
Mails to hotmail gone missing?

Azurel

Silver Pleskian
I use CentOS 6 with Plesk12#42.

For a few days now, mails to hotmail have been vanishing without any error. The postfix log said:

Apr 17 21:26:02 mail postfix/qmgr[2284]: 8632E60FB5: from=<*****@*****.com>, size=689, nrcpt=1 (queue active)

Apr 17 21:26:02 mail postfix/smtpd[19146]: disconnect from *****.dip0.t-ipconnect.de[*****]

Apr 17 21:26:03 mail postfix/smtp[19196]: certificate verification failed for mx4.hotmail.com[65.55.92.152]:25: untrusted issuer /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

Apr 17 21:26:04 mail postfix/smtp[19196]: 8632E60FB5: to=<*****@hotmail.com>, relay=mx4.hotmail.com[65.55.92.152]:25, delay=2.4, delays=0.28/0/1.1/1.1, dsn=2.0.0, status=sent (250 <146883986.20150417212600@*****.com> Queued mail for delivery)

Apr 17 21:26:04 mail postfix/qmgr[2284]: 8632E60FB5: removed

Can anybody help here?
 
Hi Azurel,

Please post your postfix configuration (/etc/postfix/main.cf) for further investigation.
 
The main.cf was edited 27.02.2015.
The master.cf was edited 28.03.2015.
Last successful registered user with "hotmail.de" was 07.04.2015.

I can't post both, because: The submitted message is too long to be processed. Please shorten it.

main.cf (28KB)
http://pastebin.com/MQiRRUGb

master.cf
Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup fifo n - n 60 1 pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr fifo n - n 1 1 qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
    -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -       n       n       -       -       pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
mailman unix - n n - - pipe flags=R user=mailman:mailman argv=/usr/lib64/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
plesk_saslauthd unix y y n - 1 plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db

smtp      inet  n       -       n       -       -       smtpd
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes

plesk-**.**.**.**-***********c-0-1 unix - n n - - smtp -o smtp_bind_address=**.**.**.** -o smtp_bind_address6=*******:0:1 -o smtp_address_preference=ipv4

submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
 
In maillog I found more issues

certificate verification failed for mx4.hotmail.com[65.55.37.120]:25: untrusted issuer /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
certificate verification failed for mx-ha03.web.de[212.227.15.17]:25: untrusted issuer /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
certificate verification failed for gmail-smtp-in.l.google.com[74.125.136.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 
Hi Azurel,

in main.cf search for: "smtpd_tls_cert_file = /etc/postfix/postfix_default.pem" and insert right under it the line:

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
Restart postfix with the command: "/etc/init.d/postfix restart"
 
Hi Azurel,

Please have a CLOSER look at the suggestion. "smtpd_tls_cert_file..." is not at all the same as "smtp_tls_CAfile...".
 
Ah, now it's different. Thanks!

I have looked in /etc/ssl/certs/, which is an alias for /etc/pki/tls/certs, and found only these files:
ca-bundle.crt
ca-bundle.trust.crt
localhost.crt
make-dummy-cert
Makefile
renew-dummy-cert

A file named "ca-certificates.crt" does not exist here on my CentOS 6. yum said:

# yum list "ca-certi*"
Installed Packages
ca-certificates.noarch 2014.1.98-65.1.el6 @base
That's the last version for my system.
 
Hi Azurel,

the command "openssl version -a" should show you the full path to your standard openssl folder.

A standard procedure to search for a file on your system is using the command "locate". For example:

locate ca-certificates.crt

If you indeed get no output for your search, you can just as well use the "bundle" crt, which is the equivalent used on some systems.
Both paths should work ( "/etc/ssl/certs/" and "/etc/pki/tls/certs/" ), because "/etc/ssl/certs/" should always be a symbolic link to your very own system path to the openssl - certs, depending on your system installation.
 
#openssl version -a
result is:
OPENSSLDIR: "/etc/pki/tls"

I have added:
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
and the warning with "certificate verification failed..." is gone. *yeah*

Thank you very much!


But my main problem, that hotmail does not receive any e-mail from my domain, is still present. :(
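
Added example (not part of any post in this thread): the first log excerpt already shows `status=sent` with a 250 reply from mx4.hotmail.com right after the certificate warning, so the warning was logged but did not stop delivery. The Python sketch below pairs each `certificate verification failed` line with the delivery result logged by the same smtp client process; the recipient addresses, message ID and the third log line are constructed.

```python
import re

# First two lines follow the maillog excerpt in this thread (redacted addresses
# replaced by constructed placeholders); the third line is constructed.
SAMPLE_LOG = """\
Apr 17 21:26:03 mail postfix/smtp[19196]: certificate verification failed for mx4.hotmail.com[65.55.92.152]:25: untrusted issuer /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
Apr 17 21:26:04 mail postfix/smtp[19196]: 8632E60FB5: to=<user@hotmail.com>, relay=mx4.hotmail.com[65.55.92.152]:25, delay=2.4, delays=0.28/0/1.1/1.1, dsn=2.0.0, status=sent (250 <msgid@example.com> Queued mail for delivery)
Apr 17 21:30:10 mail postfix/smtp[19200]: AAAA000001: to=<user@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=3.0, delays=0.1/0/1.4/1.5, dsn=4.7.0, status=deferred (host mx.example.net[192.0.2.10] said: 451 4.7.0 Temporary failure)
"""

SMTP_CLIENT = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
VERIFY_FAIL = re.compile(
    r"certificate verification failed for (?P<host>[^\[]+)\[[^\]]*\]:\d+: (?P<reason>.*)$")
DELIVERY = re.compile(
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^\[,]+)"
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")


def correlate(log_text):
    """Pair TLS verification warnings with the delivery logged by the same smtp PID."""
    pending = {}  # smtp client PID -> (host, reason) of its latest TLS warning
    results = []
    for line in log_text.splitlines():
        client = SMTP_CLIENT.search(line)
        if not client:
            continue
        pid, msg = client.group("pid"), client.group("msg")
        warn = VERIFY_FAIL.match(msg)
        if warn:
            pending[pid] = (warn.group("host"), warn.group("reason"))
            continue
        sent = DELIVERY.match(msg)
        if sent:
            host, reason = pending.pop(pid, (None, None))
            record = sent.groupdict()
            # Attach the warning only if it was raised for this relay host.
            record["tls_warning"] = reason if host == record["relay"] else None
            results.append(record)
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        note = "unverified TLS peer" if r["tls_warning"] else "no TLS warning"
        print(f'{r["qid"]} -> {r["relay"]}: status={r["status"]} dsn={r["dsn"]} ({note})')
```

A record with `status=sent` and a non-empty `tls_warning` means the remote MX accepted the message over a TLS session whose certificate chain could not be verified, which is what the thread's log shows before `smtp_tls_CAfile` was set.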
 
Hi Azurel,

Your second issue needs an investigation of the DNS settings (MX, A, SPF and DKIM entries) and can't be answered by any of us if you don't provide information about the IP(s) and the domain used. We could only guess, which might not be a good solution at all.
 
My hoster said that my server is not in a blacklist and the mail queue reports no problems with hotmail.

I use http://mxtoolbox.com to check my config:

DNS Check:
first two are yellow:

SOA Retry Value is outside of the recommended range
auth1.*****.de reported Retry 14400 : Retry is recommended to be between 120 and 7200.

SOA Expire Value out of recommended range
auth1.*****.de reported Expire 860400 : Expire is recommended to be between 1209600 and 2419200.

all other values are green:

No Bad Glue Detected
At Least Two Name Servers Found
All name servers are responding
At least one name server responded
All of the name servers are Authoritative
Local NS list matches Parent NS list
Name Servers appear to be Dispersed
Name Servers have Public IP Addresses
Serial numbers match
Primary Name Server Listed At Parent
SOA Serial Number Format appears valid
SOA Refresh Value is within the recommended range
SOA Minimum TTL Value is within allowed values
No Open Recursive Name Server Detected

SMTP Test: (all green)
220 mail.*****.com ESMTP Postfix

SMTP Banner Check => OK - **.**.**.** resolves to mail.*****.com
SMTP Reverse DNS Mismatch => OK - Reverse DNS matches SMTP Banner
SMTP TLS => OK - Supports TLS.
SMTP Connection Time => 1.045 seconds - Good on Connection time
SMTP Open Relay => OK - Not an open relay.
SMTP Transaction Time => 3.416 seconds - Good on Transaction Time

SPF Check (all green):
v=spf1 +a +mx ip4:**.**.**.**ip6:****:***:**:****:****:***:0:1 -all

SPF Record Deprecated => There are no records of type SPF
SPF Invalid Syntax => The SPF record is valid
SPF No Records => SPF record found
SPF Multiple Records => Less than two SPF records found

Checking IPv4 against 91 known blacklists...
Listed 0 times with 1 timeouts

Checking IPv6 against 6 known blacklists...
Listed 0 times with 0 timeouts
 