Mail from mailing list not working

rngai_ironport · ‎09-17-2009

Hi there, can I ask for opinion on this problem I couldn't solve. It's my first time here, so if this have been asked before I apologize in advance.

Here is the scenario, an outsider (eg: grp-mail@abc.com) sent an email to this group mailing list with several recipients email in it. One of the recipient email (eg: nick@xyz.com, which is my domain) is in grp-mail@abc.com mail list.

So as you might had guess, the email was never reach "nick". I did message tracking but I couldn't find sender email (grp-mail@abc.com) so I ask for mail logs from abc.com mail admin. He sent it and I could see my Ironport reject it with this code:

Tue 2009-09-01 09:33:26: From: (sender not specified)
Tue 2009-09-01 09:33:26: To: nick@xyz.com
Tue 2009-09-01 09:33:27:<-- 550 #5.1.0 Rejected by bounce verification.
Tue 2009-09-01 09:33:28: Message has no return path, it was deleted

Then I search Ironport knowledge base and found this http://tinyurl.com/yomn5f . I did apply that change but it never work. Can someone point me out where to go from here?

Thanks in advance!

kluu_ironport · ‎09-17-2009

More than likely Step #2 from the KB article is not set up correctly on your ESA appliance.

Can you provide the new mail_logs after you implemented the KB article? I want to see what HAT overview/inbound mail policy was applied to the grp_mail@abc.com address when it was an inbound message into your ESA appliance.

rngai_ironport · ‎09-18-2009

Thanks kluu. I made the following change and clearly it didn't work. I have rollback the steps below. The step #2 from the article wasn't clear to me, could you comment with better steps (eg: steps like below)?

Mail Policies - Destination Controls
Added Destination/Domain abc.com
Set Bounce Verification to No
Submit, Commit, Commit

Mail Policies - Mail Flow Policies
Added Policy BOUNCED
Submit, Commit, Commit

Mail Policies - HAT Overview
Added Sender Group BOUNCEDLIST
Added Sender abc.com into Group BOUNCEDLIST
Submit, Commit, Commit

Thanks!

kluu_ironport · ‎09-18-2009

Thanks kluu. I made the following change and clearly it didn't work. I have rollback the steps below. The step #2 from the article wasn't clear to me, could you comment with better steps (eg: steps like below)?

Mail Policies - Destination Controls
Added Destination/Domain abc.com
Set Bounce Verification to No
Submit, Commit, Commit

Mail Policies - Mail Flow Policies
Added Policy BOUNCED
Submit, Commit, Commit

Mail Policies - HAT Overview
Added Sender Group BOUNCEDLIST
Added Sender abc.com into Group BOUNCEDLIST
Submit, Commit, Commit

Thanks!

You can specify recipient domains on which to disable Bounce Verification when the Email Security Appliance (ESA) delivers to those domains. 


You will need to configure both outbound and inbound mail:
For outbound mail
Go to Mail Policies > Destination Controls
Select on "Add destination..."
Call the new destination "example.com"
In the settings, set "Bounce Verification" to No.
Submit and Commit changes.
For inbound mail
Create a Mail Flow Policy that has  "Accept Untagged Bounces" set to Yes.
Add the domain to a Sender Group that uses this policy. 

Notes:
Failure to configure your inbound mail may cause your ESA to drop valid bounce messages for messages. 
For outbound mail, you can only refer to the destination domain and not an IP address or email address.
To verify that Bounce Verification is disabled for this domain, you can enable "domain debug logs" and tail the logs to verify.  See "Using a domain debug log".

Looking at the way you added Step #2,

Mail Policies - HAT Overview
Added Sender Group BOUNCEDLIST
Added Sender abc.com into Group BOUNCEDLIST
Submit, Commit, Commit

I think that may be the issue. It is correct that you're delivering to "abc.com", but when the email for "user@abc.com" comes inbound to you, the connecting host/mailserver may not necessarily be "mail.abc.com".

So, it is possible that when user@abc.com connects, the connecting hostname is this:

mail1.abcmailservers.com

or

outgoing.abcmail.com

you just need to inspect the ICID of any previous email from user@abc.com and see what the IP/hostname it's coming from.

Now, if it's

out1.abcmailserver.com
out2.abcmailserver.com

In Step #2, you can list it like this:

.abcmailserver.com

or

out1.abcmailserver.com
out2.abcmailserver.com

The first example is using the leading "." as a wildcard.

rngai_ironport · ‎09-18-2009

This is taken when I trace the message base on my recipient. I just realise the sender doesn't have the email, so it's blank in sender field.

Reverse DNS Hostname: 66.32.233.220.static.exetel.com.au (verified)
IP Address: 220.233.32.66
SBRS Score: None

Protocol SMTP interface Data 1 Outside (IP 10.0.0.1) on incoming connection (ICID 29634384) from sender IP 220.233.32.66. Reverse DNS host 66.32.233.220.static.exetel.com.au verified 1.
(ICID 29634384) ACCEPT sender group UNKNOWNLIST match sbrs[none] SBRS None
Start message 2621767 on incoming connection (ICID 29634384).
Message 2621767 enqueued on incoming connection (ICID 29634384) from .
Message 2621767 on incoming connection (ICID 29634384) encountered invalid bounce. Recipient address rejected by bounce verification.
Message 2621767 aborted: Receiving aborted by sender

rngai_ironport · ‎09-18-2009

So taken from #2 article, I should be doing this:

a) Mail Flow Policies -> Add Policy (listener incoming mail).
b) Give a new policy name, under Security Features -> Consider Untagged Bounces to be Valid, set to Yes. Then submit.

Is that it? Do I have to add Destination Controls and SenderGroup (HAT overview)?

kluu_ironport · ‎09-18-2009

So taken from #2 article, I should be doing this:

a) Mail Flow Policies -> Add Policy (listener incoming mail).
b) Give a new policy name, under Security Features -> Consider Untagged Bounces to be Valid, set to Yes. Then submit.

Is that it? Do I have to add Destination Controls and SenderGroup (HAT overview)?

Destination Controls is applied for outbound traffic. Traffic leaving your network(ESA) and going to the Internet. What Step #1 in the KB article does is not "stamp" outgoing messages with a "Return-Path" header. You should look up "Bounce Verification" in the user guide because it explains this in greater detail and provides better example. I would say implement Step #2 and see if the error still occurs.

Your issue is an inbound issue, concerning the inbound traffic from this "user@abc.com" mailing list.

In the snippet that you provided:

Protocol SMTP interface Data 1 Outside (IP 10.0.0.1) on incoming connection (ICID 29634384) from sender IP 220.233.32.66. Reverse DNS host 66.32.233.220.static.exetel.com.au verified 1.
(ICID 29634384) ACCEPT sender group UNKNOWNLIST match sbrs[none] SBRS None

We have some additional info:

The inbound connection ip was: 220.233.32.66
inbound hostname: 66.32.233.220.static.exetel.com.au
SBRS score: None

Because the SBRS score was None, the inbound connection matched the "Unknownlist" and the ACCEPTED mail flow policy was applied. I'm pretty sure of this, but double check.

So, to make sure the bounce verification feature doesn't treat this as an untagged bounce, using Step #2,

create these two things:

1. first, the new mail flow policy, called it: Accept_untagged_bounces

Set "Accept Untagged Bounces" to Yes

2. second, create a new Sendergroup called "Inbound-untagged-bounces"

Put the IP or hostname of the above example as a host

e.g.

220.233.32.66
66.32.233.220.static.exetel.com.au
.static.exetel.com.au (in case they have a bunch of incoming servers like 66.32.233.221.static.exetel.com.au) The leading "." is a wildcard.

Set the mail flow policy for "Inbound-untagged-bounces" to the new mail flow policy created, "Accept_untagged_bounces"

rngai_ironport · ‎09-18-2009

Thanks Kevin. I'll give a try and report back later.

rngai_ironport · ‎09-28-2009

Just to update, the article #2 did fix the problem. It's my mistake apply for outbound direction.

Thanks Kluu!