01 Nov SMTP Error Codes
When messages are sent or received between two email servers or Mail Transfer Agents (MTAs), the communication uses a series of numeric SMTP codes. These codes are always in pairs, which means both servers transmit the codes until the conversation either succeeds or fails.
There are two main code types for dropped or failed SMTP conversations. The first number in a code indicates whether the MTA accepted the command or rejected it. The remaining two numbers in a code provide information on the reason for the failure. The code types are:
- 4xx: The server encountered a temporary failure. If the command is repeated without being changed, it may be successful depending on the reason for the initial failure. Mail servers use temporary failures to hold connections from untrusted sources, while additional security checks are performed.
- 5xx: The server has encountered a permanent error and the message delivery has failed.
4xx Error Codes
A correctly configured mail server should retry sending a message if a 4xx error code is received. These connections are logged in the Message Center: Rejected and Deferred Messages list.
Code | Reason Given to Sending MTA | Description | Recommended Resolution |
---|---|---|---|
421 | Sender address blocked | The sender’s IP address has been blocked by a Blocked Senders Policy. | Remove the entry from the policy. |
421 | Unable to process connection at this time | The Mimecast server is under maximum load. | The message is processed when the Mimecast server is less busy. |
451 | Internal resource temporarily unavailable | The sending mail server is subjected to Greylisting. This requires the server to retry the connection, between one minute and 12 hours. Alternatively, the sender’s IP address has a poor reputation. | These reputation checks can be bypassed with an Auto Allow or Permitted Senders policy. If it’s legitimate traffic, create a Greylisting Bypass policy. |
451 | Message ended early | The message was incorrectly terminated. This can be caused by: | Investigate the Intrusion Detection software or other SMTP protocol analyzers. If running a Cisco Firewall, ensure the Mailguard or SMTP Fixup module is disabled. |
451 | Open relay not allowed | Both the sender AND recipient domains specified in the transmission are external to Mimecast, and aren’t allowed to relay through the Mimecast service and / or the connecting IP address isn’t recognized as authorized. | Mimecast customers should contact Mimecast Support to add the Authorized Outbound address, or to take other remedial action. |
451 | Account outbounds disabled | The customer account outbound emails are disabled in the Administration Console. | Contact Mimecast Support if the account’s outbound traffic should be allowed. |
451 | Account inbounds disabled | The customer account inbound emails are disabled in the Administration Console. | Contact Mimecast Support if the account’s inbound traffic should be allowed. |
451 | Account service temporarily unavailable | There are too many concurrent inbound connections for the account. The default is 20. | The IP address is automatically removed from the block list after five minutes. Continued invalid connections result in the IP being readded to the block list. Ensure you don’t route outbound or journal messages to Mimecast from an IP address that hasn’t been authorized to do so. |
451 | Recipient Temporarily Unavailable | The Sender’s IP address has been placed on the block list due to too many invalid connections. | The sender’s mail server must retry the connection. The mail server performing the connection says the recipient address validation isn’t responding. |
451 | Unable to process email at this time | An AV scanner or store server is temporarily unavailable due to updates being deployed. | The message is processed once the updates are deployed. |
451 | Unable to process email at this time | Generic error if the reason is unknown | Contact Mimecast Support. |
451 | IP Temporarily Blacklisted | You’ve reached your mail server’s limit. | Wait and try again. The mail server won’t accept any messages until you’re under the limit. |
451 | Hostname is not authorized | Omni Directional hostnames is enabled. | Disable Omni Directional hostnames. |
452 | Too many recipients | The sending server issues more than 100 RCPT TO entries. By default, Mimecast only accepts 100 RCPT TO entries per message body (DATA). The error triggers the sending mail server to provide the DATA for the first 100 recipients before it provides the next batch of RCPT TO entries. | None. Most mail servers respect the transient error and treat it as a “truncation request”. If your mail server, firewall, or on-site solution doesn’t respect the error, you must ensure that no more than 100 recipients are submitted. Solutions like SMTP Fix Up / MailGuard and ESMTP inspection on Cisco Pix and ASA Firewalls are known not to respect the transient error. We advise you disable this functionality. |
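The 452 "truncation request" behaviour from the last row, sketched as an added example (not Mimecast code): a sender that stops adding recipients on 452, sends DATA for the batch already accepted, and opens a new transaction for the rest. `FakeMTA` and `send_respecting_452` are hypothetical names, and the in-memory server is constructed for illustration only.

```python
MAX_RCPT = 100  # per-message RCPT TO limit stated in the 452 row


class FakeMTA:
    """Constructed in-memory receiver (hypothetical) enforcing the RCPT limit."""

    def __init__(self, limit=MAX_RCPT):
        self.limit = limit
        self.pending = []      # recipients accepted in the current transaction
        self.delivered = []    # one recipient list per completed DATA

    def mail_from(self, sender):
        self.pending = []
        return 250, "OK"

    def rcpt_to(self, rcpt):
        if len(self.pending) >= self.limit:
            return 452, "Too many recipients"
        self.pending.append(rcpt)
        return 250, "OK"

    def data(self, body):
        self.delivered.append(list(self.pending))
        self.pending = []
        return 250, "OK"


def send_respecting_452(server, sender, recipients, body):
    """Deliver to every recipient, treating 452 as a request to split the batch."""
    queue = list(recipients)
    while queue:
        server.mail_from(sender)
        accepted = 0
        for rcpt in queue:
            code, reason = server.rcpt_to(rcpt)
            if code == 452:
                break  # transient: keep what was accepted, defer the rest
            if code != 250:
                raise RuntimeError(f"{rcpt}: {code} {reason}")
            accepted += 1
        if accepted == 0:
            raise RuntimeError("no recipient accepted; retry later")
        server.data(body)           # DATA for the accepted batch
        queue = queue[accepted:]    # remaining recipients get a new transaction
    return [len(batch) for batch in server.delivered]
```

A device that rewrites or drops the 452 breaks the `break` branch above, which is why the row advises disabling SMTP inspection features that do not respect the transient error.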
5xx Error Codes
Error 5xx codes are permanent failures. These connections are rejected in protocol, and the connection is logged in the Rejection Viewer. As the message is rejected in protocol, it isn’t retrievable from the Administration Console, and must be resent once the issue is addressed.
Code | Reason Given to Sending MTA | Description | Recommended Resolution |
---|---|---|---|
501 | Invalid address | The email address isn’t a valid SMTP address. | The sender must resend the message to a valid internal email address. |
503 | User unknown | The server has encountered a bad sequence of commands, or it requires an authentication. | In case of a “bad sequence”, the server has pulled off its commands in a wrong order, usually because of a broken connection. If authentication is needed, enter your username and password. |
535 | Incorrect authentication data | Messages submitted to SMTP port 587 require authentication. This error indicates the authentication details provided were incorrect. | Check your authentication details match an internal email address in Mimecast, with a corresponding Mimecast cloud password. Alternatively, consider sending the message on SMTP port 25. |
550 | Submitter failed to authenticate | ||
550 | Administrative prohibition – envelope blocked | The sender’s email address or domain has triggered a Blocked Senders Policy, or there’s a SPF hard rejection. | Delete or modify the Block Sender Policy to exclude the sender address. |
550 | Anti-Spoofing policy – Inbound not allowed | The message has triggered an Anti-Spoofing Policy. | Create an Anti-Spoofing Policy to take no action for the sender’s address or IP address. |
550 | Rejected by header based Anti-Spoofing policy | ||
550 | Envelope blocked – User Entry | A personal block policy is in place for the email address / domain. | Remove the email address / domain from the managed senders list. |
550 | Envelope blocked – User Domain Entry | ||
550 | Rejected by header based manually Blocked Senders – block for manual block | ||
550 | Rejected by header based Blocked Senders – Block policy for Header From | A Block Sender Policy has been applied to reject emails based on the Header From or Envelope From address. | Delete or change the Block Sender policy. |
550 | Envelope Rejected – Block policy for Envelope from address | ||
550 | <details of RBL> | The sender’s IP address is listed in an RBL. The text displayed is specific to the RBL which lists the sender’s IP address. | Bypass the RBL with an Auto Allow or Permitted Senders policy. Additionally, request removal of the associated IP address from the RBL. |
550 | Local CT IP Reputation – (reject) | Ongoing reputation checks have resulted in the message being rejected due to poor IP reputation. This could be subsequent to a 4xx error. | Create an Auto Allow or Permitted Senders policy. You can request a review of your source IP ranges by completing our online form. |
550 | Invalid Recipient | Known recipient, LDAP or SMTP call forwarding recipient validation checks haven’t returned a valid internal user. | The sender must resend the message to a valid internal recipient address. |
550 | Exceeding outbound thread limit | There are too many concurrent outbound connections for the account. | Send the messages in smaller chunks of recipients. |
550 | Message bounced due to Content Examination Policy | The message has triggered a Content Examination policy. | Create a Content Examination Bypass Policy, or adjust the Content Examination policy as required. |
550 | SPF Sender Invalid – envelope rejected | The inbound message has been rejected because the originated IP address isn’t listed in the published SPF records for the sending domain. | Ensure all the IP addresses for your mail servers are listed in your SPF records. Alternatively, create a DNS Authentication Policy with the “Inbound SPF” or “Reject on Hard Fail” option disabled. Messages that fail our SPF checks are subjected to spam and RBL checks, instead of being rejected. |
550 | DKIM Sender Invalid – envelope rejected | The DKIM key for the outbound message is broken, and doesn’t match the DNS record of the registered sender. | Check your organization’s DNS record is populated with the right public key as part of the DNS Authentication Outbound Signing definition. The private key of the keypair must be populated in the DNS Authentication policy, along with the domain and selector of that record. |
550 | DMARC Sender Invalid – envelope rejected | The inbound message has been rejected because the originated IP address isn’t listed in the published DMARC records for the sending domain. | Ensure all the IP addresses for your mail servers are listed in your DMARC records. |
550 | Journal message past expiration | Attempts are being made to journal mail that is past the set expiry threshold. The failure will be replaced by a retry response because the message is marked for retry if rejected, causing the journal queue to grow. | Check to confirm there are no significant time discrepancies on the mail server. Discontinue journaling old messages past the expiry threshold. |
553 | This route requires encryption (TLS) | This email has been sent using SMTP, but TLS is required by policy. | Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS. Alternatively, ensure the certificates on the mail server haven’t expired. If using a proxy server, ensure it isn’t intercepting the traffic and modifying encryption parameters. |
553 | This route requires TLS version 1.2 or greater | A TLS connection has been attempted using a TLS version that is lower than TLS 1.2. | Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS. Alternatively, ensure the mail server attempting to connect is using the appropriate version of TLS. |
553 | This route requires high strength ciphers | A secure connection was attempted using ciphers that do not meet the configured cipher strength. | Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS. Alternatively, ensure the certificates on the mail server haven’t expired. If using a proxy server, ensure it isn’t intercepting the traffic and modifying encryption parameters. |
554 | Email rejected due to security policies (E.g. MCSpamSignature.x.x) | A signature was detected that could either be a virus, or a spam score over the maximum threshold. The spam score isn’t available in the Administration Console. If you aren’t a Mimecast customer but have emails rejected with this error code, contact the recipient to adjust their configuration and permit your address. If unsuccessful, your IT department can submit a request to review these email rejections via our Sender Feedback form. | Anti-virus checks cannot be bypassed. Contact the sender to see if they can stop these messages from being blocked. Anti-spam checks can be bypassed using a Configuring Permitted Senders or Auto Allow policy. Rejected emails can be viewed in your Outbound Activity and searching for the required email address. |
554 | Mail loop detected | The message has too many “received headers” as it has been forwarded across multiple hops. Once 25 hops have been reached, the email is rejected. | Investigate the email addresses in the communication pairs, to see what forwarders are configured on the mail servers. |
554 | Maximum email size exceeded | The email size either exceeds an Email Size Limits policy, or is larger than Mimecast service limit. The default is 100 MB for the Legacy MTA, and 200 MB for “the Latest MTA”. | Resend the message ensuring it’s smaller than the limitation set. The transmission and content encoding can add significantly to the total message size (e.g. a message with a 70 MB attachment, can have an overall size larger than 100 MB). |
554 | Host network not allowed | The message has triggered a Geographical Restrictions Policy. | Delete or amend the policy. |
554 | Configuration is invalid for this certificate | Validation on your umbrella accounts domain name does not conform to your DNS. | Check your DNS has the required umbrella accounts listed as comma separated values. |
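A sender-side triage of reply strings, added here as an example and not taken from Mimecast: it parses the reply code and reason, applies the 4xx retry / 5xx reject split, and flags a 4xx reason that keeps recurring and so is not being cleared by retries. The function names, the `stuck_after` threshold and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Optional enhanced status code, three-digit reply code, then the reason text.
REPLY_RE = re.compile(
    r"(?:(?P<enh>[245]\.\d{1,3}\.\d{1,3})\s+)?(?P<code>[245]\d\d)[ -](?P<text>.*)"
)
# Trailing " – <documentation URL> [transaction id]" appended to the reason.
TAIL_RE = re.compile(r"\s+[–-]\s+https?://\S+.*$")


def parse_reply(line):
    """Return (code, reason, disposition), or None if the line has no SMTP reply."""
    m = REPLY_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    reason = TAIL_RE.sub("", m.group("text")).strip()
    disposition = {2: "accepted", 4: "retry", 5: "rejected"}[code // 100]
    return code, reason, disposition


def triage(lines, stuck_after=3):
    """Group replies by disposition; flag 4xx reasons seen stuck_after times or more."""
    seen = Counter(p for p in map(parse_reply, lines) if p)
    report = {"retry": [], "rejected": [], "stuck": []}
    for (code, reason, disposition), count in seen.items():
        if disposition == "accepted":
            continue
        report[disposition].append((code, reason))
        if disposition == "retry" and count >= stuck_after:
            report["stuck"].append((code, reason))  # retrying alone is not clearing it
    return report


# Constructed sample log lines: reason strings come from the tables above,
# the URL and bracketed ids are placeholders.
SAMPLE = [
    "451 Internal resource temporarily unavailable – https://example.invalid/doc#451 [id-1]",
    "LED=451 Open relay not allowed – https://example.invalid/doc#451 [id-2]",
    "LED=451 Open relay not allowed – https://example.invalid/doc#451 [id-3]",
    "LED=451 Open relay not allowed – https://example.invalid/doc#451 [id-4]",
    "5.0.0 550 DMARC Sender Invalid – envelope rejected – https://example.invalid/doc#550",
    "250 OK",
]
```

Entries under `stuck` are the ones to check against the Recommended Resolution column, since several 451 reasons in the table need a policy or configuration change before a retry can succeed.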
-
Hi Bill.
These are rejection spam signatures issued with a 554 SMTP error code. The numbers at the end can help us determine what caused the rejection, but we’ll need access to your log files to do so. Can you please raise a ticket with our Support Desk, and they will progress this for you.
-
Hi,
Thanks Bill for raising this. It would be nice and efficient if we could have access to more detailed information about these spam signature codes, which would enable us to understand and be able to explain the cause of the rejection.
We find ourselves having to explain why messages are rejected, and to say it’s a spam signature is not enough. Also I do not think I want to log a ticket with support every time I get these.
-
I am experiencing the same issue John has raised. The permitted user group works for most but I have two domains that still get caught. We have not implemented the user digest yet. I am hoping that will enable the users to release these held messages and cut down on the number of support calls we are getting.
-
Hi
I just noticed this error going through our service desk and clicked the link but there is no info for DMARC on here.
– The last reported error was: 5.0.0 550 DMARC Sender Invalid – envelope rejected – https://community.mimecast.com/docs/DOC-1369#550
Thought I’d mention in case it was an oversight.
se
-
We have a client who have had the umbrella configuration completed, however whilst they are able to send through Mimecast via their 365 (onmicrosoft.com) domain they are unable to do so through their usual domain.
Reason: [{LED=451 Open relay not allowed – https://community.mimecast.com/docs/DOC-1369#451 [EYKiw4JbPoCrtxRdtYlsTQ.uk61]};{MSG=};{FQDN=eu-smtp-o365-outbound-1.mimecast.com};{IP=91.220.42.199};{LRT=8/17/2019 10:57:31 AM}]. OutboundProxyTargetIP: 91.220.42.199. OutboundProxyTargetHostName: eu-smtp-o365-outbound-1.mimecast.com
What is likely to be the problem here and how do we resolve it for them?
-
I was reading this but it looks like some information is missing? The Resolution section of 550 – Envelope blocked – User Entry or User Domain Entry seems to be missing part of it.
Remove the email address / domain from the The specified item was not found. list.
I am not sure what the “from the The specified item…” means. I am currently receiving this error but am trying to find the resolution but it does not provide the information.
Thanks
-
Thanks for pointing this out Bobby Ko. It looks like there was a broken link. This has now been corrected.
-
MCSpamSignature.x
As the head of IT, I really need to know more on this.
[MCSpamSignature.r.s.64.011]
[MCSpamSignature.r.s.64.009]
[MCSpamSignature.r.s.64.01]
These all mean nothing to me, and when upset customers are looking for answers as to why their messages are being blocked, I have nothing to offer them.
Is there another list where these codes are broken down further?