Mysterious transient failures mailing outlook on cert renewal day

I can't explain why this would be a thing, but it seems to be a thing: Every time we renew our certs, we start getting mail bounced by outlook/hotmail/msn, usually for a day or so. If we fill out the "please stop rejecting our mail" form, we eventually get a thing saying we're "not eligible" for that.

msn-com.olc.protection.outlook.com[104.47.12.33] said:
550 5.7.1 Unfortunately, messages from [redacted] weren't sent. Please
contact your Internet service provider since part of their network is on
our block list (S3150). You can also refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors.
[DB3EUR04FT010.eop-eur04.prod.protection.outlook.com] (in reply to MAIL
FROM command)

It doesn't seem that we actually stay on the block list for any length of time, maybe a day or two. And once or twice would be coincidence, but I think this has happened about every 2-3 months for as long as I've been using LE, it just took me a long time to start noticing the pattern.

I can't immediately figure out why, or what about any part of this would be related, but it seems like a heck of a coincidence unless the outlook spam protection is somehow picking this up and acting on the information that the cert is new or something?!?

1 Like

This is an odd one! I've had lots of trouble with deliverability to Microsoft too; I wouldn't be surprised to see them (or their machine learning algorithms) treating "too new" TLS certificates as suspicious.

But, they shouldn't need to see your cert at all. When TLS is used for an SMTP session between independent sites, it's usually anonymous: the server (being connected to) will present its cert, but the client won't. Postfix recommends you don't present a client cert in most cases.

I experimented on my own system and found that Postfix's default level of logging doesn't detail TLS negotiation very well, so you might need to tweak that if you'd like to troubleshoot this further.

4 Likes

Thanks! We were indeed set to send outgoing TLS certs, and the docs say not to, so I've commented that out and kicked it.

2 Likes
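An added example, not code from this thread or from the Postfix project: a small Python audit that separates Postfix's client-side `smtp_*` TLS parameters (outgoing mail, which the replies say should not present a cert) from the server-side `smtpd_*` ones (incoming mail, where the Let's Encrypt cert belongs), and rewrites the client-cert lines and `smtp_tls_loglevel` the way the final reply describes. The sample `main.cf` and its paths are constructed; continuation lines are not handled.

```python
import re

# Constructed sample main.cf, in the "before" state from the thread: the
# server cert (smtpd_*) is also handed to the outbound SMTP client (smtp_*).
SAMPLE_MAIN_CF = """
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.org/privkey.pem
smtpd_tls_security_level = may
smtp_tls_cert_file = /etc/letsencrypt/live/mail.example.org/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.example.org/privkey.pem
smtp_tls_security_level = may
smtp_tls_loglevel = 0
"""

# Parameters that make the Postfix SMTP *client* present a certificate.
CLIENT_CERT_PARAMS = ("smtp_tls_cert_file", "smtp_tls_key_file", "smtp_tls_chain_files")


def parse_main_cf(text):
    """Return {parameter: value} for the non-comment 'key = value' lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def audit_client_tls(params):
    """Report whether the outbound client presents a cert and whether TLS handshakes are logged."""
    client_cert = sorted(k for k, v in params.items() if k in CLIENT_CERT_PARAMS and v)
    loglevel = int(params.get("smtp_tls_loglevel") or 0)
    return {"presents_client_cert": bool(client_cert),
            "client_cert_params": client_cert,
            "tls_logging": loglevel >= 1}


def fix_client_tls(text):
    """Comment out client-cert params (server smtpd_* lines untouched) and set smtp_tls_loglevel = 1."""
    out, seen_loglevel = [], False
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key in CLIENT_CERT_PARAMS:
            out.append("# " + line)  # stop presenting a client cert on outbound TLS
        elif key == "smtp_tls_loglevel":
            out.append("smtp_tls_loglevel = 1")  # log TLS handshake summaries for troubleshooting
            seen_loglevel = True
        else:
            out.append(line)
    if not seen_loglevel:
        out.append("smtp_tls_loglevel = 1")
    return "\n".join(out)
```

Run `audit_client_tls(parse_main_cf(SAMPLE_MAIN_CF))` before and after `fix_client_tls` to see the client-cert flag flip while the `smtpd_*` server cert stays in place.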