Hi,

I've noticed that in the last month I can't receive email from people using Office 365 hosted email. So, quite a few people. This is what appears in my mail.log (postfix 3.4.23)

Dec 3 11:38:18 mail postfix/smtpd[15735]: lost connection after EHLO from mail-australiasoutheastazon11020092.outbound.protection.outlook.com[52.101.152.92]
Dec 3 11:38:28 mail postfix/smtpd[15717]: lost connection after EHLO from mail-psaapc01on2110.outbound.protection.outlook.com[40.107.255.110]
Dec 3 11:39:21 mail postfix/smtpd[15826]: lost connection after EHLO from mail-australiasoutheastazon11020101.outbound.protection.outlook.com[52.101.152.101]
Dec 3 11:39:29 mail postfix/smtpd[15826]: lost connection after EHLO from mail-tyzapc01on2112.outbound.protection.outlook.com[40.107.117.112]
Dec 3 11:40:05 mail postfix/smtpd[15717]: lost connection after EHLO from mail-tyzapc01olkn2078.outbound.protection.outlook.com[40.92.107.78]
Dec 3 11:40:31 mail postfix/smtpd[15826]: lost connection after EHLO from mail-tyzapc01on2111.outbound.protection.outlook.com[40.107.117.111]
Dec 3 11:41:34 mail postfix/smtpd[16050]: lost connection after EHLO from mail-sg2apc01on2113.outbound.protection.outlook.com[40.107.215.113]
Dec 3 11:42:53 mail postfix/smtpd[16050]: lost connection after EHLO from mail-koreacentralazon11023086.outbound.protection.outlook.com[40.107.44.86]
Dec 3 11:43:49 mail postfix/smtpd[16050]: lost connection after EHLO from mail-australiaeastazon11022099.outbound.protection.outlook.com[40.107.40.99]
Dec 3 11:44:24 mail postfix/smtpd[16112]: lost connection after EHLO from mail-australiaeastazon11020119.outbound.protection.outlook.com[52.101.150.119]
Dec 3 11:46:41 mail postfix/smtpd[16050]: lost connection after EHLO from mail-psaapc01on2136.outbound.protection.outlook.com[40.107.255.136]

I turned on detailed debugging and this is the transcript of the session. Note that this is AFTER STARTTLS has occurred - so this isn't (at least I can't see how it can be) an SSL/Certificate issue.

postfix/smtpd[27329]: < mail-psaapc01on2132.outbound.protection.outlook.com[40.107.255.132]: EHLO APC01-PSA-obe.outbound.protection.outlook.com
postfix/smtpd[27329]: report helo to all milters
postfix/smtpd[27329]: milter_macro_lookup: "{tls_version}"
postfix/smtpd[27329]: milter_macro_lookup: result "TLSv1.3"
postfix/smtpd[27329]: milter_macro_lookup: "{cipher}"
postfix/smtpd[27329]: milter_macro_lookup: result "TLS_AES_256_GCM_SHA384"
postfix/smtpd[27329]: milter_macro_lookup: "{cipher_bits}"
postfix/smtpd[27329]: milter_macro_lookup: result "256"
postfix/smtpd[27329]: milter_macro_lookup: "{cert_subject}"
postfix/smtpd[27329]: milter_macro_lookup: result "mail.protection.outlook.com"
postfix/smtpd[27329]: milter_macro_lookup: "{cert_issuer}"
postfix/smtpd[27329]: milter_macro_lookup: result "DigiCert Cloud Services CA-1"
postfix/smtpd[27329]: milter8_helo_event: milter inet:localhost:11332: helo APC01-PSA-obe.outbound.protection.outlook.com
postfix/smtpd[27329]: event: SMFIC_HELO; macros: {tls_version}=TLSv1.3 {cipher}=TLS_AES_256_GCM_SHA384 {cipher_bits}=256 {cert_subject}=mail.protection.outlook.com {cert_issuer}=DigiCert Cloud Services CA-1
postfix/smtpd[27329]: skipping reply for event SMFIC_HELO from milter inet:localhost:11332
postfix/smtpd[27329]: match_list_match: mail-psaapc01on2132.outbound.protection.outlook.com: no match
postfix/smtpd[27329]: match_list_match: 40.107.255.132: no match
postfix/smtpd[27329]: > mail-psaapc01on2132.outbound.protection.outlook.com[40.107.255.132]: 250-mail.muppetz.com
postfix/smtpd[27329]: > mail-psaapc01on2132.outbound.protection.outlook.com[40.107.255.132]: 250-PIPELINING
postfix/smtpd[27329]: > mail-psaapc01on2132.outbound.protection.outlook.com[40.107.255.132]: 250-SIZE 81920000
postfix/smtpd[27329]: > mail-psaapc01on2132.outbound.protection.outlook.com[40.107.255.132]: 250-ETRN
postfix/smtpd[27329]: > mail-psaapc01on2132.outbound.protection.outlook.com[40.107.255.132]: 250-AUTH PLAIN LOGIN
postfix/smtpd[27329]: > mail-psaapc01on2132.outbound.protection.outlook.com[40.107.255.132]: 250-AUTH=PLAIN LOGIN
postfix/smtpd[27329]: > mail-psaapc01on2132.outbound.protection.outlook.com[40.107.255.132]: 250-ENHANCEDSTATUSCODES
postfix/smtpd[27329]: > mail-psaapc01on2132.outbound.protection.outlook.com[40.107.255.132]: 250-8BITMIME
postfix/smtpd[27329]: > mail-psaapc01on2132.outbound.protection.outlook.com[40.107.255.132]: 250-DSN
postfix/smtpd[27329]: > mail-psaapc01on2132.outbound.protection.outlook.com[40.107.255.132]: 250-SMTPUTF8
postfix/smtpd[27329]: > mail-psaapc01on2132.outbound.protection.outlook.com[40.107.255.132]: 250 CHUNKING
postfix/smtpd[27329]: watchdog_pat: 0x1dc017276230
postfix/smtpd[27329]: smtp_get: EOF

So Microsoft sends an EHLO, to which I reply, but they hang up on me. I've even tried filtering the CHUNKING EHLO response, but the same.

I have worked around this by setting up a backup MX in a different location, running a slightly more modern version of Debian/Postfix, and Microsoft tries to deliver to my Primary MX, fails, then falls back to my Secondary which works.

This issue started a couple of months ago, but I've only been made aware of it yesterday when a user told me they'd gotten a bounceback forwarding an O365 based email to my mailserver. This was the bounce message:

Generating server: ME0P300MB0700.AUSP300.PROD.OUTLOOK.COM
Receiving server: ME0P300MB0700.AUSP300.PROD.OUTLOOK.COM
t...@muppetz.com
12/2/2024 9:00:15 PM - Server at ME0P300MB0700.AUSP300.PROD.OUTLOOK.COM returned '550 5.4.317 Message expired, cannot connect to remote server(451 4.4.0 Security status InvalidToken)'
12/2/2024 8:50:12 PM - Server at muppetz.com (142.93.19.23) returned '450 4.4.317 Cannot connect to remote server [Message=451 4.4.0 Security status InvalidToken] [LastAttemptedServerName=muppetz.com] [LastAttemptedIP=142.93.19.23:25] [SmtpSecurity=-1;-1] [SY4AUS01FT004.eop-AUS01.prod.protection.outlook.com 2024-12-02T20:50:15.410Z 08DD12BD88CBAC7F](451 4.4.0 Security status InvalidToken)'


Does anyone have any experience with Outlook/O365 and what "Security status InvalidToken" means?

I am guessing maybe some part of my TLS stack isn't working correctly, but as mentioned that debug is after STARTTLS and a negotiated secure session. I am not using DANE/TLSA or MTA-STS etc, just "generic" TLS.

I've already asked on the Postfix mailing list and they suggested asking here, as nothing immediately obviously wrong stood out to them with my config. You can read the full thread with details etc here. https://www.mail-archive.com/postfix-users@postfix.org/msg104277.html

Thank you very much for any suggestions/help you may be able to provide.

Kind Regards,
Tim Harman
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
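
A log check that would surface this kind of silent inbound failure early, as an added example that is not part of the original post: it scans Postfix smtpd log lines for sender domains that repeatedly drop the session right after EHLO or STARTTLS and never get a message queued. The sample log lines, host names, function names and the threshold of three drops are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd log format (not from a real server).
SAMPLE_LOG = """\
Dec  3 11:38:18 mail postfix/smtpd[15735]: lost connection after EHLO from mail-a1.outbound.protection.outlook.com[192.0.2.10]
Dec  3 11:38:28 mail postfix/smtpd[15717]: lost connection after EHLO from mail-b2.outbound.protection.outlook.com[192.0.2.11]
Dec  3 11:39:21 mail postfix/smtpd[15826]: lost connection after EHLO from mail-c3.outbound.protection.outlook.com[192.0.2.12]
Dec  3 11:39:40 mail postfix/smtpd[15826]: 4F1A2B3C4D: client=mx1.sender.example[198.51.100.7]
Dec  3 11:40:02 mail postfix/smtpd[15717]: lost connection after EHLO from scanner.probe.example[203.0.113.9]
Dec  3 11:41:10 mail postfix/smtpd[15717]: lost connection after AUTH from dsl-1.isp.example[203.0.113.50]
Dec  3 11:42:00 mail postfix/smtpd[16050]: 5A6B7C8D9E: client=mx2.sender.example[198.51.100.8]
"""

# "lost connection after <STAGE> from host[ip]"
LOST = re.compile(r"postfix/smtpd\[\d+\]: lost connection after (\S+) from (\S+?)\[([^\]]+)\]")
# "<QUEUEID>: client=host[ip]" is logged once a message is accepted into the queue.
ACCEPT = re.compile(r"postfix/smtpd\[\d+\]: [0-9A-Za-z]+: client=(\S+?)\[([^\]]+)\]")


def org_domain(host):
    # Simplification: last two DNS labels; a public-suffix list is more exact.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def silent_senders(log_text, stages=("EHLO", "STARTTLS"), min_drops=3):
    """Return {domain: drop_count} for sender domains that dropped the session
    at one of the given stages at least min_drops times and never queued mail."""
    drops, accepted = defaultdict(int), set()
    for line in log_text.splitlines():
        m = LOST.search(line)
        if m and m.group(1) in stages:
            drops[org_domain(m.group(2))] += 1
            continue
        m = ACCEPT.search(line)
        if m:
            accepted.add(org_domain(m.group(1)))
    return {d: n for d, n in drops.items() if n >= min_drops and d not in accepted}


if __name__ == "__main__":
    for domain, count in sorted(silent_senders(SAMPLE_LOG).items()):
        print(f"{domain}: {count} sessions dropped before MAIL FROM, none delivered")
```

The single drop from the constructed scanner host stays below the threshold, which keeps ordinary probe traffic out of the result.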
