Digg VS 玩聚

SMTP典型错误:“550 5.7.1 Uable to relay user@domain.com” 的研究

----------------------------------------------------------------

The information in this article applies to:

  - Microsoft Exchange 2000 Server

----------------------------------------------------------------

现象：

同类错误的表象:

错误发生的环境	详细错误报告
能够从Outlook客户端向外发送邮件(如user@Sohu.com)，但是从Outlook Express客户端却不能这么做	OutlookExpress弹出一个错误对话框，说“处理所需任务时出错”。 错误描述： 由于服务器拒绝收件人之一，无法发送邮件。被拒绝的电子邮件地址是“zhengyun_ustc@XXX.com”。主题'test'；账户：'mailserver'，服务器：'mailserver'，协议：SMTP，服务器响应：'550 5.7.1 Unable to relay for zhengyun_ustc@XXX.com'，端口：25，安全（SSL）：否，服务器错误：550，错误号：0x800CCC79
在VBScript脚本中，如果指定SMTP Server来向外发送邮件，会得到0X0804020F的错误号； 但是不指定SMTP Server，默认用Pickup方式，让本地的SMTP Service来向外发送邮件却是可以的 (脚本示范在附录A中)	弹出一个标题为“Windows 脚本宿主”的错误对话框。错误描述为： 错误： the Server rejected one or more recipient address.The server response was:550 5.7.1 Unable to relay for zhengyun_ustc@XXX.com 代码： 8004020F
	5.7.1错误号一般会伴随有应用程序日志的事件ID 1709和1710: Event Type: Warning   Event Source: MSExchangeTransport   Event Category: SMTP Protocol   Event ID: 1709   Date: 9/6/2000   Time: 5:21:28 AM   User: N/A   Computer: SERVERNAME   Description: An SMTP client did not authenticate before attempting to send mail. Access was denied. Data: 0000: 05 00 07 80  ...?     Event Type: Warning   Event Source: MSExchangeTransport   Event Category: SMTP Protocol   Event ID: 1710   Date: 9/5/2000   Time: 3:31:03 PM   User: N/A   Computer: SERVERNAME   Description: An SMTP client authenticated as user "NT AUTHORITY/ANONYMOUS LOGON" attempted to send as "User.one@domain.edu". Access was denied because the authenticated client does not have permission to Send As this SMTP address. Data: 0000: 05 00 07 80 ...?
向一个不允许中继的远程域发送邮件	Non-Delivery Report (NDR)详细错误报告: The following recipient(s) could not be reached:     User@Remotedomain.com on 1/6/00 7:58 PM     The originator does not have permission to submit message  dns;Wsilver.com failed 5.7.1 smtp;550 5.7.1 Unable to relay for User@Remotedomain.com

 

我们先来了解一下前面报告的错误号的含义:

0X8004020F的错误号的定义：

可以参看CDO For Exchange 2000或者CDO For Windows 2000的错误号定义：

Error Name	Value	Remarks
CDO_E_RECIPIENTS_REJECTED	0x8004020FL	The server rejected one or more recipient addresses. The server response was: %1.

 

5.7.1错误号的定义：

DSN(Delivery Status Notifications in Exchange 2000 Server)描述了三种情况：

Ø        Success (as 2. numerical codes)

Ø        Persistent transient failure (as 4. numerical codes)

Ø         Permanent failures (as 5. numerical codes)

详细定义可以参见RFC 1891和RFC1893。

 

 Numerical Code: 5.7.1：

Possible Cause:

n      General access denied, sender access denied ? the sender of the message does not have the privileges necessary to complete delivery.

 

n      You are trying to relay your mail via another SMTP server and it does not permit you to relay.

 

n      The recipient might have mailbox delivery restrictions enabled. For example, a recipient’s mailbox delivery restriction was sent to receive from a Distribution List only and non-member’s email will be rejected with this error.

 

Troubleshooting: Check system privileges and attributes for the contact and

  retry the message. Also make sure you are running Exchange 2000 Service Pack

  1 or later for other potential known issues.

 

附录A：

Dim objMessage set objMessage = CreateObject("CDO.Message")   With objMessage     .from = "User@XXX.com"     .To = "zhengyun_ustc@XXX.com"     .TextBody = "body"     .Subject = "Subject"     With .Configuration      .Fields("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 'cdoSendUsingPort      .Fields("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mailserver.tomocorp.com"      .Fields(cdoSMTPServerPort) = 25         .Fields.update     End With End With objMessage.send

 

原因与解决方法：

出错的几种原因：

第一种解释：

《XCON: NDRs May Result Based on SMTP Configuration [Q274638]》给出的适合Exchange的解释：

 

发生5.7.1错误可能是由于Exchange的System Manager中的SMTP虚拟服务器的设置中没有选中“allow computers which successfully authenticate to relay”复选框。如下所示，

先打开SMTP Virtual Server的属性页的Access页：

然后点击“Relay”按钮，察看“Allow all computers which successfully authenticate to relay,regardless of the list above”是否选中：

 

 

或者是DNS没有被正确配置。应该确保MX纪录指向正确的SMTP虚拟服务器。如果DNS没有配正确，incoming SMTP connection可能会随机连接到错误的SMTP虚拟服务器。

 

也可能收件人的邮件地址并不符合现有的收件人策略。

 

解决办法：正确地配置DNS  MX记录；

允许验证通过的机器能够被中继；

让所有的SMTP虚拟服务器允许匿名访问。

然后重启这些虚拟服务、SMTP服务、Routing Engine服务等来使设置起效。

 

第二种解释：

《OL2000: SMTP Relay Blocking Error Sending E-mail [Q214402]》给出了的解释：

 

ü        You are logged in to a Local Area Network (LAN) that has an Internet gateway and attempt to send e-mail through an Internet Service Provider's SMTP gateway.

 

ü        You are logged onto an Internet Service Provider (ISP) and attempt to send e-mail through another Internet Service Provider's SMTP gateway.

 

ü         You are using a cable modem or ADSL to get to another Internet Service  Provider and attempt to send e-mail through that ISP's SMTP gateway.

 

这种问题的发生是ISP们的设置所造成的，ISP们这样做，是为了防止SPAM(垃圾邮件)。比如SOHU和新浪的SMTP服务就是ESMTP命令集，用这些服务器发送邮件，就需要先通过身份验证，否则会得到如下所示的提示：

 

SOHU的反应：

220 smtp01.sohu.com ESMTP
250 smtp01.sohu.com
505 Error:Client was not authenticated

 

新浪的反应：

220 sina.com ESMTP

250 sina.com

553 -------------------------------------------------------

SMTP登录出错。

-------------------------------------------------------------

 

第三种解释：

《XCON: SMTP Clients Receive Relaying Prohibited Error Message [Q295164]》给出了一种解释：可能是Outlook Express所在的客户端与服务器端之间有一个Cisco防火墙，而该火墙启用了SMTP inspection。

(Extension to SMTP (ESMTP) commands can also be removed by Pix firewall software.)

 

解决之道：不让火墙进行SMTP inspection。

 

第四种解释：

《XCON: Misleading NDR Sending to Remote Domain [Q262354]》说，也可能是Remote Domain已经禁止Sending Domain中继。也就是说，是对方禁止，而不是本地服务器禁止这种行为。

 

给出错误解决步骤比较详细的文档：

《Health Monitor Is Unable to Send E-Mail via Local SMTP Server [Q280043]》中给出的检查步骤比较详细，这里就简单列出两个检查点：

n         Verify the Binding Order

n         Verify the Relay Settings for the Exchange SMTP Virtual Server

 

小结：

这种“Unable to relay user@externaldomain.com”的错误通常属于设计意图。也就是说，为了防止Internet上的Unsolicited Commercial E-Mail (UCE)，Microsoft的SMTP服务，默认，是不允许一封邮件通过它中继到外面的邮件地址的！

详细情况可以参看《SMTP Service Release Notes》。

 

下面是其中的一段话：

------------------------------------------------------------

 Restrictions on Relaying Mail Through Microsoft SMTP Service

------------------------------------------------------------

 

Because of the growing problem on the Internet concerning Unsolicited Commercial

E-Mail (UCE), Microsoft SMTP Service, by default, does not allow mail to be

relayed through it to an external e-mail address. Mail addressed to any domain

not configured for the SMTP site is rejected with the error "550 Unable to relay

for ." To allow mail to be relayed from specific IP

addresses, change the settings in the "Relay Restrictions" section of the

"Directory Security" property sheet.

 

NOTE: Changing the settings to allow unrestricted relay through your SMTP server

on the Internet makes your site a prime target for UCE. UCE can consist of

special offers, commentaries, or any message a sender wants to convey to as many

recipients as possible across the Internet. Often, senders relay UCE through

well-known, trusted servers on the Internet to make messages appear as though

they originated from a trusted host, or to make it difficult to determine the

origin of the messages.

 

 

Trackback: http://tb.blog.csdn.net/TrackBack.aspx?PostId=12665