We've got a postfix mail server running postscreen that is configured to make use of the postscreen_dnsbl_whitelist_threshold feature. The postfix version is 3.0.3. Things have been working really well for the last 6 months or so. However, we have recently discovered an issue where it seems that incoming email that comes from *.outbound.protection.outlook.com servers is not handled properly.
Here is a snippet from the logs:

    Dec 1 01:05:59 shenandoah postfix/postscreen[21329]: CONNECT from [157.56.112.120]:28475 to [REMOVED_IP]:25
    Dec 1 01:05:59 shenandoah postfix/dnsblog[21437]: addr 157.56.112.120 listed by domain list.dnswl.org as 127.0.3.0
    Dec 1 01:05:59 shenandoah postfix/dnsblog[21440]: addr 157.56.112.120 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
    Dec 1 01:05:59 shenandoah postfix/dnsblog[21440]: addr 157.56.112.120 listed by domain hostkarma.junkemailfilter.com as 127.0.0.3
    Dec 1 01:05:59 shenandoah postfix/dnsblog[21442]: addr 157.56.112.120 listed by domain wl.mailspike.net as 127.0.0.17
    Dec 1 01:06:05 shenandoah postfix/tlsproxy[21715]: CONNECT from [157.56.112.120]:28475
    Dec 1 01:06:06 shenandoah postfix/tlsproxy[21715]: Anonymous TLS connection established from [157.56.112.120]:28475: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
    Dec 1 01:06:06 shenandoah postfix/postscreen[21329]: NOQUEUE: reject: RCPT from [157.56.112.120]:28475: 450 4.3.2 Service currently unavailable; from=<sen...@domain1.com>, to=<recipi...@domain2.com>, proto=ESMTP, helo=<emea01-am1-obe.outbound.protection.outlook.com>
    Dec 1 01:06:07 shenandoah postfix/tlsproxy[21715]: DISCONNECT [157.56.112.120]:28475
    Dec 1 01:06:07 shenandoah postfix/postscreen[21329]: HANGUP after 1.6 from [157.56.112.120]:28475 in tests after SMTP handshake
    Dec 1 01:06:07 shenandoah postfix/postscreen[21329]: PASS NEW [157.56.112.120]:28475
    Dec 1 01:06:07 shenandoah postfix/postscreen[21329]: DISCONNECT [157.56.112.120]:28475

I've altered the IP address of the receiving mail server and have altered the sending and receiving email addresses, in the snippet above, for posting on the mailing list.

Now, a few things to note: The four whitelist hits give it a score of -8. I have postscreen_dnsbl_whitelist_threshold set to -2.

Questions:

1. Why is this message getting a 450 message? Is the outlook mail server speaking out of turn here?

2. For some reason, the sending mail server hangs up before postscreen gives the pass new command. Is this, again, a problem with the outlook.com mail servers?

3. This seems to happen with all of the outbound.protection.outlook.com mail servers, but only their servers. This cycle will repeat itself repeatedly until the message is retried with one of the servers that have already connected. It is my understanding that the sending mailserver should not be receiving a 450 due to our postscreen_dnsbl_whitelist_threshold configuration. (This seems to work properly for other mailservers connecting to us.)

4. Do I have any options other than manually whitelisting all of their IPs?

Thanks,
Bryan Walton
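An added example, not part of the original post: a short Python script that groups the postscreen and dnsblog lines from the log above by client IP and reports clients that had DNS list hits, received a 4xx reply, and then logged PASS NEW. The function names are hypothetical, and the regular expressions assume the log format shown in the post.

```python
import re

# Excerpt of the log from the post above (postscreen and dnsblog lines only,
# with the same redactions as the post).
SAMPLE_LOG = """\
Dec 1 01:05:59 shenandoah postfix/postscreen[21329]: CONNECT from [157.56.112.120]:28475 to [REMOVED_IP]:25
Dec 1 01:05:59 shenandoah postfix/dnsblog[21437]: addr 157.56.112.120 listed by domain list.dnswl.org as 127.0.3.0
Dec 1 01:05:59 shenandoah postfix/dnsblog[21440]: addr 157.56.112.120 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
Dec 1 01:05:59 shenandoah postfix/dnsblog[21440]: addr 157.56.112.120 listed by domain hostkarma.junkemailfilter.com as 127.0.0.3
Dec 1 01:05:59 shenandoah postfix/dnsblog[21442]: addr 157.56.112.120 listed by domain wl.mailspike.net as 127.0.0.17
Dec 1 01:06:06 shenandoah postfix/postscreen[21329]: NOQUEUE: reject: RCPT from [157.56.112.120]:28475: 450 4.3.2 Service currently unavailable; from=<sen...@domain1.com>, to=<recipi...@domain2.com>, proto=ESMTP, helo=<emea01-am1-obe.outbound.protection.outlook.com>
Dec 1 01:06:07 shenandoah postfix/postscreen[21329]: HANGUP after 1.6 from [157.56.112.120]:28475 in tests after SMTP handshake
Dec 1 01:06:07 shenandoah postfix/postscreen[21329]: PASS NEW [157.56.112.120]:28475
"""

DNSBLOG = re.compile(r"postfix/dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as (\S+)")
SCREEN = re.compile(r"postfix/postscreen\[\d+\]: (CONNECT|NOQUEUE: reject|HANGUP|PASS NEW|PASS OLD)\b"
                    r".*?\[([0-9a-fA-F.:]+)\]:\d+(.*)")

def summarize(log_text):
    """Collect DNS list hits and postscreen events per client IP."""
    clients = {}
    for line in log_text.splitlines():
        hit, ev = DNSBLOG.search(line), SCREEN.search(line)
        if not (hit or ev):
            continue  # tlsproxy, DISCONNECT and unrelated lines
        ip = hit.group(1) if hit else ev.group(2)
        c = clients.setdefault(ip, {"listings": [], "events": [], "reply": None})
        if hit:
            c["listings"].append((hit.group(2), hit.group(3)))
            continue
        kind = "REJECT" if ev.group(1).startswith("NOQUEUE") else ev.group(1)
        c["events"].append(kind)
        if kind == "REJECT":  # keep the SMTP reply and enhanced status code
            code = re.match(r":\s*(\d{3} \d\.\d+\.\d+)", ev.group(3))
            c["reply"] = code.group(1) if code else None
    return clients

def deferred_then_passed(clients):
    """IPs that had DNS list hits, got a 4xx reject, and later logged PASS NEW."""
    out = []
    for ip, c in clients.items():
        ev = c["events"]
        if (c["listings"] and c["reply"] and c["reply"].startswith("4")
                and "REJECT" in ev and "PASS NEW" in ev
                and ev.index("REJECT") < ev.index("PASS NEW")):
            out.append(ip)
    return out

if __name__ == "__main__":
    print(deferred_then_passed(summarize(SAMPLE_LOG)))
```

Run against a full mail log, the list it returns shows whether the pattern is limited to one sender's address ranges, as the post reports.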