I changed the preferred chain here, and for all my domains (thx o/ !).
it certainly didn't hurt.
Presumably you then also *force* renewed the certificate chain.
yes
After the dns cleanup, switching BACK the preferred chain didn't
reinit the issue.
Did you *force* renewal at that point?
a
On Tue, May 02, 2023 at 07:03:55PM -0400, PGNet Dev via Postfix-users wrote:
> > Also look into other possibilities, the DST Root issue is a bit of a
> > longshot. If you can get an account on Outlook.com, send mail and
> > see if it bounces with usable diagnostics in the bounce.
>
> I changed t
Also look into other possibilities, the DST Root issue is a bit of a
longshot. If you can get an account on Outlook.com, send mail and see
if it bounces with usable diagnostics in the bounce.
i changed the preferred chain here, and for all my domains (thx o/ !). it
certainly didn't hurt.
but
On Tue, May 02, 2023 at 11:54:00AM -0400, PGNet Dev wrote:
> > The DST root, that issued the ISRG X1 cross cert.
>
> https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>
> yikes. missed that by a mile!
>
> > From my renewal.conf file:
> >
> > [renewalparams]
> > r
Original Message
From: Viktor Dukhovni via Postfix-users [mailto:postfix-users@postfix.org]
Sent: Tuesday, May 2, 2023 at 11:32 AM EDT
To: postfix-users@postfix.org
Subject: [pfx] Re: inbound failures only from outbound.protection.outlook.com.
Cert issue in this log?
On Tue
On Tue, May 02, 2023 at 11:09:59AM -0400, PGNet Dev wrote:
> what root CA expiry are you referring to?
The DST root, that issued the ISRG X1 cross cert.
> > The "ISRG Root X1" CA no longer needs a cross cert.
>
> it seems that LE still provides them,
>
> https://letsencrypt.org/certificates
What are some domains your server accepts mail for? Do you perhaps
publish DANE TLSA records and have botched certificate rotation?
See if dropping the DST cross cert from your certificate chain will
help. That root CA has long ago expired.
nothing in that cert chain reports a past date.
wha
On Tue, May 02, 2023 at 09:54:48AM -0400, Viktor Dukhovni via Postfix-users
wrote:
> What are some domains your server accepts mail for? Do you perhaps
> publish DANE TLSA records and have botched certificate rotation?
See if dropping the DST cross cert from your certificate chain will
help. T
On Tue, May 02, 2023 at 09:41:50AM -0400, PGNet Dev via Postfix-users wrote:
> a server that i don't have shell access to atm has, today, started
> seeing undelivered mail from only one domain --
> *outbound.protection.outlook.com. apparently, everything else inbound
> is flowin
a server that i don't have shell access to atm has, today, started seeing
undelivered mail from only one domain -- *outbound.protection.outlook.com.
apparently, everything else inbound is flowing. and, i'm told, inbound from
outlook.com was working yesterday.
all i've got so
: outbound.protection.outlook.com
On 2019/10/02 16:13, Henrik K wrote:
> On Wed, Oct 02, 2019 at 02:50:23PM +0200, ratatouille wrote:
> > Henrik K wrote on 02.10.19 at 15:46:18:
> >
> > > On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote:
> > > >
> > > > I got rid of it, because of too many false positive
On 2.10.2019 at 11:05:31 ratatouille wrote:
>
> Do I really have to whitelist all the IPs of outbound.protection.outlook.com
> in postgrey?
I just put the domain name outbound.protection.outlook.com into
/etc/postgrey/whitelist_clients.local and it works for me.
--
Regards,
* ratatouille :
> Hello!
>
> Do I really have to whitelist all the IPs of outbound.protection.outlook.com
> in postgrey?
Yes. There's a script for that:
# Postwhite - Automatic Postscreen Whitelist / Blacklist Generator #
# https://github.com/stevejenkins/postwhite
On Wed, Oct 02, 2019 at 02:50:23PM +0200, ratatouille wrote:
> Henrik K wrote on 02.10.19 at 15:46:18:
>
> > On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote:
> > >
> > > I got rid of it, because of too many false positives related to outlook,
> > > gmail
> > > etc.
>
Henrik K wrote on 02.10.19 at 15:46:18:
> On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote:
> >
> > I got rid of it, because of too many false positives related to outlook, gmail
> > etc.
>
> Why would you greylist something that's easily skipped using DNSWL etc?
Tha
On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote:
>
> I got rid of it, because of too many false positives related to outlook, gmail
> etc.
Why would you greylist something that's easily skipped using DNSWL etc?
On 2019-10-02 ratatouille wrote:
> Do I really have to whitelist all the IPs of
> outbound.protection.outlook.com in postgrey?
Ansgar Wiechers wrote on 02.10.19 at 11:56:56:
No. You could simply stop graylisting and instead use spam protection
measures without its side effect
Ansgar Wiechers wrote on 02.10.19 at 11:56:56:
> On 2019-10-02 ratatouille wrote:
> > Do I really have to whitelist all the IPs of
> > outbound.protection.outlook.com in postgrey?
>
> No. You could simply stop graylisting and instead use spam protection
> m
On 2019-10-02 ratatouille wrote:
> Do I really have to whitelist all the IPs of
> outbound.protection.outlook.com in postgrey?
No. You could simply stop graylisting and instead use spam protection
measures without its side effects (e.g. postscreen).
Regards
Ansgar Wiechers
--
"Abstra
Hello!
Do I really have to whitelist all the IPs of outbound.protection.outlook.com in
postgrey?
Oct 2 10:57:28 bitclusive1 postfix/smtpd[20061]: NOQUEUE: reject: RCPT from
mail-eopbgr680083.outbound.protection.outlook.com[40.107.68.83]: 450 4.2.0
: Recipient address rejected: Greylisted for
PGNet Dev:
> > That should be safe, because the OK here cannot affect how a recipient
> > will be evaluated.
>
> Do you have any reasonable advice as to a better approach to share?
Well you can drop the initial .* and you may want to end the pattern
in '$' as in
/\.outbound\.protection\.outl
That should be safe, because the OK here cannot affect how a recipient
will be evaluated.
Do you have any reasonable advice as to a better approach to share?
PGNet Dev:
> currently, my config does include
>
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
> permit_mynetworks
> check_helo_access pcre:${config_directory}/helo_access.pcre
> reject_invalid_helo_hostname
> reject_non_fqdn_helo_hostname
> permit
>
> is adding
currently, my config does include
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
check_helo_access pcre:${config_directory}/helo_access.pcre
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
permit
is adding to head of helo_access.pcre
/.*\.out
for a single sender, here "them @theirdomain.com", in my logs
postfix.log:Apr 24 13:18:19 mx postfix/postscreen-internal/smtpd[6816]:
NOQUEUE: client=mail-eopbgr770049.outbound.protection.outlook.com[40.107.77.49]
postfix.log:Apr 26 11:15:00 mx
postfix/postscreen-internal/
wn state") that's also likely not the problem, but just in
case:
http://dilbert.com/strip/1995-06-24
The outlook.com email servers are fully able to support modern TLS
ciphersuites, and do not object to my self-signed cert.
Nov 7 16:34:41 amnesiac postfix/smtpd[6205]: conn
On 7 Nov 2016, at 9:26, Florian Piekert wrote:
Hello everybody,
another issue around TLS/SSL from me.
I see tons of
==> mail/mail.log <==
[...]
Nov 7 15:03:29 blueberry postfix/smtpd[18091]:
mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]:
TLS cipher list "aNULL
Hello everybody,
another issue around TLS/SSL from me.
I see tons of
==> mail/mail.log <==
Nov 7 15:03:29 blueberry postfix/postscreen[16163]: PASS NEW
[2a01:111:f400:fe1f::32d]:56472
Nov 7 15:03:29 blueberry postfix/postscreen[16163]: CONNECT from
[187.58.37.29]:62661 to [85.214.17.19]:25
Nov
On Wed, Dec 02, 2015 at 10:10:27AM -0800, Steve Jenkins wrote:
> At the risk of sounding spammy for my latest pet project, Bryan's use case
> is exactly the type of issue an SPF-based whitelist for known senders (such
> as outlook.com) would fix.
>
> Bryan: grab the postwhite script (https://githu
On Wed, Dec 02, 2015 at 01:55:01PM -0500, Bill Cole wrote:
> My mistake: I didn't look carefully enough at what
> postscreen_dnsbl_whitelist_threshold is supposed to do. Sorry for the
> rapid-fire noise.
>
> Theory: Your 8 DNSBL lookups are not all completing fast enough for
> postscreen to make a
On 2 Dec 2015, at 12:54, Bryan K. Walton wrote:
On Wed, Dec 02, 2015 at 12:49:05PM -0500, Bill Cole wrote:
Alternative (and I think better) random guess: you've enabled one or
more
"after 220 server greeting" test. See the postscreen man page for the
consequences of such configuration and note
On Wed, Dec 2, 2015 at 9:54 AM, Bryan K. Walton
wrote:
> On Wed, Dec 02, 2015 at 12:49:05PM -0500, Bill Cole wrote:
> > Alternative (and I think better) random guess: you've enabled one or more
> > "after 220 server greeting" test. See the postscreen man page for the
> > consequences of such conf
On 2 Dec 2015, at 12:48, Bryan K. Walton wrote:
On Wed, Dec 02, 2015 at 12:28:33PM -0500, Bill Cole wrote:
Questions:
1. Why is this message getting a 450 message? Is the outlook mail
server
speaking out of turn here?
Since you didn't bother providing 'postconf -n' output, which would
prov
On Wed, Dec 02, 2015 at 12:49:05PM -0500, Bill Cole wrote:
> Alternative (and I think better) random guess: you've enabled one or more
> "after 220 server greeting" test. See the postscreen man page for the
> consequences of such configuration and note that there's no law requiring
> retry delivery
eally well for
the last 6 months, or so. However, we have recently discovered an
issue where it seems that incoming email that comes from
*.outbound.protection.outlook.com servers seem to not be handled
properly.
[...]
Questions:
1. Why is this message getting a 450 message? Is the outlook
On Wed, Dec 02, 2015 at 12:28:33PM -0500, Bill Cole wrote:
> >Questions:
> >1. Why is this message getting a 450 message? Is the outlook mail server
> >speaking out of turn here?
>
> Since you didn't bother providing 'postconf -n' output, which would provide
> useful clues, we are left with making
wever, we have recently discovered an
issue where it seems that incoming email that comes from
*.outbound.protection.outlook.com servers seem to not be handled
properly.
[...]
Questions:
1. Why is this message getting a 450 message? Is the outlook mail
server speaking out of turn here?
Sinc
seems that incoming
email that comes from *.outbound.protection.outlook.com servers seem to not be
handled properly.
Here is a snippet from the logs:
Dec 1 01:05:59 shenandoah postfix/postscreen[21329]: CONNECT from
[157.56.112.120]:28475 to [REMOVED_IP]:25
Dec 1 01:05:59 shenandoah po
39 matches