This article contains information on common Mimecast 5xx SMTP error codes, their causes, and recommended resolutions to address issues like invalid addresses, authentication failures, policy violations, and email size limits.
When messages are sent or received between two email servers or Mail Transfer Agents (MTAs), the communication uses a series of numeric SMTP codes. These codes are always in pairs, which means both servers transmit the codes until the conversation either succeeds or fails.
There are two main code types for dropped or failed SMTP conversations. The first number in a code indicates whether the MTA accepted the command or if it was rejected. The remaining two numbers in the code provide information on the reason for the failure. The code types are:
- 4xx: The server encountered a temporary failure. If the command is repeated without being changed, it may be successful, depending on the reason for the initial failure. Mail servers use temporary failures to hold connections from untrusted sources while additional security checks are performed. See the SMTP 4xx Error Codes section below for a full list.
- 5xx: The server has encountered a permanent error and failed message delivery. If you receive any errors listed below when sending a message to a Mimecast customer, contact the recipient's Mimecast Administrator. Mimecast can only deal with designated customer contacts. See the SMTP 5xx Error Codes section below for a full list.
SMTP 4xx Error Codes
A 4xx error is returned if the server encounters a temporary failure. If the command is repeated without being changed, it may be successful, depending on the reason for the initial failure. Mail servers use temporary failures to hold connections from untrusted sources while additional security checks are performed.
A correctly configured mail server should retry sending a message if a 4xx error code is received. These connections are logged in the Message Center: Rejected and Deferred Messages list.
If you receive any errors listed below when sending a message to a Mimecast customer, contact the recipient's Mimecast Administrator. Mimecast can only deal with designated customer contacts.
Code | Reason Given to Sending MTA | Description | Recommended Resolution |
---|---|---|---|
421 | Sender address blocked. | A Blocked Senders Policy has blocked the sender's IP address. | Remove the entry from the policy. |
451 | Unable to process connection at this time. | The Mimecast server is under maximum load. | No action is required from the end user. The message will retry 30 times, and when server resources are available, the message is processed. |
451 | Internal resources are temporarily unavailable. | The sending mail server is subjected to Greylisting. This requires the server to retry the connection between one minute and 12 hours. Alternatively, the sender's IP address has a poor reputation. | An Auto Allow or Permitted Senders policy can bypass these reputation checks. If it's legitimate traffic, amend your Greylisting policy. |
451 | Message ended early. | The message was incorrectly terminated. This can be caused by: | Investigate the Intrusion Detection software or other SMTP protocol analyzers. If running a Cisco Firewall, ensure the MailGuard or SMTP Fixup module is disabled. |
451 | An open relay is not allowed. | The sender and recipient domains specified in the transmission are external to Mimecast. They aren't allowed to relay through the Mimecast service, and/or the connecting IP address isn't recognized as authorized. | Customers should contact Mimecast Support to add the Authorized Outbound address or take other remedial action. |
451 | Account outbounds disabled. | The customer account outbound emails are disabled in the Mimecast Administration Console. | Contact Mimecast Support if the account's outbound traffic should be allowed. |
451 | Account inbounds disabled. | The customer account Inbound emails are disabled in the Mimecast Administration Console. | Contact Mimecast Support if the account's inbound traffic should be allowed. |
451 | Account service is temporarily unavailable. | There are too many concurrent inbound connections for the account. The default is 20. | The IP address is automatically removed from the block list after five minutes. Continued invalid connections result in the IP being re-added to the block list. Ensure you don't route outbound or journal messages to Mimecast from an IP address that has yet to be authorized. |
451 | Recipient Temporarily Unavailable. | The Sender's IP address has been placed on the block list due to too many invalid connections. | The sender's mail server must retry the connection. The mail server performing the connection says the recipient address validation isn't responding. |
451 | Unable to process command. | Generic error if the reason is unknown. | Contact Mimecast Support. |
451 | Unable to process email at this time. | Generic error if the reason is unknown. | Contact Mimecast Support. |
451 | IP Temporarily Blacklisted. | You've reached your mail server's limit. | Wait and try again. The mail server won't accept any messages until you're under the limit. |
451 | The hostname is not authorized. | Omni Directional hostnames are enabled. | Disable Omni Directional hostnames. |
451 | The incorrect hostname used for inbounds. | The recipients' domains have MX records configured incorrectly. | Check and remove any MX records that point to hostnames with outbound references. Only Inbound smart hosts are supported on MX records. |
452 | Too many recipients. | The sending server issues more than 100 RCPT TO entries. By default, Mimecast only accepts 100 RCPT TO entries per message body (DATA). The error triggers the sending mail server to provide the DATA for the first 100 recipients before it provides the next batch of RCPT TO entries. | Most mail servers respect the transient error and treat it as a "truncation request." If your mail server, firewall, or on-site solution doesn't respect the error, you must ensure that at most 100 recipients are submitted. |
454 | TLS not available due to temporary reason | SMTP inbound TLS has been enabled but no SSL certificate (or no valid certificate) has been selected to be used. | Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS. Alternatively, ensure the certificates on the mail server haven't expired. If using a proxy server, ensure it isn't intercepting the traffic and modifying encryption parameters. |
These SMTP codes and reasons are communicated to the sending MTA. For a permanent failure, these details must be included in the Non-Delivery Report (NDR) generated by that mail server.
Solutions like SMTP Fix-Up / MailGuard and ESMTP inspection on Cisco Pix and ASA Firewalls do not respect the transient error. We advise you to disable this functionality.
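The 452 "truncation request" behavior from the table above, sketched from the sending side as an added example (not Mimecast code). `FakeMTA` and `deliver` are hypothetical names, and the receiver is a constructed stand-in that only models the 100-recipient limit and one permanent 550 rejection.

```python
# Added illustration, not Mimecast code. FakeMTA is a constructed stand-in for
# a receiver that enforces the 100-recipient limit described in the 452 row.
class FakeMTA:
    def __init__(self, limit=100, invalid=()):
        self.limit, self.invalid = limit, set(invalid)
        self.current, self.transactions = [], []

    def mail_from(self, sender):
        self.current = []                      # new envelope
        return 250, "OK"

    def rcpt_to(self, rcpt):
        if rcpt in self.invalid:
            return 550, "Invalid Recipient."
        if len(self.current) >= self.limit:
            return 452, "Too many recipients."
        self.current.append(rcpt)
        return 250, "OK"

    def data(self, body):
        self.transactions.append(self.current)  # message accepted for these
        self.current = []
        return 250, "OK"


def deliver(mta, sender, recipients, body):
    """Deliver to every recipient, treating 452 as a truncation request."""
    pending, bounced, retry_later = list(recipients), {}, []
    while pending:
        mta.mail_from(sender)
        accepted, next_batch = 0, []
        for i, rcpt in enumerate(pending):
            code, reason = mta.rcpt_to(rcpt)
            if code == 452 and accepted:
                next_batch = pending[i:]       # resend these after DATA
                break
            if 200 <= code < 300:
                accepted += 1
            elif 500 <= code < 600:
                bounced[rcpt] = f"{code} {reason}"  # permanent: report in NDR
            else:
                retry_later.append(rcpt)       # other 4xx: requeue, retry later
        if accepted:
            mta.data(body)
        pending = next_batch
    return bounced, retry_later
```

A sender that instead treats 452 as fatal for the whole message, or drops the recipients past the limit, loses mail that the receiving server only asked to have split.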
SMTP 5xx Error Codes
A 5xx error is returned if the server has encountered a permanent error and message delivery has failed. If you receive the errors listed below when sending a message to a Mimecast customer, contact the recipient's Mimecast Administrator. Mimecast can only deal with designated customer contacts.
Error 5xx codes are retry failures. The protocol rejects these connections, and the connection is logged in the Rejection Viewer. As the message is rejected in the protocol, it isn't retrievable from the Administration Console and must be resent once the issue is addressed.
Code | Reason Given to Sending MTA | Description | Recommended Resolution |
---|---|---|---|
501 | Invalid address. | The email address isn't a valid SMTP address. | The sender must resend the message to a valid internal email address. |
503 | User unknown. | The server has encountered a bad sequence of commands or requires authentication. | In a bad sequence, the commands were issued in the wrong order, usually because of a broken connection. If authentication is needed, enter your username and password. |
535 | Incorrect authentication data. | Messages submitted to SMTP port 587 require authentication. This error indicates the authentication details provided need to be corrected. | Check your authentication details match an internal email address in Mimecast with a corresponding Mimecast cloud password. Alternatively, consider sending the message on SMTP port 25. |
550 | Submitter failed to authenticate. | ||
550 | Administrative prohibition envelope blocked. | The sender's email address or domain has triggered a Blocked Senders Policy or an SPF hard rejection. | Delete or modify the Blocked Senders policy to exclude the sender address. |
550 | Anti-Spoofing policy - Inbound not allowed. | The message has triggered an Anti-Spoofing policy. | Create an Anti-Spoofing policy to take no action for the sender's address or IP address. |
550 | Rejected by header-based Anti-Spoofing policy. | ||
550 | Envelope blocked – User Entry. | A personal block policy is in place for the email address/domain. | Remove the email address/domain from the Managed Senders list. |
550 | Envelope blocked – User Domain Entry. | ||
550 | Rejected by header-based manually Blocked Senders - block for manual block. | ||
550 | Rejected by header-based Blocked Senders - Block policy for Header From. | A Block Sender Policy has been applied to reject emails based on the Header From or Envelope From address. | Delete or change the Blocked Senders policy. |
550 | Envelope Rejected - Block policy for Envelope from address. | ||
550 | < details of RBL > | The sender's IP address is listed in an RBL. The text displayed is specific to the RBL, which lists the sender's IP address. | Bypass the RBL with an Auto Allow or Permitted Senders policy. Additionally, request removal of the associated IP address from the RBL. |
550 | Local CT IP Reputation - (reject) | Ongoing reputation checks have resulted in the message being rejected due to poor IP reputation. This could occur after a 4xx error. | Create an Auto Allow or Permitted Senders policy. You can request a review of your source IP ranges by completing our online form. |
550 | Invalid Recipient. | Known recipient, LDAP, or SMTP call forwarding recipient validation checks have yet to return a valid internal user. | The sender must resend the message to a valid internal recipient address. |
550 | Exceeding outbound thread limit. | There are too many concurrent outbound connections for the account. | Send the messages in smaller chunks to recipients. |
550 | Message bounced due to Content Examination Policy. | The message has triggered a Content Examination policy. | Either create a Content Examination Bypass policy or adjust the Content Examination policy as required. |
550 | SPF Sender Invalid - envelope rejected. | The inbound message has been rejected because the originated IP address isn't listed in the published SPF records for the sending domain. | Ensure all the IP addresses for your mail servers are listed in your SPF records. Alternatively, create a DNS Authentication (Inbound / Outbound) policy with the Inbound SPF or Reject on Hard Fail option disabled. Messages that fail our SPF checks are subjected to spam and RBL checks instead of being rejected. |
550 | DKIM Sender Invalid - envelope rejected. | The DKIM key for the outbound message is broken and doesn't match the DNS record of the registered sender. | Check your organization's DNS record is populated with the right public key as part of the DNS Authentication Outbound Signing definition. The private key of the keypair must be populated in the DNS Authentication policy, along with the domain and selector of that record. |
550 | DMARC Sender Invalid - envelope rejected. | The inbound message has been rejected because the originated IP address isn't listed in the published SPF records for the sending domain. | Ensure all the IP addresses for your mail servers are listed in your SPF records. |
550 | Journal messages past the expiration. | Attempts are being made to journal mail past the set expiry threshold. A retry response will replace the failure because the message is marked for retry if rejected, causing the journal queue to grow. | Check to confirm there are no significant time discrepancies on the mail server. Discontinue journaling old messages past the expiry threshold. |
550 | The incorrect hostname used for inbounds. | The recipients' domains have MX records configured incorrectly. | Check and remove any MX records that point to hostnames with outbound references. Only Inbound smart hosts are supported on MX records. |
553 | This route requires encryption (TLS). | This email has been sent using SMTP, but TLS is required by policy. | Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS. Alternatively, ensure the certificates on the mail server haven't expired. If using a proxy server, ensure it isn't intercepting the traffic and modifying encryption parameters. |
553 | This route requires TLS version 1.2 or greater. | A TLS connection has been attempted using a TLS version lower than TLS 1.2. | Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS. Alternatively, ensure the mail server attempting to connect uses the appropriate TLS version. |
553 | This route requires high-strength ciphers. | A secure connection was attempted using ciphers that do not meet the configured cipher strength. | Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS. Alternatively, ensure the certificates on the mail server haven't expired. If using a proxy server, ensure it isn't intercepting the traffic and modifying encryption parameters. |
554 | Email rejected due to security policies (e.g., MCSpamSignature.x.x). | A signature could be a virus or a spam score over the maximum threshold. The spam score isn't available in the Administration Console. If you aren't a Mimecast customer but have emails rejected with this error code, contact the recipient to adjust their configuration and permit your address. If unsuccessful, your IT department can submit a request to review these email rejections via our Sender Feedback form. | Anti-virus checks cannot be bypassed. Contact the sender to see if they can stop these messages from being blocked. Anti-spam checks can be bypassed using a Permitted Senders or Auto Allow policy. Rejected emails can be viewed in your Outbound Activity by searching for the required email address. |
554 | Mail loop detected. | The message has too many Received Headers as it has been forwarded across multiple hops. Once 25 hops have been reached, the email is rejected. | Investigate the email addresses in the communication pairs to see what forwarders are configured on the mail servers. |
554 | Maximum email size exceeded. | The email size either exceeds an Email Size Limit policy or is larger than the Mimecast service limit. The default is 100 MB for the Legacy MTA and 200 MB for "the Latest MTA." | Resend the message, ensuring it's smaller than the limitation set. The transmission and content-encoding can add significantly to the total message size (e.g., a message with a 70 MB attachment can have an overall size larger than 100 MB). |
554 | Host network, not allowed. | The message has triggered a Geographical Restriction policy. | Delete or amend the policy. |
554 | Configuration is invalid for this certificate. | Validation on your umbrella account's domain name does not conform to your DNS. | Check your DNS has the required umbrella accounts listed as comma-separated values. |
These SMTP codes and reasons are communicated to the sending MTA. For a permanent failure, these details must be included in the Non-Delivery Report (NDR) generated by that mail server.