Closed Bug 1904257 Opened 5 months ago Closed 5 months ago

Microsoft PKI Services: Invalid Email Address for CPRs

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bwilson, Assigned: Dustin.Hollenback)

Details

(Whiteboard: [ca-compliance] [policy-failure] [external])

Section 1.5.2 of the Microsoft PKI Services CPS provides an email address of centralpki@microsoft.com, but emails sent to that address are rejected as undeliverable because "sender not allowed".

Here are parts of the rejection message received:
Your message to csteamdl@microsoft.com couldn't be delivered.
The group csteamdl only accepts messages from people in its organization or on its allowed senders list, and your email address isn't on the list.
bwilson Office 365 csteamdl
Sender Action Required
Sender not allowed
How to Fix It
It appears you aren't in the same organization as the group (or a sub-group) you're sending to or your email address isn't on the group's allowed senders list. Ask the owner of the group to grant you permission to send to it, and then try again. If the group belongs to a different organization than yours, contact the organization's customer service department for assistance. If the group is in your organization and you don't know who the group owner is, you can find it by doing the following in either Outlook on the web or Outlook:
Open your Sent folder and select the original message.
If you're using Outlook on the web, select the group name located on the To or CC line. If you're using Outlook, double-click the group name located on the To or CC line.
In Outlook on the web, from the pop-up dialog box, choose Owner. In Outlook, choose Contact. The owner's name is listed under Owner.
The owner of the group may have intentionally chosen to restrict who can send messages to it, and they may not want to adjust the existing restriction. In this case, you'll have to contact the group members by some other means, such as sending an email message to their individual email addresses or contacting them by phone.
More Info for Email Admins
Status code: 550 5.7.133
This error occurs when the distribution group, security group, or Microsoft 365 group is configured to accept messages only from authenticated senders (senders in the same organization or those added to the group's allowed senders list).
To fix the issue, the recipient's email admin or the group owner must add the sender's email address to the group's allowed senders list or change the group's delivery management setting to accept messages from senders inside and outside of the organization.
Usually this issue can only be fixed by the recipient's email admin or the group owner.
For more information and steps to fix this error, see Fix email delivery issues for error code 5.7.133 in Office 365.
Original Message Details
Created Date: 6/23/2024 5:38:10 PM
Sender Address: bwilson@mozilla.com
Recipient Address: csteamdl@microsoft.com
Subject: [EXTERNAL] Test of CCADB-provided Email Address
Error Details
Error: 550 5.7.133 RESOLVER.RST.SenderNotAuthenticatedForGroup; authentication required; Delivery restriction check failed because the sender was not authenticated when sending to this group
Message rejected by: DM6PR21MB1385.namprd21.prod.outlook.com

Certificate Problem Reports are being properly delivered to centralpki@microsoft.com. However, centralpki@microsoft.com is a distribution list that forwards to multiple other internal email addresses. Sometimes some of those cc'ed addresses choose to block external email without notifying us. The net effect is that those non-critical additional parties did not receive the mail, but the problem report was still received.

In this case, the rejection notification was sent by csteamdl@microsoft.com.

We will investigate whether this csteamdl@microsoft.com member should continue to be cc'ed on email sent to centralpki@microsoft.com and if so, if it can be configured to accept external email to avoid causing further confusion. However, the main point is that email is still being received properly.

Assignee: nobody → Dustin.Hollenback
Status: NEW → ASSIGNED

Quick update: We made a slight modification to the membership so that csteamdl@microsoft.com is no longer nested within centralpki@microsoft.com. Replication may take a few hours for the change to fully take effect. Once completed, the rejection emails will stop.

Are there any other actions needed before this can be considered closed? Thank you.

I think this can be closed as "Invalid" or "Fixed" without an incident report because the email address did accomplish its intended purpose of contacting Microsoft. I'll close this on 28-June-2024 unless I hear otherwise.

Flags: needinfo?(bwilson)

Agreed that an incident response isn't necessary, but are there any actions Microsoft can take to prevent another email address in the distribution list from doing the same thing and confusing folks?

Flags: needinfo?(bwilson) → needinfo?(Dustin.Hollenback)

Hi Amir,

Membership in centralpki has been static for several years, but since one of the members was another distribution list, that DL owner was able to change settings on their CSTeamDL distribution list to block external email.

There are some potential design changes that we are investigating to replace the centralpki distribution list with a dedicated mailbox or even another communication method, but we are not prepared to commit to changing the design yet.

The best we could do for now was to remove that CSTeamDL distribution list and not add any more DLs as members.

Thanks,

Dustin

Flags: needinfo?(Dustin.Hollenback)
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Summary: Microsoft PKI Services: Invalid Email Address for Certificate Problem Reports → Microsoft PKI Services: Invalid Email Address for CPRs
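The failure described in this bug is a member group, nested inside the published Certificate Problem Report address, that was switched to accept only authenticated senders. The following PowerShell is an added example, not from the bug thread or from Microsoft, that a CA operator could run against Exchange Online to inventory a CPR distribution list and flag any nested group that would bounce external mail with 550 5.7.133. It assumes the ExchangeOnlineManagement module with an existing Connect-ExchangeOnline session, and the root address is a placeholder.

```powershell
# Added example (not from the bug thread): walk a distribution list's nested
# member groups and flag any that only accept authenticated senders, which
# is what produces the 550 5.7.133 RESOLVER.RST.SenderNotAuthenticatedForGroup
# rejection for an external reporter.
# Assumptions: ExchangeOnlineManagement module loaded and Connect-ExchangeOnline
# already run; the root address below is a placeholder.

function Find-ExternalBlockingMembers {
    param(
        [Parameter(Mandatory)][string]$Group,
        [int]$Depth = 0,
        [hashtable]$Seen = @{}
    )
    # Guard against cyclic nesting (A contains B, B contains A)
    if ($Seen.ContainsKey($Group.ToLower())) { return }
    $Seen[$Group.ToLower()] = $true

    $dg = Get-DistributionGroup -Identity $Group -ErrorAction Stop
    $state = if ($dg.RequireSenderAuthenticationEnabled) {
        'BLOCKS EXTERNAL SENDERS'
    } else {
        'accepts external senders'
    }

    # Emit one object per group so the result can be filtered or exported
    [pscustomobject]@{
        Depth   = $Depth
        Address = $dg.PrimarySmtpAddress
        State   = $state
    }

    # Recurse only into members that are themselves mail-enabled groups;
    # individual mailboxes cannot impose a group-level sender restriction
    Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
        Where-Object { $_.RecipientTypeDetails -like 'MailUniversal*Group' } |
        ForEach-Object {
            Find-ExternalBlockingMembers -Group $_.PrimarySmtpAddress `
                                         -Depth ($Depth + 1) -Seen $Seen
        }
}

# Usage: review the published CPR address before (re)publishing it in the CPS.
# Any row marked BLOCKS EXTERNAL SENDERS will generate bounces to outside
# reporters even though the top-level list itself still delivers.
Find-ExternalBlockingMembers -Group 'cpr-address@example.com' |
    Format-Table Depth, Address, State -AutoSize
```

Running this on a schedule, or before each CPS revision, catches a member list owner flipping the restriction without notice, which is the gap the thread identifies.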