Outbound SMTP connections to Postfix server fail after STARTTLS (since Jan 4th)

Since January 4th, all the SMTP connections we get from *.outbound.protection.outlook.com fail right after issuing STARTTLS.

Our side hasn't change in a long time and is made of Postfix 2.9.6 with OpenSSL 1.0.1 (with all security fixes backported). Our server has SSLv2, SSLv3, TLS1, TLSv1.1 and TLSv1.2 enable for optional encryption. The STARTTLS mechanism is optional but always used by *.outbound.protection.outlook.com servers apparently.

At first we taught it was related to https://support.microsoft.com/kb/2992611 so we disabled the following ciphers:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256

That unfortunately didn't help. We are now trying to disable TLSv1.2 completely and see if it helps.

Any suggestion to workaround this issue would be appreciated. If it's a client-side problem, an ETA for resolution would be great too.

Thanks in advance,

Simon Deziel

|

Disabling TLSv1.2 completely is the only valid workaround for the problem. Unfortunately it is not a desirable solution for the long run.

Again, any ideas/suggestions welcome.

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

Hi Simon,

Thank you for posting your issue on the Microsoft Community.

Your query is better suited for the TechNet forums. The IT Professionals on this forum should be able to help you with this query. So, I would suggest you to post this query on the TechNet Windows 8.1 IT Pro Forums from this link:

TechNet Windows 8.1 IT Pro Forums
http://social.technet.microsoft.com/Forums/windows/en-US/home?category=w8itpro

Hope this information was helpful. Please get back to us with the results and if you need further assistance or have any queries regarding windows, we will be glad to assist you.

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

This is not relevant to Windows 8, or the technet forum you pointed towards. This is an outlook.com (and seemingly hotmail.com as well) TLS problem, and I've got the exact same issue. 

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

Can someone from Microsoft/Outlook.com look into this, please? Breaking the communication with MX that have TLS 1.2 enabled is a serious problem.

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

FYI, seem to have a workaround for now with my postfix config, running on CentOS, so adapt as needed. 

In /etc/postfix/main.cf:

smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo_map

In /etc/postfix/discard_ehlo_map:

# Disable TLS from outlook/hotmail
157.55.234.100 starttls
157.55.234.101 starttls
157.55.234.102 starttls
157.55.234.103 starttls
157.55.234.104 starttls
157.55.234.105 starttls
157.55.234.106 starttls
157.55.234.107 starttls

<SNIP IPs 108-200>

Then:

postmap hash:/etc/postfix/discard_ehlo_map

service postfix restart

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

 
 

Question Info


Last updated September 20, 2021 Views 1,522 Applies to: