Mail from mailing list not working
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-17-2009 01:44 AM
Hi there, can I ask for opinion on this problem I couldn't solve. It's my first time here, so if this have been asked before I apologize in advance.
Here is the scenario, an outsider (eg: grp-mail@abc.com) sent an email to this group mailing list with several recipients email in it. One of the recipient email (eg: nick@xyz.com, which is my domain) is in grp-mail@abc.com mail list.
So as you might had guess, the email was never reach "nick". I did message tracking but I couldn't find sender email (grp-mail@abc.com) so I ask for mail logs from abc.com mail admin. He sent it and I could see my Ironport reject it with this code:
Tue 2009-09-01 09:33:26: From: (sender not specified)
Tue 2009-09-01 09:33:26: To: nick@xyz.com
Tue 2009-09-01 09:33:27:<-- 550 #5.1.0 Rejected by bounce verification.
Tue 2009-09-01 09:33:28: Message has no return path, it was deleted
Then I search Ironport knowledge base and found this http://tinyurl.com/yomn5f . I did apply that change but it never work. Can someone point me out where to go from here?
Thanks in advance!
- Labels:
-
Email Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-17-2009 08:31 AM
More than likely Step #2 from the KB article is not set up correctly on your ESA appliance.
Can you provide the new mail_logs after you implemented the KB article? I want to see what HAT overview/inbound mail policy was applied to the grp_mail@abc.com address when it was an inbound message into your ESA appliance.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-18-2009 01:41 AM
Thanks kluu. I made the following change and clearly it didn't work. I have rollback the steps below. The step #2 from the article wasn't clear to me, could you comment with better steps (eg: steps like below)?
Mail Policies - Destination Controls
Added Destination/Domain abc.com
Set Bounce Verification to No
Submit, Commit, Commit
Mail Policies - Mail Flow Policies
Added Policy BOUNCED
Submit, Commit, Commit
Mail Policies - HAT Overview
Added Sender Group BOUNCEDLIST
Added Sender abc.com into Group BOUNCEDLIST
Submit, Commit, Commit
Thanks!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-18-2009 01:55 AM
Thanks kluu. I made the following change and clearly it didn't work. I have rollback the steps below. The step #2 from the article wasn't clear to me, could you comment with better steps (eg: steps like below)?
Mail Policies - Destination Controls
Added Destination/Domain abc.com
Set Bounce Verification to No
Submit, Commit, Commit
Mail Policies - Mail Flow Policies
Added Policy BOUNCED
Submit, Commit, Commit
Mail Policies - HAT Overview
Added Sender Group BOUNCEDLIST
Added Sender abc.com into Group BOUNCEDLIST
Submit, Commit, Commit
Thanks!
You can specify recipient domains on which to disable Bounce Verification when the Email Security Appliance (ESA) delivers to those domains.
You will need to configure both outbound and inbound mail:
For outbound mail
Go to Mail Policies > Destination Controls
Select on "Add destination..."
Call the new destination "example.com"
In the settings, set "Bounce Verification" to No.
Submit and Commit changes.
For inbound mail
Create a Mail Flow Policy that has "Accept Untagged Bounces" set to Yes.
Add the domain to a Sender Group that uses this policy.
Notes:
Failure to configure your inbound mail may cause your ESA to drop valid bounce messages for messages.
For outbound mail, you can only refer to the destination domain and not an IP address or email address.
To verify that Bounce Verification is disabled for this domain, you can enable "domain debug logs" and tail the logs to verify. See "Using a domain debug log".
Looking at the way you added Step #2,
Mail Policies - HAT Overview
Added Sender Group BOUNCEDLIST
Added Sender abc.com into Group BOUNCEDLIST
Submit, Commit, Commit
I think that may be the issue. It is correct that you're delivering to "abc.com", but when the email for "user@abc.com" comes inbound to you, the connecting host/mailserver may not necessarily be "mail.abc.com".
So, it is possible that when user@abc.com connects, the connecting hostname is this:
mail1.abcmailservers.com
or
outgoing.abcmail.com
you just need to inspect the ICID of any previous email from user@abc.com and see what the IP/hostname it's coming from.
Now, if it's
out1.abcmailserver.com
out2.abcmailserver.com
In Step #2, you can list it like this:
.abcmailserver.com
or
out1.abcmailserver.com
out2.abcmailserver.com
The first example is using the leading "." as a wildcard.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-18-2009 04:28 AM
This is taken when I trace the message base on my recipient. I just realise the sender doesn't have the email, so it's blank in sender field.
Reverse DNS Hostname: 66.32.233.220.static.exetel.com.au (verified)
IP Address: 220.233.32.66
SBRS Score: None
Protocol SMTP interface Data 1 Outside (IP 10.0.0.1) on incoming connection (ICID 29634384) from sender IP 220.233.32.66. Reverse DNS host 66.32.233.220.static.exetel.com.au verified 1.
(ICID 29634384) ACCEPT sender group UNKNOWNLIST match sbrs[none] SBRS None
Start message 2621767 on incoming connection (ICID 29634384).
Message 2621767 enqueued on incoming connection (ICID 29634384) from .
Message 2621767 on incoming connection (ICID 29634384) encountered invalid bounce. Recipient address
Message 2621767 aborted: Receiving aborted by sender
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-18-2009 04:34 AM
So taken from #2 article, I should be doing this:
a) Mail Flow Policies -> Add Policy (listener incoming mail).
b) Give a new policy name, under Security Features -> Consider Untagged Bounces to be Valid, set to Yes. Then submit.
Is that it? Do I have to add Destination Controls and SenderGroup (HAT overview)?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-18-2009 05:42 AM
So taken from #2 article, I should be doing this:
a) Mail Flow Policies -> Add Policy (listener incoming mail).
b) Give a new policy name, under Security Features -> Consider Untagged Bounces to be Valid, set to Yes. Then submit.
Is that it? Do I have to add Destination Controls and SenderGroup (HAT overview)?
Destination Controls is applied for outbound traffic. Traffic leaving your network(ESA) and going to the Internet. What Step #1 in the KB article does is not "stamp" outgoing messages with a "Return-Path" header. You should look up "Bounce Verification" in the user guide because it explains this in greater detail and provides better example. I would say implement Step #2 and see if the error still occurs.
Your issue is an inbound issue, concerning the inbound traffic from this "user@abc.com" mailing list.
In the snippet that you provided:
Protocol SMTP interface Data 1 Outside (IP 10.0.0.1) on incoming connection (ICID 29634384) from sender IP 220.233.32.66. Reverse DNS host 66.32.233.220.static.exetel.com.au verified 1.
(ICID 29634384) ACCEPT sender group UNKNOWNLIST match sbrs[none] SBRS None
We have some additional info:
The inbound connection ip was: 220.233.32.66
inbound hostname: 66.32.233.220.static.exetel.com.au
SBRS score: None
Because the SBRS score was None, the inbound connection matched the "Unknownlist" and the ACCEPTED mail flow policy was applied. I'm pretty sure of this, but double check.
So, to make sure the bounce verification feature doesn't treat this as an untagged bounce, using Step #2,
create these two things:
1. first, the new mail flow policy, called it: Accept_untagged_bounces
Set "Accept Untagged Bounces" to Yes
2. second, create a new Sendergroup called "Inbound-untagged-bounces"
Put the IP or hostname of the above example as a host
e.g.
220.233.32.66
66.32.233.220.static.exetel.com.au
.static.exetel.com.au (in case they have a bunch of incoming servers like 66.32.233.221.static.exetel.com.au) The leading "." is a wildcard.
Set the mail flow policy for "Inbound-untagged-bounces" to the new mail flow policy created, "Accept_untagged_bounces"
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-18-2009 06:17 AM
Thanks Kevin. I'll give a try and report back later.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-28-2009 02:09 AM
Just to update, the article #2 did fix the problem. It's my mistake apply for outbound direction.
Thanks Kluu!
