Since January 4th, all the SMTP connections we get from *.outbound.protection.outlook.com fail right after issuing STARTTLS.
Our side hasn't changed in a long time and is made of Postfix 2.9.6 with OpenSSL 1.0.1 (with all security fixes backported). Our server has SSLv2, SSLv3, TLS1, TLSv1.1 and TLSv1.2 enabled for optional encryption. The STARTTLS mechanism is optional but always used by *.outbound.protection.outlook.com servers apparently.
At first we thought it was related to https://support.microsoft.com/kb/2992611 so we disabled the following ciphers:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
That unfortunately didn't help. We are now trying to disable TLSv1.2 completely and see if it helps.
Any suggestion to work around this issue would be appreciated. If it's a client-side problem, an ETA for resolution would be great too.
Thanks in advance,
Simon Deziel
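
To confirm that the failures after STARTTLS are confined to one sender population, as the post describes, the receiving side's mail log can be tallied per client domain. The following is an added example, not part of the original post: it assumes standard Postfix smtpd syslog messages with smtpd_tls_loglevel set to at least 1 so that successful handshakes are logged, and the sample lines, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd syslog format (hosts and IPs are made up).
SAMPLE_LOG = """\
Jan  5 10:00:01 mx postfix/smtpd[2101]: connect from mail-a.outbound.protection.outlook.com[192.0.2.10]
Jan  5 10:00:02 mx postfix/smtpd[2101]: SSL_accept error from mail-a.outbound.protection.outlook.com[192.0.2.10]: -1
Jan  5 10:00:02 mx postfix/smtpd[2101]: lost connection after STARTTLS from mail-a.outbound.protection.outlook.com[192.0.2.10]
Jan  5 10:00:05 mx postfix/smtpd[2102]: connect from mail-b.outbound.protection.outlook.com[192.0.2.11]
Jan  5 10:00:06 mx postfix/smtpd[2102]: lost connection after STARTTLS from mail-b.outbound.protection.outlook.com[192.0.2.11]
Jan  5 10:01:00 mx postfix/smtpd[2103]: connect from relay.example.net[198.51.100.7]
Jan  5 10:01:01 mx postfix/smtpd[2103]: Anonymous TLS connection established from relay.example.net[198.51.100.7]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# The message must start right after "smtpd[pid]: ", so "disconnect from" is not matched.
EVENT = re.compile(
    r"postfix/smtpd\[\d+\]: "
    r"(?P<what>connect|lost connection after STARTTLS|SSL_accept error"
    r"|\w+ TLS connection established) from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
)
KIND = {"connect": "connect",
        "lost connection after STARTTLS": "lost_after_starttls",
        "SSL_accept error": "ssl_accept_error"}

def client_group(host):
    """Drop the first DNS label so all hosts of one sender pool share a key."""
    labels = host.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else host

def tally(log_text):
    """Count connection and TLS outcomes per client group."""
    stats = defaultdict(lambda: {"connect": 0, "tls_ok": 0,
                                 "lost_after_starttls": 0, "ssl_accept_error": 0})
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m:  # any "... TLS connection established" variant counts as success
            key = KIND.get(m.group("what"), "tls_ok")
            stats[client_group(m.group("host"))][key] += 1
    return dict(stats)

def failing_groups(stats, min_connects=2):
    """Groups that connect repeatedly, never finish a handshake, and drop after STARTTLS."""
    return sorted(g for g, s in stats.items()
                  if s["connect"] >= min_connects and s["tls_ok"] == 0
                  and s["lost_after_starttls"] > 0)

if __name__ == "__main__":
    print(failing_groups(tally(SAMPLE_LOG)))
```

Re-running the tally after each change (a cipher exclusion, disabling TLSv1.2) shows whether the affected group starts completing handshakes.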