On Tue, Dec 03, 2024 at 12:39:16PM +1300, Tim Harman via Postfix-users wrote:
> I'm fairly sure this is a Microsoft problem, but I'm asking anyway in case
> I'm doing something really dumb.

Ignore the other responses, they are not relevant...

The problem would typically be incorrect DANE TLSA records for your
domain, or perhaps broken MTA-STS. But that's not the case here.

> Dec 3 11:59:36 mail postfix/smtpd[16112]: connect from
> mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]
> Dec 3 11:59:37 mail postfix/smtpd[16112]: lost connection after EHLO from
> mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]
> Dec 3 11:59:37 mail postfix/smtpd[16112]: disconnect from
> mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]
> ehlo=2 starttls=1 commands=3

Indeed the lost connection is *after* STARTTLS, so if they did not like
the cert a disconnect might be expected. But your cert looks fairly
plain, and no DANE or MTA-STS in sight, so if there's a problem, it is
not obvious at first glance.

Are there failures from other sources within "outbound.protection.outlook.com"?

> Dec 3 11:38:28 mail postfix/smtpd[15717]: Trusted TLS connection established
> from mail-psaapc01on2110.outbound.protection.outlook.com[40.107.255.110]:
> TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange
> ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest
> SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256
> Dec 3 11:38:28 mail postfix/smtpd[15717]: lost connection after EHLO from
> mail-psaapc01on2110.outbound.protection.outlook.com[40.107.255.110]
>
> Trusted TLS - so I think that proves my SSL is good?

No, that means they presented a client certificate for no particularly
good reason, one that happened to chain up to a known trust anchor.
> You can see I've commented out the usual reject statements just in case they
> were the cause, but they didn't make a difference (nor did commenting out
> tls_preempt_cipherlist)
>
> This is the only log/bounceback I've managed to get from someone:
>
> Generating server: ME0P300MB0700.AUSP300.PROD.OUTLOOK.COM
> Receiving server: ME0P300MB0700.AUSP300.PROD.OUTLOOK.COM
> t...@muppetz.com
> 12/2/2024 9:00:15 PM - Server at ME0P300MB0700.AUSP300.PROD.OUTLOOK.COM
> returned '550 5.4.317 Message expired, cannot connect to remote server(451
> 4.4.0 Security status InvalidToken)'
> 12/2/2024 8:50:12 PM - Server at muppetz.com (142.93.19.23) returned '450
> 4.4.317 Cannot connect to remote server [Message=451 4.4.0 Security status
> InvalidToken] [LastAttemptedServerName=muppetz.com]
> [LastAttemptedIP=142.93.19.23:25] [SmtpSecurity=-1;-1]
> [SY4AUS01FT004.eop-AUS01.prod.protection.outlook.com
> 2024-12-02T20:50:15.410Z 08DD12BD88CBAC7F](451 4.4.0 Security status
> InvalidToken)'

Join the "mailop" list, ask there. I never knew or don't recall what
"Security status InvalidToken" means in Microsoft's world.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
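Two things in the reply above are worth turning into a repeatable check: whether the drops happen after the post-STARTTLS EHLO (i.e. once the peer has seen the server certificate), and whether other hosts under outbound.protection.outlook.com show the same pattern. The script below is an added example, not code from the thread or from Postfix; it reassembles smtpd sessions from the log format quoted above and groups them by client host. The log lines are constructed for the example (the "Anonymous TLS" line for the australiaeast host, the third outlook.com host and mx.example.net are made up to show the contrast), and the "TLS connection established" lines only appear in real logs when smtpd_tls_loglevel is at least 1.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the smtpd lines quoted in the thread.
SAMPLE_LOG = """\
Dec  3 11:38:28 mail postfix/smtpd[15717]: connect from mail-psaapc01on2110.outbound.protection.outlook.com[40.107.255.110]
Dec  3 11:38:28 mail postfix/smtpd[15717]: Trusted TLS connection established from mail-psaapc01on2110.outbound.protection.outlook.com[40.107.255.110]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Dec  3 11:38:28 mail postfix/smtpd[15717]: lost connection after EHLO from mail-psaapc01on2110.outbound.protection.outlook.com[40.107.255.110]
Dec  3 11:38:28 mail postfix/smtpd[15717]: disconnect from mail-psaapc01on2110.outbound.protection.outlook.com[40.107.255.110] ehlo=2 starttls=1 commands=3
Dec  3 11:59:36 mail postfix/smtpd[16112]: connect from mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]
Dec  3 11:59:37 mail postfix/smtpd[16112]: Anonymous TLS connection established from mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Dec  3 11:59:37 mail postfix/smtpd[16112]: lost connection after EHLO from mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121]
Dec  3 11:59:37 mail postfix/smtpd[16112]: disconnect from mail-australiaeastazon11021121.outbound.protection.outlook.com[40.107.39.121] ehlo=2 starttls=1 commands=3
Dec  3 12:05:01 mail postfix/smtpd[16200]: connect from mail-db5eur01on2101.outbound.protection.outlook.com[40.107.15.101]
Dec  3 12:05:02 mail postfix/smtpd[16200]: Anonymous TLS connection established from mail-db5eur01on2101.outbound.protection.outlook.com[40.107.15.101]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Dec  3 12:05:03 mail postfix/smtpd[16200]: disconnect from mail-db5eur01on2101.outbound.protection.outlook.com[40.107.15.101] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Dec  3 12:10:00 mail postfix/smtpd[16210]: connect from mx.example.net[192.0.2.10]
Dec  3 12:10:01 mail postfix/smtpd[16210]: Anonymous TLS connection established from mx.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec  3 12:10:02 mail postfix/smtpd[16210]: disconnect from mx.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

# One smtpd line: process id, event, client hostname and address.
LINE_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: "
    r"(?P<event>connect from"
    r"|(?P<tls>\w+) TLS connection established from"
    r"|lost connection after (?P<stage>\S+) from"
    r"|disconnect from) "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
)

# smtpd client-certificate outcomes: Anonymous = no client cert offered,
# Untrusted = offered but not verifiable, Trusted = chains to a CA in
# smtpd_tls_CAfile/CApath. None of these says anything about our own cert.
CLIENT_CERT_PRESENTED = {"Untrusted", "Trusted"}


def parse_sessions(log_text):
    """Reassemble per-connection sessions from smtpd lines, keyed by process id."""
    open_sessions, finished = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, event = m.group("pid"), m.group("event")
        if event == "connect from":
            open_sessions[pid] = {"host": m.group("host"), "ip": m.group("ip"),
                                  "tls": None, "lost_after": None, "counters": {}}
            continue
        sess = open_sessions.get(pid)
        if sess is None:
            continue  # no 'connect from' seen for this pid; skip the stray line
        if m.group("tls"):
            sess["tls"] = m.group("tls")
        elif m.group("stage"):
            sess["lost_after"] = m.group("stage")
        else:  # 'disconnect from ...' carries the per-command counters
            sess["counters"] = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", line[m.end():])}
            finished.append(open_sessions.pop(pid))
    return finished


def client_cert_presented(sess):
    return sess["tls"] in CLIENT_CERT_PRESENTED


def dropped_after_starttls(sess):
    """True when the peer went away after its second (post-STARTTLS) EHLO,
    i.e. after it had seen our certificate: ehlo=2 starttls=1 on disconnect."""
    c = sess["counters"]
    return sess["lost_after"] == "EHLO" and c.get("starttls", 0) >= 1 and c.get("ehlo", 0) >= 2


def failures_by_source(sessions, suffix):
    """Per client host under `suffix`: sessions seen, post-STARTTLS drops, TLS levels seen."""
    stats = defaultdict(lambda: {"sessions": 0, "post_starttls_drops": 0, "tls_levels": set()})
    for sess in sessions:
        if not sess["host"].endswith(suffix):
            continue
        st = stats[sess["host"]]
        st["sessions"] += 1
        if dropped_after_starttls(sess):
            st["post_starttls_drops"] += 1
        if sess["tls"]:
            st["tls_levels"].add(sess["tls"])
    return dict(stats)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for host, st in sorted(failures_by_source(sessions, ".outbound.protection.outlook.com").items()):
        print(f"{host}: {st['post_starttls_drops']}/{st['sessions']} dropped after STARTTLS, "
              f"client-cert levels {sorted(st['tls_levels'])}")
```

Feed it the real mail log instead of SAMPLE_LOG and the output answers the question in the reply: if every outlook.com host drops after STARTTLS the problem is on the receiving side's certificate or TLS configuration as seen by Microsoft, while drops from only some of their outbound pools point elsewhere. Note that a "Trusted" level here is purely about the client certificate the peer sent, which is why it proves nothing about the server's own certificate.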