A study of the typical SMTP error "550 5.7.1 Unable to relay user@domain.com"
----------------------------------------------------------------
The information in this article applies to:
- Microsoft Exchange 2000 Server
----------------------------------------------------------------
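Symptoms:
How this class of error shows up (for each case, the environment in which the error occurs, then the detailed error report):
Environment: Mail can be sent to external addresses (such as user@Sohu.com) from the Outlook client, but not from the Outlook Express client.
Detailed error report: Outlook Express displays an error dialog saying "An error occurred while processing the requested tasks".
Error description:
The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was "zhengyun_ustc@XXX.com". Subject: 'test'; Account: 'mailserver'; Server: 'mailserver'; Protocol: SMTP; Server Response: '550 5.7.1 Unable to relay for zhengyun_ustc@XXX.com'; Port: 25; Secure (SSL): No; Server Error: 550; Error Number: 0x800CCC79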
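Environment: In a VBScript script, sending mail outward through an explicitly specified SMTP server fails with error number 0x8004020F;
without specifying an SMTP server, the default Pickup method, in which the local SMTP Service sends the mail outward, works.
(A sample script is given in Appendix A.)
Detailed error report: An error dialog titled "Windows Script Host" appears. The error description reads:
Error:
the Server rejected one or more recipient address.The server response was:550 5.7.1 Unable to relay for zhengyun_ustc@XXX.com
Code:
8004020F
The 5.7.1 error number is usually accompanied by Event IDs 1709 and 1710 in the Application log: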
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1709
Date: 9/6/2000
Time: 5:21:28 AM
User: N/A
Computer: SERVERNAME
Description: An SMTP client did not authenticate before attempting to send mail. Access was denied. Data: 0000: 05 00 07 80 ...?
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1710
Date: 9/5/2000
Time: 3:31:03 PM
User: N/A
Computer: SERVERNAME
Description: An SMTP client authenticated as user "NT AUTHORITY\ANONYMOUS LOGON" attempted to send as "User.one@domain.edu". Access was denied because the authenticated client does not have permission to Send As this SMTP address. Data: 0000: 05 00 07 80 ...?
Environment: Sending mail to a remote domain that does not allow relaying
Detailed error report, from the Non-Delivery Report (NDR):
The following recipient(s) could not be reached:
User@Remotedomain.com on 1/6/00 7:58 PM
The originator does not have permission to submit message dns;Wsilver.com failed 5.7.1 smtp;550 5.7.1 Unable to relay for User@Remotedomain.com
First, what the error numbers reported above mean.
Definition of error number 0x8004020F:
See the error number definitions of CDO for Exchange 2000 or CDO for Windows 2000:
Error Name: CDO_E_RECIPIENTS_REJECTED
Value: 0x8004020FL
Remarks: The server rejected one or more recipient addresses. The server response was: %1.
Definition of error number 5.7.1:
DSN (Delivery Status Notifications in Exchange 2000 Server) describes three cases:
- Success (as 2.<X.X> numerical codes)
- Persistent transient failure (as 4.<X.X> numerical codes)
- Permanent failures (as 5.<X.X> numerical codes)
For the detailed definitions, see RFC 1891 and RFC 1893.
Numerical Code: 5.7.1:
Possible Cause:
- General access denied, sender access denied - the sender of the message does not have the privileges necessary to complete delivery.
- You are trying to relay your mail via another SMTP server and it does not permit you to relay.
- The recipient might have mailbox delivery restrictions enabled. For example, a recipient's mailbox delivery restriction was set to receive from a Distribution List only and non-member's email will be rejected with this error.
Troubleshooting: Check system privileges and attributes for the contact and
retry the message. Also make sure you are running Exchange 2000 Service Pack
1 or later for other potential known issues.
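The status-code scheme above, applied to the reply lines quoted on this page (an added Python example, not part of the original article or of Exchange). It parses a reply or NDR diagnostic line, checks that the enhanced code's class agrees with the reply code, and sorts the line into relay denied, authentication required, or another failure; the function names parse_reply and triage and the category names are assumptions of this example.

```python
import re

# DSN classes as listed above.
DSN_CLASS = {2: "success", 4: "persistent transient failure", 5: "permanent failure"}
# <3-digit reply code><" " or "-">[<class.subject.detail> ]<text>
REPLY_RE = re.compile(r"^(?P<code>[2-5]\d\d)(?P<sep>[ -]|$)"
                      r"(?:(?P<dsn>[245]\.\d{1,3}\.\d{1,3})(?:\s+|$))?(?P<text>.*)$")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\w")
SAMPLES = [  # reply and NDR lines quoted on this page, reused as sample input
    "550 5.7.1 Unable to relay for zhengyun_ustc@XXX.com",
    "505 Error:Client was not authenticated",
    "dns;Wsilver.com failed 5.7.1 smtp;550 5.7.1 Unable to relay for User@Remotedomain.com",
]


def parse_reply(line):
    """Parse one SMTP reply line; return None if it is not a reply."""
    m = REPLY_RE.match(line.strip())
    if not m:
        return None
    code = int(m["code"])
    dsn = tuple(int(p) for p in m["dsn"].split(".")) if m["dsn"] else None
    return {
        "code": code, "dsn": dsn, "text": m["text"],
        "continued": m["sep"] == "-",  # "250-..." means more lines follow
        # The enhanced code's class digit must agree with the reply code's first digit.
        "consistent": dsn is None or dsn[0] == code // 100,
    }


def triage(line):
    """Return (category, rejected_recipient); NDR lines carry the reply after "smtp;"."""
    reply = parse_reply(line.rsplit("smtp;", 1)[-1])
    if reply is None:
        return ("not-a-reply", None)
    if reply["code"] < 400:
        return ("ok", None)
    text = reply["text"].lower()
    addr = ADDR_RE.search(reply["text"])
    rcpt = addr.group(0) if addr else None
    if reply["dsn"] and reply["dsn"][1:] == (7, 1):  # X.7.1: delivery not authorized
        return ("relay-denied" if "relay" in text else "policy-denied", rcpt)
    if "authenticat" in text:
        return ("auth-required", rcpt)
    return (DSN_CLASS[reply["code"] // 100], rcpt)


if __name__ == "__main__":
    print([triage(s) for s in SAMPLES])
```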
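Appendix A:
' Send through a named SMTP server over the network instead of the local pickup directory.
Dim objMessage
Set objMessage = CreateObject("CDO.Message")
With objMessage
    .From = "User@XXX.com"
    .To = "zhengyun_ustc@XXX.com"
    .TextBody = "body"
    .Subject = "Subject"
    With .Configuration
        .Fields("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 'cdoSendUsingPort
        .Fields("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mailserver.tomocorp.com"
        ' The cdoSMTPServerPort constant is not defined in a plain WSH script, so the full field name is used.
        .Fields("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
        .Fields.Update
    End With
End With
' Raises 8004020F when the server refuses to relay for the recipient.
objMessage.Send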
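Causes and solutions:
Several possible causes of the error:
First explanation:
"XCON: NDRs May Result Based on SMTP Configuration" [Q274638] gives an explanation that applies to Exchange:
A 5.7.1 error can occur because the "allow computers which successfully authenticate to relay" check box is not selected in the settings of the SMTP virtual server in Exchange System Manager. To check it:
First open the Access tab of the SMTP Virtual Server property sheet.
Then click the "Relay" button and see whether "Allow all computers which successfully authenticate to relay, regardless of the list above" is selected.
Or DNS may not be configured correctly. Make sure the MX records point to the correct SMTP virtual server. If DNS is not configured correctly, an incoming SMTP connection may connect at random to the wrong SMTP virtual server.
The recipient's e-mail address may also not match the existing recipient policies.
Solution: configure the DNS MX records correctly;
allow computers that authenticate successfully to relay;
let all SMTP virtual servers allow anonymous access.
Then restart these virtual servers, the SMTP service, the Routing Engine service and so on for the settings to take effect.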
Second explanation:
"OL2000: SMTP Relay Blocking Error Sending E-mail" [Q214402] gives this explanation:
- You are logged in to a Local Area Network (LAN) that has an Internet gateway and attempt to send e-mail through an Internet Service Provider's SMTP gateway.
- You are logged onto an Internet Service Provider (ISP) and attempt to send e-mail through another Internet Service Provider's SMTP gateway.
- You are using a cable modem or ADSL to get to another Internet Service Provider and attempt to send e-mail through that ISP's SMTP gateway.
This problem is caused by the ISPs' settings; ISPs do this to prevent spam. For example, the SMTP services of SOHU and Sina use the ESMTP command set; to send mail through these servers you must first authenticate, otherwise you get the responses shown below:
SOHU's response:
220 smtp01.sohu.com ESMTP
250 smtp01.sohu.com
505 Error:Client was not authenticated
Sina's response:
220 sina.com ESMTP
250 sina.com
553 -------------------------------------------------------
SMTP登录出错。
-------------------------------------------------------------
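Third explanation:
"XCON: SMTP Clients Receive Relaying Prohibited Error Message" [Q295164] gives one explanation: there may be a Cisco firewall between the Outlook Express client and the server, and SMTP inspection is enabled on that firewall.
(Extension to SMTP (ESMTP) commands can also be removed by Pix firewall software.)
Solution: do not let the firewall perform SMTP inspection.
Fourth explanation:
"XCON: Misleading NDR Sending to Remote Domain" [Q262354] says that the Remote Domain may also have prohibited relaying for the Sending Domain. In other words, it is the remote side that prohibits this behaviour, not the local server.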
A document with more detailed troubleshooting steps:
"Health Monitor Is Unable to Send E-Mail via Local SMTP Server" [Q280043] gives fairly detailed checking steps; only two of its checkpoints are listed here:
- Verify the Binding Order
- Verify the Relay Settings for the Exchange SMTP Virtual Server
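Summary:
This "Unable to relay user@externaldomain.com" error is usually by design. That is, to prevent Unsolicited Commercial E-Mail (UCE) on the Internet, Microsoft's SMTP service by default does not allow a message to be relayed through it to an external e-mail address.
For details, see the "SMTP Service Release Notes".
The following is an excerpt from them: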
------------------------------------------------------------
Restrictions on Relaying Mail Through Microsoft SMTP Service
------------------------------------------------------------
Because of the growing problem on the Internet concerning Unsolicited Commercial
E-Mail (UCE), Microsoft SMTP Service, by default, does not allow mail to be
relayed through it to an external e-mail address. Mail addressed to any domain
not configured for the SMTP site is rejected with the error "550 Unable to relay
for <mail address>." To allow mail to be relayed from specific IP
addresses, change the settings in the "Relay Restrictions" section of the
"Directory Security" property sheet.
NOTE: Changing the settings to allow unrestricted relay through your SMTP server
on the Internet makes your site a prime target for UCE. UCE can consist of
special offers, commentaries, or any message a sender wants to convey to as many
recipients as possible across the Internet. Often, senders relay UCE through
well-known, trusted servers on the Internet to make messages appear as though
they originated from a trusted host, or to make it difficult to determine the
origin of the messages.
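The relay settings discussed in the first explanation and in the release notes above, as a simplified decision model (an added Python example, not code from the article, Exchange or the SMTP service). The class and field names, the order of the checks, the model's default values and the sample addresses are assumptions; the model shows which combinations produce "550 5.7.1 Unable to relay" and which turn the server into an open relay.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RelayPolicy:
    """Simplified model of the relay settings; all names here are hypothetical."""
    local_domains: set  # domains configured for the SMTP site
    listed_networks: list = field(default_factory=list)
    only_listed: bool = True  # True: only the listed computers; False: all except the list
    allow_authenticated: bool = True  # "Allow all computers which successfully authenticate to relay"

    def ip_may_relay(self, client_ip):
        listed = any(ip_address(client_ip) in ip_network(n) for n in self.listed_networks)
        return listed if self.only_listed else not listed

    def rcpt_to(self, client_ip, authenticated, rcpt):
        """Return the reply this model gives to RCPT TO:<rcpt>."""
        if rcpt.rsplit("@", 1)[-1].lower() in self.local_domains:
            return "250 OK"  # delivery to a local domain is not relaying
        if self.ip_may_relay(client_ip):
            return "250 OK"
        if authenticated and self.allow_authenticated:
            return "250 OK"
        return f"550 5.7.1 Unable to relay for {rcpt}"

    def is_open_relay(self):
        """True if an unauthenticated outside host may relay to a foreign domain."""
        # 203.0.113.7 and external.invalid are constructed probe values.
        return self.rcpt_to("203.0.113.7", False, "probe@external.invalid").startswith("250")


def demo():
    """Constructed scenarios: the Outlook Express case from the page and variants."""
    restricted = RelayPolicy(local_domains={"xxx.com"})
    wide = RelayPolicy(local_domains={"xxx.com"}, only_listed=False)
    return {
        "anonymous_external": restricted.rcpt_to("192.0.2.10", False, "user@sohu.com"),
        "anonymous_local": restricted.rcpt_to("192.0.2.10", False, "zhengyun_ustc@XXX.com"),
        "authenticated_external": restricted.rcpt_to("192.0.2.10", True, "user@sohu.com"),
        "restricted_is_open_relay": restricted.is_open_relay(),
        "all_except_empty_list_is_open_relay": wide.is_open_relay(),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```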