outgoing mail bounces with error 550 5.7.1

scottmusician · 01-09-2013, 05:34 PM

Hi all,

My dovecot+postfix server works very well most of the time. However, users are now starting to receive 'bounces' and undelivered mail when attempting to send to some (but not all) external addresses. The error that they receive is:

Quote:

550 5.7.1 can't determine Purported Responsible Address

And here's a copy of the returned headers:

Quote:

Reporting-MTA: dns; mail.mydomain.com
X-Postfix-Queue-ID: CA851E2877
X-Postfix-Sender: rfc822; j.sender@mydomain.com
Arrival-Date: Wed, 9 Jan 2013 14:27:16 +1100 (EST)
Final-Recipient: rfc822; j.recipient@theirdomain.com
Original-Recipient: rfc822;j.recipient@theirdomain.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; finance-in-somegroup.123.net
Diagnostic-Code: smtp; 550 5.7.1 can't determine Purported Responsible Address

Despite researching, I'm really not sure where to start with looking for a resolution to this. I have read that it could be a DNS issue, and/or because my server isn't forming outgoing message "from" headers properly. Because the rejection is happening at the recipient's end, the only info in my /var/log/maillog file is:

Quote:

Jan 9 14:27:23 mail MailScanner[29005]: Requeue: 2DCC9E25FC.A9E70 to CA851E2877
Jan 9 14:27:23 mail postfix/qmgr[29056]: from=<j.user@mydomain.com>, size=28558, nrcpt=1 (queue active)
Jan 9 14:27:23 mail MailScanner[29005]: Uninfected: Delivered 1 messages
Jan 9 14:27:23 mail MailScanner[29005]: Deleted 1 messages from processing-database
Jan 9 14:27:23 mail postfix/smtp [31467]: CA851E2877: to=<j.recipient@theirdomain.com>, relay=finance-in-somegroup.123.net[xxx.xxx.x.123]:25, delay=11, delays=7/0/1.8/2.1, dsn=5.7.1, status=bounced (host finance-in-somegroup.123.net[xxx.xxx.x.123]) said: 550 5.7.1 can't determine Purported Responsible Address (in reply to end of DATA command))
Jan 9 14:27:23 mail postfix/bounce [31535]: CA851E2877: sender non-delivery notification: 1EBB6E2878

-

Also, I'm not sure if it's related, but when I do a mydomain.com check on dnscolos.com, everything passes except the top 2x checks:

Quote:

Category: PARENT <FAIL> Parent nameservers mydomain.com -- Your NS records at the parent server are:
Category: PARENT <FAIL> Nameservers for domain in DNS -- Your NS records at your nameservers are:

Is this related to the DNS records at my host/ISP? Below is a copy of my internal DNS server's zones (which all look OK to me?). This doesn't happen with all recipients, only one or two. Any thoughts would be most helpful!

Thanks in advance,

Scott

Quote:

REVERSE ZONE: 1.168.192.in-addr-arpa
REVERSE MAPPING: 192.168.1.80 -> myinternalserver.mydomain.com
REVERSE MAPPING: 192.168.1.82 -> myinternalserver1.mydomain.com
REVERSE MAPPING: 192.168.1.88 -> myinternalserver2.mydomain.com
REVERSE MAPPING: 192.168.1.90 -> myinternalserver3.mydomain.com

REVERSE ZONE: zzz.yyy.xxx.in-addr-arpa
REVERSE MAPPING: www.xxx.yyy.zzz -> www.mydomain.com
REVERSE ZONE: ddd.ccc.bbb.in-addr-arpa
REVERSE MAPPING: aaa.bbb.ccc.ddd -> www1.mydomain.com
REVERSE ZONE: hhh.ggg.fff.in-addr-arpa
REVERSE MAPPING: eee.fff.ggg.hhh -> www2.mydomain.com

PRIMARY ZONE: mydomain.com.
MACHINE: 192.168.1.80 -> myinternalserver.mydomain.com
MACHINE: 192.168.1.82 -> myinternalserver1.mydomain.com
MACHINE: 192.168.1.88 -> myinternalserver2.mydomain.com
MACHINE: 192.168.1.90 -> myinternalserver3.mydomain.com
MACHINE: www.xxx.yyy.zzz -> www.mydomain.com
MACHINE: eee.fff.ggg.hhh -> www1.mydomain.com

fotoguy · 01-10-2013, 12:43 PM

Sounds like it might be a reverse dns lookup error, is there any reason to hosting your own dns server to using your isp's? A lot of mail servers now use reverse dns lookups to help fight against spam, if your dns server is not setup correctly other mail servers will reject your mail.

scottmusician · 01-16-2013, 08:03 AM

my understanding is that we need to run internal DNS servers for two reasons:

a) because we have multiple internally-hosted, publicly-available fqdn's (eg. www.mucompany.com, http://webmail.mycompany.com)... Without A records sitting on an internal dns server, how do incoming requests know which computer should be sought for the corresponding fqdn request?

b) same thing applies for requests from machines inside the network. Without DHCP pointing to the internal DNS, all local requests just end up at the router instead of deferring to the proper website of the destination IP address..

thoughts?

scottmusician · 01-20-2013, 07:46 PM

*bump*
any further word on this? My users now can't send to Gmail or to hotmail, which is causing business havoc!!

Ser Olmy · 01-20-2013, 08:17 PM

Are you getting the same error about "Purported Responsible Address" from Gmail? The error refers to an experimental RFC, RFC 4407. The "Purported Responsible Address" is used by the Sender ID mechanism to determine whether an MTA is authorized to send/relay mail for a given domain.

This error can be caused by missing/duplicate/badly formatted "From:" headers in the mail itself, or even by other malformed headers inserted by MTAs.

You should take a close look at the headers in mails leaving your server. You may also need to implement Sender ID records in your DNS zone, as described in chapter 3 of RFC 4408.

scottmusician · 01-20-2013, 11:46 PM

Thanks so much for the reply. Yes, the Gmail response was another 550 5.7.1 error, worded a little differently but still the same thing. I've now got a few things to go on, and am waiting to hear from the user to see how responses are going.

Turns out that a lot of users have had additional "from" headers configured in their clients (resulting in duplicate "from:" headers) from a legacy email system where they once used free @gmail accounts to store their imap archives. So I've turned that off and will see how it goes. I've also disabled a

Code:

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access

as this only contained a:

Code:

ROOT@ REJECT

(which I think was only to stop ROOT@ folder filling up needlessly, but that's a null account anyway.

will let you know how it goes!

scottmusician · 01-21-2013, 08:50 PM

I made a test account on the server, and it looks like the from address is defaulting to:
user@mail.mydomain.com

which is of course bad, as it should be:
user@mydomain.com

Sorry to sound like a beginner - is this changed in a config file? or via a DNS server entry? I can't find anything obvious in the conf files..
If it is DNS.. what kind of record do I need to add?

Thanks yet again!!

(PS: i'm happy to post /etc/hosts if it helps, but it all looks pretty basic).

Ser Olmy · 01-21-2013, 08:57 PM

Quote:

Originally Posted by scottmusician

I made a test account on the server, and it looks like the from address is defaulting to:
user@mail.mydomain.com

which is of course bad, as it should be:
user@mydomain.com

I think this is what you're looking for.

scottmusician · 01-21-2013, 09:46 PM

thanks Ser_Olmy,

that's great! and so simple too.
Just waiting on a confirmation from users, but hopefully I can close off thread soon

Thanks again

scottmusician · 01-28-2013, 09:02 PM

So now /etc/postfix/main.cf reads:

Code:

myhostname = mail.mydomain.com
mydomain = mydomain.com
myorigin = $mydomain

and postconf -n reads:

Code:

 myogigin = $domain

If I create a new user and send an email from webmail (nutsmail) without any additional configuration, then the headers read:

Code:

From: USER <user@mail.mydomain.com>
X-COMPANY-MailScanner-From: user@mail.mydomain.com

Within NutsMail config, I'm overriding this by having each user's webmail account specifying their "Personal Information -> email address" as their correct "user@mydomain.com" format. This at least seems to make mail go out OK most of the time, however we are still occasionally not passing Purported Responsible Address checks properly.

Could it be a DNS thing?

scottmusician · 01-30-2013, 10:11 PM

*bump*

scottmusician · 02-04-2013, 06:54 PM

Hi again! Sorry to nag, it's been more than a week and my users still can't send to Gmail due to this drat error. Below is a copy of a delivery notice. Any ideas would be wonderful!

Code:

>This is the mail system at host mail.mydomain.com.
>
>I'm sorry to have to inform you that your message could not be 
>delivered to one or more recipients. It's attached below.
>
>For further assistance, please send mail to <postmaster>
>
>If you do so, please include this problem report. You can delete your 
>own text from the attached returned message.
>
>                   The mail system
>
><recipient@email.com>: host aspmx.l.google.com[74.125.133.26]
>said:
>    550-5.7.1 [xxx.yyy.zzz.ip      11] Our system has detected that this
>    message is 550-5.7.1 not RFC 2822 compliant. To reduce the amount 
>of spam
>    sent to Gmail, 550-5.7.1 this message has been blocked. Please 
>review
>550
>    5.7.1 RFC 2822 specifications for more information.
>h19si7264558igc.59 -
>    gsmtp (in reply to end of DATA command)
>
><joerecipient@email.com>: host aspmx.l.google.com[74.125.133.26] said:
>    550-5.7.1 [xxx.yyy.zzz.ip      11] Our system has detected that this
>    message is 550-5.7.1 not RFC 2822 compliant. To reduce the amount 
>of spam
>    sent to Gmail, 550-5.7.1 this message has been blocked. Please 
>review
>550
>    5.7.1 RFC 2822 specifications for more information.
>h19si7264558igc.59 -
>    gsmtp (in reply to end of DATA command)
>Received: from [192.168.1.109] (unknown [192.168.1.109])
>	by mail.mydomain.com (Postfix) with ESMTP id 0F839E2878;
>	Tue,  5 Feb 2013 10:56:08 +1100 (EST)
>User-Agent: Microsoft-MacOutlook/14.2.2.120421
>Date: Tue, 05 Feb 2013 10:55:17 +1100
>Subject: Re: Meeting 8 Feb
>From: Joe User<j.user@mydomain.com>
>To: Recipient <recipient@email.com>
>CC: Paul User <p.user@mydomain.com>,
>	Stephen S <supervisor@email.com>
>Message-ID: <CD36871F.14520%j.user@mydomain.com>
>Thread-Topic: Meeting 8 Feb
>In-Reply-To: <002501ce0004$67687050$363950f0$@com.au>
>from: j.user@mydomain.com
>reply-to: j.user@mydomain.com
>Mime-version: 1.0
>Content-type: multipart/mixed;
>	boundary="B_3442906569_248544"
>X-Server-MailScanner-Information: Please contact the ISP for more 
>information
>X-Server-MailScanner-ID: 0F839E2878.A5786
>X-Server-MailScanner: Found to be clean
>X-Server-MailScanner-From: j.user@mydomain.com
>X-Spam-Status: No


--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

Ser Olmy · 02-04-2013, 07:57 PM

RFC 2822 describes what constitutes a valid e-mail address.

There has to be something wrong with either the sender or recipient address format in your mails. Since the error is reported at the end of the DATA session rather than after the "MAIL FROM" or "RCPT TO" commands, I suspect the problem is a malformed address in a header.

The only error I can see in the posted log is a lack of a space after the user name in the "From:" header (From: Joe User<j.user@mydomain.com>). You should capture the entire SMTP session between your server and Google's mail server (or the smart host if your're using one) and take a very close look at all headers containing mail addresses.

scottmusician · 02-04-2013, 08:38 PM

thanks for the reply!
I expect this has something to do with it:

Ok, If I make a new user, his emails go out with the incorrect "@mail.mydomain.com" from address.
The headers read:

Code:

Subject: test
From: New user <n.user@mail.mydomain.com>
Reply-To: <n.user@mail.mydomain.com>
X-Server-MailScanner-From: n.user@mail.mydomain.com
Return-Path: n.user@mail.mydomain.com

Here's what postconf -n reads:

Code:

mydomain = mydomain.com
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8
myorigin = $mydomain

Which appears correct to me. So where else does the domain suffix get added??

Users are overwriting their from fields via a webmail setting, which at least gets most mail delivered OK with a proper @domain.com address.

descendant_command · 02-05-2013, 12:17 AM

Quote:

Originally Posted by scottmusician

Code:

>From: Joe User<j.user@mydomain.com>
>from: j.user@mydomain.com

You've got two From: headers, that might be a problem.