550 Delivery is not allowed to this address

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
Post Reply
User avatar
RvdH
Senior user
Senior user
Posts: 632
Joined: 2008-06-27 14:42
Location: Netherlands

550 Delivery is not allowed to this address

Post by RvdH » 2017-06-20 12:47

I have noticed something weird in my logs...

Is seems to be a read receipt, hence the empty sender address (MAIL FROM: <>)

Code: Select all

"SMTPD" 7252 108816 "2017-06-20 11:37:34.180" "[remote ipaddress]" "SENT: 220 mail.mailserver.com ESMTP"
"SMTPD" 7460 108816 "2017-06-20 11:37:34.211" "[remote ipaddress]" "RECEIVED: EHLO DELL-LAPTOP"
"SMTPD" 7460 108816 "2017-06-20 11:37:34.260" "[remote ipaddress]" "SENT: 250-mail.mailserver.com [nl]250-SIZE 40960000[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 7252 108816 "2017-06-20 11:37:34.292" "[remote ipaddress]" "RECEIVED: AUTH LOGIN"
"SMTPD" 7252 108816 "2017-06-20 11:37:34.292" "[remote ipaddress]" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 7460 108816 "2017-06-20 11:37:34.323" "[remote ipaddress]" "RECEIVED: [USERNAME]
"SMTPD" 7460 108816 "2017-06-20 11:37:34.323" "[remote ipaddress]" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 6416 108816 "2017-06-20 11:37:34.354" "[remote ipaddress]" "RECEIVED: [PASSWORD]
"SMTPD" 6416 108816 "2017-06-20 11:37:34.370" "[remote ipaddress]" "SENT: 235 authenticated."
"SMTPD" 7252 108816 "2017-06-20 11:37:34.416" "[remote ipaddress]" "RECEIVED: MAIL FROM: <>"
"SMTPD" 7252 108816 "2017-06-20 11:37:34.432" "[remote ipaddress]" "SENT: 250 OK"
"SMTPD" 6416 108816 "2017-06-20 11:37:34.463" "[remote ipaddress]" "RECEIVED: RCPT TO: <info@remoteaddress.com>"
"SMTPD" 6416 108816 "2017-06-20 11:37:34.463" "[remote ipaddress]" "SENT: 550 Delivery is not allowed to this address."
"SMTPD" 7460 108816 "2017-06-20 11:37:37.006" "[remote ipaddress]" "RECEIVED: QUIT"
"SMTPD" 7460 108816 "2017-06-20 11:37:37.006" "[remote ipaddress]" "SENT: 221 goodbye"
As the user authenticated successfully I assumed this would be treated as being a "local" address

Anyone has a idea what the problem can be?


Note: 'Allow empty sender address' is checked in SMTP protocol settings
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
jimimaseye
Moderator
Moderator
Posts: 7755
Joined: 2011-09-08 17:48

Re: 550 Delivery is not allowed to this address

Post by jimimaseye » 2017-06-20 13:02

I think it is right.

The absence of the FROM address means there is not a match to a local domain and therefore this is being seen as an EXTERNAL to EXTERNAL delivery. I wouldnt expect being authenticated as making any difference except in whether you 'Allow Ext to Ext With Authentication'. (Authentication taking place only really determines whether you are trusted or not and therefore exempts you from Spam checking).

One could argue that authenticating should then assume an empty FROM is a local domain but then you could argue "what if it isnt?" - it would then be wrong to make such an assumption.

I presume if you have DEFAULT DOMAIN set then it wouldnt happen. Does it?
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
RvdH
Senior user
Senior user
Posts: 632
Joined: 2008-06-27 14:42
Location: Netherlands

Re: 550 Delivery is not allowed to this address

Post by RvdH » 2017-06-20 13:06

jimimaseye wrote:I think it is right.

The absence of the FROM address means there is not a match to a local domain and therefore this is being seen as an EXTERNAL to EXTERNAL delivery. I wouldnt expect being authenticated as making any difference except in whether you 'Allow Ext to Ext With Authentication'. (Authentication taking place only really determines whether you are trusted or not and therefore exempts you from Spam checking).

One could argue that authenticating should then assume an empty FROM is a local domain but then you could argue "what if it isnt?" - it would then be wrong to make such an assumption.
this post says otherwise
jimimaseye wrote: I presume if you have DEFAULT DOMAIN set then it wouldnt happen. Does it?
No idea...will have to try that
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
jimimaseye
Moderator
Moderator
Posts: 7755
Joined: 2011-09-08 17:48

Re: 550 Delivery is not allowed to this address

Post by jimimaseye » 2017-06-20 13:19

RvdH wrote:
jimimaseye wrote:I think it is right.

The absence of the FROM address means there is not a match to a local domain and therefore this is being seen as an EXTERNAL to EXTERNAL delivery. I wouldnt expect being authenticated as making any difference except in whether you 'Allow Ext to Ext With Authentication'. (Authentication taking place only really determines whether you are trusted or not and therefore exempts you from Spam checking).

One could argue that authenticating should then assume an empty FROM is a local domain but then you could argue "what if it isnt?" - it would then be wrong to make such an assumption.
this post says otherwise
Good spot. So the action does seem to counter the intention according to that post in 2009. Heres a thought though: early versions of HMS didnt refer to LOCAL as by domain. And that is bourne out by his comment:
In version 4.x and 5.0, a sender is considered local if he is sending from a local account address OR or if he has authenticated.
But now we have it purely based on DOMAIN existence - something that we acknowledge and adhere to every day (as written in the documentation too). In the *old days* there were only 2 or 3 combinations for 'allow deliveries', now there are 4 combinations - a sign that these versions do things differently. My conclusion is that martins post (referenced) in 2009 belongs to old functionality and doesnt fit the current methods.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
RvdH
Senior user
Senior user
Posts: 632
Joined: 2008-06-27 14:42
Location: Netherlands

Re: 550 Delivery is not allowed to this address

Post by RvdH » 2017-06-20 13:24

Spot on!

I have been looking in the source, no reference to authentication whatsoever

Code: Select all

   /*
      Returns true if 
      - the domain-part of the email matches an active local domain.
      - the sender address matches a route address.
   */
   bool
   SMTPConnection::GetIsLocalSender_()
   {
       if (sender_domain_ && sender_domain_->GetIsActive())
          return true;

       const String senderAddress = current_message_->GetFromAddress();

       String senderDomainName = StringParser::ExtractDomain(senderAddress);
       std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

       if (route)
       {
          if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
          {
             if (route->GetTreatSenderAsLocalDomain())
                return true;
          }
       }       

       // Does not match a local domain or route.
       return false;
   }
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
RvdH
Senior user
Senior user
Posts: 632
Joined: 2008-06-27 14:42
Location: Netherlands

Re: 550 Delivery is not allowed to this address

Post by RvdH » 2017-06-20 13:26

So basically my only option is to enable external to external deliveries for the internet ip-range (with authentication only!)?

That doesn't sound right, does it?
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
jimimaseye
Moderator
Moderator
Posts: 7755
Joined: 2011-09-08 17:48

Re: 550 Delivery is not allowed to this address

Post by jimimaseye » 2017-06-20 13:30

Reckon so. Or dont have blank FROMs if possible. (Cant you do "donotreply@localdomain" instead?) Although technically not against the rules or wrong, blank FROMs are not that common and are frowned upon by some systems. (Even HMS has the option to allow them or not).

Or a script that looks for these mails and changes/recofigures the outgoing email accordingly? (Hard work though).
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
RvdH
Senior user
Senior user
Posts: 632
Joined: 2008-06-27 14:42
Location: Netherlands

Re: 550 Delivery is not allowed to this address

Post by RvdH » 2017-06-20 13:35

The blank FROM addresses are caused by Outlook, not much i can do about that i guess

Maybe i should 'fix' the code ;)

Code: Select all

   /*
      Returns true if 
      - the domain-part of the email matches an active local domain.
      - the sender address matches a route address.
      - the sender is authenticated
   */
   bool
   SMTPConnection::GetIsLocalSender_()
   {
       if (isAuthenticated_)
          return true;
         
       if (sender_domain_ && sender_domain_->GetIsActive())
          return true;

       const String senderAddress = current_message_->GetFromAddress();

       String senderDomainName = StringParser::ExtractDomain(senderAddress);
       std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

       if (route)
       {
          if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
          {
             if (route->GetTreatSenderAsLocalDomain())
                return true;
          }
       }       

       // Does not match a local domain or route.
       return false;
   }
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
jimimaseye
Moderator
Moderator
Posts: 7755
Joined: 2011-09-08 17:48

Re: 550 Delivery is not allowed to this address

Post by jimimaseye » 2017-06-20 13:46

What would the FROMADDRESS be? If the receiving server doesnt like blank FROM addresses and it bounces/rejects, then who will get the NDR? mailer_daemon@theauthenticationdomain ?
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
RvdH
Senior user
Senior user
Posts: 632
Joined: 2008-06-27 14:42
Location: Netherlands

Re: 550 Delivery is not allowed to this address

Post by RvdH » 2017-06-20 13:55

I just did a test here, Outlook 2013....the read receipt is send with FROM address ....what the hell?
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
jimimaseye
Moderator
Moderator
Posts: 7755
Joined: 2011-09-08 17:48

Re: 550 Delivery is not allowed to this address

Post by jimimaseye » 2017-06-20 13:58

Google it and you will see LOADS of entries moaning about blanks in Outlook 2016.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
RvdH
Senior user
Senior user
Posts: 632
Joined: 2008-06-27 14:42
Location: Netherlands

Re: 550 Delivery is not allowed to this address

Post by RvdH » 2017-06-20 14:06

God damn, typically Microsoft :evil:
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
mattg
Moderator
Moderator
Posts: 19437
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: 550 Delivery is not allowed to this address

Post by mattg » 2017-06-20 14:07

FWIW I have allow external to external with Auth on my internet IP range, and have always done that, but then I have a script that says that FROM must equal the Authenticated account

There is also a SMTP >> RFC setting about 'allow empty sender address'
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
RvdH
Senior user
Senior user
Posts: 632
Joined: 2008-06-27 14:42
Location: Netherlands

Re: 550 Delivery is not allowed to this address

Post by RvdH » 2017-06-20 14:10

Can a script help here? I mean to fix outlook's 2016 behaviour...
Something like...

Code: Select all

OnSMTPData

If oClient.Username <> "" And Message.FromAddress = "" Then

      ... add FromAddress header with value from oClient.Username 

end if
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
RvdH
Senior user
Senior user
Posts: 632
Joined: 2008-06-27 14:42
Location: Netherlands

Re: 550 Delivery is not allowed to this address

Post by RvdH » 2017-06-20 15:03

mattg wrote:FWIW I have allow external to external with Auth on my internet IP range, and have always done that, but then I have a script that says that FROM must equal the Authenticated account

There is also a SMTP >> RFC setting about 'allow empty sender address'
me too for the script part, i use this one: viewtopic.php?t=25938
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
RvdH
Senior user
Senior user
Posts: 632
Joined: 2008-06-27 14:42
Location: Netherlands

Re: 550 Delivery is not allowed to this address

Post by RvdH » 2017-06-20 22:27

This code seems to be working, any interest in a pull request for this functionality?

Code: Select all

   /*
      Returns true if 
      - the domain-part of the email matches an active local domain.
      - the sender address matches a route address.
      - the sender is authenticated and the domain-part of the username matches an active local domain and no default domain is set
   */
   bool
   SMTPConnection::GetIsLocalSender_()
   {
	   String sDefaultDomain = Configuration::Instance()->GetDefaultDomain();

	   if (sDefaultDomain.IsEmpty())
	   {
		   auth_domain_ = CacheContainer::Instance()->GetDomain(StringParser::ExtractDomain(username_));
		   if (isAuthenticated_ && auth_domain_ && auth_domain_->GetIsActive())
		          return true;
	   }

	   if (sender_domain_ && sender_domain_->GetIsActive())
           return true;

       const String senderAddress = current_message_->GetFromAddress();

       String senderDomainName = StringParser::ExtractDomain(senderAddress);
       std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

       if (route)
       {
          if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
          {
             if (route->GetTreatSenderAsLocalDomain())
                return true;
          }
       }       

       // Does not match a local domain or route.
       return false;
   }
Although it could be as simple as this as the domain has to be active to be able to authenticate

Code: Select all

   /*
      Returns true if 
      - the domain-part of the email matches an active local domain.
      - the sender address matches a route address.
      - the sender is authenticated and no default domain is set
   */
   bool
   SMTPConnection::GetIsLocalSender_()
   {
	   String sDefaultDomain = Configuration::Instance()->GetDefaultDomain();

	   if (sDefaultDomain.IsEmpty() && isAuthenticated_)
		  return true;

	   if (sender_domain_ && sender_domain_->GetIsActive())
          return true;

       const String senderAddress = current_message_->GetFromAddress();

       String senderDomainName = StringParser::ExtractDomain(senderAddress);
       std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

       if (route)
       {
          if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
          {
             if (route->GetTreatSenderAsLocalDomain())
                return true;
          }
       }       

       // Does not match a local domain or route.
       return false;
   }
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
mattg
Moderator
Moderator
Posts: 19437
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: 550 Delivery is not allowed to this address

Post by mattg » 2017-06-20 23:57

Perhaps allowed by IP range for security purposes
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
RvdH
Senior user
Senior user
Posts: 632
Joined: 2008-06-27 14:42
Location: Netherlands

Re: 550 Delivery is not allowed to this address

Post by RvdH » 2017-06-21 08:42

mattg wrote:Perhaps allowed by IP range for security purposes
That is a bit tricky, as i have no control on who of our clients is using Outlook 2016 (quite a few after inspecting the logs)

It could be a ini setting though, eg:

Code: Select all

	   String sDefaultDomain = Configuration::Instance()->GetDefaultDomain();

	   if (IniFileSettings::Instance()->GetAuthUserIsLocal() && sDefaultDomain.IsEmpty() && isAuthenticated_)
		  return true;
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
RvdH
Senior user
Senior user
Posts: 632
Joined: 2008-06-27 14:42
Location: Netherlands

Re: 550 Delivery is not allowed to this address

Post by RvdH » 2017-07-04 10:07

I finally took the time to setup a VM to test this behavior with Office 2016, this are the headers of such read receipt:

Code: Select all

Return-Path: 
Delivered-To: ruud@domainname.nl
Received: from VM (domainname.nl [IPADDRESS])
	by mailserver with ESMTPSA
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)
	; Tue, 4 Jul 2017 01:52:26 +0200
X-AuthUser: test@domainname.nl
From: "Test" <test@domainname.nl>
To: "Ruud" <ruud@domainname.nl>
In-Reply-To: <!&!AAAAAAAAAAAYAAAAAAAAAIOCMpPt0C5Dt51z6h2ej6jCgAAAEAAAAEOa6LbvhRdOqWY6Ez+R5EUBAAAAAA==@domainname.nl>
Subject: Gelezen: test (Gelezen = Read translated in English)
Date: Tue, 4 Jul 2017 01:52:21 +0200
Message-ID: <002401d2e9fe$bba874b0$32f95e10$@domainname.nl>
MIME-Version: 1.0
Content-Type: multipart/report;
	report-type=disposition-notification;
	boundary="----=_NextPart_000_0025_01D2EA0F.7F3144B0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQG2hQXtQCJgCKkX1fR7WmxXU6IBSaJm8v78
As the Return-Path is blank it is more then likely the oMessage.FormAddress value is empty on such read receipt, eg: that's why it is failing
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

Post Reply