On 2 Dec 2015, at 12:28, Bill Cole wrote:
On 2 Dec 2015, at 10:42, Bryan K. Walton wrote:
We've got a postfix mail server running postscreen that is configured
to make use of the postscreen_dnsbl_whitelist_threshold feature. The
postfix version is 3.0.3. Things have been working really well for
the last 6 months, or so. However, we have recently discovered an
issue where it seems that incoming email that comes from
*.outbound.protection.outlook.com servers seem to not be handled
properly.
[...]
Questions:
1. Why is this message getting a 450 message? Is the outlook mail
server speaking out of turn here?
Since you didn't bother providing 'postconf -n' output, which would
provide useful clues, we are left with making random guesses...
My random guess: you're doing sender verification. Don't. It's broken
in concept and especially broken operationally if you want to
communicate with people using MS products.
Alternative (and I think better) random guess: you've enabled one or
more "after 220 server greeting" test. See the postscreen man page for
the consequences of such configuration and note that there's no law
requiring retry delivery of a deferred message to be done via the same
IP as any prior delivery attempt, and a big complex mail system built
for high availability is likely to NOT do so.
