foxcpp / maddy

✉️ Composable all-in-one mail server.
https://maddy.email
GNU General Public License v3.0

Unable to receive mail from outlook servers #730

Open imol-ai opened 2 weeks ago

imol-ai commented 2 weeks ago

Describe the bug

Whenever somebody from Microsoft Outlook (doesn't matter if it's a company or private email) tries to send me a message, the message delivery fails. Funnily enough, I can send mail to Outlook addresses without any problem. Any other host can send my maddy server messages without a single problem; I have tried at least twenty.

Steps to reproduce

Send a message from an outlook address to the maddy server.

Log files

When outlook connects to my server:

Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 220 redacted ESMTP Service Ready
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: EHLO EUR05-DB8-obe.outbound.protection.outlook.com
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250-Hello EUR05-DB8-obe.outbound.protection.outlook.com
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250-PIPELINING
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250-8BITMIME
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250-ENHANCEDSTATUSCODES
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250-CHUNKING
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250-STARTTLS
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250-SMTPUTF8
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 250 SIZE 67108864
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: STARTTLS
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 220 2.0.0 Ready to start TLS
Nov 02 16:17:04 tempelhof maddy[81396]: smtp: 550 5.0.0 Handshake error

The logs that outlook gave me after it couldn't deliver:

Diagnostic information for administrators:

Generating server: AM7PR10MB3480.EURPRD10.PROD.OUTLOOK.COM
Receiving server: AM7PR10MB3480.EURPRD10.PROD.OUTLOOK.COM

redacted@redacted.tld
11/2/2024 9:26:59 AM - Server at AM7PR10MB3480.EURPRD10.PROD.OUTLOOK.COM returned '550 5.4.317 Message expired, cannot connect to remote server(451 4.4.0 Security status Renegotiate)'
11/2/2024 9:17:03 AM - Server at redacted (redacted) returned '450 4.4.317 Cannot connect to remote server [Message=451 4.4.0 Security status Renegotiate] [LastAttemptedServerName=redacted] [LastAttemptedIP=redacted] [SmtpSecurity=-2;-2] [DB8EUR05FT024.eop-eur05.prod.protection.outlook.com 2024-11-02T09:17:04.213Z 08DCFA5EB073BFF6](451 4.4.0 Security status Renegotiate)'

Original message headers:

Received: from PAVPR10MB7354.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:31d::12)
 by AM7PR10MB3480.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:132::17) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8114.20; Sat, 2 Nov
 2024 07:32:55 +0000
---snip---

Configuration file

TLS config:

protocols tls1.2 tls1.3
ciphers ECDHE-ECDSA-WITH-AES256-GCM-SHA384 ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-WITH-AES128-GCM-SHA256 ECDHE-RSA-WITH-AES256-GCM-SHA384 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-AES128-GCM-SHA256

I also tried with:

protocols tls1.0 tls1.3
ciphers RSA-WITH-RC4128-SHA RSA-WITH-3DES-EDE-CBC-SHA RSA-WITH-AES128-CBC-SHA RSA-WITH-AES256-CBC-SHA RSA-WITH-AES128-CBC-SHA256 RSA-WITH-AES128-GCM-SHA256 RSA-WITH-AES256-GCM-SHA384 ECDHE-ECDSA-WITH-RC4128-SHA ECDHE-ECDSA-WITH-AES128-CBC-SHA ECDHE-ECDSA-WITH-AES256-CBC-SHA ECDHE-RSA-WITH-RC4128-SHA ECDHE-RSA-WITH-3DES-EDE-CBC-SHA ECDHE-RSA-WITH-AES128-CBC-SHA ECDHE-RSA-WITH-AES256-CBC-SHA ECDHE-ECDSA-WITH-AES128-CBC-SHA256 ECDHE-RSA-WITH-AES128-CBC-SHA256 ECDHE-RSA-WITH-AES128-GCM-SHA256 ECDHE-ECDSA-WITH-AES128-GCM-SHA256 ECDHE-RSA-WITH-AES256-GCM-SHA384 ECDHE-ECDSA-WITH-AES256-GCM-SHA384 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-WITH-CHACHA20-POLY1305
curves p256 p384 p521 X25519

SMTP config:

smtp tcp://${pub_ipv4}:25 tcp://[${pub_ipv6}]:25 {
    debug true # only for the logs
    io_debug true
    limits {
        all rate 20 1s
        all concurrency 10
    }
    max_message_size 64M
    check {
        require_mx_record
        require_tls { fail_action quarantine }
        dkim
        spf
        rspamd {
            api_path redacted
        }
    }
    dmarc yes
    source $(local_domains) {
        reject 501 5.1.8 "Use Submission for outgoing SMTP"
    }
    default_source {
        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            reject 550 5.1.1 "User doesn't exist"
        }
    }
}

And I also tried this with the whole check block and dmarc commented out.

Environment information

mjl- commented 2 weeks ago

FYI, a workaround may be to disable TLS session tickets; see https://github.com/mjl-/mox/issues/237 for details. @foxcpp

imol-ai commented 4 days ago

Hi @foxcpp, could you take a look at this if you have a minute? It is quite a burning problem.

vsenko commented 1 day ago

The problem is widespread, we encounter it too.

vsenko commented 1 day ago

A temporary solution is to disable TLS 1.3:

protocols tls1.0 tls1.2

As long as maddy's defaults allow TLS 1.0 - 1.3 and TLS 1.2 is still not deprecated, it does not look that bad.
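The two workarounds in this thread (mjl-'s hint to disable TLS session tickets, and vsenko's `protocols tls1.0 tls1.2`) expressed as Go crypto/tls settings and exercised with an in-process handshake, as an added example that is not part of this thread and not maddy's own code. The hostname mx.example.invalid, the throwaway self-signed certificate generated at runtime, and the names newTestIdentity, ServerConfig and Handshake are all constructed for the example; the cipher list is the one from the issue's first TLS config written with Go's constant names. Whether maddy's config exposes a session-ticket switch is not stated in the thread, so the example shows only the crypto/tls level.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

// newTestIdentity builds a throwaway self-signed certificate for the in-process
// server and a root pool that trusts it (constructed for this example; a real MX
// presents its real certificate).
func newTestIdentity() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "mx.example.invalid"},
		DNSNames:     []string{"mx.example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// ServerConfig applies both workarounds: session tickets off, and when
// allowTLS13 is false the equivalent of "protocols tls1.2" only.
// CipherSuites only affects TLS 1.2; Go fixes the TLS 1.3 suites itself.
func ServerConfig(cert tls.Certificate, allowTLS13 bool) *tls.Config {
	cfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		MaxVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // the mox workaround mjl- referred to
		CipherSuites: []uint16{ // the issue's first cipher list, Go names
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
	if !allowTLS13 {
		cfg.MaxVersion = tls.VersionTLS12 // vsenko's "protocols tls1.0 tls1.2"
	}
	return cfg
}

// Handshake runs one client/server handshake over net.Pipe and returns the
// TLS version the server negotiated. The client is a plain Go client that
// offers TLS 1.2 and 1.3, so the server config decides the outcome.
func Handshake(server *tls.Config, roots *x509.CertPool) (uint16, error) {
	clientEnd, serverEnd := net.Pipe()
	defer clientEnd.Close() // closing the raw pipe ends avoids blocking on close_notify
	defer serverEnd.Close()
	srv := tls.Server(serverEnd, server)
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cli := tls.Client(clientEnd, &tls.Config{
		ServerName: "mx.example.invalid",
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
	})
	if err := cli.Handshake(); err != nil {
		return 0, fmt.Errorf("client: %w", err)
	}
	if err := <-srvErr; err != nil {
		return 0, fmt.Errorf("server: %w", err)
	}
	return srv.ConnectionState().Version, nil
}

var versionNames = map[uint16]string{tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}

func main() {
	cert, roots, err := newTestIdentity()
	if err != nil {
		log.Fatal(err)
	}
	for _, allow13 := range []bool{true, false} {
		v, err := Handshake(ServerConfig(cert, allow13), roots)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("tls1.3 allowed=%v -> negotiated %s (session tickets disabled)\n", allow13, versionNames[v])
	}
}
```

Running it shows TLS 1.3 negotiated with the first config and TLS 1.2 with the second; the session-ticket switch is independent of the version cap, so the two workarounds can be tried one at a time to see which one the Outlook relays actually need.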