BTW I explicitly allow mail from their IP ranges at postscreen level:
...
#outlook.com
40.92.0.0/15 permit
40.107.0.0/16 permit
52.100.0.0/14 permit
104.47.0.0/17 permit
they published some more ranges but when I checked, I haven't noticed mail from
other than these ranges
i suppose that can't hurt here.
i added the ranges, and, as expected, see ALLOWLISTED @ postscreen; tho, the
connection still terminates as above.
taking a stab at looking at TLS, for one of these short/failed from-outlook.com
attempts,
tshark -nr /tmp/tls.pcap
1 0.000000 52.101.62.16 → 192.0.2.25 TCP 66 60645 → 25 [SYN] Seq=0 Win=64240 Len=0 MSS=1378 WS=256 SACK_PERM
2 0.000211 192.0.2.25 → 52.101.62.16 TCP 66 25 → 60645 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 SACK_PERM WS=1
3 0.044868 52.101.62.16 → 192.0.2.25 TCP 54 60645 → 25 [ACK] Seq=1 Ack=1 Win=525568 Len=0
4 0.321516 192.0.2.25 → 52.101.62.16 SMTP 121 S: 220 mx1.example.net ESMTP .
5 0.365891 52.101.62.16 → 192.0.2.25 SMTP 105 C: EHLO DM5PR00CU002.outbound.protection.outlook.com
6 0.365969 192.0.2.25 → 52.101.62.16 TCP 54 25 → 60645 [ACK] Seq=68 Ack=52 Win=64189 Len=0
7 0.366134 192.0.2.25 → 52.101.62.16 SMTP 185 S: 250-mx1.example.net | PIPELINING | SIZE 104857600 | STARTTLS | ENHANCEDSTATUSCODES | 8BITMIME | SMTPUTF8
8 0.410624 52.101.62.16 → 192.0.2.25 SMTP 64 C: STARTTLS
9 0.410814 192.0.2.25 → 52.101.62.16 SMTP 84 S: 220 2.0.0 Ready to start TLS
10 0.455866 52.101.62.16 → 192.0.2.25 TLSv1.2 224 Client Hello
11 0.466708 192.0.2.25 → 52.101.62.16 TLSv1.2 1432 Server Hello
12 0.466719 192.0.2.25 → 52.101.62.16 TCP 1432 25 → 60645 [PSH, ACK] Seq=1607 Ack=232 Win=64009 Len=1378 [TCP segment of a reassembled PDU]
13 0.466947 192.0.2.25 → 52.101.62.16 TLSv1.2 902 Certificate, Server Key Exchange, Server Hello Done
14 0.511121 52.101.62.16 → 192.0.2.25 TCP 54 60645 → 25 [ACK] Seq=232 Ack=2985 Win=525568 Len=0
15 0.518474 52.101.62.16 → 192.0.2.25 TLSv1.2 212 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
16 0.520753 192.0.2.25 → 52.101.62.16 TLSv1.2 296 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
17 0.567586 52.101.62.16 → 192.0.2.25 TLSv1.2 89 Application Data
18 0.568017 192.0.2.25 → 52.101.62.16 TLSv1.2 98 Application Data
19 0.568181 192.0.2.25 → 52.101.62.16 TLSv1.2 85 Encrypted Alert
20 0.612599 52.101.62.16 → 192.0.2.25 TCP 54 60645 → 25 [ACK] Seq=425 Ack=4151 Win=524288 Len=0
21 0.613008 52.101.62.16 → 192.0.2.25 TCP 54 60645 → 25 [RST, ACK] Seq=425 Ack=4151 Win=0 Len=0
&
tshark -nr /tmp/tls.pcap -V ssl
...
Transmission Control Protocol, Src Port: 25, Dst Port: 60645, Seq: 2985, Ack: 232, Len: 848
Source Port: 25
Destination Port: 60645
[Stream index: 0]
?? [Conversation completeness: Incomplete, DATA (15)]
...
iiuc, 15 == 1/SYN +2/SYN-ACK + 4/ACK +8/DATA and indicates the handshake lacks
a FIN or RST closing sequence
for an OK send, from google,
tshark -nr /tmp/tls.pcap
1 0.000000 209.85.128.182 → 192.0.2.25 TCP 74 47456 → 25 [SYN] Seq=0 Win=65535 Len=0 MSS=1412 SACK_PERM TSval=1170316599 TSecr=0 WS=256
2 0.000181 192.0.2.25 → 209.85.128.182 TCP 74 25 → 47456 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=3383420399 TSecr=1170316599 WS=1
3 0.023599 209.85.128.182 → 192.0.2.25 TCP 66 47456 → 25 [ACK] Seq=1 Ack=1 Win=65536 Len=0 TSval=1170316622 TSecr=3383420399
4 0.318693 192.0.2.25 → 209.85.128.182 SMTP 133 S: 220 mx1.example.net ESMTP .
5 0.342110 209.85.128.182 → 192.0.2.25 TCP 66 47456 → 25 [ACK] Seq=1 Ack=68 Win=65536 Len=0 TSval=1170316941 TSecr=3383420717
6 0.343199 209.85.128.182 → 192.0.2.25 SMTP 97 C: EHLO mail-yw1-f182.google.com
7 0.343282 192.0.2.25 → 209.85.128.182 TCP 66 25 → 47456 [ACK] Seq=68 Ack=32 Win=65129 Len=0 TSval=3383420742 TSecr=1170316942
8 0.343408 192.0.2.25 → 209.85.128.182 SMTP 197 S: 250-mx1.example.net | PIPELINING | SIZE 104857600 | STARTTLS | ENHANCEDSTATUSCODES | 8BITMIME | SMTPUTF8
9 0.367327 209.85.128.182 → 192.0.2.25 SMTP 76 C: STARTTLS
10 0.367387 192.0.2.25 → 209.85.128.182 SMTP 96 S: 220 2.0.0 Ready to start TLS
11 0.391656 209.85.128.182 → 192.0.2.25 TLSv1 583 Client Hello
12 0.393450 192.0.2.25 → 209.85.128.182 TLSv1.3 1466 Server Hello, Change Cipher Spec, Application Data
13 0.393454 192.0.2.25 → 209.85.128.182 TLSv1.3 1466 Application Data
14 0.393505 192.0.2.25 → 209.85.128.182 TLSv1.3 128 Application Data, Application Data
15 0.416843 209.85.128.182 → 192.0.2.25 TCP 66 47456 → 25 [ACK] Seq=559 Ack=3029 Win=72448 Len=0 TSval=1170317016 TSecr=3383420792
16 0.419252 209.85.128.182 → 192.0.2.25 TLSv1.3 130 Change Cipher Spec, Application Data
17 0.420751 192.0.2.25 → 209.85.128.182 TLSv1.3 305 Application Data
18 0.420798 209.85.128.182 → 192.0.2.25 TLSv1.3 119 Application Data
19 0.449566 209.85.128.182 → 192.0.2.25 TCP 66 47456 → 25 [ACK] Seq=676 Ack=3330 Win=75008 Len=0 TSval=1170317048 TSecr=3383420819
20 0.449639 192.0.2.25 → 209.85.128.182 TLSv1.3 205 Application Data
21 0.473294 209.85.128.182 → 192.0.2.25 TCP 66 47456 → 25 [ACK] Seq=676 Ack=3469 Win=77824 Len=0 TSval=1170317072 TSecr=3383420848
22 0.474032 209.85.128.182 → 192.0.2.25 TLSv1.3 131 Application Data
23 0.474154 209.85.128.182 → 192.0.2.25 TLSv1.3 129 Application Data
24 0.474498 209.85.128.182 → 192.0.2.25 TLSv1.3 94 Application Data
25 0.486255 192.0.2.25 → 209.85.128.182 TLSv1.3 102 Application Data
26 0.513835 209.85.128.182 → 192.0.2.25 TCP 66 47456 → 25 [ACK] Seq=832 Ack=3505 Win=77824 Len=0 TSval=1170317113 TSecr=3383420885
27 5.142936 192.0.2.25 → 209.85.128.182 TLSv1.3 102 Application Data
28 5.166367 209.85.128.182 → 192.0.2.25 TCP 66 47456 → 25 [ACK] Seq=832 Ack=3541 Win=77824 Len=0 TSval=1170321765 TSecr=3383425541
29 5.166407 192.0.2.25 → 209.85.128.182 TLSv1.3 125 Application Data
30 5.189798 209.85.128.182 → 192.0.2.25 TCP 66 47456 → 25 [ACK] Seq=832 Ack=3600 Win=77824 Len=0 TSval=1170321788 TSecr=3383425565
31 5.190796 209.85.128.182 → 192.0.2.25 TLSv1.3 1488 Application Data
32 5.190839 192.0.2.25 → 209.85.128.182 TCP 66 25 → 47456 [ACK] Seq=3600 Ack=2254 Win=63000 Len=0 TSval=3383425589 TSecr=1170321789
33 5.191233 209.85.128.182 → 192.0.2.25 TLSv1.3 1488 Application Data
34 5.191249 192.0.2.25 → 209.85.128.182 TCP 66 25 → 47456 [ACK] Seq=3600 Ack=3676 Win=63000 Len=0 TSval=3383425590 TSecr=1170321790
35 5.192044 209.85.128.182 → 192.0.2.25 TLSv1.3 184 Application Data
36 5.233805 192.0.2.25 → 209.85.128.182 TCP 66 25 → 47456 [ACK] Seq=3600 Ack=3794 Win=63000 Len=0 TSval=3383425632 TSecr=1170321791
37 10.835039 192.0.2.25 → 209.85.128.182 TLSv1.3 121 Application Data
38 10.860709 209.85.128.182 → 192.0.2.25 TLSv1.3 94 Application Data
39 10.860710 209.85.128.182 → 192.0.2.25 TCP 66 47456 → 25 [FIN, ACK] Seq=3822 Ack=3655 Win=77824 Len=0 TSval=1170327459 TSecr=3383431234
40 10.860826 192.0.2.25 → 209.85.128.182 TCP 66 25 → 47456 [ACK] Seq=3655 Ack=3822 Win=63000 Len=0 TSval=3383431259 TSecr=1170327459
41 10.861257 192.0.2.25 → 209.85.128.182 TLSv1.3 103 Application Data
42 10.861587 192.0.2.25 → 209.85.128.182 TLSv1.3 90 Application Data
43 10.885279 209.85.128.182 → 192.0.2.25 TCP 54 47456 → 25 [RST] Seq=3823 Win=0 Len=0
44 10.885279 209.85.128.182 → 192.0.2.25 TCP 54 47456 → 25 [RST] Seq=3823 Win=0 Len=0
&
tshark -nr /tmp/tls.pcap -V ssl
...
Transmission Control Protocol, Src Port: 25, Dst Port: 47456, Seq: 3692, Ack: 3823, Len: 24
Source Port: 25
Destination Port: 47456
[Stream index: 0]
!! [Conversation completeness: Complete, WITH_DATA (31)]
...
atm i'm staring at
11 0.466708 192.0.2.25 → 52.101.62.16 TLSv1.2 1432 Server Hello
12 0.466719 192.0.2.25 → 52.101.62.16 TCP 1432 25 → 60645 [PSH, ACK] Seq=1607 Ack=232 Win=64009 Len=1378 [TCP segment of a reassembled PDU]
...
19 0.568181 192.0.2.25 → 52.101.62.16 TLSv1.2 85 Encrypted Alert
...
21 0.613008 52.101.62.16 → 192.0.2.25 TCP 54 60645 → 25 [RST, ACK] Seq=425 Ack=4151 Win=0 Len=0
in the outlook.com transaction, and reading up on packet reassembly issues, kernel
sysctls, &/or firewall ...
in any case, it appears to be incomplete DATA.
and doesn't (?) appear to be a pfx issue, or one it can shed any light on.
whether it's a 'me' or 'them' issue, remains to be seen.