Archive

Archive for January, 2018

NDR Codes

01/25/2018 No comments

When two email servers, or Mail Transfer Agents (MTAs), send and receive emails between each other, they communicate using a series of numeric codes. These SMTP codes always take place in pairs, which means that both of the servers will transmit SMTP codes, until either the conversation is successful, or fails.

When troubleshooting dropped or failed SMTP conversations, there are two main types of codes used; 400 and 500 error codes. The first number in this code, generally indicates whether the MTA accepted the command or if the command was rejected.


If you are trying to send an email to a Mimecast customer and receiving any of the error codes below, this should be escalated to the Mimecast Administrator of the intended recipient. Mimecast is only able to deal with the designated contacts for our customers.

The values of interest for this article are:
•4xx: The server has encountered a temporary failure. If the command is repeated without any change, it may be successful, depending on the reason for the initial failure. Mail servers can use such temporary failures to hold connections from untrusted sources, while additional security checks are performed
•5xx: The server has encountered a permanent error and the email delivery has failed. The remaining two numbers in the code provide more information regarding the reason for the temporary or permanent failure.

400 Error Codes

Error 400 codes are typically temporary failures, so a correctly configured mail server should retry the connection based on their Delivery. These connections will be logged in Connection Attempts if applicable.

Temporary Email Connection Failures Failures (ordered by most common to least common):

Code

Reason Given to Sending MTA

Description

Recommended Resolution

421 Sender address blocked The sender’s IP address has been blocked by a Block Policy The entry will need to be removed from the Block Senders Policy

421 Unable to process connection at this time The Mimecast Server is currently under maximum load. The sending mail server should retry the connection The email will be processed on retry, when the Mimecast service has processed some of the current load
451 Internal resource temporarily unavailable
The sending mail server has been subjected to Greylisting . Greylisting requires that the server retries the connection, between 1 minute and 12 hours.

OR

The senders IP address has a poor reputation. The connection is temporarily failed while updated reputation information is obtained.
These reputation checks can be bypassed with an Auto Allow entry, a Permitted Senders Policy ; or if it is legitimate traffic being blocked by greylisting, by creating a Greylisting bypass policy.
451 Message ended early The message was incorrectly terminated. This can be caused by files that have previously been infected with a virus, and have not been cleaned correctly by an anti-virus product, which has then left traces in the email. This can also be caused by Firewall issues on the sender’s side, or incorrectly configured content rules on a security device. The Administrator should investigate their Intrusion Detection software or other SMTP protocol analyzers. If running a Cisco Firewall, ensure that the Mailguard or SMTP Fixup module is disabled.
451 Open relay not allowed This error indicates that both the sender AND the recipient email domains specified in the transmission are external to the Mimecast service and therefore are not allowed to relay through the Mimecast service and / or the connecting IP address was not recognized as authorized. Mimecast customers should contact Mimecast Support for the Authorized Outbound address to be added or to take other remedial action as appropriate.
451 Account outbounds disabled The customer account outbound emails have been disabled in the Mimecast Administration Console. Contact Mimecast Support if the account outbound traffic should be allowed.
451 Account inbounds disabled The customer account inbound emails have been disabled in the Mimecast Administration Console. Contact Mimecast Support if the account outbound traffic should be allowed.
451 Account service temporarily unavailable There are too many concurrent inbound connections for this account (the default is 20).
The IP address will automatically be removed from the Mimecast temporary block list after 5 minutes. Continued invalid connections will result in the IP getting added to the Mimecast temporary block list again.

Ensure that you do not try to route outbound or journal messages to Mimecast from an IP address that has not been authorized to do so.

451 Recipient Temporarily Unavailable The Sender’s IP address has been placed on the Mimecast temporary block list due to too many invalid connections. The senders mail server will need to retry the connection. The mail server performing is the recipient address validation is not responding.
451 Unable to process email at this time Temporary Mimecast internal error: an AV scanner or store server is temporarily unavailable due to updates being deployed to it. The email will be processed on retry once the updates have been deployed.
451 Unable to process email at this time Catch all error if reason is unknown
Contact Mimecast Support to investigate.


We can only liaise with the designated contacts for the Mimecast Account.

451 IP Temporarily Blacklisted You’ve reached a limit on your mail server. Wait and try again. The mail server won’t accept any further messages until you are under the limit.
452 Too many recipients
By default, the Mimecast platform only accepts 100 RCPT TO entries per message body (DATA).

If the sending server issues more RCPT TO entries, then the Mimecast platform will respond with “452 Too many recipients”.

This transient error code should trigger the sending mail server to provide the DATA for the first 100 recipients before it provides the next batch of RCPT TO entries.

None. Most mail servers correctly respect the transient error and will treat it as a “truncation request”. If your mail server, firewall or on-site solution does not respect the transient error, you may need to ensure that no more than 100 recipients are submitted.


Solutions like SMTP Fix Up / MailGuard and ESMTP inspection on Cisco Pix and ASA Firewalls are known not to respect the transient error. Mimecast advises that you to disable this functionality.

500 Error Codes

Error 500 codes are typically permanent failures. These connections are rejected in protocol, and the connection is logged in the Rejection Viewer. As the email is rejected in protocol, it is not retrievable from the Mimecast Administration Console, and will need to be resent once the issue has been addressed.

Permanent Email Connection Failures (ordered by most common to least common):

Code

Reason Given to Sending MTA

Description

Recommended Resolution

501 Invalid address The email address is not a valid SMTP address. The sender should resend the email to a valid internal email address.
535 Incorrect authentication data Messages submitted to SMTP port 587 require authentication. This error indicates that the authentication details provided were incorrect. Ensure your authentication details match an internal email address on the Mimecast platform with a corresponding Mimecast cloud password. Alternatively consider sending the message on SMTP port 25 instead.
550 Administrative prohibition – envelope blocked The sender’s email address or domain matches an entry in a Block Sender Policy, or there is an SPF hard rejection. The Block Sender Policy must be removed or modified to exclude the sender address.
550 Anti-Spoofing policy – Inbound not allowed This is a spoofed email and has been flagged by the Anti-Spoofing Policy.
An Anti-Spoofing Policy must be created to take no action to exclude the sender’s address or IP address.

550 Rejected by header based Anti-Spoofing policy This is a spoofed email and has been flagged by the Anti-Spoofing Policy. An Anti-Spoofing Policy must be created to take no action to exclude the sender’s address or IP address.
550 Envelope blocked – User Entry A personal block policy is in place for this email address. Remove the entry from the Managed Sender list.
550 Envelope blocked – User Domain Entry A personal block policy is in place for this domain. Remove the entry from the Managed Sender list.
550 Rejected by header based Blocked Senders – Block policy for Header From A Block Sender Policy has been applied to reject emails based on the Header From address Remove or adjust the Block Sender Policy

550 Envelope Rejected – Block policy for Envelope from address A Block Sender Policy has been applied to reject emails based on the Envelope From address Remove or adjust the Block Sender Policy.
550 Rejected by header based manually Blocked Senders – block for manual block A personal block policy is in place for this email address. Remove the entry from the Managed Sender list.
550

The sender’s IP address is listed in an RBL. The text displayed is specific to the RBL which lists the senders IP address. The RBL can be bypassed with an Auto Allow entry or Permitted Senders Policy. It is also recommended that the sender requests removal of the associated IP address from the RBL.
550 Local CT IP Reputation – (reject) This error is based on ongoing reputation checks, which have resulted in the email being rejected due to poor IP reputation (this could be subsequent to temporary failures).
This rejection can be bypassed with an Auto Allow entry, or by creating a Permitted Senders Policy.


You can request a review of your source IP ranges by completing our online form, available at: http://www.mimecast.com/senderfeedback

550 Invalid Recipient Known recipient, LDAP or SMTP call forwarding recipient validation checks have not returned a valid internal user. The sender must resend the email to a valid internal recipient address.
550 Exceeding outbound thread limit There are too many concurrent outbound connections for the account. Send the outbound emails in smaller chunks of recipients.
550 Submitter failed to authenticate Messages submitted to SMTP port 587 require authentication. This error indicates that no authentication details were provided. Configure your authentication details. These should match an internal email address on the Mimecast platform with a corresponding Mimecast cloud password. Alternatively consider sending the message on SMTP port 25 instead.
550 Message bounced due to Content Examination Policy A Content Examination Definitions and associated Policy are being used to reject emails based on the specified text matches within the email. Create a Content Examination Bypass Policy or adjust the existing Content Examination Definition/Policy as needed.
550 SPF Sender Invalid – envelope rejected The inbound message has originated from an IP address that is not listed in the published SPF records for the sending domain and has been rejected.
Ensure that all of the IP address for your mail servers are correctly listed in your SPF records.

Alternatively you can create a DNS Authentication policy with the Inbound SPF check disabled or disable the ‘Reject on hard fail’ option. So that messages that fail our SPF checks are subjected to Spam and RBL checks, rather than rejected.

553 This route requires encryption (TLS) This email has been sent using SMTP, however TLS is required by policy. Review or disable the Secure Receipt/Delivery Policy which is enforcing TLS. Alternatively ensure that the certificates on the mail server have not expired. If using a proxy server, ensure that it is not intercepting the traffic and modifying encryption parameters.
554 Email rejected due to security policies (E.g. MCSpamSignature.x.x)
A signature was detected, which could either be a virus signature, or a spam score over the maximum threshold. The spam score is not available in the Administration Console.


If you’re not a Mimecast customer but have emails rejected with this error code, contact the recipient to adjust their configuration and permit your address. If unsuccessful, your IT department can submit a request to review these email rejections via our Sender Feedback form.

Anti-virus checks cannot be bypassed, and the sender should be notified see if there is anything they can do on their end to stop these emails from being blocked. Anti-spam checks can be bypassed using a Configuring Permitted Senders Policies or an Auto Allow entry.

You can view the rejected emails by looking at your Outbound Activity and searching for the email address in question.

554 Mail loop detected There are too many “received headers” in this email, as it has been forwarded across multiple hops. Once 25 hops has been reached, the email is rejected. Investigate the email addresses involved in the communication pairs to see what forwarders have been configured on the involved mail servers.
Maximum email size exceeded
The email size either exceeds an Email Size Limits Policy, or is larger than Mimecast service limit:
•Default 100 MB for “the Legacy MTA”
•Default 200 MB for “the Latest MTA”

Resend the email ensuring that it is smaller than the limitation set.


The transmission and content encoding can add significantly to the total size of the email. This means that an email with a 70 MB attachment, can have an overall size larger than 100 MB.

Categories: Uncategorized Tags: