Hi,

Has anyone else seen this? Apologies in advance for this not being directly postfix-related, but I'm hoping someone here can explain some weird behaviour I'm seeing from Outlook's mail servers.
I'm setting up a new postfix server for someone. It mainly does virus/spam checking and relaying for a bunch of domains. For testing, I've made it the only MX server for one of my spare domains, and sent an email to there from an account at outlook.office.com. For this test, I remembered to add the new server to the list of mx records that MTA-STS knows about. I probably should have removed MTA-STS completely for this test. The test email bounced with the following report:

> Diagnostic information for administrators:
>
> Generating server: ME3PR01MB8390.ausprd01.prod.outlook.com
> Receiving server: ME3PR01MB8390.ausprd01.prod.outlook.com
>
> r...@libslack.org
> 5/1/2022 12:09:32 AM - Server at ME3PR01MB8390.ausprd01.prod.outlook.com
> returned '550 5.4.317 Message expired, cannot connect to remote
> server(451 4.7.5 Remote certificate MUST have a subject alternative name
> matching the hostname (MTA-STS))'
> 4/30/2022 11:59:28 PM - Server at libslack.org (82.134.31.111)
> returned '450 4.4.317 Cannot connect to remote server [Message=451
> 4.7.5 Remote certificate MUST have a subject alternative name matching
> the hostname (MTA-STS)] [LastAttemptedServerName=libslack.org]
> [LastAttemptedIP=82.134.31.111:25]
> [SY4AUS01FT024.eop-AUS01.prod.protection.outlook.com](451 4.7.5 Remote
> certificate MUST have a subject alternative name matching the hostname
> (MTA-STS))'

The test email was sent to r...@libslack.org. libslack.org's MX record points to smtp10.infotech.no. smtp10.infotech.no's IP address is 82.134.31.111. https://mta-sts.libslack.org/.well-known/mta-sts.txt contains "mx: smtp10.infotech.no".

  $ host -t mx libslack.org
  libslack.org mail is handled by 10 smtp10.infotech.no.
  $ host smtp10.infotech.no
  smtp10.infotech.no has address 82.134.31.111
  $ curl https://mta-sts.libslack.org/.well-known/mta-sts.txt
  [...]
  mx: smtp10.infotech.no
  [...]
The above report seems to indicate that Outlook's servers think that the MX server they are sending to is called libslack.org and that its address is 82.134.31.111. The address is right, but the name isn't. libslack.org is just the recipient domain, not the MX server name. It also seems to indicate that the TLS certificate at that server should have libslack.org as one of its subject alternative names. Am I reading that right? It seems very badly wrong. What am I missing? I don't remember reading that a requirement of MTA-STS is that MX server TLS certificates need to certify all the domains that they serve as MX for. It seems hard to believe that the Outlook servers could mistake the recipient domain for the MX server domain, but that's what it looks like. For my next test, I'll just turn off MTA-STS (using yet another spare domain so I don't have to wait a week).

cheers,
raf
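The checks the post is comparing, as an added example that is not part of the original message: parse an mta-sts.txt policy, match MX hosts against its `mx` patterns, and match the MX hostname (not the recipient domain) against the certificate's subject alternative names, following RFC 8461. The policy text and MX record mirror the post; the SAN list for the MX host's certificate is constructed and hypothetical.

```python
"""Added example (not from the original post): MTA-STS policy and SAN checks."""

# Constructed sample data mirroring the scenario in the post.
MTA_STS_POLICY = """version: STSv1
mode: enforce
mx: smtp10.infotech.no
max_age: 604800
"""
MX_RECORDS = {"libslack.org": ["smtp10.infotech.no"]}
# Hypothetical SAN list for the MX host's certificate (constructed).
CERT_SANS = ["smtp10.infotech.no", "*.infotech.no"]

def parse_policy(text):
    """Parse mta-sts.txt into a dict; 'mx' is a list because it may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def name_matches(host, pattern):
    """Exact match, or a '*.' pattern covering exactly one extra left label
    (the rule both RFC 8461 'mx' entries and certificate wildcards follow)."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".infotech.no"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern

def mx_allowed(mx_host, policy):
    """True if the MX host is listed by one of the policy's 'mx' patterns."""
    return any(name_matches(mx_host, p) for p in policy["mx"])

def cert_valid_for(name, sans):
    """The name to compare with the SANs is the MX hostname, not the recipient
    domain (the substitution the bounce in the post appears to make)."""
    return any(name_matches(name, san) for san in sans)

def usable_mx_hosts(recipient_domain, policy_text, mx_records, cert_sans):
    """MX hosts for the domain that pass both the policy and certificate checks."""
    policy = parse_policy(policy_text)
    return [mx for mx in mx_records[recipient_domain]
            if mx_allowed(mx, policy) and cert_valid_for(mx, cert_sans)]
```

With the MX hostname checked, smtp10.infotech.no passes; checking the recipient domain libslack.org against the same SANs fails, which is the mismatch the bounce reports.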