I can't receive emails from Office 365, others work fine

Hello

I have CipherMail set up in front of mailcow on a separate server. I set my MX records to ciphermail.domain.tld, and some senders, like Gmail users, can send emails to me without a problem; the email goes straight through to mailcow. But for Office 365 senders nothing happens; the email is never received by CipherMail.

The only thing in the logs about it is this:

Jan 2 23:33:42 sign postfix/smtpd[89094]: Anonymous TLS connection established from mail-he1eur04on2130.outbound.protection.outlook.com[40.107.7.130]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 2 23:33:42 sign postfix/smtpd[89094]: disconnect from mail-he1eur04on2130.outbound.protection.outlook.com[40.107.7.130] ehlo=1 starttls=1 quit=1 commands=3
Jan 2 23:33:42 sign postfix/smtpd[89094]: connect from mail-he1eur04on070f.outbound.protection.outlook.com[2a01:111:f400:fe0d::70f]
Jan 2 23:33:42 sign postfix/smtpd[89094]: Anonymous TLS connection established from mail-he1eur04on070f.outbound.protection.outlook.com[2a01:111:f400:fe0d::70f]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 2 23:33:42 sign postfix/smtpd[89094]: disconnect from mail-he1eur04on070f.outbound.protection.outlook.com[2a01:111:f400:fe0d::70f] ehlo=1 starttls=1 quit=1 commands=3
Jan 2 23:33:47 sign postfix/smtpd[89094]: connect from mail-am6eur05on2119.outbound.protection.outlook.com[40.107.22.119]
Jan 2 23:33:47 sign postfix/smtpd[89094]: Anonymous TLS connection established from mail-am6eur05on2119.outbound.protection.outlook.com[40.107.22.119]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 2 23:33:47 sign postfix/smtpd[89094]: disconnect from mail-am6eur05on2119.outbound.protection.outlook.com[40.107.22.119] ehlo=1 starttls=1 quit=1 commands=3
Jan 2 23:33:47 sign postfix/smtpd[89094]: connect from mail-am6eur05on20700.outbound.protection.outlook.com[2a01:111:f403:2612::700]
Jan 2 23:33:47 sign postfix/smtpd[89094]: Anonymous TLS connection established from mail-am6eur05on20700.outbound.protection.outlook.com[2a01:111:f403:2612::700]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 2 23:33:47 sign postfix/smtpd[89094]: disconnect from mail-am6eur05on20700.outbound.protection.outlook.com[2a01:111:f403:2612::700] ehlo=1 starttls=1 quit=1 commands=3
Jan 2 23:34:48 sign postfix/smtpd[89094]: connect from mail-am6eur05on2104.outbound.protection.outlook.com[40.107.22.104]
Jan 2 23:34:48 sign postfix/smtpd[89094]: Anonymous TLS connection established from mail-am6eur05on2104.outbound.protection.outlook.com[40.107.22.104]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 2 23:34:48 sign postfix/smtpd[89094]: disconnect from mail-am6eur05on2104.outbound.protection.outlook.com[40.107.22.104] ehlo=1 starttls=1 quit=1 commands=3
Jan 2 23:34:48 sign postfix/smtpd[89094]: connect from mail-am6eur05on20701.outbound.protection.outlook.com[2a01:111:f403:2612::701]
Jan 2 23:34:48 sign postfix/smtpd[89094]: Anonymous TLS connection established from mail-am6eur05on20701.outbound.protection.outlook.com[2a01:111:f403:2612::701]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 2 23:34:48 sign postfix/smtpd[89094]: disconnect from mail-am6eur05on20701.outbound.protection.outlook.com[2a01:111:f403:2612::701] ehlo=1 starttls=1 quit=1 commands=3
Jan 2 23:35:48 sign postfix/smtpd[89094]: connect from mail-am6eur05on2097.outbound.protection.outlook.com[40.107.22.97]
Jan 2 23:35:48 sign postfix/smtpd[89094]: Anonymous TLS connection established from mail-am6eur05on2097.outbound.protection.outlook.com[40.107.22.97]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 2 23:35:48 sign postfix/smtpd[89094]: disconnect from mail-am6eur05on2097.outbound.protection.outlook.com[40.107.22.97] ehlo=1 starttls=1 quit=1 commands=3
Jan 2 23:35:48 sign postfix/smtpd[89094]: connect from mail-am6eur05on20701.outbound.protection.outlook.com[2a01:111:f403:2612::701]
Jan 2 23:35:48 sign postfix/smtpd[89094]: Anonymous TLS connection established from mail-am6eur05on20701.outbound.protection.outlook.com[2a01:111:f403:2612::701]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 2 23:35:48 sign postfix/smtpd[89094]: disconnect from mail-am6eur05on20701.outbound.protection.outlook.com[2a01:111:f403:2612::701] ehlo=1 starttls=1 quit=1 commands=3
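The tell in the lines above is the counter set on every disconnect: `ehlo=1 starttls=1 quit=1 commands=3`. One EHLO, a completed TLS handshake, then QUIT, with no second EHLO and no MAIL, so the sending side walked away right after the handshake rather than being rejected by Postfix. That is consistent with a sender that enforces DANE giving up when the certificate does not match the published TLSA record, the cause this thread eventually identifies. As an added example (not part of the original post or of CipherMail), here is a small Python triage that applies that reading to constructed Postfix `smtpd` lines in the same shape; the hostnames and addresses are placeholders, and the class names (`submitted`, `tls_then_quit`, `probe`) are my own labels.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of Postfix smtpd logging; the hostnames and
# addresses are placeholders (documentation ranges), not the thread's real peers.
SAMPLE_LOG = """\
Jan 2 23:33:42 sign postfix/smtpd[89094]: connect from mail-a.outbound.example-cloud.test[192.0.2.10]
Jan 2 23:33:42 sign postfix/smtpd[89094]: Anonymous TLS connection established from mail-a.outbound.example-cloud.test[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 2 23:33:42 sign postfix/smtpd[89094]: disconnect from mail-a.outbound.example-cloud.test[192.0.2.10] ehlo=1 starttls=1 quit=1 commands=3
Jan 2 23:33:47 sign postfix/smtpd[89094]: connect from mail-b.outbound.example-cloud.test[2001:db8::b]
Jan 2 23:33:47 sign postfix/smtpd[89094]: Anonymous TLS connection established from mail-b.outbound.example-cloud.test[2001:db8::b]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 2 23:33:47 sign postfix/smtpd[89094]: disconnect from mail-b.outbound.example-cloud.test[2001:db8::b] ehlo=1 starttls=1 quit=1 commands=3
Jan 2 23:36:01 sign postfix/smtpd[89101]: connect from mail-x.example-webmail.test[198.51.100.7]
Jan 2 23:36:01 sign postfix/smtpd[89101]: Anonymous TLS connection established from mail-x.example-webmail.test[198.51.100.7]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan 2 23:36:02 sign postfix/smtpd[89101]: disconnect from mail-x.example-webmail.test[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jan 2 23:37:10 sign postfix/smtpd[89102]: connect from unknown[203.0.113.9]
Jan 2 23:37:10 sign postfix/smtpd[89102]: disconnect from unknown[203.0.113.9] ehlo=1 quit=1 commands=2
"""

# Postfix writes one 'disconnect from host[addr] <command counters>' line per session.
DISCONNECT = re.compile(r"disconnect from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\] (?P<counts>.+)$")


def parse_counts(text):
    """Turn 'ehlo=1 starttls=1 quit=1 commands=3' into a dict of ints."""
    counts = {}
    for item in text.split():
        key, _, value = item.partition("=")
        if value.isdigit():
            counts[key] = int(value)
    return counts


def classify_counts(counts):
    """Label a session by how far the client got before disconnecting."""
    if counts.get("data", 0) > 0:
        return "submitted"       # reached DATA: a message was actually handed over
    if counts.get("starttls", 0) > 0:
        return "tls_then_quit"   # handshake completed, then no EHLO/MAIL: client abandoned it
    return "probe"               # plaintext EHLO/QUIT only (scanners, banner checks)


def sender_domain(host):
    """'unknown' means no PTR record; otherwise drop the per-host label."""
    if host == "unknown" or "." not in host:
        return host
    return host.split(".", 1)[1]


def triage(log_text):
    """Count session classes per sending domain."""
    result = defaultdict(Counter)
    for line in log_text.splitlines():
        m = DISCONNECT.search(line)
        if m:
            label = classify_counts(parse_counts(m.group("counts")))
            result[sender_domain(m.group("host"))][label] += 1
    return dict(result)


def suspicious_senders(log_text, min_sessions=2):
    """Domains that repeatedly complete TLS and quit without ever submitting a message."""
    return sorted(domain for domain, c in triage(log_text).items()
                  if c["tls_then_quit"] >= min_sessions and c["submitted"] == 0)


if __name__ == "__main__":
    for domain, c in sorted(triage(SAMPLE_LOG).items()):
        print(f"{domain:35s} {dict(c)}")
    print("abandon TLS sessions only:", suspicious_senders(SAMPLE_LOG))
```

Feed it the real mail log instead of `SAMPLE_LOG` and a domain that only ever shows up under `tls_then_quit` is the one whose side of the handshake is rejecting you; since Postfix logged "Anonymous TLS connection established", the cipher negotiation itself succeeded, which points at what the client checks after the handshake (the certificate against DANE/TLSA, or against its own trust policy) rather than at the Postfix TLS settings.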

Does nobody have anything on this? It's still not working: all other mail servers can easily send emails to CipherMail, but O365, nope, it ain't coming through.

I can try to send you an email so I can check whether I get a bounce message with hopefully the reason why the email was not delivered.

Please let me know which email address I need to send a test email to (you can send me the address in a private message).

So I figured out what the problem was: the TLSA record was wrong, so it failed to make a connection. After I fixed the TLSA record I could receive from Office 365.

But I have another problem I have tried to solve, but to no avail.

Key exchange parameters
Verdict:
At least one of your mail servers supports insufficiently secure parameters for Diffie-Hellman key exchange.

Technical details:
Mail server (MX)	Affected parameters	Security level
domain.com.	DH-4096	insufficient
Test explanation:
We check if the public parameters used in Diffie-Hellman key exchange by your receiving mail servers (MX) are secure.

ECDHE: The security of elliptic curve Diffie-Hellman (ECDHE) ephemeral key exchange depends on the elliptic curve used. We check if the bit-length of the used elliptic curves is at least 224 bits. Currently we are not able to check the elliptic curve name.

DHE: The security of Diffie-Hellman Ephemeral (DHE) key exchange depends on the lengths of the public and secret keys used within the chosen finite field group. We test if your DHE public key material uses one of the predefined finite field groups that are specified in RFC 7919. Self-generated groups are 'Insufficient'.

The larger key sizes required for the use of DHE come with a performance penalty. Carefully evaluate and use ECDHE instead of DHE if you can.

RSA as an alternative: Besides ECDHE and DHE, RSA can be used for key exchange. However, it is at risk of becoming insufficiently secure (current status 'phase out'). The RSA public parameters are tested in the subtest 'Public key of certificate'. Note that RSA is considered as 'good' for certificate verification.

See 'IT Security Guidelines for Transport Layer Security (TLS) v2.1' from NCSC-NL, guideline B5-1 and table 9 for ECDHE, and guideline B6-1 and table 10 for DHE (in English).

Elliptic curve for ECDHE

Good: secp384r1, secp256r1, x448, and x25519
Phase out: secp224r1
Insufficient: Other curves
Finite field group for DHE

Sufficient:

ffdhe4096 (RFC 7919)
sha256 checksum: 64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
ffdhe3072 (RFC 7919)
sha256 checksum: c410cc9c4fd85d2c109f7ebe5930ca5304a52927c0ebcb1a11c5cf6b2386bbab
Note that we also test for ffdhe8192 and ffdhe6144. However their limited gain in security rarely outweighs the loss in performance.
Phase out:

ffdhe2048 (RFC 7919)
sha256 checksum: 9ba6429597aeed2d8617a7705b56e96d044f64b07971659382e426675105654b
Insufficient: Other groups

Note: the above names are based on the IANA naming conventions. Sometimes alternative names are used to refer to the same curves, like prime256v1 (ANSI) and NIST P-256 for secp256r1.

How can this be solved?
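The verdict follows from the DHE rule in the pasted report: the size of the group is not what is graded ("DH-4096" is still "insufficient"), only whether the modulus is one of the RFC 7919 groups, and a group produced locally with `openssl dhparam` never is. As an added example (not part of the thread, and not CipherMail or Postfix code), the Python below rebuilds the RFC 7919 primes from the formula in that RFC's appendix, `p = 2^b - 2^(b-64) + (floor(2^(b-130) * e) + X) * 2^64 - 1`, parses a Postfix-style `DH PARAMETERS` PEM file, and grades it the way the report does. The offsets X for the three groups are the RFC's published values; the sample inputs at the bottom are constructed here (a tiny DER encoder is included only to build them), and the verdict strings are copied from the report.

```python
import base64
import re
from decimal import Decimal, ROUND_FLOOR, localcontext
from functools import lru_cache

# RFC 7919 defines each prime by a formula (Appendix A):
#   p = 2^b - 2^(b-64) + ( floor(2^(b-130) * e) + X ) * 2^64 - 1
# with e = Euler's number; (b, X) for the three groups the report grades.
FFDHE_GROUPS = {
    "ffdhe2048": (2048, 560316),
    "ffdhe3072": (3072, 2625351),
    "ffdhe4096": (4096, 5736041),
}
# Verdicts exactly as the pasted report assigns them.
VERDICT = {"ffdhe2048": "phase out", "ffdhe3072": "sufficient", "ffdhe4096": "sufficient"}


@lru_cache(maxsize=None)
def ffdhe_prime(name):
    """Rebuild an RFC 7919 prime from its formula instead of pasting the hex."""
    bits, offset = FFDHE_GROUPS[name]
    digits = bits // 3 + 50  # decimal digits so that floor(2^(b-130) * e) comes out exact
    with localcontext() as ctx:
        ctx.prec = digits
        eps = Decimal(10) ** -digits
        e, term, k = Decimal(1), Decimal(1), 1
        while term > eps:  # e = sum of 1/k!, until terms drop below the working precision
            term /= k
            e += term
            k += 1
        scaled = int((Decimal(2) ** (bits - 130) * e).to_integral_value(rounding=ROUND_FLOOR))
    return 2 ** bits - 2 ** (bits - 64) + (scaled + offset) * 2 ** 64 - 1


def _read_tlv(der, pos):
    """Minimal DER reader: returns (tag, contents, position after this element)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length


def parse_dh_params(pem):
    """Extract (p, g) from a 'DH PARAMETERS' PEM block (PKCS#3 DHParameter SEQUENCE)."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p and g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def assess(pem):
    """The report's rule: a named RFC 7919 group gets its grade, anything else is insufficient."""
    p, _g = parse_dh_params(pem)
    for name in FFDHE_GROUPS:
        if p == ffdhe_prime(name):
            return name, VERDICT[name]
    return None, "insufficient"  # self-generated ('openssl dhparam') or any other group


# --- sample-input construction: a tiny DER encoder, used only to build test input ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n):
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")  # keeps a leading 0x00 when the top bit is set
    return b"\x02" + _der_len(len(raw)) + raw


def dh_params_pem(p, g=2):
    """Encode (p, g) as a DH PARAMETERS PEM block."""
    inner = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(inner)) + inner).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


# Constructed inputs: the genuine ffdhe4096 group, and a same-size modulus that is not an
# RFC 7919 prime, standing in for a locally generated group like the one the report flagged.
SAMPLE_FFDHE4096_PEM = dh_params_pem(ffdhe_prime("ffdhe4096"))
SAMPLE_CUSTOM_PEM = dh_params_pem(ffdhe_prime("ffdhe4096") - 2 ** 65)

if __name__ == "__main__":
    import sys
    pems = [open(path).read() for path in sys.argv[1:]] or [SAMPLE_FFDHE4096_PEM, SAMPLE_CUSTOM_PEM]
    for pem in pems:
        p, g = parse_dh_params(pem)
        print(p.bit_length(), "bit, g =", g, "->", assess(pem))
```

To get out of "insufficient", the MX must serve one of the named groups instead of a self-generated file. With OpenSSL 1.1.1 or newer, `openssl genpkey -genparam -algorithm DH -pkeyopt dh_param:ffdhe4096 -out ffdhe4096.pem` writes the RFC 7919 group (rather than inventing a new one the way `openssl dhparam 4096` does); run the checker above on the result and expect `('ffdhe4096', 'sufficient')`, then point Postfix's `smtpd_tls_dh1024_param_file` on the host the MX record names at that file and reload. Rebuilding the primes from the formula rather than trusting a downloaded hex blob is deliberate: a parameter file is exactly the kind of artifact that gets copied around unverified.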