File Coverage

lib/Sisimai/Rhost/Mimecast.pm
Criterion Covered Total %
statement 25 25 100.0
branch 6 8 75.0
condition 4 6 66.6
subroutine 4 4 100.0
pod 0 1 0.0
total 39 44 88.6


line stmt bran cond sub pod time code
1             package Sisimai::Rhost::Mimecast;
2 4     4   1630 use feature ':5.10';
  4         9  
  4         426  
3 4     4   25 use strict;
  4         8  
  4         86  
4 4     4   16 use warnings;
  4         10  
  4         1976  
5              
6             sub get {
7             # Detect bounce reason from https://www.mimecast.com/
8             # @param [Sisimai::Data] argvs Parsed email object
9             # @return [String] The bounce reason at Mimecast
10             # @since v4.25.15
11 13     13 0 1651 my $class = shift;
12 13   100     50 my $argvs = shift // return undef;
13              
14 12 50       43 return undef unless length $argvs->{'diagnosticcode'};
15 12 50       62 return undef unless $argvs->{'replycode'} =~ /\A[245]\d\d\z/;
16              
17 12         124 state $messagesof = {
18             # https://community.mimecast.com/s/article/Mimecast-SMTP-Error-Codes-842605754
19             'blocked' => [
20             # - The sender's IP address has been blocked by a Blocked Senders Policy.
21             # - Remove the entry from the policy.
22             [421, 'sender address blocked'],
23              
24             # - The Sender's IP address has been placed on the block list due to too many invalid
25             # connections.
26             # - The sender's mail server must retry the connection. The mail server performing the
27             # connection says the recipient address validation isn't responding.
28             [451, 'recipient temporarily unavailable'],
29              
30             # - You've reached your mail server's limit.
31             # - Wait and try again. The mail server won't accept any messages until you're under
32             # the limit.
33             [451, 'ip temporarily blacklisted'],
34              
35             # - The sending mail server is subjected to Greylisting. This requires the server to
36             # retry the connection, between one minute and 12 hours. Alternatively, the sender's
37             # IP address has a poor reputation.
38             # - These reputation checks can be bypassed with an Auto Allow or Permitted Senders
39             # policy. If it's legitimate traffic, amend your Greylisting policy.
40             [451, 'internal resources are temporarily unavailable'],
41              
42             # - Ongoing reputation checks have resulted in the message being rejected due to poor
43             # IP reputation. This could occur after a 4xx error.
44             # - Create an Auto Allow or Permitted Senders policy.
45             # Note:
46             # You can request a review of your source IP ranges by completing our online form.
47             [550, 'local ct ip reputation - (reject)'],
48              
49             # - The sender's IP address is listed in an RBL. The text displayed is specific to the
50             # RBL which lists the sender's IP address.
51             # - Bypass the RBL with an Auto Allow or Permitted Senders policy. Additionally request
52             # the associated IP address from the RBL.
53             #[550, '< details of RBL >'], NEED AN ACTUAL ERROR MESSAGE STRING
54              
55             # - The inbound message has been rejected because the originated IP address isn't list-
56             # ed in the published SPF records for the sending domain.
57             # - Ensure all the IP addresses for your mail servers are listed in your SPF records.
58             # Alternatively, create a DNS Authentication (Inbound / Outbound) policy with the
59             # "Inbound SPF" or "Reject on Hard Fail" option disabled. Messages that fail our SPF
60             # checks are subjected to spam and RBL checks, instead of being rejected.
61             [550, 'spf sender invalid - envelope rejected'],
62              
63             # - The DKIM key for the outbound message is broken and doesn't match the DNS record of
64             # the registered sender.
65             # - Check your organization's DNS record is populated with the right public key as part
66             # of the DNS Authentication Outbound Signing definition. The private key of the key-
67             # pair must be populated in the DNS Authentication policy, along with the domain and
68             # selector of that record.
69             [550, 'dkim sender invalid - envelope rejected'],
70              
71             # - The inbound message has been rejected because the originated IP address isn't list-
72             # ed in the published SPF records for the sending domain.
73             # - Ensure all the IP addresses for your mail servers are listed in your SPF records.
74             [550, 'dmarc sender invalid - envelope rejected'],
75             ],
76             'mesgtoobig' => [
77             # - The email size either exceeds an Email Size Limit policy or is larger than the
78             # Mimecast service limit. The default is 100 MB for the Legacy MTA, and 200 MB for
79             # "the Latest MTA".
80             # - Resend the message ensuring it's smaller than the limitation set. The transmission
81             # and content-encoding can add significantly to the total message size (e.g. a mes-
82             # sage with a 70 MB attachment, can have an overall size larger than 100 MB).
83             [554, 'maximum email size exceeded'],
84             ],
85             'networkerror' => [
86             # - The message has too many "received headers" as it has been forwarded across multi-
87             # ple hops. Once 25 hops have been reached, the email is rejected.
88             # - Investigate the email addresses in the communication pairs, to see what forwarders
89             # are configured on the mail servers.
90             [554, 'mail loop detected'],
91             ],
92             'norelaying' => [
93             # - Both the sender and recipient domains specified in the transmission are external to
94             # Mimecast, and aren't allowed to relay through the Mimecast service and/or the con-
95             # necting IP address isn't recognized as authorized.
96             # - Mimecast customers should contact Mimecast Support to add the Authorized Outbound
97             # address, or to take other remedial action.
98             [451, 'open relay not allowed'],
99             ],
100             'notaccept' => [
101             # - The customer account Inbound emails are disabled in the Administration Console.
102             # - Contact Mimecast Support if the account's inbound traffic should be allowed.
103             [451, 'account inbounds disabled'],
104             ],
105             'onhold' => [
106             # - The customer account outbound emails are disabled in the Administration Console.
107             # - Contact Mimecast Support if the account's outbound traffic should be allowed.
108             [451, 'account outbounds disabled'],
109              
110             # - Omni Directional hostnames are enabled.
111             # - Disable Omni Directional hostnames.
112             [451, 'hostname is not authorized'],
113              
114             # - Attempts are being made to journal mail that is past the set expiry threshold. The
115             # failure will be replaced by a retry response because the message is marked for re-
116             # try if rejected, causing the journal queue to grow.
117             # - Check to confirm there are no significant time discrepancies on the mail server.
118             # Discontinue journaling old messages past the expiry threshold.
119             [550, 'journal message past expiration'],
120             ],
121             'policyviolation' => [
122             # - The message has triggered an Anti-Spoofing policy.
123             # - Create an Anti-Spoofing policy to take no action for the sender's address or IP ad-
124             # dress.
125             [550, 'anti-spoofing policy - inbound not allowed'],
126             [550, 'rejected by header-based anti-spoofing policy'],
127              
128             # - The message has triggered a Content Examination policy.
129             # - Either create a Content Examination Bypass policy or adjust the Content Examination
130             # policy as required.
131             [550, 'message bounced due to content examination policy'],
132              
133             # - The message has triggered a Geographical Restriction policy.
134             # - Delete or amend the policy.
135             [554, 'host network not allowed'],
136             ],
137             'rejected' => [
138             # - The sender's email address or domain has triggered a Blocked Senders Policy or
139             # there's an SPF hard rejection.
140             # - Delete or modify the Blocked Senders policy to exclude the sender address.
141             [550, 'administrative prohibition envelope blocked'],
142              
143             # - A personal block policy is in place for the email address/domain.
144             # - Remove the email address/domain from the Managed Senders list.
145             [550, 'envelope blocked – user entry'],
146             [550, 'envelope blocked – user domain entry'],
147             [550, 'rejected by header-based manually blocked senders - block for manual block'],
148              
149             # - A Block Sender Policy has been applied to reject emails based on the Header From or
150             # Envelope From address.
151             # - Delete or change the Blocked Senders policy.
152             [550, 'rejected by header-based blocked senders - block policy for header from'],
153             [550, 'envelope rejected - block policy for envelope from address'],
154             ],
155             'securityerror' => [
156             # - Messages submitted to SMTP port 587 require authentication. This error indicates
157             # the authentication details provided were incorrect.
158             # - Check your authentication details match an internal email address in Mimecast, with
159             # a corresponding Mimecast cloud password. Alternatively, consider sending the mes-
160             # sage on SMTP port 25.
161             [535, 'incorrect authentication data'],
162             [550, 'submitter failed to disabled'],
163              
164             # - This email has been sent using SMTP, but TLS is required by policy.
165             # - Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS.
166             # Alternatively, ensure the certificates on the mail server haven't expired. If using
167             # a proxy server, ensure it isn't intercepting the traffic and modifying encryption
168             # parameters.
169             [553, 'this route requires encryption (tls)'],
170              
171             # - A TLS connection has been attempted using a TLS version that is lower than TLS 1.2.
172             # - Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS.
173             # Alternatively, ensure the mail server attempting to connect is using the appropri-
174             # ate version of TLS.
175             [553, 'this route requires tls version 1.2 or greater'],
176              
177             # - A secure connection was attempted using ciphers that do not meet the configured ci-
178             # pher strength.
179             # - Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS. Alter-
180             # natively, ensure the certificates on the mail server haven't expired. If using a
181             # proxy server, ensure it isn't intercepting the traffic and modifying encryption
182             # parameters.
183             [553, 'this route requires high-strength ciphers'],
184              
185             # - Validation on your umbrella account's domain name does not conform to your DNS.
186             # - Check you DNS has the required umbrella accounts listed as comma-separated values.
187             [554, 'configuration is invalid for this certificate'],
188             ],
189             'systemerror' => [
190             # - The Mimecast server is under maximum load.
191             # - No action is required from the end-user. The message will retry 30 times and when
192             # server resources are available, the message is processed.
193             [451, 'unable to process connection at this time'],
194              
195             # - The message was incorrectly terminated. This can be caused by:
196             # - Files that previously contained a virus, but haven't been cleaned by an anti-virus
197             # product, leaving traces in the message.
198             # - Firewall issues on the sender's side.
199             # - Incorrectly configured content rules on a security device.
200             # - Investigate the Intrusion Detection software or other SMTP protocol analyzers. If
201             # running a Cisco Firewall, ensure the Mail- guard or SMTP Fixup module is disabled.
202             [451, 'message ended early'],
203              
204             # - Generic error if the reason is unknown
205             # - Contact Mimecast Support.
206             [451, 'unable to process command'],
207              
208             # - Generic error if the reason is unknown
209             # - Contact Mimecast Support.
210             [451, 'unable to process an email at this time'],
211             ],
212             'toomanyconn' => [
213             # - There are too many concurrent inbound connections for the account. The default is 20.
214             # - The IP address is automatically removed from the block list after five minutes.
215             # Continued invalid connections result in the IP being readded to the block list. En-
216             # sure you don't route outbound or journal messages to Mimecast from an IP address
217             # that hasn't been authorized to do so.
218             [451, 'account service is temporarily unavailable'],
219              
220             # - The sending server issues more than 100 RCPT TO entries. By default, Mimecast only
221             # accepts 100 RCPT TO entries per message body (DATA). The error triggers the sending
222             # mail server to provide the DATA for the first 100 recipients before it provides the
223             # next batch of RCPT TO entries.
224             # - Most mail servers respect the transient error and treat it as a "truncation request".
225             # If your mail server, firewall, or on-site solution doesn't respect the error, you
226             # must ensure that no more than 100 recipients are submitted.
227             # Note:
228             # Solutions like SMTP Fix-Up / MailGuard and ESMTP inspection on Cisco Pix and
229             # ASA Firewalls are known not to respect the transient error. We advise you to
230             # disable this functionality.
231             [452, 'too many recipients'],
232              
233             # - There are too many concurrent outbound connections for the account.
234             # - Send the messages in smaller chunks to recipients.
235             [550, 'exceeding outbound thread limit'],
236             ],
237             'userunknown' => [
238             # - The email address isn't a valid SMTP address.
239             # - The sender must resend the message to a valid internal email address.
240             [501, 'invalid address'],
241              
242             # - The server has encountered a bad sequence of commands, or it requires an authenti-
243             # cation.
244             # - In case of a "bad sequence", the server has pulled off its commands in the wrong
245             # order, usually because of a broken connection. If authentication is needed, enter
246             # your username and password.
247             [503, 'user unknown'],
248              
249             # - Known recipient, LDAP, or SMTP call forwarding recipient validation checks haven't
250             # returned a valid internal user.
251             # - The sender must resend the message to a valid internal recipient address.
252             [550, 'invalid recipient'],
253             ],
254             'virusdetected' => [
255             # - A signature was detected that could either be a virus, or a spam score over the
256             # maximum threshold. The spam score isn't available in the Administration Console. If
257             # you aren't a Mimecast customer but have emails rejected with this error code, con-
258             # tact the recipient to adjust their configuration and permit your address. If unsuc-
259             # cessful, your IT department can submit a request to review these email rejections
260             # via our Sender Feedback form.
261             # - Anti-virus checks cannot be bypassed. Contact the sender to see if they can stop
262             # these messages from being blocked. Anti-spam checks can be bypassed using a Per-
263             # mitted Senders or Auto Allow policy. Rejected emails can be viewed in your Outbound
264             # Activity and searching for the required email address.
265             [554, 'email rejected due to security policies'],
266             ],
267             };
268              
269 12   50     56 my $esmtperror = lc $argvs->{'diagnosticcode'} // 0;
270 12   50     54 my $esmtpreply = int $argvs->{'replycode'} // 0;
271 12         21 my $reasontext = '';
272              
273 12         68 REASON: for my $e ( keys %$messagesof ) {
274             # Try to find with each error message defined in $messagesof
275 70         76 for my $f ( @{ $messagesof->{ $e } } ) {
  70         128  
276             # Find an error reason
277 161 100       283 next unless $esmtpreply == $f->[0];
278 29 100       110 next unless index($esmtperror, $f->[1]) > -1;
279 12         21 $reasontext = $e;
280 12         26 last REASON;
281             }
282             }
283 12         53 return $reasontext;
284             }
285              
286             1;
287             __END__