Unable to receive mail from outlook servers #730

Open
imol-ai opened this issue Nov 2, 2024 · 8 comments
imol-ai commented Nov 2, 2024

Describe the bug

Whenever somebody from Microsoft Outlook (doesn't matter if it's a company or private email) tries to send me a message, the message delivery fails. Funnily enough, I can send mail to Outlook addresses with no problem. Any other host can send my maddy server messages without a single problem; I have tried at least twenty.

Steps to reproduce

Send a message from an outlook address to the maddy server.

Log files

When outlook connects to my server:

Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 220 redacted ESMTP Service Ready
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: EHLO EUR05-DB8-obe.outbound.protection.outlook.com
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250-Hello EUR05-DB8-obe.outbound.protection.outlook.com
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250-PIPELINING
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250-8BITMIME
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250-ENHANCEDSTATUSCODES
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250-CHUNKING
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250-STARTTLS
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250-SMTPUTF8
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250 SIZE 67108864
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: STARTTLS
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 220 2.0.0 Ready to start TLS
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 550 5.0.0 Handshake error

The logs that outlook gave me after it couldn't deliver:

Diagnostic information for administrators:

Generating server: AM7PR10MB3480.EURPRD10.PROD.OUTLOOK.COM
Receiving server: AM7PR10MB3480.EURPRD10.PROD.OUTLOOK.COM

[email protected]
11/2/2024 9:26:59 AM - Server at AM7PR10MB3480.EURPRD10.PROD.OUTLOOK.COM returned '550 5.4.317 Message expired, cannot connect to remote server(451 4.4.0 Security status Renegotiate)'
11/2/2024 9:17:03 AM - Server at redacted (redacted) returned '450 4.4.317 Cannot connect to remote server [Message=451 4.4.0 Security status Renegotiate] [LastAttemptedServerName=redacted] [LastAttemptedIP=redacted] [SmtpSecurity=-2;-2] [DB8EUR05FT024.eop-eur05.prod.protection.outlook.com 2024-11-02T09:17:04.213Z 08DCFA5EB073BFF6](451 4.4.0 Security status Renegotiate)'

Original message headers:

Received: from PAVPR10MB7354.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:31d::12)
 by AM7PR10MB3480.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:132::17) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8114.20; Sat, 2 Nov
 2024 07:32:55 +0000
---snip---

Configuration file

TLS config:

protocols tls1.2 tls1.3
ciphers ECDHE-ECDSA-WITH-AES256-GCM-SHA384 ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-WITH-AES128-GCM-SHA256 ECDHE-RSA-WITH-AES256-GCM-SHA384 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-AES128-GCM-SHA256

I also tried with:

protocols tls1.0 tls1.3
ciphers RSA-WITH-RC4128-SHA RSA-WITH-3DES-EDE-CBC-SHA RSA-WITH-AES128-CBC-SHA RSA-WITH-AES256-CBC-SHA RSA-WITH-AES128-CBC-SHA256 RSA-WITH-AES128-GCM-SHA256 RSA-WITH-AES256-GCM-SHA384 ECDHE-ECDSA-WITH-RC4128-SHA ECDHE-ECDSA-WITH-AES128-CBC-SHA ECDHE-ECDSA-WITH-AES256-CBC-SHA ECDHE-RSA-WITH-RC4128-SHA ECDHE-RSA-WITH-3DES-EDE-CBC-SHA ECDHE-RSA-WITH-AES128-CBC-SHA ECDHE-RSA-WITH-AES256-CBC-SHA ECDHE-ECDSA-WITH-AES128-CBC-SHA256 ECDHE-RSA-WITH-AES128-CBC-SHA256 ECDHE-RSA-WITH-AES128-GCM-SHA256 ECDHE-ECDSA-WITH-AES128-GCM-SHA256 ECDHE-RSA-WITH-AES256-GCM-SHA384 ECDHE-ECDSA-WITH-AES256-GCM-SHA384 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-WITH-CHACHA20-POLY1305
curves p256 p384 p521 X25519

SMTP config:

smtp tcp://${pub_ipv4}:25 tcp://[${pub_ipv6}]:25 {
	debug true # only for the logs
	io_debug true
	limits {
		all rate 20 1s
		all concurrency 10
	}
	max_message_size 64M
	check {
		require_mx_record
		require_tls { fail_action quarantine }
		dkim
		spf
		rspamd {
			api_path redacted
		}
	}
	dmarc yes
	source $(local_domains) {
		reject 501 5.1.8 "Use Submission for outgoing SMTP"
	}
	default_source {
		destination postmaster $(local_domains) {
			deliver_to &local_routing
		}
		default_destination {
			reject 550 5.1.1 "User doesn't exist"
		}
	}
}

I also tried this with the whole check block and dmarc commented out.

Environment information

  • maddy version: 0.7.1 linux/amd64 go1.22.6
  • os: NixOS 24.11 (Vicuna) (unstable)

imol-ai added the bug (Something isn't working.) label Nov 2, 2024

mjl- commented Nov 6, 2024

fyi, a workaround may be to disable tls session tickets, see https://github.com/mjl-/mox/issues/237 for details.

imol-ai commented Nov 17, 2024

Hi @foxcpp, could you take a look at this if you have a minute? It is quite a burning problem.


vsenko commented Nov 21, 2024

The problem is widespread, we encounter it too.


vsenko commented Nov 21, 2024

A temporary solution is to disable TLS 1.3:

protocols tls1.0 tls1.2

As long as maddy defaults are to allow TLS 1.0 - 1.3, and TLS 1.2 is still not deprecated, it looks not that bad.

foxcpp added a commit that referenced this issue Nov 24, 2024
Workaround for Outlook delivery issues.
See #730

foxcpp commented Nov 24, 2024

fc179fc with workaround applies. Can someone confirm that it indeed fixes the issue?

@Dr-Escher

> fc179fc with workaround applies. Can someone confirm that it indeed fixes the issue?

Confirmed


imol-ai commented Nov 24, 2024

Also works here.


McSinyx commented Dec 28, 2024

Should a new release be published then?
