In reply to my earlier mail: I kept experimenting a bit by using tcpdump. And the output suggested to turn on IPv6 support (inet_protocols = all) in Postfix. Now the messages from outlook.com get delivered but not without problems. Here are the relevant log entries:
----- Jul 24 12:58:58 serving postfix/smtpd[5573]: initializing the server-side TLS engine Jul 24 12:58:58 serving postfix/smtpd[5573]: connect from mail-db3on0080.outbound.protection.outlook.com[157.55.234.80] Jul 24 12:58:58 serving postfix/smtpd[5573]: setting up TLS connection from mail-db3on0080.outbound.protection.outlook.com[157.55.234.80] Jul 24 12:58:58 serving postfix/smtpd[5573]: mail-db3on0080.outbound.protection.outlook.com[157.55.234.80]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH" Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:before/accept initialization Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:SSLv3 read client hello A Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:SSLv3 write server hello A Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:SSLv3 write certificate A Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:SSLv3 write key exchange A Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:SSLv3 write server done A Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:SSLv3 flush data Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:failed in SSLv3 read client certificate A Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept error from mail-db3on0080.outbound.protection.outlook.com[157.55.234.80]: lost connection Jul 24 12:58:58 serving postfix/smtpd[5573]: lost connection after STARTTLS from mail-db3on0080.outbound.protection.outlook.com[157.55.234.80] Jul 24 12:58:58 serving postfix/smtpd[5573]: disconnect from mail-db3on0080.outbound.protection.outlook.com[157.55.234.80] Jul 24 12:58:58 serving postfix/smtpd[5573]: connect from mail-db3on0656.outbound.protection.outlook.com[2a01:111:f400:fe04::656] Jul 24 12:58:58 serving postfix/smtpd[5573]: setting up TLS connection from mail-db3on0656.outbound.protection.outlook.com[2a01:111:f400:fe04::656] Jul 24 12:58:58 serving postfix/smtpd[5573]: mail-db3on0656.outbound.protection.outlook.com[2a01:111:f400:fe04::656]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH" Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:before/accept initialization Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:SSLv3 read client hello A Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:SSLv3 write server hello A Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:SSLv3 write certificate A Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:SSLv3 write key exchange A Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:SSLv3 write server done A Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:SSLv3 flush data Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept:failed in SSLv3 read client certificate A Jul 24 12:58:58 serving postfix/smtpd[5573]: SSL_accept error from mail-db3on0656.outbound.protection.outlook.com[2a01:111:f400:fe04::656]: lost connection Jul 24 12:58:58 serving postfix/smtpd[5573]: lost connection after STARTTLS from mail-db3on0656.outbound.protection.outlook.com[2a01:111:f400:fe04::656] Jul 24 12:58:58 serving postfix/smtpd[5573]: disconnect from mail-db3on0656.outbound.protection.outlook.com[2a01:111:f400:fe04::656] Jul 24 12:58:58 serving postfix/smtpd[5573]: connect from mail-db3on0674.outbound.protection.outlook.com[2a01:111:f400:fe04::674] Jul 24 12:58:59 serving postfix/smtpd[5573]: 132B5486FB: client=mail-db3on0674.outbound.protection.outlook.com[2a01:111:f400:fe04::674] Jul 24 12:58:59 serving postfix/cleanup[5578]: 132B5486FB: message-id=<e5751b71-cdbf-4244-ac1d-ffc80c90a...@warwick.ac.uk> Jul 24 12:58:59 serving postfix/qmgr[5571]: 132B5486FB: from=<some...@warwick.ac.uk>, size=6038, nrcpt=1 (queue active) Jul 24 12:58:59 serving postfix/local[5579]: 132B5486FB: to=<mor...@schmi.tt>, relay=local, delay=0.24, delays=0.2/0/0/0.04, dsn=2.0.0, status=sent (delivered to maildir) Jul 24 12:58:59 serving postfix/qmgr[5571]: 132B5486FB: removed Jul 24 12:58:59 serving postfix/smtpd[5573]: disconnect from mail-db3on0674.outbound.protection.outlook.com[2a01:111:f400:fe04::674] ----- I am not sure if I read these logs correctly. Does it mean that outlook.com first tries TLS via IPv4 and fails, then TLS via IPv6 and fails again, and finally resorts to an unsecured connection successfully? Does anyone have an idea of what the reason for theses problems could be? I am using a certificate signed by CAcert.org which is happily accepted by Google, Yahoo, etc. Moritz On Fri, Jul 24, 2015 at 10:20:49AM +0200, Moritz Schmitt wrote: > Hey, > > My server serving.schmi.tt is experiencing problems with mails coming in > from outlook.com. This is what I found in my logs (many times actually): > > ----- > Jul 24 09:28:16 serving postfix/smtpd[4577]: initializing the server-side TLS > engine > Jul 24 09:28:16 serving postfix/smtpd[4577]: connect from > mail-am1on0067.outbound.protection.outlook.com[157.56.112.67] > Jul 24 09:28:16 serving postfix/smtpd[4577]: setting up TLS connection from > mail-am1on0067.outbound.protection.outlook.com[157.56.112.67] > Jul 24 09:28:16 serving postfix/smtpd[4577]: > mail-am1on0067.outbound.protection.outlook.com[157.56.112.67]: TLS cipher > list "aNULL:-aNULL:ALL:+RC4:@STRENGTH" > Jul 24 09:28:16 serving postfix/smtpd[4577]: SSL_accept:before/accept > initialization > Jul 24 09:28:16 serving postfix/smtpd[4577]: SSL_accept:SSLv3 read client > hello A > Jul 24 09:28:16 serving postfix/smtpd[4577]: SSL_accept:SSLv3 write server > hello A > Jul 24 09:28:16 serving postfix/smtpd[4577]: SSL_accept:SSLv3 write > certificate A > Jul 24 09:28:16 serving postfix/smtpd[4577]: SSL_accept:SSLv3 write key > exchange A > Jul 24 09:28:16 serving postfix/smtpd[4577]: SSL_accept:SSLv3 write server > done A > Jul 24 09:28:16 serving postfix/smtpd[4577]: SSL_accept:SSLv3 flush data > Jul 24 09:28:16 serving postfix/smtpd[4577]: SSL_accept:failed in SSLv3 read > client certificate A > Jul 24 09:28:16 serving postfix/smtpd[4577]: SSL_accept error from > mail-am1on0067.outbound.protection.outlook.com[157.56.112.67]: lost connection > Jul 24 09:28:16 serving postfix/smtpd[4577]: lost connection after STARTTLS > from mail-am1on0067.outbound.protection.outlook.com[157.56.112.67] > Jul 24 09:28:16 serving postfix/smtpd[4577]: disconnect from > mail-am1on0067.outbound.protection.outlook.com[157.56.112.67] > ----- > > The last time this occuredi, outlook.com tried 115 times to deliver > unsuccessfully. It returned the message to the sender with the following > comment: > > ----- > Diagnostic information for administrators: > > Generating server: VI1PR01MB1567.eurprd01.prod.exchangelabs.com > Receiving server: emea01-internal.map.protection.outlook.com (10.174.64.27) > Total retry attempts: 8 > > mor...@schmi.tt > 7/23/2015 1:30:37 PM - Remote Server at > emea01-internal.map.protection.outlook.com (10.174.64.27) returned '550 4.4.7 > QUEUE.Expired; message expired' > 7/23/2015 1:20:35 PM - Remote Server at > emea01-internal.map.protection.outlook.com (10.174.64.27) returned '451 4.4.0 > Primary target IP address responded with: "451 4.4.0 Security status > InvalidToken." Attempted failover to alternate host, but that did not > succeed. Either there are no alternate hosts, or delivery failed to all > alternate hosts. The last endpoint attempted was 2001:67c:1400:22a0::1:1101' > > Original message headers: > > (...) > ----- > > Of course I searched the internet for this problem but didn't really > find anything that helped me. There are other people who have troubles > with outlook.com at the receiving end, however, their problems seem to > slightly different. > > serving.schmi.tt is my own private little toy server and I am an > unexperienced admin (in fact, I am not an admin at all). So I find it > quite likely that I made a mistake in my postfix configuration. Let me > therefore also post the output of postconf -n: > > ----- > broken_sasl_auth_clients = yes > command_directory = /usr/local/sbin > config_directory = /usr/local/etc/postfix > daemon_directory = /usr/local/libexec/postfix > data_directory = /var/db/postfix > debug_peer_level = 2 > debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd > $daemon_directory/$process_name $process_id & sleep 5 > home_mailbox = Maildir/ > html_directory = /usr/local/share/doc/postfix > inet_protocols = ipv4 > mail_owner = postfix > mailbox_size_limit = 0 > mailq_path = /usr/local/bin/mailq > manpage_directory = /usr/local/man > message_size_limit = 1000000000 > mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, > bismark.$mydomain, www.$mydomain, mail.$mydomain > mydomain = schmi.tt > myhostname = serving.schmi.tt > mynetworks_style = host > myorigin = $mydomain > newaliases_path = /usr/local/bin/newaliases > queue_directory = /var/spool/postfix > readme_directory = /usr/local/share/doc/postfix > sample_directory = /usr/local/etc/postfix > sendmail_path = /usr/local/sbin/sendmail > setgid_group = maildrop > smtp_tls_loglevel = 2 > smtp_tls_security_level = may > smtpd_relay_restrictions = permit_sasl_authenticated reject_unauth_destination > smtpd_sasl_auth_enable = yes > smtpd_sasl_path = private/auth > smtpd_sasl_type = dovecot > smtpd_starttls_timeout = 300s > smtpd_tls_CAfile = /etc/ssl/certs/CACERT.ORG_root.crt > smtpd_tls_auth_only = yes > smtpd_tls_cert_file = /etc/ssl/certs/PUB_CHAIN_serving.schmi.tt.pem > smtpd_tls_key_file = /etc/ssl/private/PRIV_serving.schmi.tt.pem > smtpd_tls_loglevel = 2 > smtpd_tls_security_level = may > unknown_local_recipient_reject_code = 550 > virtual_mailbox_limit = 0 > ----- > > Any hints are greatly appreciated since I am quite lost at what to try > next. Maybe someone spots a mistake in my configuration? Or encountered > the same problem with outlook.com? > > It is probably not relevant, but on this machine I am running FreeBSD > 10.1-RELEASE-p15. > > Best, > Moritz
