com[40.107.117.111]
Dec 3 11:41:34 mail postfix/smtpd[16050]: lost connection after EHLO from mail-sg2apc01on2113.outbound.protection.outlook.com[40.107.215.113]
Dec 3 11:42:53 mail postfix/smtpd[16050]: lost connection after EHLO from mail-koreacentralazon11023086.outbound.protection.outlook.com[40.107.44.86]
Dec 3 11:43:49 mail postfix/smtpd[16050]: lost connection after EHLO from mail-australiaeastazon11022099.outbound.protection.outlook.com[40.107.40.99]
Dec 3 11:44:24 mail postfix/smtpd[16112]: lost connection after EHLO from mail-australiaeastazon11020119.outbound.protection.outlook.com[52.101.150.119]
Dec 3 11:46:41 mail postfix/smtpd[16050]: lost connection after EHLO from mail-psaapc01on2136.outbound.protection.outlook.com[40.107.255.136]
Dec 3 11:47:56 mail postfix/smtpd[16050]: lost connection after EHLO from mail-koreacentralazon11023115.outbound.protection.outlook.com[40.107.44.115]
Dec 3 11:49:32 mail postfix/smtpd[16050]: lost connection after EHLO from mail-australiaeastazon11022123.outbound.protection.outlook.com[40.107.40.123]
Dec 3 11:50:13 mail postfix/smtpd[16112]: lost connection after EHLO from mail-psaapc01olkn2015.outbound.protection.outlook.com[40.92.52.15]
Dec 3 11:51:44 mail postfix/smtpd[16050]: lost connection after EHLO from mail-sg2apc01on2101.outbound.protection.outlook.com[40.107.215.101]
Dec 3 11:53:51 mail postfix/smtpd[16112]: lost connection after EHLO from mail-australiaeastazon11020136.outbound.protection.outlook.com[52.101.150.136]
Dec 3 11:54:35 mail postfix/smtpd[16050]: lost connection after EHLO from mail-australiaeastazon11022084.outbound.protection.outlook.com[40.107.40.84]
Dec 3 11:56:46 mail postfix/smtpd[16112]: lost connection after EHLO from mail-tyzapc01on2134.outbound.protection.outlook.com[40.107.117.134]
Dec 3 11:57:58 mail postfix/smtpd[16050]: lost connection after EHLO from mail-eastasiaazon11021086.outbound.protection.outlook.com[52.101.129.86]
Dec 3 11:59:37 mail postfix/smtpd[16112]: lost connection after EHLO from mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]
I can receive/accept email from Google and many other places just fine -
I didn't even notice the problem until it was pointed out to me by
someone.
This is the full "log" I see for a particular attempt:
Dec 3 11:59:36 mail postfix/smtpd[16112]: connect from mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]
Dec 3 11:59:37 mail postfix/smtpd[16112]: lost connection after EHLO from mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]
Dec 3 11:59:37 mail postfix/smtpd[16112]: disconnect from mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121] ehlo=2 starttls=1 commands=3
My SSL setup is good:
Checking t...@muppetz.com from www12-azure.checktls.com(V03.79.05) at 2024-12-02T23:23:51Z:
seconds lookup result
[000.000] DNS LOOKUPS
[000.001] SEARCHLIST 168.63.129.16,1.1.1.1,8.8.8.8
[000.745] MX-->muppetz.com (10) mail.muppetz.com
[000.828] MX:A-->mail.muppetz.com 142.93.19.23
seconds test stage and result
[000.000] Trying TLS on mail.muppetz.com[142.93.19.23:25] (10) @2024-12-02T23:23:51.941259Z
[000.077] Server answered
[000.336] <‑‑ 220 mail.muppetz.com ESMTP - Phone call for Kermit the Frog. You Kermit the Frog?
[000.337] We are allowed to connect
[000.337] ‑‑> EHLO www12-azure.checktls.com
[000.411] <‑‑ 250-mail.muppetz.com
250-PIPELINING
250-SIZE 81920000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
[000.411] We can use this server
[000.411] TLS is an option on this server
[000.411] ‑‑> STARTTLS
[000.485] <‑‑ 220 2.0.0 Ready to start TLS
[000.485] STARTTLS command works on this server
[000.486] SSL_ocsp_mode = SSL_OCSP_FULL_CHAIN
[000.720] Connection converted to SSL
SSLVersion in use: TLSv1_3
Cipher in use: TLS_AES_256_GCM_SHA384
Perfect Forward Secrecy: yes
Session Algorithm in use: Curve P-256 DHE(256 bits)
Certificate #1 of 3 (sent by MX):
Cert VALIDATED: ok
Cert Hostname VERIFIED (mail.muppetz.com = mail.muppetz.com | DNS:mail.muppetz.com)
Not Valid Before: Nov 21 20:28:56 2024 GMT
Not Valid After: May 19 21:59:00 2025 GMT
subject: /CN=mail.muppetz.com
issuer: /C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 CA 5
Certificate #2 of 3 (sent by MX):
Cert VALIDATED: ok
Not Valid Before: May 23 12:57:38 2017 GMT
Not Valid After: May 23 12:57:38 2027 GMT
subject: /C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 CA 5
issuer: /C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 Root CA
Certificate #3 of 3 (added from CA Root Store):
Cert VALIDATED: ok
Not Valid Before: Oct 26 08:38:03 2010 GMT
Not Valid After: Oct 26 08:38:03 2040 GMT
subject: /C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 Root CA
issuer: /C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 Root CA
[001.187] ~~> EHLO www12-azure.checktls.com
[001.262] <~~ 250-mail.muppetz.com
250-PIPELINING
250-SIZE 81920000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
[001.262] TLS successfully started on this server
[001.263] ~~> MAIL FROM:<t...@checktls.com>
[001.337] <~~ 250 2.1.0 Ok
[001.338] Sender is OK
[001.338] ~~> QUIT
[001.412] <~~ 221 2.0.0 Bye
When I debugged the TLS a little more I logged this:
Dec 3 11:38:28 mail postfix/smtpd[15717]: Trusted TLS connection established from mail-psaapc01on2110.outbound.protection.outlook.com[40.107.255.110]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256
Dec 3 11:38:28 mail postfix/smtpd[15717]: lost connection after EHLO from mail-psaapc01on2110.outbound.protection.outlook.com[40.107.255.110]
Trusted TLS - so I think that proves my SSL is good?
It really seems like Microsoft is connecting, doing EHLO and then going
"Sorry not interested" - but why?
Here's my main.cf
smtpd_banner = $myhostname ESMTP - Phone call for Kermit the Frog. You Kermit the Frog?
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Send a warning if mail is delayed after 1 hour
delay_warning_time = 1h
# If mail can't be delivered after 7 days, we give up
maximal_queue_lifetime = 7d
readme_directory = no
inet_protocols = ipv4
# Incoming Mail
smtpd_tls_cert_file=/etc/letsencrypt/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/privkey.pem
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 604800
smtpd_tls_eecdh_grade = strong
smtpd_tls_security_level = may
smtpd_tls_ciphers = high
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers = aNULL, eNULL, RC4
# Don't offer Auth until STARTTLS has setup
smtpd_tls_auth_only = yes
# smtpd_tls_loglevel = 2
# Add TLS Information to header
smtpd_tls_received_header = yes
# Ask for a Client Cert
smtpd_tls_ask_ccert = yes
# Outgoing Mail
smtp_tls_cert_file=/etc/letsencrypt/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/privkey.pem
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls=yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 604800
smtp_tls_security_level = may
smtp_tls_ciphers = high
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_exclude_ciphers = aNULL, eNULL, RC4
# TLS Params
#tls_preempt_cipherlist = yes
# Bounce Shit
soft_bounce = yes
notify_classes=2bounce, data, delay, resource, software
# sender_bcc_maps=hash:/etc/postfix/sender_bcc
myhostname = mail.muppetz.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mail.muppetz.com, muppetz.com, tjharman.com, localhost
virtual_alias_domains = prontobuild.co.nz matchboxdigital.co.nz
virtual_alias_maps = hash:/etc/postfix/virtual
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 142.93.19.23
    116.251.193.218 192.168.0.0/16 35.231.98.247 74.48.81.187
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = no
# PostSRSd
sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes= envelope_recipient,header_recipient
# sasl! You want to eat it!
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
# rspamd
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_default_action = accept
milter_protocol = 6
# Proper Mail Protocol Please
strict_rfc821_envelopes = yes
# Verify? No thanks!
disable_vrfy_command = yes
# Demand a polite conversation!
smtpd_helo_required = yes
# Delay before reject
smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    # reject_non_fqdn_hostname,
    # reject_invalid_hostname,
    permit
smtpd_recipient_restrictions =
    # reject_invalid_hostname,
    # reject_unknown_recipient_domain,
    # reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    permit
message_size_limit = 81920000
compatibility_level = 2
-!- /etc/postfix » postconf mail_version
mail_version = 3.4.23
You can see I've commented out the usual reject statements just in case
they were the cause, but they didn't make a difference (nor did
commenting out tls_preempt_cipherlist)
This is the only log/bounceback I've managed to get from someone:
Generating server: ME0P300MB0700.AUSP300.PROD.OUTLOOK.COM
Receiving server: ME0P300MB0700.AUSP300.PROD.OUTLOOK.COM
t...@muppetz.com
12/2/2024 9:00:15 PM - Server at ME0P300MB0700.AUSP300.PROD.OUTLOOK.COM returned '550 5.4.317 Message expired, cannot connect to remote server(451 4.4.0 Security status InvalidToken)'
12/2/2024 8:50:12 PM - Server at muppetz.com (142.93.19.23) returned '450 4.4.317 Cannot connect to remote server [Message=451 4.4.0 Security status InvalidToken] [LastAttemptedServerName=muppetz.com] [LastAttemptedIP=142.93.19.23:25] [SmtpSecurity=-1;-1] [SY4AUS01FT004.eop-AUS01.prod.protection.outlook.com 2024-12-02T20:50:15.410Z 08DD12BD88CBAC7F](451 4.4.0 Security status InvalidToken)'
I'm really at a loss. Hoping someone might be able to provide some
hints/suggestions?
Many Thanks,
Tim
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
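The log excerpts in the post carry more structure than a grep for "lost connection after EHLO" shows: the `disconnect ... ehlo=2 starttls=1 commands=3` summary says the session survived STARTTLS and the drop came after the second (in-TLS) EHLO, and a `client-signature` field in the "Trusted TLS connection established" line is only logged when the peer presented a client certificate (the config above asks for one with `smtpd_tls_ask_ccert = yes`). The script below is an added triage example, not code from the post or from the Postfix project; it groups smtpd sessions by sending-domain family and reports, per family, how many dropped after EHLO, how many of those had already negotiated STARTTLS, and how many presented a client certificate. The sample log is constructed to mirror the post's format: the first session reuses the host and address shown in the post, the others use constructed names and RFC 5737 documentation addresses.

```python
"""Triage Postfix smtpd sessions that end with 'lost connection after EHLO'.

Added example (not from the original post). It replays smtpd log lines in
the format shown in the thread and aggregates them per sending-domain
family so a systematic failure from one relay fleet stands out from
ordinary noise.
"""
import re
from collections import defaultdict

# Constructed sample log. Session 1 reuses the host/IP from the post; the
# other two sessions are invented and use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Dec 3 11:59:36 mail postfix/smtpd[16112]: connect from mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]
Dec 3 11:59:37 mail postfix/smtpd[16112]: Trusted TLS connection established from mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256
Dec 3 11:59:37 mail postfix/smtpd[16112]: lost connection after EHLO from mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]
Dec 3 11:59:37 mail postfix/smtpd[16112]: disconnect from mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121] ehlo=2 starttls=1 commands=3
Dec 3 12:01:02 mail postfix/smtpd[16200]: connect from mail-test01.outbound.protection.outlook.com[198.51.100.20]
Dec 3 12:01:02 mail postfix/smtpd[16200]: lost connection after EHLO from mail-test01.outbound.protection.outlook.com[198.51.100.20]
Dec 3 12:01:02 mail postfix/smtpd[16200]: disconnect from mail-test01.outbound.protection.outlook.com[198.51.100.20] ehlo=1 commands=1
Dec 3 12:02:10 mail postfix/smtpd[16201]: connect from relay1.example.net[198.51.100.7]
Dec 3 12:02:10 mail postfix/smtpd[16201]: Trusted TLS connection established from relay1.example.net[198.51.100.7]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
Dec 3 12:02:11 mail postfix/smtpd[16201]: disconnect from relay1.example.net[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

# One pattern for the four smtpd events the triage needs.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: "
    r"(?P<event>connect|(?P<tls>Trusted|Untrusted|Anonymous|Verified) TLS connection established|"
    r"lost connection after (?P<cmd>\S+)|disconnect) from "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\]:?\s*(?P<rest>.*)$"
)


def parse_sessions(log_text):
    """Group smtpd lines into sessions keyed by the smtpd process id.

    Postfix reuses an smtpd process for consecutive sessions, so each
    'connect from' opens a new session for that pid and 'disconnect from'
    closes it (carrying the per-command counters)."""
    open_sessions, finished = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid = m.group("pid")
        if m.group("event") == "connect":
            open_sessions[pid] = {"host": m.group("host"), "ip": m.group("ip"),
                                  "tls": None, "client_cert": False,
                                  "lost_after": None, "counters": {}}
            continue
        sess = open_sessions.get(pid)
        if sess is None:
            continue  # mid-session line whose 'connect' is outside the excerpt
        if m.group("tls"):
            sess["tls"] = m.group("tls")
            # smtpd logs client-signature only when the peer sent a client cert
            sess["client_cert"] = "client-signature" in m.group("rest")
        elif m.group("cmd"):
            sess["lost_after"] = m.group("cmd")
        elif m.group("event") == "disconnect":
            sess["counters"] = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", m.group("rest"))}
            finished.append(open_sessions.pop(pid))
    return finished


def sending_domain(host):
    """Drop the per-host label so a whole fleet of outbound relays groups together."""
    parts = host.split(".")
    return ".".join(parts[1:]) if len(parts) > 2 else host


def triage(log_text):
    """Per sending-domain family: sessions, EHLO drops, drops after STARTTLS,
    sessions with a client certificate, and sessions that completed with QUIT."""
    report = defaultdict(lambda: {"sessions": 0, "lost_after_ehlo": 0, "lost_post_starttls": 0,
                                  "client_cert_seen": 0, "completed": 0})
    for s in parse_sessions(log_text):
        r = report[sending_domain(s["host"])]
        r["sessions"] += 1
        if s["client_cert"]:
            r["client_cert_seen"] += 1
        if s["lost_after"] == "EHLO":
            r["lost_after_ehlo"] += 1
            # ehlo=2 starttls=1 means the drop followed the EHLO re-sent inside TLS
            if s["counters"].get("starttls", 0) >= 1:
                r["lost_post_starttls"] += 1
        elif s["lost_after"] is None and s["counters"].get("quit", 0) >= 1:
            r["completed"] += 1
    return dict(report)


if __name__ == "__main__":
    for domain, r in sorted(triage(SAMPLE_LOG).items()):
        print(f"{domain}: {r['sessions']} sessions, {r['lost_after_ehlo']} dropped after EHLO "
              f"({r['lost_post_starttls']} after STARTTLS), {r['client_cert_seen']} with client cert, "
              f"{r['completed']} completed")
```

Run it against a real mail.log with `triage(open('/var/log/mail.log').read())`; a family whose sessions all drop after the in-TLS EHLO while other families complete normally is the pattern the post describes, and the client-cert column shows whether the `smtpd_tls_ask_ccert` request is being answered by that family.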