On 17.08.23, 01:48 Viktor Dukhovni wrote via Postfix-users:
So far, the pattern of Microsoft's outbound systems disconnecting
immediately after a completed TLS handshake strongly correlates with a
broken TLSA setup.

For the record: I stumbled across this a couple of days ago when I received a message on LinkedIn telling me that a number of e-mails sent via Microsoft's outbound systems had bounced. Given that occasional tests using MECSA (https://mecsa.jrc.ec.europa.eu/) and DNSSEC and DANE Validation (part of the Microsoft Remote Connectivity Analyzer, https://testconnectivity.microsoft.com/tests/O365DaneValidation/input) looked /good/ (all TLSA entries for ECDSA/RSA certificates used by a certain domain and its subdomains were always listed under subname "_tcp", with a couple of CNAME entries "*._tcp", "[*.]_tcp.subdomain", ... pointing to said subname), it took a while to realize that the above "STARTTLS,QUIT" behaviour is due to the fact that said outbound systems do not like to come across non-matching TLSA entries (for other certificates used by the webserver) anymore.

The simple solution was to introduce a new specific subname "_25._tcp" (which takes precedence over the generic "*._tcp" CNAME) and duplicate/move the TLSA entries directly related to the certificate used by postfix for the (sub)domain(s) in question there. In hindsight, this means: Whenever the MRCA test results (see above) show something marked in red, you should check whether it's possible to modify your configuration.

KR, Markus
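An added example (not part of the post) of the check the situation above calls for: RFC 6698 only needs one TLSA record in the set to match the presented certificate, but the post observes that Microsoft's senders disconnect when the set at the MX name also carries records for other certificates, so the useful audit is to list every record in the RRset that does not match the certificate Postfix actually presents. The DER bytes and record sets below are constructed stand-ins; the matching logic (selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type 1 = SHA-256, 2 = SHA-512) is the standard TLSA comparison.

```python
import hashlib

# Constructed stand-ins for DER data (not real certificates): the certificate
# Postfix presents, its SubjectPublicKeyInfo, and the web server's SPKI.
POSTFIX_CERT = b"constructed-der-certificate-used-by-postfix"
POSTFIX_SPKI = b"constructed-spki-of-the-postfix-ecdsa-certificate"
WEBSERVER_SPKI = b"constructed-spki-of-the-webserver-rsa-certificate"


def tlsa_digest(data: bytes, matching_type: int) -> str:
    """Apply the TLSA matching type: 0 = raw data, 1 = SHA-256, 2 = SHA-512."""
    if matching_type == 0:
        return data.hex()
    if matching_type == 1:
        return hashlib.sha256(data).hexdigest()
    if matching_type == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError(f"unknown TLSA matching type {matching_type}")


def tlsa_rdata(data: bytes, usage: int = 3, selector: int = 1, matching_type: int = 1) -> str:
    """Presentation-format RDATA, defaulting to DANE-EE, SPKI, SHA-256 ("3 1 1 ...")."""
    return f"{usage} {selector} {matching_type} {tlsa_digest(data, matching_type)}"


def record_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """True if one TLSA record matches the certificate the server presents."""
    _usage, selector, mtype, digest = rdata.split()
    data = cert_der if int(selector) == 0 else spki_der
    return tlsa_digest(data, int(mtype)).lower() == digest.lower()


def audit_rrset(rrset, cert_der: bytes, spki_der: bytes):
    """Split an RRset into records that match Postfix's certificate and foreign ones."""
    matching = [r for r in rrset if record_matches(r, cert_der, spki_der)]
    foreign = [r for r in rrset if r not in matching]
    return matching, foreign


# "Before": the single RRset reached through the generic *._tcp CNAME, which
# holds records for every certificate the host uses, as the post describes.
SHARED_TCP_RRSET = [tlsa_rdata(POSTFIX_SPKI), tlsa_rdata(WEBSERVER_SPKI)]
# "After": a specific _25._tcp owner carrying only the Postfix certificate's record.
DEDICATED_25_TCP_RRSET = [tlsa_rdata(POSTFIX_SPKI)]

if __name__ == "__main__":
    for name, rrset in (("*._tcp", SHARED_TCP_RRSET), ("_25._tcp", DEDICATED_25_TCP_RRSET)):
        matching, foreign = audit_rrset(rrset, POSTFIX_CERT, POSTFIX_SPKI)
        print(f"{name}: {len(matching)} matching, {len(foreign)} foreign record(s)")
```

In practice the RRset comes from `dig TLSA _25._tcp.<mx>` and the certificate and SPKI from the live STARTTLS session; an empty "foreign" list is the state to aim for at the MX name.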

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
