
How to Whitelist a sender with MTA's poor reputation

alexpopaz777
Level 1

We have a customer that is not able to send e-mail to users from our organization. The e-mails are bouncing back with:

 

"554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."

 

I am trying to whitelist this sender and so far nothing works.

Any help would be appreciated.


The first step is to figure out if it's the IP or the domain that's bad. In the tracking, look for the SBRS score of the IP.

Also look for the SDR rating.

Depending upon which one, you tweak it differently.

Once you have the IP, check your HAT under Mail Policy/HAT overview...

Make sure to select the inbound listener, then check open the appropriate sender group and add the IP. 

Now whatever Mail flow policy is assigned to that policy will apply to mail from that address. Make sure it's doing what you want it to.

IPs are matched to Sender group from the TOP down, just like mail policy, so this IP needs to go into sender group that is above the groups based on SBRS score (Blocked, suspect, unknown in this example). 


Hi Ken,

Thank you for replying. I've looked up the MX records IP addresses of the sender in scope. The domain name, along with IP addresses were added to the allow list.
I've noticed that when running an e-mail trace report, there are no results returned, even when using very broad search criteria for this sender. This is not helping, as I don't have any specific details I can work with.

Hey Alex,
In the GUI, go to Security Services/Message Tracking (near the bottom under "Centralized Services", even if you aren't centralizing...). Make sure Rejected Connection Handling is enabled, at least while you're debugging this.
Also check your various mail flow policies, specifically the "BLOCKED" one, and set it for "REJECT" instead of "TCP Refuse".
That will let the mail get a little farther down the pipeline before it gets booted, and more info gathered, so we can see what's going on.
Have them send more test mails. You should see them in the mail log, or if you use Message Tracking you ought to be able to see them if you click Advanced, and search for Rejected connections.

alexpopaz777
Level 1

Hi Ken,

- Rejected Connection Handling was already enabled

- "BLOCKED" mail flow policy was already set for "REJECT"

I've asked the sender to reply to test e-mails and the e-mail trace reports are showing zero results. It looks like the e-mails are not even reaching the ESAs.

 

I was provided a bounced e-mail header and I can see our ESA IP address, as it rejected the message:

 

Reason: There was an error while attempting to deliver your message with [Subject: <removed>] to <user@company.com>. MTA <server name> received this response from the destination host IP - <ESA IP address> -  554 , 554-<ESA FQDN>

554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.

Ok.. so now I'd go digging in the logs.
Grep, on the box, or download them from the box (via FTP...) and use something else to search them.

It will look something like this:
Tue Apr 5 10:25:59 2022 Info: New SMTP ICID 19797555 interface Public (172.xxx.xxx.xxx) address 185.102.170.199 reverse dns host kit.mrniceseedbank.com verified yes
Tue Apr 5 10:25:59 2022 Warning: SMTP connection rejected on interface Public address 185.102.170.199
Tue Apr 5 10:25:59 2022 Info: ICID 19797555 TCPREFUSE SG BLOCKED_LIST match sbrs[-10.0:-3.0] SBRS -9.7 country United States
Tue Apr 5 10:25:59 2022 Info: ICID 19797555 close
So you can see which IP and which SenderGroup it's hitting.
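The log search described in the reply above, as an added example that is not part of the original post: a small Python parser that joins each "New SMTP ICID" line to its HAT verdict line by ICID and lists the connections blocked by an SBRS range rule. The first four sample lines are the ones quoted in the reply; the last three are constructed, and the function names are this example's own.

```python
import re

# Lines 1-4 are the sample quoted in the reply above; lines 5-7 are constructed.
SAMPLE_LOG = """\
Tue Apr 5 10:25:59 2022 Info: New SMTP ICID 19797555 interface Public (172.xxx.xxx.xxx) address 185.102.170.199 reverse dns host kit.mrniceseedbank.com verified yes
Tue Apr 5 10:25:59 2022 Warning: SMTP connection rejected on interface Public address 185.102.170.199
Tue Apr 5 10:25:59 2022 Info: ICID 19797555 TCPREFUSE SG BLOCKED_LIST match sbrs[-10.0:-3.0] SBRS -9.7 country United States
Tue Apr 5 10:25:59 2022 Info: ICID 19797555 close
Tue Apr 5 10:26:03 2022 Info: New SMTP ICID 19797556 interface Public (172.xxx.xxx.xxx) address 192.0.2.10 reverse dns host mail.example.com verified yes
Tue Apr 5 10:26:03 2022 Info: ICID 19797556 ACCEPT SG ALLOWED_LIST match 192.0.2.10 SBRS 1.2 country United States
Tue Apr 5 10:26:04 2022 Info: ICID 19797556 close
"""

# Connection-open line: carries the ICID, the remote IP and its reverse DNS name.
NEW_CONN = re.compile(
    r"New SMTP ICID (\d+) interface \S+ \(\S+\) address (\S+) reverse dns host (\S+)")
# HAT verdict line: action, sender group, the rule that matched, and the SBRS value.
VERDICT = re.compile(
    r"ICID (\d+) (ACCEPT|RELAY|REJECT|TCPREFUSE) SG (\S+) match (\S+) SBRS (\S+)")

def hat_verdicts(log_text):
    """Join each connection-open line to its HAT verdict line by ICID."""
    peers, verdicts = {}, []
    for line in log_text.splitlines():
        m = NEW_CONN.search(line)
        if m:
            peers[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = VERDICT.search(line)
        if m:
            icid, action, group, rule, sbrs = m.groups()
            ip, rdns = peers.get(icid, ("?", "?"))  # verdict seen without its open line
            verdicts.append({"icid": icid, "ip": ip, "rdns": rdns, "action": action,
                             "sender_group": group, "rule": rule, "sbrs": sbrs})
    return verdicts

def blocked_by_reputation(log_text):
    """Connections refused or rejected because an sbrs[...] range rule matched."""
    return [v for v in hat_verdicts(log_text)
            if v["action"] in ("REJECT", "TCPREFUSE") and v["rule"].startswith("sbrs[")]

if __name__ == "__main__":
    for v in blocked_by_reputation(SAMPLE_LOG):
        print(f'{v["ip"]} ({v["rdns"]}) {v["action"]} by {v["sender_group"]} '
              f'rule {v["rule"]} SBRS {v["sbrs"]}')
```

The SBRS value is kept as a string because the field is not always numeric.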

The solution was to update the HAT table Allowed_List. I've added the sender's mail server public IP address. This allows e-mail delivery although the sender's domain is blacklisted.

 

Thanks for your help! 
