Outlook.com/Hotmail.com


#1

I am running my own mailserver and used LetsEncrypt to generate a SSL certificate to use for TLS on SMTP port 25.

Outbound mail FROM my mail server to online email providers like yahoo.com, gmail.com, and outlook.com all work.

Inbound mail TO my mail server from online email providers like yahoo.com and gmail.com work.

Inbound mail TO my mail server from online email provider outlook.com does NOT work.

I’m thinking the outlook.com is having a problem trusting the certificate.

I’ve included the cert generated by LetsEncrypt, the intermediate cert, and the root cert.

Although when I include the root cert it says “error 19 at 2 depth lookup: self signed certificate in certificate chain” when I try to look at it using openssl.

My guess is this is an outlook.com issue, but maybe I am missing something?


#2

…which is because you’re including the root cert. Don’t do that. It may not have anything to do with your mail problem, but you shouldn’t generally be serving root certs–that’s what the client’s trust store is for.


#3

Yes, that is unrelated to my mail problem, I believe. That was just something I tried to see if it would fix the problem.

I first tried without the root certificate concatenated in the pem file. The pem file only contained the certificate itself and the intermediate certificate but I still could not receive mail from outlook.com.

If I get rid of the certificate entirely and don’t enable TLS on SMTP then I can receive mail from outlook.com.

Hoping there was something else I was missing instead of it being an issue with outlook.com.


#4

Can we have some more info? When you say inbound from outlook doesn’t work, how do you know this? Is the mail just disappearing, is the mail bouncing? If it is bouncing, shoot us a copy (anonymized details if you so choose) and let us see why.

What do your server’s mail logs say?


#5

Here is what led me to believe it’s an outlook.com issue with the LetsEncrypt certificate:

  1. Created a new test@mydomain.com email account on my mail server.
  2. Sent an email from my test@gmail.com account to test@mydomain.com
  3. Logs in my email server show gmail talking to port 25 on my mail server and successfully completing the TLS handshake. Here is the log from my mail server: “TCPConnection - TLS/SSL handshake completed. Session Id: 210, Remote IP: 209.85.213.45, Version: TLSv1.2, Cipher: ECDHE-ECDSA-AES128-GCM-SHA256, Bits: 128”
  4. Check my email account test@mydomain.com and I see the email from gmail.

Repeat the above steps using my test@yahoo.com email account and everything completes successfully as well.

Now, when I repeat the steps with my test@outlook.com email here is what happens:

  1. Using my test@mydomain.com email account on my mail server to test inbound mail from outlook.com
  2. Sent an email from my test@outlook.com account to test@mydomain.com
  3. Logs in my email server show outlook/hotmail talking to port 25 on my mail server and it can’t successfully complete the TLS handshake. Here is the log from my mail server: “TCPConnection - TLS/SSL handshake failed. Session Id: 209, Remote IP: 65.55.34.92, Error code: 336109761, Message: no shared cipher”
  4. Check my email account test@mydomain.com and I do not see the email from my test@outlook.com
  5. Check my test@outlook.com email and after a while I get an email from postmaster@mail.hotmail.com which states “This is an automatically generated Delivery Status Notification. THIS IS A WARNING MESSAGE ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE. Delivery to the following recipients has been delayed. test@mydomain.com”
  6. The next day I check my test@outlook.com email and I get an email from postmaster@mail.hotmail.com which states “This is an automatically generated Delivery Status Notification. Unable to deliver message to the following recipients, due to being unable to connect successfully to the destination mail server. test@mydomain.com”

The message from step 3 above where it says “no shared cipher” is probably because of an error with the TLS handshake. I know this because if I turn off SSL on port 25 then email from hotmail.com/outlook.com comes in successfully.

Here is what happens if I turn off SSL on port 25:

  1. Sent an email from my test@outlook.com account to test@mydomain.com
  2. Logs in my email server show outlook/hotmail talking to port 25 on my mail server and successfully establishing a connection and delivering the mail. Here is the log: “65.55.116.19” “RECEIVED: EHLO BLU004-OMC1S8.hotmail.com”, which shows a successful connection
  3. Check my email account test@mydomain.com and I see the email from test@outlook.com

Furthermore, I have another mail server configured exactly the same for a different domain but using a GoDaddy SSL certificate, and outlook.com can send to that domain with TLS:

  1. Created a new test@myotherdomain.com email account on my other mail server.
  2. Sent an email from my test@outlook.com account to test@myotherdomain.com
  3. Logs in my email server show outlook/hotmail talking to port 25 on my mail server and successfully completing the TLS handshake. Here is the log from my mail server: “TCPConnection - TLS/SSL handshake completed. Session Id: 59821, Remote IP: 65.55.34.11, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384, Bits: 256”
  4. Check my email account test@myotherdomain.com and I see the email from outlook.com/hotmail.com.

So basically, here is what led me to believe it’s an outlook.com/hotmail.com issue:

  1. Mail from gmail comes to my mail server perfectly using TLS on SMTP with a LetsEncrypt certificate
  2. Mail from yahoo comes to my mail server perfectly using TLS on SMTP with a LetsEncrypt certificate
  3. Mail from outlook.com comes to my mail server perfectly when TLS is disabled on SMTP
  4. Mail from outlook.com comes to my mail server perfectly using TLS on SMTP with a GoDaddy certificate
  5. Mail from outlook.com DOES NOT come to my mail server using TLS on SMTP with a LetsEncrypt certificate
  6. I know mail is not being delivered because I get an email from postmaster@hotmail.com telling me so.
  7. I’ve tried including the root certificate and not including it.
  8. I’ve tried including the intermediate certificate and not including it.

I assume this is a problem with outlook.com and LetsEncrypt certificates on mail servers, but I figured I would ask to see if anyone else has had this problem.

I have opened a trouble ticket with outlook.com but they may take a while to get back to me.

Thanks everyone for helping to try and figure this out.


#6

Well there you have it.


#7

As explained above, I believe that error is just masking an upstream error.

To be sure, using a GoDaddy certificate, the cipher that hotmail.com is using is ECDHE-RSA-AES256-SHA384, which is installed on my mail server.

Since hotmail.com uses that cipher when I use the GoDaddy certificate, I am assuming that hotmail.com will use the same cipher when using the LetsEncrypt certificate.

It works when TLS is not enabled on SMTP. It works when TLS is enabled on SMTP with a GoDaddy certificate. It works when TLS is enabled with LetsEncrypt using yahoo or gmail.

It does not work when TLS is enabled with a LetsEncrypt certificate using outlook.com.

The “no shared cipher” message is most likely just masking an error that outlook.com is having with the LetsEncrypt certificate, since I am assuming the cipher that hotmail.com uses would be the same with the LetsEncrypt certificate versus a GoDaddy certificate.

Unless I’m thinking incorrectly about how ciphers work…


#8

Well, we don’t know anything since you don’t tell anything. What’s the domain? What’s the server software? Is the cert RSA or EC? etc.

Cipher selection has mostly nothing to do with the cert, apart from the key type.

Edit: Since Gmail completed an ECDSA cipher handshake, I’m taking a guess that you created an EC cert with LE and Outlook doesn’t handle these.
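To make that diagnosis concrete, here is an added Python example (not from this thread or from any of the posters) that first checks which key type a PEM certificate carries, then computes the suites a server can really complete a handshake with given that key. The client offer lists are constructed to mirror the suites quoted above; they are not captured ClientHellos from Gmail or Outlook.

```python
import base64
import re

# DER encodings of the public-key algorithm OIDs that appear in a certificate's
# SubjectPublicKeyInfo (rsaEncryption and id-ecPublicKey).
OID_RSA = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
OID_EC = bytes.fromhex("06072a8648ce3d0201")       # 1.2.840.10045.2.1


def cert_key_type(pem: str) -> str:
    """Return 'RSA', 'EC' or 'unknown' for the first CERTIFICATE block in a PEM file.

    Quick triage only: it scans the DER for the key-algorithm OID instead of
    parsing X.509, so it answers the 'Is the cert RSA or EC?' question without
    needing openssl or any third-party library.
    """
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        return "unknown"
    der = base64.b64decode("".join(m.group(1).split()))
    if OID_RSA in der:
        return "RSA"
    if OID_EC in der:
        return "EC"
    return "unknown"


def auth_of(suite: str) -> str:
    """Authentication key type an OpenSSL cipher-suite name requires from the cert."""
    parts = suite.split("-")
    return parts[1] if parts[0] in ("ECDHE", "DHE") else "RSA"


def shared_ciphers(key_type, client_offers, server_supports):
    """Suites both sides list that the server can actually sign for with its cert.

    An empty list is what OpenSSL reports as 'no shared cipher', even though the
    two cipher lists may overlap on paper.
    """
    needed = {"RSA": "RSA", "EC": "ECDSA"}[key_type]
    return [s for s in client_offers if s in server_supports and auth_of(s) == needed]


# Constructed inputs modelled on the suites quoted in the thread (not real ClientHellos).
SERVER_SUITES = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                 "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "AES256-SHA"]
GMAIL_LIKE = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]
OUTLOOK_LIKE = ["ECDHE-RSA-AES256-SHA384", "AES256-SHA"]  # no ECDSA-authenticated suites

# Constructed stand-in for an EC leaf cert: a fake DER body carrying the EC key OID.
EC_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(
    b"\x30\x82\x01\x00" + OID_EC + b"\x00" * 8).decode() + "\n-----END CERTIFICATE-----\n"
```

Run `shared_ciphers(cert_key_type(open("fullchain.pem").read()), OUTLOOK_LIKE, SERVER_SUITES)` against a real chain to see the empty list an ECDSA cert produces for a client that only offers RSA-authenticated suites.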


#9

Thank you for the insight!

I wasn’t even aware that I had a choice between RSA and EC.

You are right that it is an EC cert with LE.

I’m going to try to generate an RSA cert and see if the same thing happens.

I’ll update the post after I try it out.

Thanks!


#10

That was it! Thank you so much!

I didn’t know about the difference between RSA and EC.

I re-generated the cert using an RSA key and now I see this in my mailserver logs from hotmail.com: “TCPConnection - TLS/SSL handshake completed. Session Id: 575, Remote IP: 65.55.34.19, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384, Bits: 256”

Can’t thank you enough for the insight!


#11

Dunno if that helps; among the first Google hits: http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/


#12

Definitely going to read that. Apparently, there is a lot I don’t know and need to learn :slight_smile:


#13

That’s the attitude, mate! Go get 'em!

Sorry I wasn’t able to respond to you sooner - we were busy sleeping over on my end of the world. Glad to see @TCM sorted you out, and thank you very much for providing the information we requested, it makes troubleshooting a lot easier.


#14

Really appreciate the help @TCM and you provided! Learned something new and hopefully this thread will benefit someone else with a similar issue.

Thanks!

