On Wed, Aug 16, 2023 at 10:56:07AM +0000, Serg via Postfix-users wrote:
> I have checked email server of mine and can confirm I am seeing that too
> (logs are since Aug 13 03:50:38 EEST):
>
> > admin@flopster ~ $ sudo grep -e .outbound.protection.outlook.com
> > /var/log/mail.log | grep 'ehlo=1 starttls=1 quit=1 commands=3' | tail
> > Aug 16 13:47:34 flopster postfix/smtpd[23237]: disconnect from
> > mail-mw2nam12on20617.outbound.protection.outlook.com[2a01:111:f400:fe5a::617]
> > ehlo=1 starttls=1 quit=1 commands=3
> > [...]
There's a good reason for that: your MX host has DANE TLSA records that
don't match its certificate chain:
$ danesmtp ()
{
    local host=$1;
    shift;
    local opts=(-starttls smtp -connect "$host:25" -verify 9 -verify_return_error -brief -dane_ee_no_namechecks -dane_tlsa_domain "$host");
    set -- $(dig +short +nosplit -t tlsa "_25._tcp.$host" | egrep -i '^[23] [01] [012] [0-9a-f]+$');
    while [ $# -ge 4 ]; do
        opts=("${opts[@]}" "-dane_tlsa_rrdata" "$1 $2 $3 $4");
        shift 4;
    done;
    ( sleep 1; printf "QUIT\r\n" ) | openssl s_client "${opts[@]}"
}
$ danesmtp flopster.at.encryp.ch
verify depth is 9
depth=0 CN = flopster.at.encryp.ch
verify error:num=65:No matching DANE TLSA records
34371133440:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Microsoft supports DANE outbound and will not deliver mail to sites with
misconfigured TLSA records. This can only be discovered as part of
completing the TLS handshake.
Your server refuses SMTP connections from the DANE survey:
flopster.at.encryp.ch[65.21.140.233]: GREETING 554 5.7.1 <dnssec-stats.ant.isi.edu>: Unverified Client host rejected: opt-out from the research
flopster.at.encryp.ch[2a01:4f9:3b:2a5f:86e2:89a:e1f7:b837]: GREETING 554 5.7.1 <dnssec-stats.ant.isi.edu>: Unverified Client host rejected: opt-out from the research
so, unfortunately, you've also not been previously notified of this
problem.
I would like to encourage postmasters to not block SMTP connections from
the DANE survey: https://stats.dnssec-tools.org/about.html
There is typically just one connection a day per MX IP
address, perhaps a couple of extra connections if a problem is found.
Far less hassle (a few extra *lines* in the log per day) than not being
able to receive mail. And you contribute to the survey stats.
--
Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
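The check that fails above ("No matching DANE TLSA records") is the comparison between each TLSA record and the certificate the server presents. The following is an added example, not code from Viktor's post or from Postfix or OpenSSL: it parses TLSA rdata in the `dig +short` form the danesmtp function filters for, extracts the SubjectPublicKeyInfo from a DER certificate with a minimal DER walker, and reports whether the record matches. The certificate is a constructed stand-in (valid DER layout, fake key) so it runs offline; `der`, `der_tlv`, `spki_from_cert` and `tlsa_matches` are names chosen here.

```python
import hashlib
import re

TLSA_RE = re.compile(r'^([23]) ([01]) ([012]) ([0-9a-f]+)$', re.IGNORECASE)  # same filter as danesmtp

def der(tag, body):  # minimal DER TLV encoder, used only to build the constructed sample certificate
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, 'big') + body

def der_tlv(buf, pos):  # (tag, value_start, value_end) of the DER element starting at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], 'big')
        pos += size
    return tag, pos, pos + length

def spki_from_cert(cert_der):  # Certificate -> tbsCertificate -> subjectPublicKeyInfo (DER bytes)
    _, tbs_pos, _ = der_tlv(cert_der, 0)
    _, pos, end = der_tlv(cert_der, tbs_pos)
    fields = []
    while pos < end:
        tag, _, vend = der_tlv(cert_der, pos)
        fields.append((tag, cert_der[pos:vend]))
        pos = vend
    if fields[0][0] == 0xA0:  # skip the optional [0] EXPLICIT version field
        fields.pop(0)
    return fields[5][1]       # serial, sigalg, issuer, validity, subject, SPKI

def tlsa_matches(rdata, chain):  # rdata as printed by dig +short; chain = DER certs, leaf first
    m = TLSA_RE.match(rdata.strip())
    if not m:
        return False           # usage 0/1 (PKIX-*) and unknown fields are ignored, as in danesmtp
    usage, selector, mtype, assoc = int(m[1]), int(m[2]), int(m[3]), bytes.fromhex(m[4])
    hashers = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(), 2: lambda d: hashlib.sha512(d).digest()}
    for cert in (chain[:1] if usage == 3 else chain):  # DANE-EE: leaf only; DANE-TA: any presented cert
        data = cert if selector == 0 else spki_from_cert(cert)
        if hashers[mtype](data) == assoc:
            return True
    return False

# Constructed sample certificate (not a real cert): an X.509 shell around a fake ecPublicKey SPKI.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex('2a8648ce3d0201'))) + der(0x03, b'\x00\x04' + b'\x11' * 64))
SAMPLE_TBS = der(0x30, der(0xA0, der(0x02, b'\x02')) + der(0x02, b'\x01') + der(0x30, b'') * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, SAMPLE_TBS + der(0x30, b'') + der(0x03, b'\x00'))
CURRENT_RECORD = '3 1 1 ' + hashlib.sha256(SAMPLE_SPKI).hexdigest()  # what the zone should publish for this key
STALE_RECORD = '3 1 1 ' + '00' * 32                                  # a record left over from a previous key
```

A zone that publishes only `STALE_RECORD` after a key rollover is exactly the situation in the openssl output: every record is well-formed, but none matches, so the handshake fails.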