[MlMt] return code 554 (expected 250)

Bill Cole mmlist-20120120 at billmail.scconsult.com
Tue Sep 23 13:53:43 EDT 2014


On 22 Sep 2014, at 20:58, Paula R. T. Coelho wrote:

> ah! the only thing i can think of is that this started happening since 
> i arrived in Spain for a work meeting...

Which is indeed the likely explanation...

> On 23 Sep 2014, at 2:54, Paula R. T. Coelho wrote:
>
>> very weird problem...
>>
>> in the last 35 hours or so every time i try to send emails *from* two 
>> specific accounts (out of 4 in total), i get the following message:
>>
>> Unexpected return code 554 (expected 250):
>> “5.7.1 <164.Red-83-61-103.dynamicIP.rima-tde.net[83.61.103.164]>: 
>> Client host rejected: Access denied”.

Unpacking that:

554 is a standard reply code in SMTP used by a server to tell the client 
that its last command failed without specifying a particular cause, 
simply that the failure should be deemed persistent and that the same 
transaction should not be re-tried automatically.

5.7.1 is an "enhanced" code that can be used with any 55x reply code 
which indicates that the failure is due to an authorization failure 
(i.e. a policy restriction rather than a syntax error, non-existent 
recipient address, etc.)

The remaining text appears to be the IP address of your client machine 
preceded by the hostname it resolves to and the human language (of a 
sort) explanation of the reason for the failure. This form using the 
"Client host rejected" phrase is indicative of the Postfix MTA software 
applying a local access rule based solely on the IP address and/or 
hostname of the sending client machine.

In short: It looks like the SMTP server you were talking to does not 
accept mail from the Telefonica de España IP address you are 
(temporarily) using. That is likely to be a ban that includes most of 
the surrounding TdE network: either an IP range or due to the telltale 
generic pattern in the hostnames which indicates that they are assigned 
to TdE customers temporarily and dynamically.

It is worth noting that many (perhaps MOST) SMTP servers would reject 
mail from that network unless the client successfully authenticates to 
an authorized account. It has been used by TdE for dynamic assignments 
for many years and is (properly) listed on the most widely used DNS 
blacklists specializing in identifying such networks. Dynamically 
assigned addresses are widely distrusted as mail clients (absent 
authentication) because that's where most end-user PCs are, and hence 
where most spamware-compromised machines are.

>> at first i thought the problem was at the smtp server (the two 
>> accounts use the same smtp server but different login). but after so 
>> many hours, i suspected of it and tried to send email from the same 
>> problematic account via ipad and i did manage! mail.app has the same 
>> problem as mailmate though, so it is a problem related to my laptop.
>>
>> i swear the problem started out of the blue, i haven't changed 
>> anything... (that i can remember of).
>>
>> any thoughts? i'm lost...

There are 3 possibilities that come to mind:

1. This is just an unusual (and maybe unwise) configuration by your mail 
provider to absolutely reject mail from a network with a long history of 
sending spam, without making exceptions for authenticated customers. The 
only solutions in this case are to not use that network to send through 
that SMTP server or to persuade the provider to lift the ban.

2. There is something which you can fix with your connection and/or 
authentication settings for that SMTP server. This can be a problem in 
both Mail and MailMate if you imported slightly bad account settings 
from Mail into MailMate. One issue that can go unnoticed is if your 
provider's SMTP server is accessible both over the standard SMTP port 
(25) and the mail submission port (587) with subtly different policy 
rules applied. The MacOS Internet Accounts subsystem by which Mail 
configures its accounts uses a procedure for quietly figuring out what 
port and SSL/TLS settings work with a particular server which has a 
history of incorrectly preferring port 25 when in fact port 587 is a 
better choice. It is quite reasonable for a port 25 SMTP service to ban 
dynamic ranges outright if the provider also allows authenticated 
customers to submit mail using port 587. To fix that particular problem, 
you can explicitly change the account to explicitly use port 587. If 
your provider does not offer a 587 submission service, you'll simply get 
a failed connection and you can switch it back. I've also seen reports 
of Mail trying to send messages in a SMTP session even after it has 
failed to authenticate or to set up a SSL/TLS session to encrypt traffic 
but I don't think MailMate would ever do that, so I doubt the problem 
includes an authentication failure. It MAY be that neither program is 
attempting authentication because you don't have the account set to use 
it. That error could go unnoticed if this SMTP server is run by your 
usual connection provider, as it may not require authentication for IP 
address on their own network.

3. It is possible that the network you are connecting to directly is 
hijacking your attempts to connect to an external SMTP server and 
imposing a proxy between your machine and the server which breaks your 
ability to send mail. This is often done with a goal of blocking abuse 
of networks that provide unrestricted access to random visitors, but 
some of the most common "transparent" proxy implementations (e.g. 
Cisco's PIX & ASA firewalls) mangle SMTP so badly that it is impossible 
to do secure mail submission through them.


More information about the mailmate mailing list