zone-eu / zone-mta

📤 Modern outbound MTA cross platform and extendable server application
European Union Public License 1.2

icloud / proofpoint Unexpected MX error #301

Closed dazoot closed 2 years ago

dazoot commented 2 years ago
Feb 11 08:39:36 zmta1 zone-mta: info Sender/default/827[14] 17ee78226740009630.001 CONNECTED domain=icloud.com mx=mx01.mail.icloud.com[17.56.9.17] src=server[1.1.1.1]
Feb 11 08:39:37 zmta1 zone-mta: ERR! Sender/default/827[14] 17ee78226740009630.001 SMTPERR [zLjoL7dmg] src=1.1.1.1 error="Invalid greeting. response=554 5.7.0 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=1.1.1.1: 554 5.7.0 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=1.1.1.1"
Feb 11 08:39:37 zmta1 zone-mta: ERR! Sender/default/827[14] 17ee78226740009630.001 ERRCONNECT [zLjoL7dmg] Unexpected MX error. src=1.1.1.1 error="Invalid greeting. response=554 5.7.0 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=1.1.1.1: 554 5.7.0 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=1.1.1.1"
Feb 11 08:39:37 zmta1 zone-mta: info Sender/default/827[14] 17ee78226740009630.001 SMTPCLOSE [zLjoL7dmg] Closed prematurely src=1.1.1.1 response="554 5.7.0 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=1.1.1.1" connected=0.317s.
Feb 11 08:39:37 zmta1 zone-mta: info Sender/default/827[14] 17ee78226740009630.001 REJECTED[policy] from=nbounce-REDACTED@redacted.domain.tld to=REDACTED@icloud.com src=1.1.1.1 mx=icloud.com id=<20220211000000.111@redacted> (554 5.7.0 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=1.1.1.1)

Looks like icloud / proofpoint is giving a non-standard SMTP response greeting?

andris9 commented 2 years ago

It's a common way to respond to blacklisted IP addresses. Instead of sending 220... they send 5xx and close the connection. Once they have removed your IP from the list they start accepting connections again.

dazoot commented 2 years ago

The problem is that in this situation Zonemta triggers a bounce on try 1 REJECTED[policy] and does not go through the bounces.txt which states that for this situation the action is to defer.

andris9 commented 2 years ago

All bounce responses go through the same processor. What happens here is that this bounce is invalidly detected as policy, while it should be a blacklist entry. You can test those messages manually like this:

~/zone-mta $ echo '554 5.7.0 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=1.1.1.1' | node ./bin/check-bounce.js
data     : 554 5.7.0 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=1.1.1.1
action   : reject
message  : Unknown Security Or Policy Concern
category : policy
code     : 554
status   : 5.7.0
line     : 525

The script at ./bin/check-bounce.js (or the CLI command check-bounce if you have installed zone-mta globally) tells you how it categorizes that specific message.

dazoot commented 2 years ago

Great. I have updated bounces.txt to identify it as deferred and now I can reroute the mail.
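
The outcome discussed in this thread, as an added example that is not ZoneMTA's code and does not use the bounces.txt syntax: a 5xx line sent in place of the 220 greeting is classified by an ordered rule list, and a narrower DNSBL rule placed ahead of the generic 5.7.0 rule turns the first-try bounce into a deferral. The names `parseReply`, `classifyGreeting`, `genericRules` and `tunedRules` are hypothetical, and first-match ordering is an assumption.

```javascript
// Added illustration; the rule objects are hypothetical and are not
// ZoneMTA's bounces.txt syntax. Assumption: the first matching rule wins.

// Split an SMTP reply line into basic code, enhanced status and text.
function parseReply(line) {
  const m = /^(\d{3})[ -](?:(\d\.\d{1,3}\.\d{1,3})\s+)?(.*)$/.exec(line.trim());
  return m ? { code: Number(m[1]), status: m[2] || null, text: m[3] } : null;
}

// Generic rules: every 5.7.0 reply is a permanent policy rejection.
const genericRules = [
  { re: /^5\d\d 5\.7\.0\b/, action: 'reject', category: 'policy' },
  { re: /^4\d\d\b/, action: 'defer', category: 'other' },
  { re: /^5\d\d\b/, action: 'reject', category: 'other' }
];

// Same rules with a narrower DNSBL rule placed first, so a blocklisted
// sending IP is retried (or rerouted) instead of bounced on the first try.
const tunedRules = [
  {
    re: /^554 5\.7\.0 Blocked - see https:\/\/support\.proofpoint\.com\/dnsbl-lookup\.cgi\?ip=/,
    action: 'defer',
    category: 'blacklist'
  },
  ...genericRules
];

// Classify the first line a server sends after the TCP connection opens.
function classifyGreeting(line, rules) {
  const reply = parseReply(line);
  // Assumption: an unparseable greeting is retried rather than bounced.
  if (!reply) return { action: 'defer', category: 'unparsed' };
  if (reply.code === 220) return { action: 'proceed', category: 'greeting' };
  const rule = rules.find(r => r.re.test(line.trim()));
  return rule
    ? { action: rule.action, category: rule.category, code: reply.code, status: reply.status }
    : { action: 'defer', category: 'unknown', code: reply.code, status: reply.status };
}

// Response text taken from the log lines in this thread.
const sample = '554 5.7.0 Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=1.1.1.1';
console.log(classifyGreeting(sample, genericRules));
console.log(classifyGreeting(sample, tunedRules));
```

Keeping the DNSBL pattern narrow leaves other 5.7.0 replies, which usually are permanent policy rejections, classified as before.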