PRVS Bounces by Destination Server

browndw999

Hello all

I have a domain that no longer receives mail from us. The error is just after the PRVS bounce verification rewriting sender. Message xxxxxxxx to.... bounced by destination server. Reason 510 unknown address error.

How can I stop this from happening to this one domain?

Thank you


Greetings,

While I would have to see the mail logs to know for sure, my guess is the 5.1.0 unknown user may actually be referring to the sender. Some domains utilize sender verification, which will typically fail if Bounce Verification is being used. This is because we append the PRVS tag to the sender ID in the message. If the recipient domain attempts to validate the sender by replying to the address listed with the PRVS tag, this will obviously fail.

Currently the only way around this is to make an exception in destination controls for the recipient domain in question.

  • Failure to configure your inbound mail may cause your ESA to drop valid bounce messages for messages.
  • For outbound mail, you can only refer to the destination domain and not an IP address or email address.

Hopefully this will help!

REF Article EKB #869

Christopher C Smith
CSE
Cisco IronPort Customer Support 

Hi Chris

Thanks for the quick response. The error I now have for this domain is

The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.

< ironportserver #5.0.0 smtp; 5.1.0 - Unknown address error 550-'Administrative prohibition - envelope blocked' (delivery attempts: 0)>

It doesn't seem to be reaching their gateway server, but I am unsure if the failure is from their perimeter server rejecting the connection.

Is there any way to check?

Hi,

It would probably be a good idea to enable a domain debug log for this; that way you can see the full SMTP conversation.

The domain debug log is a system log designed to record all SMTP traffic between a specific domain and an Email Security Appliance (ESA) for a finite number of sessions. This log type can assist in troubleshooting issues that relate to a specific recipient domain or host. Each session is recorded until the number of sessions defined has been reached, at which time the log will stop collecting data. You can stop domain debug before all sessions have been recorded by deleting or editing the log subscription.

Configuration

Logs can be configured and created through the IronPort CLI using the logconfig command or via the GUI.

To configure logs via the GUI, see the Advanced User Guide: Log Subscriptions.

Below is an example of creating a Domain Debug Log subscription using the CLI:

example.run> logconfig

Currently configured logs:
1. "antispam" Type: "Anti-Spam Logs" Retrieval: FTP Poll
2. "antivirus" Type: "Anti-Virus Logs" Retrieval: FTP Poll
3. "asarchive" Type: "Anti-Spam Archive" Retrieval: FTP Poll
4. "avarchive" Type: "Anti-Virus Archive" Retrieval: FTP Poll
5. "bounces" Type: "Bounce Logs" Retrieval: FTP Poll
6. "cli_logs" Type: "CLI Audit Logs" Retrieval: FTP Poll
7. "error_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
8. "euq_logs" Type: "IronPort Spam Quarantine Logs" Retrieval: FTP Poll
9. "euqgui_logs" Type: "IronPort Spam Quarantine GUI Logs" Retrieval: FTP Poll
10. "ftpd_logs" Type: "FTP Server Logs" Retrieval: FTP Poll
11. "gui_logs" Type: "HTTP Logs" Retrieval: FTP Poll
12. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
13. "reportd_logs" Type: "Reporting Logs" Retrieval: FTP Poll
14. "reportqueryd_logs" Type: "Reporting Query Logs" Retrieval: FTP Poll
15. "scanning" Type: "Scanning Logs" Retrieval: FTP Poll
16. "sntpd_logs" Type: "NTP logs" Retrieval: FTP Poll
17. "status" Type: "Status Logs" Retrieval: FTP Poll
18. "system_logs" Type: "System Logs" Retrieval: FTP Poll
19. "updater_logs" Type: "Updater Logs" Retrieval: FTP Poll

Choose the operation you want to perform:
- NEW - Create a new log.
- EDIT - Modify a log subscription.
- DELETE - Remove a log subscription.
- SETUP - General settings.
- LOGHEADERS - Configure headers to log.
- HOSTKEYCONFIG - Configure SSH host keys.
[]> new

Choose the log file type for this subscription:
1. IronPort Text Mail Logs
2. qmail Format Mail Logs
3. Delivery Logs
4. Bounce Logs
5. Status Logs
6. Domain Debug Logs
7. Injection Debug Logs
8. System Logs
9. CLI Audit Logs
10. FTP Server Logs
11. HTTP Logs
12. NTP logs
13. LDAP Debug Logs
14. Anti-Virus Logs
15. Anti-Virus Archive
16. Scanning Logs
17. IronPort Spam Quarantine Logs
18. IronPort Spam Quarantine GUI Logs
19. Reporting Logs
20. Reporting Query Logs
21. Updater Logs
[1]> 6

Please enter the name for the log:
[]> debug_example

Enter the name of the domain for which you want to record debug information.
[]> example.com

Please enter the number of SMTP sessions you want to record for this domain.
[1]> 8

Choose the method to retrieve the logs.
1. FTP Poll
2. FTP Push
3. SCP Push
4. Syslog Push
[1]>

Filename to use for log files:
[example.com.text]>

Please enter the maximum file size:
[10485760]>

Please enter the maximum number of files:
[10]>

Currently configured logs:
1. "antispam" Type: "Anti-Spam Logs" Retrieval: FTP Poll
2. "antivirus" Type: "Anti-Virus Logs" Retrieval: FTP Poll
3. "asarchive" Type: "Anti-Spam Archive" Retrieval: FTP Poll
4. "avarchive" Type: "Anti-Virus Archive" Retrieval: FTP Poll
5. "bounces" Type: "Bounce Logs" Retrieval: FTP Poll
6. "cli_logs" Type: "CLI Audit Logs" Retrieval: FTP Poll
7. "debug_example" Type: "Domain Debug Logs" Retrieval: FTP Poll
8. "error_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
9. "euq_logs" Type: "IronPort Spam Quarantine Logs" Retrieval: FTP Poll
10. "euqgui_logs" Type: "IronPort Spam Quarantine GUI Logs" Retrieval: FTP Poll
11. "ftpd_logs" Type: "FTP Server Logs" Retrieval: FTP Poll
12. "gui_logs" Type: "HTTP Logs" Retrieval: FTP Poll
13. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
14. "reportd_logs" Type: "Reporting Logs" Retrieval: FTP Poll
15. "reportqueryd_logs" Type: "Reporting Query Logs" Retrieval: FTP Poll
16. "scanning" Type: "Scanning Logs" Retrieval: FTP Poll
17. "sntpd_logs" Type: "NTP logs" Retrieval: FTP Poll
18. "status" Type: "Status Logs" Retrieval: FTP Poll
19. "system_logs" Type: "System Logs" Retrieval: FTP Poll
20. "updater_logs" Type: "Updater Logs" Retrieval: FTP Poll

Choose the operation you want to perform:
- NEW - Create a new log.
- EDIT - Modify a log subscription.
- DELETE - Remove a log subscription.
- SETUP - General settings.
- LOGHEADERS - Configure headers to log.
- HOSTKEYCONFIG - Configure SSH host keys.
[]>

example.run> commit


Domain Debug Log

Below is an example of what a Domain Debug Log looks like when the IronPort appliance delivers a message to the recipient domain "example.com".

Tue Mar 22 16:52:07 2005 Info: 411 Rcvd: '220 ESmtp mail.example.com ESMTP service ready'
Tue Mar 22 16:52:07 2005 Info: 411 Sent: 'EHLO ironport.com'
Tue Mar 22 16:52:07 2005 Info: 411 Rcvd: '250-mail.example.com'
Tue Mar 22 16:52:07 2005 Info: 411 Rcvd: '250-8BITMIME'
Tue Mar 22 16:52:07 2005 Info: 411 Rcvd: '250-SIZE 31981568'
Tue Mar 22 16:52:07 2005 Info: 411 Rcvd: '250 PIPELINING'
Tue Mar 22 16:52:07 2005 Info: 411 Sent: 'MAIL FROM:<user@ironport.com>'
Tue Mar 22 16:52:07 2005 Info: 411 Rcvd: '250 sender <user@ironport.com> ok'
Tue Mar 22 16:52:07 2005 Info: 411 Sent: 'RCPT TO:<test@example.com>'
Tue Mar 22 16:52:07 2005 Info: 411 Rcvd: '250 recipient <test@example.com> ok'
Tue Mar 22 16:52:07 2005 Info: 411 Sent: 'DATA'
Tue Mar 22 16:52:07 2005 Info: 411 Rcvd: '354 go ahead'
Tue Mar 22 16:52:07 2005 Info: 411 Sent: 'Received: from unknown (HELO)(10.250.7.164)\r\n by ironport.com with SMTP; 22 Mar 2005 16:52:08 -0800\r\n'
Tue Mar 22 16:52:07 2005 Info: 411 Sent: 'Message-ID: <000d01c52f43$48dacba0$a407fa0a@ironport.com>\r\nFrom: "User" <user@ironport.com>\r\nTo: <test@example.com>\r\nSubject: Test\r\nDate: Tue, 22 Mar 2005 16:57:28 -0800\r\nMIME-Version: 1.0\r\nContent-Type: multipart/alternative;\r\n\tboundary="----=_NextPart_000_000A_01C52F00.3AA3B580"\r\nX-Priority: 3\r\nX-MSMail-Priority: Normal\r\nX-Mailer: Microsoft Outlook Express 6.00.2900.2180\r\nX-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180\r\n\r\nThis is a multi-part message in MIME format.\r\n\r\n------=_NextPart_000_000A_01C52F00.3AA3B580\r\nContent-Type: text/plain;\r\n\tcharset="iso-8859-1"\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\nThis is the body of the mail.\r\nThis is a disclaimer.\r\n\r\n------=_NextPart_000_000A_01C52F00.3AA3B580\r\nContent-Type: text/html;\r\n\tcharset="iso-8859-1"\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\nThis is the body of the\r\nmail. This is a disclaimer.\r\n\r\n\r\n------=_NextPart_000_000A_01C52F00.3AA3B580--\r\n'
Tue Mar 22 16:52:07 2005 Info: 411 Sent: '.\r\n'
Tue Mar 22 16:52:07 2005 Info: 411 Rcvd: '250 ok dirdel'
Tue Mar 22 16:52:12 2005 Info: 411 Sent: 'QUIT'
Tue Mar 22 16:52:12 2005 Info: 411 Rcvd: '221 mail.example.com'

----------------------------------------------------------------------------------------------------

Christopher C Smith

CSE
Cisco IronPort Customer Support

Hi Chris

TLS is set as the preferred option to all domains within our organisation. It looks as if their side are blocking for some reason?

Hi David,

So you indicated that it looks like their side is blocking for some reason, and you indicated that TLS is set to preferred.

Looking at the logs you provided we see the following,

Thu Dec  2 12:03:38 2010 Info: Begin Logfile

Thu Dec  2 12:03:38 2010 Info: Version: 7.1.2-020 SN: 0019B9C6A47B-JFQ61D1

Thu Dec  2 12:03:38 2010 Info: Time offset from UTC: 0 seconds

Thu Dec  2 12:04:00 2010 Info: 249330903 Rcvd: '220 service90.mimecast.com ESMTP ; Thu, 02 Dec 2010 12:04:00 +0000'

Thu Dec  2 12:04:00 2010 Info: 249330903 Sent: 'EHLO remacdmzma03.rbs.com'

Thu Dec  2 12:04:02 2010 Info: 249330903 Rcvd: '250-Hello [mailhost5.rbs.co.uk (155.136.80.33)]'

Thu Dec  2 12:04:02 2010 Info: 249330903 Rcvd: '250-AUTH LOGIN'

Thu Dec  2 12:04:02 2010 Info: 249330903 Rcvd: '250-AUTH=LOGIN'

Thu Dec  2 12:04:02 2010 Info: 249330903 Rcvd: '250-STARTTLS'

Thu Dec  2 12:04:02 2010 Info: 249330903 Rcvd: '250 HELP'

Thu Dec  2 12:04:02 2010 Info: 249330903 Sent: 'STARTTLS'

Thu Dec  2 12:04:02 2010 Info: 249330903 Rcvd: '220 Starting TLS'

Thu Dec  2 12:04:02 2010 Info: 249330903 Sent: 'EHLO remacdmzma03.rbs.com'

Thu Dec  2 12:04:02 2010 Info: 249330903 Rcvd: '250-Hello [mailhost5.rbs.co.uk (155.136.80.33)]'

Thu Dec  2 12:04:02 2010 Info: 249330903 Rcvd: '250-AUTH LOGIN'

Thu Dec  2 12:04:02 2010 Info: 249330903 Rcvd: '250-AUTH=LOGIN'

Thu Dec  2 12:04:02 2010 Info: 249330903 Rcvd: '250 HELP'

Thu Dec  2 12:04:02 2010 Info: 249330903 Sent: 'MAIL FROM:<prvs=945920702=David.W.Brown@rbs.co.uk>'

Thu Dec  2 12:04:02 2010 Info: 249330903 Rcvd: '250 Sender [prvs=945920702=david.w.brown@rbs.co.uk] OK'

Thu Dec  2 12:04:02 2010 Info: 249330903 Sent: 'RCPT TO:<Kulvinder.Bath@lawsociety.org.uk>'

Thu Dec  2 12:04:02 2010 Info: 249330903 Rcvd: '550 Administrative prohibition - envelope blocked'

Thu Dec  2 12:04:02 2010 Info: 249330903 Sent: 'RSET'

Thu Dec  2 12:04:02 2010 Info: 249330903 Rcvd: '250 Transaction Reset OK'

Thu Dec  2 12:04:07 2010 Info: 249330903 Sent: 'QUIT'

Thu Dec  2 12:04:07 2010 Info: 249330903 Rcvd: '221 Service closing transmission channel'

Thu Dec  2 12:04:08 2010 Info: Domain Debug is no longer enabled for domain lawsociety.org.uk

Thu Dec  2 12:04:08 2010 Info: End Logfile

We see that the connection is successful and we are able to STARTTLS ok.

It is only once we get to identification of the sender and recipients that we run into trouble.

Thu Dec  2 12:04:02 2010 Info: 249330903 Sent: 'MAIL FROM:<prvs=945920702=David.W.Brown@rbs.co.uk>'

Thu Dec  2 12:04:02 2010 Info: 249330903 Rcvd: '250 Sender [prvs=945920702=david.w.brown@rbs.co.uk] OK'

Thu Dec  2 12:04:02 2010 Info: 249330903 Sent: 'RCPT TO:<Kulvinder.Bath@lawsociety.org.uk>'

Thu Dec  2 12:04:02 2010 Info: 249330903 Rcvd: '550 Administrative prohibition - envelope blocked'

This error, 550 Administrative prohibition - envelope blocked, originated from the exchange server on the remote side. While I am not familiar with that specific error and all of the conditions required to produce it, it appears that the traffic is being blocked on their side.

Next question would be: does it affect all mail to this domain, or just mail from a specific sender, or from a specific IP or hostname?

Christopher C Smith
CSE

Cisco IronPort Customer Support 
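
The reading of the domain debug log in the reply above, as an added example that is not part of the original thread: a small Python parser that pairs each 4xx/5xx reply with the command that drew it and records whether TLS was negotiated and whether the envelope sender carried a prvs tag. The sample log is constructed (placeholder hosts and addresses), and the name find_rejections is an assumption of this example.

```python
import re

# Domain debug line layout as shown in the thread:
#   <timestamp> Info: <session id> Sent|Rcvd: '<SMTP text>'
LINE = re.compile(r"Info: (\d+) (Sent|Rcvd): '(.*)'\s*$")
PRVS = re.compile(r"<prvs=[^=>]+=[^>]+>", re.I)   # tagged envelope sender

# Constructed sample modelled on the log above (addresses are placeholders).
SAMPLE = """\
Thu Dec  2 12:04:00 2010 Info: 101 Rcvd: '220 mx.example.net ESMTP'
Thu Dec  2 12:04:00 2010 Info: 101 Sent: 'EHLO esa.example.com'
Thu Dec  2 12:04:02 2010 Info: 101 Rcvd: '250-STARTTLS'
Thu Dec  2 12:04:02 2010 Info: 101 Rcvd: '250 HELP'
Thu Dec  2 12:04:02 2010 Info: 101 Sent: 'STARTTLS'
Thu Dec  2 12:04:02 2010 Info: 101 Rcvd: '220 Starting TLS'
Thu Dec  2 12:04:02 2010 Info: 101 Sent: 'MAIL FROM:<prvs=0123456789=user@example.com>'
Thu Dec  2 12:04:02 2010 Info: 101 Rcvd: '250 Sender OK'
Thu Dec  2 12:04:02 2010 Info: 101 Sent: 'RCPT TO:<rcpt@example.net>'
Thu Dec  2 12:04:02 2010 Info: 101 Rcvd: '550 Administrative prohibition - envelope blocked'
Thu Dec  2 12:04:02 2010 Info: 101 Sent: 'RSET'
Thu Dec  2 12:04:02 2010 Info: 101 Rcvd: '250 Transaction Reset OK'
"""

def find_rejections(log_text):
    """Return one dict per 4xx/5xx reply: session, the command that drew it,
    the reply text, whether TLS was up, and whether the sender was PRVS-tagged."""
    state = {}      # session id -> per-session tracking
    findings = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue                      # e.g. "Begin Logfile" / "End Logfile"
        sid, direction, text = m.groups()
        s = state.setdefault(sid, {"last": "(connect)", "tls": False, "prvs": False})
        if direction == "Sent":
            s["last"] = text
            if text.upper().startswith("MAIL FROM:"):
                s["prvs"] = bool(PRVS.search(text))
        else:
            if s["last"].upper() == "STARTTLS" and text.startswith("220"):
                s["tls"] = True
            if re.match(r"[45]\d\d", text):   # temporary or permanent failure
                findings.append({"session": sid, "rejected_command": s["last"],
                                 "reply": text, "tls": s["tls"], "prvs_sender": s["prvs"]})
    return findings

if __name__ == "__main__":
    for f in find_rejections(SAMPLE):
        print(f)
```

A rejection at RCPT TO does not by itself show which half of the envelope was refused, since receiving servers often apply sender policy at that stage; that is why the result carries both the rejected command and the prvs flag.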

Chris

Many thanks! Brilliant service.

Regards

David
