Messaging Gateway


554: Client host rejected: You are not allowed to connect

  • 1.  554: Client host rejected: You are not allowed to connect

    Posted Sep 25, 2009 07:27 AM

    Hi,

    I am getting an email delay problem when receiving email from some domains on the Internet. The delay ranges from several hours to a couple of days. This is part of the log from the sender domain.

    "Sep 15 11:40:50 esfsd03 postfix/smtp[28728]: 4A9E73AB7C: to=recipient@destination-domain, relay=destination-ip[destination-ip], delay=0, status=deferred (host destination-ip[destination-ip] refused to talk to me: 554 <unknown[sender-ip]>: Client host rejected: You are not allowed to connect.)"

    I am wondering whether this problem is caused by the spam filtering feature, by the maximum number of connections from a single IP address setting on Brightmail, or by something else.

    Could anyone advise me please?

    Thanks,
    Nitass
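
The sender-side line quoted above is a standard Postfix smtp(8) delivery record. When asking a remote postmaster for logs, it helps to summarize those records by relay, delivery status and the remote SMTP reply code, so that a 554 refused at connect (which Postfix only defers and retries, hence the delay rather than a bounce) can be told apart from a 450 or a successful 250. The script below is an added example for this thread, not Symantec or Postfix code; the sample log lines are constructed in the format of the quoted line, and the queue IDs, hostnames, IPs and the 450 reply text are placeholders.

```python
"""Group Postfix smtp delivery attempts by relay host, status and remote SMTP reply code."""
import re
from collections import Counter

# Constructed sample in the format of the sender-side log quoted in the first
# post. Hostnames, IPs, queue IDs and the 450 reply text are placeholders.
SAMPLE_POSTFIX_LOG = """\
Sep 15 11:40:50 esfsd03 postfix/smtp[28728]: 4A9E73AB7C: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=0, status=deferred (host mx.example.net[192.0.2.25] refused to talk to me: 554 <unknown[198.51.100.7]>: Client host rejected: You are not allowed to connect.)
Sep 15 11:41:02 esfsd03 postfix/smtp[28731]: 5B1F04C0D2: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=0.4, status=deferred (host mx.example.net[192.0.2.25] said: 450 4.7.1 Try again later (in reply to MAIL FROM command))
Sep 15 11:45:10 esfsd03 postfix/smtp[28740]: 4A9E73AB7C: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=300, status=sent (250 2.0.0 Ok: queued as 123456)
Sep 15 11:45:11 esfsd03 postfix/smtp[28741]: 6C2A15D1E3: to=<other@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.1, status=sent (250 2.0.0 Ok)
"""

# One postfix/smtp delivery record. The lazy ".*?" skips optional fields such as
# conn_use=, delays= and dsn= that newer Postfix versions log before status=.
ENTRY_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) postfix/smtp\[\d+\]: '
    r'(?P<qid>[0-9A-Za-z]+): to=<?(?P<rcpt>[^>,]+)>?, relay=(?P<relay>[^,]+), '
    r'.*?status=(?P<status>\w+) \((?P<detail>.*)\)$'
)
# Remote reply code: the leading code of a "sent" record, or the code that
# follows "said:" (reply to a command) or "refused to talk to me:" (at connect).
CODE_RE = re.compile(r'(?:^|said: |to me: )([245]\d\d)\b')


def parse_postfix_smtp(text):
    """Return one dict per postfix/smtp record, with relay_host and code added."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not a postfix/smtp delivery record (e.g. qmgr, cleanup)
        e = m.groupdict()
        e["relay_host"] = e["relay"].split("[")[0]  # "mx[1.2.3.4]:25" -> "mx"
        c = CODE_RE.search(e["detail"])
        e["code"] = c.group(1) if c else None
        entries.append(e)
    return entries


def summarize(entries):
    """Count attempts per (relay_host, status, reply code)."""
    return Counter((e["relay_host"], e["status"], e["code"]) for e in entries)


def deferred_at_connect(entries):
    """Queue IDs deferred because the relay rejected the session before any command."""
    return sorted({e["qid"] for e in entries
                   if e["status"] == "deferred" and "refused to talk to me" in e["detail"]})


if __name__ == "__main__":
    recs = parse_postfix_smtp(SAMPLE_POSTFIX_LOG)
    for key, n in sorted(summarize(recs).items(), key=lambda kv: str(kv[0])):
        print(key, n)
    print("deferred at connect:", deferred_at_connect(recs))
```

A queue ID that appears first as deferred with "refused to talk to me: 554" and later as sent is exactly the delay pattern described in the post: the receiving gateway refused the connection outright, and Postfix kept retrying until a connection was accepted.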



  • 2.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Sep 25, 2009 11:09 AM
    Reputation / Reputation lookup?
    Does the inbound, connecting IP address resolve?

    You are talking about mail from a 3rd party to a domain you control, correct?

    Saw your 450 error discussion.  So yes, this could be due to the sender hitting your connections per IP limit.  Are you limiting inbound connections due to workload, or spam?  If spam, have you tried Connection Classification?


  • 3.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Sep 25, 2009 11:11 AM
    If you are concerned about workload on your inbound mailserver, you might want to limit the delivery connections under SMTP / Advanced.

    Maximum number of connections to all internal mail servers:
    Maximum number of connections per single internal mail server:


  • 4.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Sep 25, 2009 01:57 PM

    >Reputation / Reputation lookup?
    The reputation of sender IP is neutral. I looked it up from the Security Response web.

    >Does the inbound, connecting IP address resolve?
    Yes, this is inbound. The sender IP is not resolvable (no reverse lookup record). However, I do not think this is an issue because the message is finally able to be sent (but delayed).

    >You are talking about mail from a 3rd party to a domain you control, correct?
    Yes, that is correct.

    >Saw your 450 error discussion.  So yes, this could be due to the sender hitting your connections per IP limit..  Are you limiting inbound connections due to workload, or spam?  If spam, have you tried Connection Classification?
    I have set the maximum number of connections from a single IP address to 3 (default is 20). This value is from the Symantec Brightmail Gateway - Best Practices: Performance document (Document ID: 2008071612574854). Could this cause this issue?

    Thanks,
    Nitass



  • 5.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Sep 25, 2009 05:38 PM
    Might, but the sending IP would need to already have 3 connections on the box.  Do a netstat and see if there are multiple active connections
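
To make the netstat check above repeatable, the script below counts established connections to the local SMTP port per remote IP and flags any remote that is at or above the per-IP limit (3 in this thread). It is an added example, not Symantec code, and it parses the output of `netstat -tn` as captured on a Linux host; the sample output is constructed, and the local port, connection states and limit are parameters rather than anything the gateway documents.

```python
"""Count concurrent inbound SMTP connections per remote IP from `netstat -tn` output."""
from collections import Counter

# Constructed sample of `netstat -tn` output; addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:25           198.51.100.7:41234      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:41236      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:41240      ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.9:52000       ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.9:52001       TIME_WAIT
tcp        0      0 192.0.2.10:22           198.51.100.7:50000      ESTABLISHED
"""


def smtp_connections_per_ip(netstat_output, local_port=25, states=("ESTABLISHED",)):
    """Return Counter of remote IP -> number of sessions to local_port in the given states.

    Only states listed in `states` count; TIME_WAIT sockets are closed sessions
    and do not occupy a slot in an MTA's per-IP connection limit, so they are
    excluded by default. rpartition(":") splits host from port for both IPv4
    and IPv6 (tcp6) address forms.
    """
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines, udp, unix sockets
        local, foreign, state = fields[3], fields[4], fields[5]
        if state not in states:
            continue
        _, _, lport = local.rpartition(":")
        fhost, _, _ = foreign.rpartition(":")
        if lport != str(local_port):
            continue  # SSH or other services on the same box
        counts[fhost] += 1
    return counts


def at_or_over_limit(counts, limit):
    """Remote IPs whose live session count would trigger a per-IP connection cap of `limit`."""
    return {ip: n for ip, n in counts.items() if n >= limit}


if __name__ == "__main__":
    live = smtp_connections_per_ip(SAMPLE_NETSTAT)
    print("per-IP SMTP sessions:", dict(live))
    print("at/over limit 3:", at_or_over_limit(live, 3))
```

On the appliance itself the same idea applies to whatever connection listing the CLI exposes; a remote IP showing three live sessions at the moment its fourth attempt arrives is the case the earlier reply describes.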


  • 6.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Sep 26, 2009 12:49 AM
    Thanks. I will try.

    Anyway, what do you think about spam filtering features, e.g. reputation? Could they also cause this issue? If the reputation of the sender IP, which is looked up from the Security Response web, is neutral, does it mean the sender would not be blocked by spam filtering features on Brightmail?

    Thanks,
    Nitass


  • 7.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Sep 28, 2009 10:56 AM
    Hi phhowe17,

    I think you are correct. I found concurrent connection limit exceeded warning messages in MTA logs. I already raised the number of connections. Please let me monitor it for a couple of days. I will update you soon.

    Thanks,
    Nitass


  • 8.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Sep 30, 2009 11:45 AM
    Hello,

    I think the problem has been solved. However, I am getting another error message instead. The MTA logs keep displaying "DNS TXT query for x.x.x.x.zodiac.brightmail.com failed unexpectedly". I already tested name resolution according to troubleshooting SBG DNS reputation queries knowledge base article (http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2008011011032554) and it was fine.

    I just would like to know if there is any effect on SBG operation. If yes, how can I reduce its effect?

    Please advise.

    PS. SBG is now running 8.0.2-12.

    Thanks,
    Nitass


  • 9.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Oct 09, 2009 01:36 PM
    We have not been receiving emails from certain domains.  In the inbound message queue, the message is there with the action "Abort Message".  Running a trace (thank you Symantec staff for showing how), the trace shows "554 You are not allowed to connect".  I have had reputation checking turned off and it still did it.
    Furthermore, the DNS TXT query... message you stated, Nitass, is also occurring on our box.
    I'm following up with Symantec and will update this thread when we get this resolved.



  • 10.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Oct 12, 2009 12:38 PM

    Hi Amxtaylor,

    Thanks for the information. Additionally, would you mind advising me how to run a trace?

    Thank you very much,
    Nitass



  • 11.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Feb 25, 2010 11:57 AM
    Finally a solution... for us anyways...

    Our resolution was in the MTU (Maximum Transmission Unit).  Ours was set at 512, thus anything larger was getting aborted.  It only affected certain domains that were sending.  Setting to 1500 solved the problem completely.

    Administration -> Hosts > Configuration -> Edit Host -> Ethernet -> Maximum Transmission Unit




  • 12.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Feb 25, 2010 01:21 PM
    Alex, thanks for sharing the information.

    Please note that by default, the MTU is set to 1500; you can check it by running the ifconfig command from CLI:

    vm-sflabga> ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:38:3F:77 
              inet addr:10.160.248.101  Bcast:10.160.248.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

    So you must have manually changed it to 512.  What was the reason for changing the MTU from its default value of 1500 to 512?

    Regards,

    Adnan


  • 13.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Mar 11, 2010 03:56 PM
     Hi there,

    did either of you have any luck with this issue? We appear to have the same issue with email from particular inbound domains

    Cheers


  • 14.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Mar 11, 2010 04:43 PM
    The first thing to check, in this case, is the reputation of the IP that they are trying to connect from.  You can check the reputation of the IP in the Control Center on IP Reputation Lookup page (Reputation > IP Reputation Lookup).

    Regards,

    Adnan


  • 15.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Mar 11, 2010 08:53 PM
     Hi there,

    the reputation of the sender (Message labs in this case) is fine.
    The below is what I get in the mail logs when a message is denied:

    Mar 12, 2010 1:46:54 PM NZDT Error NZSMTP01 Brightmail Engine
    DNS TXT query for "4.136.109.203.zodiac.brightmail.com" failed unexpectedly.
    Mar 12, 2010 1:46:49 PM NZDT Information NZSMTP01 Brightmail Engine
    A connection to the firewall from: <216.82.241.211> returned Di

    It would seem that each time an email is being issued with a 5.5.4 the above error (DNS TXT lookup) is present.
    I can resolve brightmail.com at the moment fine.

    Are the messages being blocked purely due to intermittent DNS issues?



  • 16.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Mar 12, 2010 02:31 AM
    You have given two different IP addresses from the logs, but none of those seem to be the one that's getting rejected with "554: Client host rejected: You are not allowed to connect" error. 

    Can you please provide the log entry that corresponds to the IP address that's getting rejected with the "554: Client host rejected: You are not allowed to connect" error?

    Thanks

    Adnan


  • 17.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Mar 14, 2010 03:23 PM
    Hi there,

    the second line in that table with the IP of 216.82.241.211 is the host being rejected.
    If you highlight it, it will come up with the full error message of <dns_deny> triggering filtering policy <static-deny-dns> with destination <<firewall_response message="You are not allowed to connect." type="reject"/>>

    What I have noticed is when I see these rejections in the logs they are accompanied by the DNS TXT error. 
    Is this coincidental or part of my issue?


  • 18.  RE: 554: Client host rejected: You are not allowed to connect

    Posted Mar 14, 2010 04:32 PM
    Ok, so it would appear I tell fibs. Looking further into the logs I have found another instance of a blockage; it is not accompanied by a DNS TXT error, however it is the same IP being blocked.

    Mar 12, 2010 12:58:35 PM NZDT Information NZSMTP01 Brightmail Engine
    A connection to the firewall from: <216.82.241.211> returned Disposition: <dns_deny> triggering filtering policy <static-deny-dns> with destination <<firewall_response message="You are not allowed to connect." type="reject"/>>.
     
    Doing a reputation lookup on the IP yields that it is happy with Symantec.

    However looking online it appears to be on one of the Blacklists we use, Spamcannibal.org
    Is there a nicer way of getting the logs to report which blacklist/method it uses to reject the ip?

    By adding this to good senders, it will always send through regardless of status on Blacklists/etc ?
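
Two of the questions above (whether the "DNS TXT query ... failed" errors are coincidental, and which IP a given TXT query actually concerns) can be answered from the Brightmail Engine log alone. The script below is an added example for this thread, not Symantec code. It pairs each timestamp line with its message line, decodes the reputation query name into an IP on the assumption that the query uses the usual DNSBL convention of reversed octets in front of the zone (the page shows the name form but does not document that convention), and then, for every dns_deny rejection, reports how many TXT failures fall within a time window and whether any of them concern the rejected IP. The sample log reproduces the two-line records posted above; the 1:46:49 PM message line is completed in the same form as the full line from the later post.

```python
"""Correlate Brightmail Engine dns_deny rejections with nearby DNS TXT lookup failures."""
import re
from datetime import datetime, timedelta

# Reputation zone seen in this thread's logs.
REPUTATION_ZONES = ("zodiac.brightmail.com",)

# Constructed from the two-line records posted in the thread (timestamp line, then message).
SAMPLE_LOG = """\
Mar 12, 2010 1:46:54 PM NZDT Error NZSMTP01 Brightmail Engine
DNS TXT query for "4.136.109.203.zodiac.brightmail.com" failed unexpectedly.
Mar 12, 2010 1:46:49 PM NZDT Information NZSMTP01 Brightmail Engine
A connection to the firewall from: <216.82.241.211> returned Disposition: <dns_deny> triggering filtering policy <static-deny-dns> with destination <<firewall_response message="You are not allowed to connect." type="reject"/>>.
Mar 12, 2010 12:58:35 PM NZDT Information NZSMTP01 Brightmail Engine
A connection to the firewall from: <216.82.241.211> returned Disposition: <dns_deny> triggering filtering policy <static-deny-dns> with destination <<firewall_response message="You are not allowed to connect." type="reject"/>>.
"""

HEADER_RE = re.compile(
    r'^([A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+) (\S+) (.+)$'
)  # timestamp, timezone, level, host, component
TXT_FAIL_RE = re.compile(r'DNS TXT query for "?([\w.-]+)"? failed')
DENY_RE = re.compile(r'from: <([\d.]+)> returned Disposition: <dns_deny>')


def decode_reputation_query(name):
    """'4.136.109.203.zodiac.brightmail.com' -> '203.109.136.4' (assumed reversed-octet form)."""
    for zone in REPUTATION_ZONES:
        suffix = "." + zone
        if name.endswith(suffix):
            octets = name[:-len(suffix)].split(".")
            if len(octets) == 4 and all(o.isdigit() for o in octets):
                return ".".join(reversed(octets))
    return None


def parse_events(text):
    """Pair each header line with the message line that follows it; return events sorted by time."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    events, i = [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines) and not HEADER_RE.match(lines[i + 1]):
            ts = datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p")  # tz token ignored
            events.append({"time": ts, "level": m.group(3), "host": m.group(4), "msg": lines[i + 1]})
            i += 2
        else:
            i += 1  # stray line; skip
    events.sort(key=lambda e: e["time"])  # the export above lists newest first
    return events


def correlate_rejections(events, window_seconds=30):
    """For each dns_deny rejection, count TXT failures within the window and whether any match the IP."""
    window = timedelta(seconds=window_seconds)
    txt_failures = []
    for e in events:
        m = TXT_FAIL_RE.search(e["msg"])
        if m:
            txt_failures.append((e["time"], m.group(1), decode_reputation_query(m.group(1))))
    results = []
    for e in events:
        m = DENY_RE.search(e["msg"])
        if not m:
            continue
        rejected = m.group(1)
        nearby = [f for f in txt_failures if abs(f[0] - e["time"]) <= window]
        results.append({
            "time": e["time"],
            "rejected_ip": rejected,
            "txt_failures_nearby": len(nearby),
            "txt_failure_same_ip": any(ip == rejected for _, _, ip in nearby),
            "txt_query_ips": [ip for _, _, ip in nearby],
        })
    return results


if __name__ == "__main__":
    for r in correlate_rejections(parse_events(SAMPLE_LOG)):
        print(r)
```

On the posted records this yields one rejection with no TXT failure nearby and one with a failure five seconds later whose query name decodes to 203.109.136.4, not 216.82.241.211. That is the same observation made earlier in the thread about the two IPs being different: the TXT error concerns another connecting host, so it cannot be what produced the dns_deny disposition for 216.82.241.211.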