On Fri, Jun 28, 2024 at 07:50:09PM -0400, Jim P. via mailop wrote:

> I just received back a bounce that was delivered to my @live.com
> address, the one that sent the test message a few days ago. Here is
> what it contains:
Reading your first post brought to mind the recent report of potential
issues at Microsoft's outbound servers with "too many" TLSA records
(more than ~12). I was looking at your TLSA RRset (14 TLSA records):

    _25._tcp.mx1.domainmail.net. IN CNAME _tlsa.domainmail.net.
    _tlsa.domainmail.net. IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
    _tlsa.domainmail.net. IN TLSA 2 1 1 3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8
    _tlsa.domainmail.net. IN TLSA 2 1 1 d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7
    _tlsa.domainmail.net. IN TLSA 2 1 1 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
    _tlsa.domainmail.net. IN TLSA 2 1 1 2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba
    _tlsa.domainmail.net. IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
    _tlsa.domainmail.net. IN TLSA 2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7
    _tlsa.domainmail.net. IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
    _tlsa.domainmail.net. IN TLSA 2 1 1 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888
    _tlsa.domainmail.net. IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
    _tlsa.domainmail.net. IN TLSA 2 1 1 885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5
    _tlsa.domainmail.net. IN TLSA 2 1 1 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
    _tlsa.domainmail.net. IN TLSA 2 1 1 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75
    _tlsa.domainmail.net. IN TLSA 2 1 1 f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2

when you also now reported:

> 6/28/2024 8:04:14 PM - Server at PH8PR20MB5100.namprd20.prod.outlook.com
> returned '550 5.7.324 dnssec-invalid: Destination domain returned
> invalid DNSSEC records(450 4.7.324 dnssec-invalid: Destination domain
> returned invalid DNSSEC records)'

Which rather suggests that indeed they're failing to handle (perfectly
valid), but somehow problematic on their end, TLSA RRsets.

The response from your primary authoritative server looks fine:

    $ dig +nocmd +nocrypto +nocl +nottl +norecur +dnssec -t tlsa @a.ns.domainmail.net _25._tcp.mx1.domainmail.net.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45146
    ;; flags: qr aa; QUERY: 1, ANSWER: 17, AUTHORITY: 5, ADDITIONAL: 2

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1232
    ; COOKIE: 702b161494dac35201000000667f5348fd60182dcd37095a (good)
    ;; QUESTION SECTION:
    ;_25._tcp.mx1.domainmail.net. IN TLSA

    ;; ANSWER SECTION:
    _25._tcp.mx1.domainmail.net. CNAME _tlsa.domainmail.net.
    _25._tcp.mx1.domainmail.net. RRSIG CNAME 13 5 604800 20240721161048 20240621154118 17100 domainmail.net. [omitted]
    _tlsa.domainmail.net. TLSA 2 1 1 919C0DF7A787B597ED056ACE654B1DE9C0387ACF349F73734A4FD7B5 8CF612A4
    _tlsa.domainmail.net. TLSA 2 1 1 6DDAC18698F7F1F7E1C69B9BCE420D974AC6F94CA8B2C761701623F9 9C767DC7
    _tlsa.domainmail.net. TLSA 2 1 1 025490860B498AB73C6A12F27A49AD5FE230FAFE3AC8F6112C9B7D0A AD46941D
    _tlsa.domainmail.net. TLSA 2 1 1 2BBAD93AB5C79279EC121507F272CBE0C6647A3AAE52E22F388AFAB4 26B4ADBA
    _tlsa.domainmail.net. TLSA 2 1 1 CBBC559B44D524D6A132BDAC672744DA3407F12AAE5D5F722C5F6C79 13871C75
    _tlsa.domainmail.net. TLSA 2 1 1 3586D4ECF070578CBD27AEDCE20B964E48BC149FAEB9DAD72F46B857 869172B8
    _tlsa.domainmail.net. TLSA 2 1 1 885BF0572252C6741DC9A52F5044487FEF2A93B811CDEDFAD7624CC2 83B7CDD5
    _tlsa.domainmail.net. TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DC FBCF286D
    _tlsa.domainmail.net. TLSA 2 1 1 F1647A5EE3EFAC54C892E930584FE47979B7ACD1C76C1271BCA1C507 6D869888
    _tlsa.domainmail.net. TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B220407 1ED04F10
    _tlsa.domainmail.net. TLSA 2 1 1 E5545E211347241891C554A03934CDE9B749664A59D26D615FE58F77 990F2D03
    _tlsa.domainmail.net. TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422 E0C89270
    _tlsa.domainmail.net. TLSA 2 1 1 D016E1FE311948ACA64F2DE44CE86C9A51CA041DF6103BB52A88EB3F 761F57D7
    _tlsa.domainmail.net. TLSA 2 1 1 F1440A9B76E1E41E53A4CB461329BF6337B419726BE513E42E19F1C6 91C5D4B2
    _tlsa.domainmail.net. RRSIG TLSA 13 3 604800 20240726183256 20240626182946 17100 domainmail.net. [omitted]

    ;; AUTHORITY SECTION:
    domainmail.net. NS a.ns.domainmail.org.
    domainmail.net. NS a.ns.domainmail.net.
    domainmail.net. NS b.ns.domainmail.org.
    domainmail.net. NS b.ns.domainmail.net.
    domainmail.net. RRSIG NS 13 2 604800 20240714020811 20240625142458 17100 domainmail.net. [omitted]

    ;; ADDITIONAL SECTION:
    a.ns.domainmail.net. A 13.39.252.35

    ;; Query time: 262 msec
    ;; SERVER: 13.39.252.35#53(a.ns.domainmail.net) (UDP)
    ;; WHEN: Sat Jun 29 10:20:56 AEST 2024
    ;; MSG SIZE  rcvd: 1220

And DNSViz reports no issues:

    https://dnsviz.net/d/_25._tcp.mx1.domainmail.net/Zn9TqA/dnssec/

That said, do you really need all 14 records?
    R3  8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
    R4  e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
    --
    E1  276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
    E2  bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
    --
    R10 2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba
    R11 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7
    R12 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
    R13 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
    R14 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888
    ---
    E5  3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8
    E6  d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7
    E7  cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75
    E8  885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5
    E9  f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2

The MX host in question has RSA-only certs, and the "E*" TLSA records
are redundant. If you force cert renewal, you'll be switched from R3 to
one of R10/R11, and can then drop the R3/R4 records too.

If that helps, someone with the right contacts to escalate this should
try to get through to Microsoft to fix what is, I think, a serious
enough interoperability problem.

-- 
    Viktor.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
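An added example illustrating the checks discussed in this message (it is not code from Viktor, Jim, or any project named in the thread): a small Python script that parses a TLSA RRset in the form dig prints it, follows the CNAME indirection, rejoins rdata that dig wraps with a space, counts the RRset against the roughly-12-record threshold the thread attributes to Microsoft's outbound servers, flags duplicates, and answers whether a given association (e.g. a "2 1 1" issuer-SPKI digest) is published. The threshold constant, the function names, and the sample input (constructed from the 14 records quoted above, with RRSIGs elided) are all assumptions of the example. Computing the live chain's digest from the certificate is out of scope here; the script only covers the DNS side of the before/after-renewal check.

```python
"""Sanity-check a DANE TLSA RRset as printed by dig (example code added to
the thread, not the poster's own).  Parses the CNAME indirection and TLSA
records, rejoins dig's space-wrapped rdata, counts the RRset against the
~12-record threshold discussed on the list, flags duplicates, and answers
"does DNS publish this association?" for a pre/post-renewal check."""
import re
from collections import Counter

# RFC 6698 / RFC 7671 certificate-usage names, for readable findings.
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
DIGEST_LEN = {1: 32, 2: 64}      # matching type -> digest length in bytes

# Assumption taken from the thread: RRsets with more than about 12 TLSA
# records were reported to trip Microsoft's outbound DANE validation.
MAX_RRSET_HINT = 12

# Owner, optional TTL, optional class, type, rdata.  Matches both zone-file
# style ("owner IN TLSA ...") and dig "+nocl +nottl" output.
RR_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>CNAME|TLSA)\s+(?P<rdata>.+)$")


def parse_rrset(text):
    """Return (cname_target or None, [(usage, selector, mtype, hexdata), ...])."""
    cname, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):    # dig comments / blank lines
            continue
        m = RR_RE.match(line)
        if not m:                               # RRSIG, NS, A, ... are ignored
            continue
        if m.group("type") == "CNAME":
            cname = m.group("rdata").strip()
            continue
        fields = m.group("rdata").split()
        usage, selector, mtype = (int(f) for f in fields[:3])
        hexdata = "".join(fields[3:]).lower()   # rejoin dig's wrapped hex
        if not re.fullmatch(r"[0-9a-f]+", hexdata):
            raise ValueError(f"non-hex TLSA data on line: {line}")
        want = DIGEST_LEN.get(mtype)
        if want is not None and len(hexdata) != 2 * want:
            raise ValueError(f"TLSA {usage} {selector} {mtype}: expected "
                             f"{want}-byte digest, got {len(hexdata) // 2}")
        records.append((usage, selector, mtype, hexdata))
    return cname, records


def check_rrset(records):
    """Findings a postmaster wants before publishing or trimming an RRset."""
    data = [r[3] for r in records]
    return {
        "count": len(records),
        "too_many": len(records) > MAX_RRSET_HINT,
        "duplicates": sorted(h for h, n in Counter(data).items() if n > 1),
        "usages": sorted({USAGE.get(r[0], str(r[0])) for r in records}),
    }


def matches(records, usage, selector, mtype, digest_hex):
    """True if exactly this association is in the RRset.  For "2 1 1" the
    digest is SHA-256 of the issuer's SubjectPublicKeyInfo, computed from the
    live chain elsewhere; this only checks what DNS publishes."""
    return (usage, selector, mtype, digest_hex.lower()) in set(records)


# Constructed sample: the 14-record RRset quoted in the thread, in the shape
# dig prints it (rdata wrapped with a space, RRSIG data elided).
SAMPLE_RRSET = """\
;; ANSWER SECTION:
_25._tcp.mx1.domainmail.net. CNAME _tlsa.domainmail.net.
_25._tcp.mx1.domainmail.net. RRSIG CNAME 13 5 604800 20240721161048 20240621154118 17100 domainmail.net. [omitted]
_tlsa.domainmail.net. TLSA 2 1 1 919C0DF7A787B597ED056ACE654B1DE9C0387ACF349F73734A4FD7B5 8CF612A4
_tlsa.domainmail.net. TLSA 2 1 1 6DDAC18698F7F1F7E1C69B9BCE420D974AC6F94CA8B2C761701623F9 9C767DC7
_tlsa.domainmail.net. TLSA 2 1 1 025490860B498AB73C6A12F27A49AD5FE230FAFE3AC8F6112C9B7D0A AD46941D
_tlsa.domainmail.net. TLSA 2 1 1 2BBAD93AB5C79279EC121507F272CBE0C6647A3AAE52E22F388AFAB4 26B4ADBA
_tlsa.domainmail.net. TLSA 2 1 1 CBBC559B44D524D6A132BDAC672744DA3407F12AAE5D5F722C5F6C79 13871C75
_tlsa.domainmail.net. TLSA 2 1 1 3586D4ECF070578CBD27AEDCE20B964E48BC149FAEB9DAD72F46B857 869172B8
_tlsa.domainmail.net. TLSA 2 1 1 885BF0572252C6741DC9A52F5044487FEF2A93B811CDEDFAD7624CC2 83B7CDD5
_tlsa.domainmail.net. TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DC FBCF286D
_tlsa.domainmail.net. TLSA 2 1 1 F1647A5EE3EFAC54C892E930584FE47979B7ACD1C76C1271BCA1C507 6D869888
_tlsa.domainmail.net. TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B220407 1ED04F10
_tlsa.domainmail.net. TLSA 2 1 1 E5545E211347241891C554A03934CDE9B749664A59D26D615FE58F77 990F2D03
_tlsa.domainmail.net. TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422 E0C89270
_tlsa.domainmail.net. TLSA 2 1 1 D016E1FE311948ACA64F2DE44CE86C9A51CA041DF6103BB52A88EB3F 761F57D7
_tlsa.domainmail.net. TLSA 2 1 1 F1440A9B76E1E41E53A4CB461329BF6337B419726BE513E42E19F1C6 91C5D4B2
_tlsa.domainmail.net. RRSIG TLSA 13 3 604800 20240726183256 20240626182946 17100 domainmail.net. [omitted]
"""

if __name__ == "__main__":
    target, rrs = parse_rrset(SAMPLE_RRSET)
    print("CNAME ->", target)
    for key, value in check_rrset(rrs).items():
        print(f"{key}: {value}")
```

Run it as-is to see the findings for the sample (14 records, all DANE-TA, over the hint threshold, no duplicates); to reuse it on your own zone, feed it the ANSWER section of a `dig +dnssec -t tlsa` query instead of `SAMPLE_RRSET`. After a renewal, check with `matches()` that the digest of the new chain's issuer key is published before trimming anything that the old chain no longer needs.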