On Tue, Dec 03, 2024 at 12:39:16PM +1300, Tim Harman via Postfix-users wrote:

> I'm fairly sure this is a Microsoft problem, but I'm asking anyway in case
> I'm doing something really dumb.

Ignore the other responses, they are not relevant...  The problem would
typically be incorrect DANE TLSA records for your domain, or perhaps
broken MTA-STS.  But that's not the case here.

> Dec  3 11:59:36 mail postfix/smtpd[16112]: connect from
> mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]
> Dec  3 11:59:37 mail postfix/smtpd[16112]: lost connection after EHLO from
> mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]
> Dec  3 11:59:37 mail postfix/smtpd[16112]: disconnect from
> mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]
> ehlo=2 starttls=1 commands=3

Indeed the lost connection is *after* STARTTLS, so if they did not like
the cert a disconnect might be expected.  But your cert looks fairly
plain, and no DANE or MTA-STS in sight, so if there's a problem, it is
not obvious at first glance.  Are there failures from other sources
within "outbound.protection.outlook.com"?

> Dec  3 11:38:28 mail postfix/smtpd[15717]: Trusted TLS connection established
> from mail-psaapc01on2110.outbound.protection.outlook.com[40.107.255.110]:
> TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange
> ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest
> SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256
> Dec  3 11:38:28 mail postfix/smtpd[15717]: lost connection after EHLO from
> mail-psaapc01on2110.outbound.protection.outlook.com[40.107.255.110]
> 
> Trusted TLS - so I think that proves my SSL is good?

No, that means they presented a client certificate for no particularly
good reason, one that happened to chain up to a known trust anchor.

> You can see I've commented out the usual reject statements just in case they
> were the cause, but they didn't make a difference (nor did commenting out
> tls_preempt_cipherlist)
> 
> 
> This is the only log/bounceback I've managed to get from someone:
> 
> Generating server: ME0P300MB0700.AUSP300.PROD.OUTLOOK.COM
> Receiving server: ME0P300MB0700.AUSP300.PROD.OUTLOOK.COM
> t...@muppetz.com
> 12/2/2024 9:00:15 PM - Server at ME0P300MB0700.AUSP300.PROD.OUTLOOK.COM
> returned '550 5.4.317 Message expired, cannot connect to remote server(451
> 4.4.0 Security status InvalidToken)'
> 12/2/2024 8:50:12 PM - Server at muppetz.com (142.93.19.23) returned '450
> 4.4.317 Cannot connect to remote server [Message=451 4.4.0 Security status
> InvalidToken] [LastAttemptedServerName=muppetz.com]
> [LastAttemptedIP=142.93.19.23:25] [SmtpSecurity=-1;-1]
> [SY4AUS01FT004.eop-AUS01.prod.protection.outlook.com
> 2024-12-02T20:50:15.410Z 08DD12BD88CBAC7F](451 4.4.0 Security status
> InvalidToken)'

Join the "mailop" list, ask there.  I never knew or don't recall what
"Security status InvalidToken" means in Microsoft's world.

--
    Viktor.
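As an added example (not code from this thread), a small Python triage script over constructed Postfix smtpd log lines modelled on the excerpts above: it reads the per-session counters from each "disconnect from" line and groups drops by sending domain, which answers the question of whether other sources within outbound.protection.outlook.com fail the same way. The sample lines, the `summarize` helper and the classification labels are my own; the counter semantics (a second EHLO only happens inside the TLS session) follow Postfix's own logging.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the lines quoted in the thread (not the poster's real log).
SAMPLE_LOG = """\
Dec  3 11:59:36 mail postfix/smtpd[16112]: connect from mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]
Dec  3 11:59:37 mail postfix/smtpd[16112]: lost connection after EHLO from mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]
Dec  3 11:59:37 mail postfix/smtpd[16112]: disconnect from mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121] ehlo=2 starttls=1 commands=3
Dec  3 12:01:00 mail postfix/smtpd[16120]: connect from mx.example.net[192.0.2.10]
Dec  3 12:01:02 mail postfix/smtpd[16120]: disconnect from mx.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Dec  3 12:02:00 mail postfix/smtpd[16130]: connect from mail-psaapc01on2110.outbound.protection.outlook.com[40.107.255.110]
Dec  3 12:02:01 mail postfix/smtpd[16130]: lost connection after EHLO from mail-psaapc01on2110.outbound.protection.outlook.com[40.107.255.110]
Dec  3 12:02:01 mail postfix/smtpd[16130]: disconnect from mail-psaapc01on2110.outbound.protection.outlook.com[40.107.255.110] ehlo=1 commands=1
"""

DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\] (?P<counts>.*)$"
)

def parse_counts(fields: str) -> dict:
    """Turn 'ehlo=2 starttls=1 commands=3' into {'ehlo': 2, 'starttls': 1, 'commands': 3}.
    Postfix may log 'rcpt=0/1' (accepted/offered); the accepted count is kept."""
    counts = {}
    for token in fields.split():
        key, _, value = token.partition("=")
        counts[key] = int(value.split("/")[0])
    return counts

def classify(counts: dict) -> str:
    """Label a session from its counters; labels are my own, not Postfix terms."""
    if "quit" in counts:
        return "clean"
    if counts.get("starttls", 0) and counts.get("ehlo", 0) >= 2:
        return "dropped after TLS EHLO"    # handshake completed, client then gave up
    if counts.get("starttls", 0):
        return "dropped during STARTTLS"   # STARTTLS issued but no EHLO inside TLS
    return "dropped before STARTTLS"

def sender_domain(host: str) -> str:
    """Strip the first label so all 'mail-*.outbound.protection.outlook.com' hosts group together."""
    return host.split(".", 1)[1] if "." in host else host

def summarize(log_text: str) -> dict:
    """Map sending domain -> {label: number of sessions} over every disconnect line."""
    result = defaultdict(Counter)
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if m:
            result[sender_domain(m["host"])][classify(parse_counts(m["counts"]))] += 1
    return {domain: dict(c) for domain, c in result.items()}

if __name__ == "__main__":
    for domain, labels in summarize(SAMPLE_LOG).items():
        print(domain, labels)
```

Run it against a real `mail.log` by replacing `SAMPLE_LOG` with the file contents; a domain whose only label is "dropped after TLS EHLO" is the pattern discussed in this thread.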
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org