[pfx] Re: inbound failures only from outbound.protection.outlook.com. Cert issue in this log?

2023-05-03 Thread PGNet Dev via Postfix-users
I changed the preferred chain here, and for all my domains (thx o/ !). it certainly didn't hurt. Presumably you then also *force* renewed the certificate chain. yes After the dns cleanup, switching BACK the preferred chain didn't reinit the issue. Did you *force* renewal at that point?

[pfx] Re: inbound failures only from outbound.protection.outlook.com. Cert issue in this log?

2023-05-02 Thread Viktor Dukhovni via Postfix-users
On Tue, May 02, 2023 at 07:03:55PM -0400, PGNet Dev via Postfix-users wrote: > > Also look into other possibilities, the DST Root issue is a bit of a > > longshot. If you can get an account on Outlook.com, send mail and > > see if it bounces with usable diagnostics in the bounce. > > I changed

[pfx] Re: inbound failures only from outbound.protection.outlook.com. Cert issue in this log?

2023-05-02 Thread PGNet Dev via Postfix-users
Also look into other possibilities, the DST Root issue is a bit of a longshot. If you can get an account on Outlook.com, send mail and see if it bounces with usable diagnostics in the bounce. i changed the preferred chain here, and for all my domains (thx o/ !). it certainly didn't hurt.

[pfx] Re: inbound failures only from outbound.protection.outlook.com. Cert issue in this log?

2023-05-02 Thread Viktor Dukhovni via Postfix-users
On Tue, May 02, 2023 at 11:54:00AM -0400, PGNet Dev wrote: > > The DST root, that issued the ISRG X1 cross cert. > > https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ > > yikes. missed that by a mile! > > > From my renewal.conf file: > > > > [renewalparams] > >

[pfx] Re: inbound failures only from outbound.protection.outlook.com. Cert issue in this log?

2023-05-02 Thread PGNet Dev via Postfix-users
Original Message From: Viktor Dukhovni via Postfix-users [mailto:postfix-users@postfix.org] Sent: Tuesday, May 2, 2023 at 11:32 AM EDT To: postfix-users@postfix.org Subject: [pfx] Re: inbound failures only from outbound.protection.outlook.com. Cert issue in this log? On Tue

[pfx] Re: inbound failures only from outbound.protection.outlook.com. Cert issue in this log?

2023-05-02 Thread Viktor Dukhovni via Postfix-users
On Tue, May 02, 2023 at 11:09:59AM -0400, PGNet Dev wrote: > what root CA expiry are you referring to? The DST root, that issued the ISRG X1 cross cert. > > The "ISRG Root X1" CA no longer needs a cross cert. > > it seems that LE still provides them, > >

[pfx] Re: inbound failures only from outbound.protection.outlook.com. Cert issue in this log?

2023-05-02 Thread PGNet Dev via Postfix-users
What are some domains your server accepts mail for? Do you perhaps publish DANE TLSA records and have botched certificate rotation? See if dropping the DST cross cert from your certificate chain will help. That root CA has long ago expired. nothing in that cert chain reports a past date.

[pfx] Re: inbound failures only from outbound.protection.outlook.com. Cert issue in this log?

2023-05-02 Thread Viktor Dukhovni via Postfix-users
On Tue, May 02, 2023 at 09:54:48AM -0400, Viktor Dukhovni via Postfix-users wrote: > What are some domains your server accepts mail for? Do you perhaps > publish DANE TLSA records and have botched certificate rotation? See if dropping the DST cross cert from your certificate chain will help.

[pfx] Re: inbound failures only from outbound.protection.outlook.com. Cert issue in this log?

2023-05-02 Thread Viktor Dukhovni via Postfix-users
On Tue, May 02, 2023 at 09:41:50AM -0400, PGNet Dev via Postfix-users wrote: > a server that i don't have shell access to atm has, today, started > seeing undelivered mail from only one domain -- > *outbound.protection.outlook.com. apparently, everything else inbound > is flowing. a

[pfx] inbound failures only from outbound.protection.outlook.com. Cert issue in this log?

2023-05-02 Thread PGNet Dev via Postfix-users
a server that i don't have shell access to atm has, today, started seeing undelivered mail from only one domain -- *outbound.protection.outlook.com. apparently, everything else inbound is flowing. and, i'm told, inbound from outlook.com was working yesterday. all i've got so far is this log

RE: outbound.protection.outlook.com

2019-10-02 Thread Fazzina, Angelo
: outbound.protection.outlook.com On 2019/10/02 16:13, Henrik K wrote: > On Wed, Oct 02, 2019 at 02:50:23PM +0200, ratatouille wrote: > > Henrik K wrote on 02.10.19 at 15:46:18: > > > > > On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote: > > >

Re: outbound.protection.outlook.com

2019-10-02 Thread Stuart Henderson
On 2019/10/02 16:13, Henrik K wrote: > On Wed, Oct 02, 2019 at 02:50:23PM +0200, ratatouille wrote: > > Henrik K wrote on 02.10.19 at 15:46:18: > > > > > On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote: > > > > > > > > I got rid of it, since of too many false

Re: outbound.protection.outlook.com

2019-10-02 Thread Jaroslaw Rafa
On 2.10.2019 at 11:05:31 ratatouille wrote: > > Do I really have to whitelist all the IPs of outbound.protection.outlook.com > in postgrey? I just put the domain name outbound.protection.outlook.com into /etc/postgrey/whitelist_clients.local and it works for me. -- Regards,

Re: outbound.protection.outlook.com

2019-10-02 Thread Ralf Hildebrandt
* ratatouille : > Hello! > > Do I really have to whitelist all the IPs of outbound.protection.outlook.com > in postgrey? Yes. There's a script for that: # Postwhite - Automatic Postcreen Whitelist / Blacklist Generator # # https://github.com/stevejenki

Re: outbound.protection.outlook.com

2019-10-02 Thread Henrik K
On Wed, Oct 02, 2019 at 02:50:23PM +0200, ratatouille wrote: > Henrik K wrote on 02.10.19 at 15:46:18: > > > On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote: > > > > > > I got rid of it, since of too many false positives related to outlook, > > > gmail > > > etc.

Re: outbound.protection.outlook.com

2019-10-02 Thread ratatouille
Henrik K wrote on 02.10.19 at 15:46:18: > On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote: > > > > I got rid of it, since of too many false positives related to outlook, gmail > > etc. > > Why would you greylist something that's easily skipped using DNSWL etc?

Re: outbound.protection.outlook.com

2019-10-02 Thread Henrik K
On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote: > > I got rid of it, since of too many false positives related to outlook, gmail > etc. Why would you greylist something that's easily skipped using DNSWL etc?

Re: outbound.protection.outlook.com

2019-10-02 Thread Matus UHLAR - fantomas
On 2019-10-02 ratatouille wrote: > Do I really have to whitelist all the IPs of > outbound.protection.outlook.com in postgrey? Ansgar Wiechers wrote on 02.10.19 at 11:56:56: No. You could simply stop graylisting and instead use spam protection measures without its side effect

Re: outbound.protection.outlook.com

2019-10-02 Thread ratatouille
Ansgar Wiechers wrote on 02.10.19 at 11:56:56: > On 2019-10-02 ratatouille wrote: > > Do I really have to whitelist all the IPs of > > outbound.protection.outlook.com in postgrey? > > No. You could simply stop graylisting and instead use spam protection > m

Re: outbound.protection.outlook.com

2019-10-02 Thread Ansgar Wiechers
On 2019-10-02 ratatouille wrote: > Do I really have to whitelist all the IPs of > outbound.protection.outlook.com in postgrey? No. You could simply stop graylisting and instead use spam protection measures without its side effects (e.g. postscreen). Regards Ansgar Wiechers -- "Abstra

outbound.protection.outlook.com

2019-10-02 Thread ratatouille
Hello! Do I really have to whitelist all the IPs of outbound.protection.outlook.com in postgrey? Oct 2 10:57:28 bitclusive1 postfix/smtpd[20061]: NOQUEUE: reject: RCPT from mail-eopbgr680083.outbound.protection.outlook.com[40.107.68.83]: 450 4.2.0 : Recipient address rejected: Greylisted

Re: intermittent "cannot find your reverse hostname" for outbound.protection.outlook.com senders. Best workaround?

2019-05-21 Thread Wietse Venema
PGNet Dev: > > That should be safe, because the OK here cannot affect how a recipient > > will be evaluated. > > Do you have any reasonable advice as to a better approach to share? Well you can drop the initial .* and you may want to end the pattern in '$' as in

Re: intermittent "cannot find your reverse hostname" for outbound.protection.outlook.com senders. Best workaround?

2019-05-21 Thread PGNet Dev
That should be safe, because the OK here cannot affect how a recipient will be evaluated. Do you have any reasonable advice as to a better approach to share?

Re: intermittent "cannot find your reverse hostname" for outbound.protection.outlook.com senders. Best workaround?

2019-05-21 Thread Wietse Venema
PGNet Dev: > currently, my config does include > > smtpd_helo_required = yes > smtpd_helo_restrictions = > permit_mynetworks > check_helo_access pcre:${config_directory}/helo_access.pcre > reject_invalid_helo_hostname > reject_non_fqdn_helo_hostname > permit > > is adding

Re: intermittent "cannot find your reverse hostname" for outbound.protection.outlook.com senders. Best workaround?

2019-05-21 Thread PGNet Dev
currently, my config does include smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks check_helo_access pcre:${config_directory}/helo_access.pcre reject_invalid_helo_hostname reject_non_fqdn_helo_hostname permit is adding to head of helo_access.pcre

intermittent "cannot find your reverse hostname" for outbound.protection.outlook.com senders. Best workaround?

2019-05-21 Thread PGNet Dev
, here "them @theirdomain.com", in my logs postfix.log:Apr 24 13:18:19 mx postfix/postscreen-internal/smtpd[6816]: NOQUEUE: client=mail-eopbgr770049.outbound.protection.outlook.com[40.107.77.49] postfix.log:Apr 26 11:15:00 mx postfix/postscreen-internal/smtpd[18428]: NOQUEU

Re: SSL_accept error from ...outbound.protection.outlook.com

2016-11-07 Thread Viktor Dukhovni
e") that's also likely not the problem, but just in case: http://dilbert.com/strip/1995-06-24 The outlook.com email servers are fully able to support modern TLS ciphersuites, and do not object to my self-signed cert. Nov 7 16:34:41 amnesiac postfix/smtpd[6205]: connect from

Re: SSL_accept error from ...outbound.protection.outlook.com

2016-11-07 Thread Bill Cole
On 7 Nov 2016, at 9:26, Florian Piekert wrote: Hello everybody, another issue around TLS/SSL from me. I see tons of ==> mail/mail.log <== [...] Nov 7 15:03:29 blueberry postfix/smtpd[18091]: mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]: TLS cipher list

SSL_accept error from ...outbound.protection.outlook.com

2016-11-07 Thread Florian Piekert
Hello everybody, another issue around TLS/SSL from me. I see tons of ==> mail/mail.log <== Nov 7 15:03:29 blueberry postfix/postscreen[16163]: PASS NEW [2a01:111:f400:fe1f::32d]:56472 Nov 7 15:03:29 blueberry postfix/postscreen[16163]: CONNECT from [187.58.37.29]:62661 to [85.214.17.19]:25 Nov

Postscreen and *outbound.protection.outlook.com

2015-12-02 Thread Bryan K. Walton
that incoming email that comes from *.outbound.protection.outlook.com servers seem to not be handled properly. Here is a snippet from the logs: Dec 1 01:05:59 shenandoah postfix/postscreen[21329]: CONNECT from [157.56.112.120]:28475 to [REMOVED_IP]:25 Dec 1 01:05:59 shenandoah postfix

Re: Postscreen and *outbound.protection.outlook.com

2015-12-02 Thread Bryan K. Walton
On Wed, Dec 02, 2015 at 12:28:33PM -0500, Bill Cole wrote: > >Questions: > >1. Why is this message getting a 450 message? Is the outlook mail server > >speaking out of turn here? > > Since you didn't bother providing 'postconf -n' output, which would provide > useful clues, we are left with

Re: Postscreen and *outbound.protection.outlook.com

2015-12-02 Thread Bill Cole
On 2 Dec 2015, at 12:48, Bryan K. Walton wrote: On Wed, Dec 02, 2015 at 12:28:33PM -0500, Bill Cole wrote: Questions: 1. Why is this message getting a 450 message? Is the outlook mail server speaking out of turn here? Since you didn't bother providing 'postconf -n' output, which would

Re: Postscreen and *outbound.protection.outlook.com

2015-12-02 Thread Bill Cole
, we have recently discovered an issue where it seems that incoming email that comes from *.outbound.protection.outlook.com servers seem to not be handled properly. [...] Questions: 1. Why is this message getting a 450 message? Is the outlook mail server speaking out of turn here? Since you

Re: Postscreen and *outbound.protection.outlook.com

2015-12-02 Thread Steve Jenkins
On Wed, Dec 2, 2015 at 9:54 AM, Bryan K. Walton wrote: > On Wed, Dec 02, 2015 at 12:49:05PM -0500, Bill Cole wrote: > > Alternative (and I think better) random guess: you've enabled one or more > > "after 220 server greeting" test. See the postscreen man page for the > >

Re: Postscreen and *outbound.protection.outlook.com

2015-12-02 Thread Bryan K. Walton
On Wed, Dec 02, 2015 at 12:49:05PM -0500, Bill Cole wrote: > Alternative (and I think better) random guess: you've enabled one or more > "after 220 server greeting" test. See the postscreen man page for the > consequences of such configuration and note that there's no law requiring > retry

Re: Postscreen and *outbound.protection.outlook.com

2015-12-02 Thread Bryan K. Walton
On Wed, Dec 02, 2015 at 01:55:01PM -0500, Bill Cole wrote: > My mistake: I didn't look carefully enough at what > postscreen_dnsbl_whitelist_threshold is supposed to do. Sorry for the > rapid-fire noise. > > Theory: Your 8 DNSBL lookups are not all completing fast enough for > postscreen to make

Re: Postscreen and *outbound.protection.outlook.com

2015-12-02 Thread Bill Cole
On 2 Dec 2015, at 12:54, Bryan K. Walton wrote: On Wed, Dec 02, 2015 at 12:49:05PM -0500, Bill Cole wrote: Alternative (and I think better) random guess: you've enabled one or more "after 220 server greeting" test. See the postscreen man page for the consequences of such configuration and

Re: Postscreen and *outbound.protection.outlook.com

2015-12-02 Thread Bryan K. Walton
On Wed, Dec 02, 2015 at 10:10:27AM -0800, Steve Jenkins wrote: > At the risk of sounding spammy for my latest pet project, Bryan's use case > is exactly the type of issue an SPF-based whitelist for known senders (such > as outlook.com) would fix. > > Bryan: grab the postwhite script