This is more of a Microsoft behaviour/problem than an ESA one. From our experience investigating this issue, Microsoft interestingly doesn't comply with the RFC standard.
Here's a snippet from https://datatracker.ietf.org/doc/html/rfc5321:
If there is a delivery failure after acceptance of a message, the
receiver-SMTP MUST formulate and mail a notification message. This
notification MUST be sent using a null ("<>") reverse-path in the
envelope. The recipient of this notification MUST be the address
from the envelope return path (or the Return-Path: line).
So in reality, it instead sends these auto-replies to the "From" address, which doesn't contain a PRVS tag (while the Return-Path does), and they get rejected by bounce verification.
The following workarounds have their limitations (they aren't scalable):
1. Disable bounce verification (no one likes this)
2. Identify important senders (hostnames, IP addresses). Set up a sender group and add the IP addresses/hostnames to it. Set up a new mail flow policy and set the option below to 'yes'

3. Change bounce verification action to add a new header (instead of reject). Use filters to take custom actions based on this header and other conditions if necessary.
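
The mechanism described in this post, as an added example that is not part of the original post and not Cisco's code: a simplified model of bounce verification showing why a notification sent to the tagged return path is accepted while an auto-reply sent to the untagged "From" address is rejected. The key, the addresses, the function names and the `prvs=<tag>=<local>` layout are assumptions made for illustration; the ESA's real tag algorithm is not reproduced.

```python
import hashlib
import hmac

# Constructed key and addresses. The tag layout is a simplified stand-in
# (assumption), not the ESA's actual tagging algorithm.
KEY = b"constructed-demo-key"

def tag_sender(addr: str) -> str:
    """Outbound: rewrite the envelope sender so it carries a keyed tag."""
    local, domain = addr.rsplit("@", 1)
    mac = hmac.new(KEY, addr.lower().encode(), hashlib.sha256).hexdigest()[:10]
    return f"prvs={mac}={local}@{domain}"

def has_valid_tag(rcpt: str) -> bool:
    """Inbound: does this envelope recipient carry a tag we issued?"""
    local, _, domain = rcpt.rpartition("@")
    parts = local.split("=", 2)
    if len(parts) != 3 or parts[0].lower() != "prvs":
        return False                      # untagged address
    expected = tag_sender(f"{parts[2]}@{domain}")
    return hmac.compare_digest(expected.lower(), rcpt.lower())

def bounce_verification(mail_from: str, rcpt_to: str) -> str:
    """Verdict for one inbound envelope (MAIL FROM, RCPT TO)."""
    if mail_from.strip("<>") != "":       # only null reverse-path mail is checked
        return "not-a-bounce"
    return "accept" if has_valid_tag(rcpt_to) else "reject"

def demo() -> dict:
    header_from = "alice@example.com"      # header From: stays untagged
    return_path = tag_sender(header_from)  # envelope sender is tagged
    return {
        # RFC 5321: the notification goes to the envelope return path
        "dsn_to_return_path": bounce_verification("<>", return_path),
        # Behaviour described in the post: auto-reply goes to header From:
        "auto_reply_to_from": bounce_verification("<>", header_from),
        # A tag that was not issued with our key
        "forged_tag": bounce_verification("<>", "prvs=0000000000=alice@example.com"),
        # Ordinary mail with a real sender is not subject to the check
        "normal_mail": bounce_verification("bob@example.net", header_from),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```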