Mimecast SMTP Error Codes

Document created by user.oxriBaJeN4 Employee on Sep 11, 2015Last modified by user.oxriBaJeN4 Employee on Jul 25, 2017
Version 16Show Document
  • View in full screen mode

When two email servers, or Mail Transfer Agents (MTAs), send and receive emails between each other, they communicate using a series of numeric codes.  These SMTP codes always take place in pairs, which means that both of the servers will transmit SMTP codes, until either the conversation is successful, or fails.

 

When troubleshooting dropped or failed SMTP conversations, there are two main types of codes used; 400 and 500 error codes. The first number in this code, generally indicates whether the MTA accepted the command or if the command was rejected.

If you are trying to send an email to a Mimecast customer and receiving any of the error codes below, this should be escalated to the Mimecast Administrator of the intended recipient. Mimecast is only able to deal with the designated contacts for our customers.

The values of interest for this article are:

  • 4xx: The server has encountered a temporary failure. If the command is repeated without any change, it may be successful, depending on the reason for the initial failure. Mail servers can use such temporary failures to hold connections from untrusted sources, while additional security checks are performed
  • 5xx: The server has encountered a permanent error and the email delivery has failed. The remaining two numbers in the code provide more information regarding the reason for the temporary or permanent failure.

 

400 Error Codes

 

Error 400 codes are typically temporary failures, so a correctly configured mail server should retry the connection based on their Delivery. These connections will be logged in Connection Attempts if applicable.

 

Temporary Email Connection Failures Failures (ordered by most common to least common):

 

CodeReason Given to Sending MTADescriptionRecommended Resolution
421Sender address blockedThe sender's IP address has been blocked by a Block PolicyThe entry will need to be removed from the Block Senders Policy
421Unable to process connection at this timeThe Mimecast Server is currently under maximum load. The sending mail server should retry the connectionThe email will be processed on retry, when the Mimecast service has processed some of the current load
451Internal resource temporarily unavailable

The sending mail server has been subjected to Greylisting . Greylisting requires that the server retries the connection, between 1 minute and 12 hours.

OR

The senders IP address has a poor reputation. The connection is temporarily failed while updated reputation information is obtained.

These reputation checks can be bypassed with an Auto Allow entry, a Permitted Senders Policy ; or if it is legitimate traffic being blocked by greylisting, by creating a Greylisting bypass policy.
451Message ended earlyThe message was incorrectly terminated. This can be caused by files that have previously been infected with a virus, and have not been cleaned correctly by an anti-virus product, which has then left traces in the email. This can also be caused by Firewall issues on the sender's side, or incorrectly configured content rules on a security device.The Administrator should investigate their Intrusion Detection software or other SMTP protocol analyzers.  If running a Cisco Firewall, ensure that the Mailguard or SMTP Fixup module is disabled.
451Open relay not allowedThis error indicates that both the sender AND the recipient email domains specified in the transmission are external to the Mimecast service and therefore are not allowed to relay through the Mimecast service and / or the connecting IP address was not recognized as authorized.Mimecast customers should contact Mimecast Support for the Authorized Outbound address to be added or to take other remedial action as appropriate.
451Account outbounds disabledThe customer account outbound emails have been disabled in the Mimecast Administration Console.Contact Mimecast Support if the account outbound traffic should be allowed.
451Account inbounds disabledThe customer account inbound emails have been disabled in the Mimecast Administration Console.Contact Mimecast Support if the account outbound traffic should be allowed.
451Account service temporarily unavailableThere are too many concurrent inbound connections for this account (the default is 20).

The IP address will automatically be removed from the Mimecast temporary block list after 5 minutes. Continued invalid connections will result in the IP getting added to the Mimecast temporary block list again.

 

Ensure that you do not try to route outbound or journal messages to Mimecast from an IP address that has not been authorized to do so.

451Recipient Temporarily UnavailableThe Sender's IP address has been placed on the Mimecast temporary block list due to too many invalid connections.The senders mail server will need to retry the connection. The mail server performing is the recipient address validation is not responding.
451Unable to process email at this timeTemporary Mimecast internal error: an AV scanner or store server is temporarily unavailable due to updates being deployed to it.The email will be processed on retry once the updates have been deployed.
451Unable to process email at this timeCatch all error if reason is unknown

Contact Mimecast Support to investigate.

We can only liaise with the designated contacts for the Mimecast Account.

451IP Temporarily BlacklistedYou've reached a limit on your mail server.Wait and try again. The mail server won't accept any further messages until you are under the limit.
452Too many recipients

By default, the Mimecast platform only accepts 100 RCPT TO entries per message body (DATA).

 

If the sending server issues more RCPT TO entries, then the Mimecast platform will respond with "452 Too many recipients".

 

This transient error code should trigger the sending mail server to provide the DATA for the first 100 recipients before it provides the next batch of RCPT TO entries.

None. Most mail servers correctly respect the transient error and will treat it as a "truncation request". If your mail server, firewall or on-site solution does not respect the transient error, you may need to ensure that no more than 100 recipients are submitted.

Solutions like SMTP Fix Up / MailGuard and ESMTP inspection on Cisco Pix and ASA Firewalls are known not to respect the transient error. Mimecast advises that you to disable this functionality.

 

500 Error Codes

 

Error 500 codes are typically permanent failures. These connections are rejected in protocol, and the connection is logged in the Rejection Viewer. As the email is rejected in protocol, it is not retrievable from the Mimecast Administration Console, and will need to be resent once the issue has been addressed.

 

Permanent Email Connection Failures (ordered by most common to least common):

 

CodeReason Given to Sending MTADescriptionRecommended Resolution
501Invalid addressThe email address is not a valid SMTP address.The sender should resend the email to a valid internal email address.
535Incorrect authentication dataMessages submitted to SMTP port 587 require authentication. This error indicates that the authentication details provided were incorrect.Ensure your authentication details match an internal email address on the Mimecast platform with a corresponding Mimecast cloud password. Alternatively  consider sending the message on SMTP port 25 instead.
550Administrative prohibition - envelope blockedThe sender's email address or domain matches an entry in a Block Sender Policy, or there is an SPF hard rejection.The Block Sender Policy must be removed or modified to exclude the sender address.
550Anti-Spoofing policy - Inbound not allowedThis is a spoofed email and has been flagged by the Anti-Spoofing Policy.

An Anti-Spoofing Policy must be created to take no action to exclude the sender's address or IP address.

550Rejected by header based Anti-Spoofing policyThis is a spoofed email and has been flagged by the Anti-Spoofing Policy.An Anti-Spoofing Policy must be created to take no action to exclude the sender's address or IP address.
550Envelope blocked - User EntryA personal block policy is in place for this email address.Remove the entry from the Managed Sender list.
550Envelope blocked - User Domain EntryA personal block policy is in place for this domain.Remove the entry from the Managed Sender list.
550Rejected by header based Blocked Senders – Block policy for Header FromA Block Sender Policy has been applied to reject emails based on the Header From addressRemove or adjust the Block Sender Policy
550Envelope Rejected – Block policy for Envelope from addressA Block Sender Policy has been applied to reject emails based on the Envelope From addressRemove or adjust the Block Sender Policy.
550Rejected by header based manually Blocked Senders – block for manual blockA personal block policy is in place for this email address.Remove the entry from the Managed Sender list.
550<details of RBL>The sender's IP address is listed in an RBL. The text displayed is specific to the RBL which lists the senders IP address.The RBL can be bypassed with an Auto Allow entry or Permitted Senders Policy. It is also recommended that the sender requests removal of the associated IP address from the RBL.
550Local CT IP Reputation - (reject)This error is based on ongoing reputation checks, which have resulted in the email being rejected due to poor IP reputation (this could be subsequent to temporary failures).

This rejection can be bypassed with an Auto Allow entry, or by creating a Permitted Senders Policy.

You can request a review of your source IP ranges by completing our online form, available at: http://www.mimecast.com/senderfeedback

550Invalid RecipientKnown recipient, LDAP or SMTP call forwarding recipient validation checks have not returned a valid internal user.The sender must resend the email to a valid internal recipient address.
550Exceeding outbound thread limitThere are too many concurrent outbound connections for the account.Send the outbound emails in smaller chunks of recipients.
550Submitter failed to authenticateMessages submitted to SMTP port 587 require authentication. This error indicates that no authentication details were provided.Configure your authentication details. These should match an internal email address on the Mimecast platform with a corresponding Mimecast cloud password. Alternatively consider sending the message on SMTP port 25 instead.
550Message bounced due to Content Examination PolicyA Content Examination Definitions and associated Policy are being used to reject emails based on the specified text matches within the email.Create a Content Examination Bypass Policy or adjust the existing Content Examination Definition/Policy as needed.
550SPF Sender Invalid - envelope rejectedThe inbound message has originated from an IP address that is not listed in the published SPF records for the sending domain and has been rejected.

Ensure that all of the IP address for your mail servers are correctly listed in your SPF records.

 

Alternatively you can create a DNS Authentication policy with the Inbound SPF check disabled or disable the 'Reject on hard fail' option. So that messages that fail our SPF checks are subjected to Spam and RBL checks, rather than rejected.

553This route requires encryption (TLS)This email has been sent using SMTP, however TLS is required by policy.Review or disable the Secure Receipt/Delivery Policy which is enforcing TLS. Alternatively ensure that the certificates on the mail server have not expired. If using a proxy server, ensure that it is not intercepting the traffic and modifying encryption parameters.
554Email rejected due to security policies (E.g. MCSpamSignature.x.x)

A signature was detected, which could either be a virus signature, or a spam score over the maximum threshold. The spam score is not available in the Administration Console.

If you're not a Mimecast customer but have emails rejected with this error code, contact the recipient to adjust their configuration and permit your address. If unsuccessful, your IT department can submit a request to review these email rejections via our Sender Feedback form.

Anti-virus checks cannot be bypassed, and the sender should be notified see if there is anything they can do on their end to stop these emails from being blocked. Anti-spam checks can be bypassed using a Configuring Permitted Senders Policies or an Auto Allow entry.

You can view the rejected emails by looking at your Outbound Activity and searching for the email address in question.

554Mail loop detectedThere are too many "received headers" in this email, as it has been forwarded across multiple hops. Once 25 hops has been reached, the email is rejected.Investigate the email addresses involved in the communication pairs to see what forwarders have been configured on the involved mail servers.
Maximum email size exceeded

The email size either exceeds an Email Size Limits Policy, or is larger than Mimecast service limit:

  • Default 100 MB for "the Legacy MTA"
  • Default 200 MB for "the Latest MTA"

Resend the email ensuring that it is smaller than the limitation set.

 

The transmission and content encoding can add significantly to the total size of the email. This means that an email with a 70 MB attachment, can have an overall size larger than 100 MB.

 

These SMTP codes and reasons are communicated to the sending MTA. For a permanent failure, these details should be included in the Non-Delivery Report (NDR) generated by that mail server.

2 people found this helpful

Attachments

    Outcomes