This page
Other pages
Account
You are viewing an old version of this page. View the current version.
Compare with Current |
View Page History
554 5.7.1 Delivery not authorized
Question
I tried to send MIT email and got an email error "554 5.7.1", what does it mean?
554 5.7.1 Delivery not authorized
554 5.7.1 You are not allowed to connect
Answer
It probably means that MIT's spam filter blocked the mail.
Knowing why the mail was blocked is harder - our spam filter (Symantec Brightmail) can block various messages for various reasons.
Symantec's official answer to the topic is here:
http://www.symantec.com/docs/TECH169847 - Message Rejected with SMTP Code 554. 5.7.1
MIT-specific answer
While Symantec's official answer gives a few bullet points for people to work through, we will comment that the most common situations encountered by IS&T Customer Support are:
- problems with the sender's reputation
- problems with the sender's DNS.
Sender's Reputation
When a sending site connects to MIT to submit mail, MIT's spam filter does some lookups based on the IP address of the connecting site. If the spam filter determines that the sender's IP address has a "negative reputation", it will reject the mail with a 554 5.7.1 error.
To investigate problems with the sender's reputation, consult
http://ipremoval.sms.symantec.com/lookup/
Sender's DNS
In addition to considering the reputation of the sender's IP address, MIT's spam filter also checks to see if the sender has configured reverse DNS for their IP address. Loosely speaking, MIT requires that the sender have a properly-configured hostname, and treats them as a spammer if they do not.
The more technically correct description is that MIT's spam filter checks for "Forward-confirmed reverse DNS". It does a reverse-DNS lookup on the sender's IP address to check for a PTR record, then uses the hostname from the PTR record for a regular forward-DNS lookup, and checks that the resulting IP address matches the original.
Other considerations
Diagnosing these problems can be difficult, because mail errors do not always give a good report of IP addresses. The sender may not know the IP address of their edge mail servers.
One approach is to ask the sender to send a test message to a non-MIT site like Gmail. Once the test message is received, we can use "show original" to view the Received headers, which will reveal IP addresses of mail servers.
Example of error message
Here is an example of this kind of mail error; see "554 5.7.1 Delivery not authorized" at the bottom.
----- The following addresses had permanent fatal errors
-----<username@mit.edu> <username@mit.edu>
(reason: 554 5.7.1 Delivery not authorized)
----- Transcript of session follows -----
... while talking to dmz-mailsec-scanner-8.mit.edu.:
<<< 554 5.7.1 Delivery not authorized
... while talking to dmz-mailsec-scanner-1.mit.edu.:
<<< 554 5.7.1 Delivery not authorized
... while talking to dmz-mailsec-scanner-6.mit.edu.:
<<< 554 5.7.1 Delivery not authorized
554 5.0.0 Service unavailable
Reporting-MTA: dns; xxxxx.yyyyy.zzz
Received-From-MTA: DNS; www.xxxxx.yyyyy.zzz
Arrival-Date: Thu, 2 Feb 2012 14:01:15 -0500 (EST)
Final-Recipient: RFC822; username@mit.edu
Action: failed
Status: 5.5.0
Diagnostic-Code: SMTP; 554 5.7.1 Delivery not authorized
Last-Attempt-Date: Thu, 2 Feb 2012 14:01:16 -0500 (EST)
How to check DNS
You can use nslookup or host or other tools to check to see if an IP address reverse-resolves.
$ host 18.70.0.160
160.0.70.18.in-addr.arpa domain name pointer W20NS.MIT.EDU.
