Re: [exim] 454 Error

Top Page
Delete this message
Reply to this message
Author: Richard James Salts
Date:  
To: exim-users
Subject: Re: [exim] 454 Error
On Wed, 27 Jul 2016 12:50:59 PM Viktor Dukhovni wrote:
> On Tue, Jul 26, 2016 at 05:34:34PM -0700, Mike Kadin wrote:
> > help.uber.com is a CNAME to frontends.uber.com which is a CNAME to
> > frontends-sjc1.uber.com which has an MX record of mx.sendgrid.net.
> > Sendgrid is our inbound SMTP provider:
> > ...
> > help.uber.com. 60 IN CNAME frontends.uber.com.
> > frontends.uber.com. 60 IN CNAME frontends-sjc1.uber.com.
> > frontends-sjc1.uber.com. 300 IN MX 0 mx.sendgrid.net.
> > ```
> > Delivery Host: mx.sendgrid.net
> > Delivery IP: 167.89.125.4
> > Size: 39.83 KB
> > Result: 25: SMTP error from remote mail server after RCPT TO:<
> > test123@???>: 454 4.7.1 <test123@???>: Relay
> > access denied
> > ```
>
> Note that the DSN code is "4.7.1", which is:
>
>     https://tools.ietf.org/html/rfc3463

>
>       X.7.1   Delivery not authorized, message refused

>
>          The sender is not authorized to send to the destination.  This
>          can be the result of per-host or per-recipient filtering.  This
>          memo does not discuss the merits of any such filtering, but
>          provides a mechanism to report such.  This is useful only as a
>          permanent error.

>
> When I send a probe to <postmaster@???>, I get:
>
>     Reporting-MTA: dns; mournblade.imrryr.org
>     X-Postfix-Queue-ID: 23C8D284F25
>     X-Postfix-Sender: rfc822; exim-users@???
>     Arrival-Date: Wed, 27 Jul 2016 12:46:05 +0000 (UTC)

>
>     Final-Recipient: rfc822; postmaster@???
>     Original-Recipient: rfc822;postmaster@???
>     Action: deliverable
>     Status: 2.1.5
>     Remote-MTA: dns; mx.sendgrid.net
>     Diagnostic-Code: smtp; 250 2.1.5 Ok

>
> So the issue sure looks like sendgrid is blocking the sending host,
> envelope sender domain, or specific recipient address.


This is because postfix and exim differ on where the mail should be sent.
http://cr.yp.to/im/cname.html explains the problem: sendmail accepts a domain
with a CNAME record. It replaces the domain with the CNAME value before using
it in RCPT, unless it is acting as a dumb client. Similar comments apply to
qmail and other mailers.