Email delay caused by an Intrusion Prevention System

Article ID: 169953

Products

Email Security.cloud

Issue/Introduction

One or more users are trying to send emails to a specific domain via Symantec's mail servers, but these emails are going into retry because the Email Security.cloud service is unable to connect to the recipient's infrastructure.

421 4.4.0 [internal] no MXs for this domain could be reached at this time

Note that "MXs" in the error message "421 4.4.0 [internal] no MXs for this domain could be reached at this time" does not refer to MX records in this context; it stands for "Mail Exchanger".

Cause

This could be caused by an Intrusion Prevention System inspecting SMTP traffic and applying specific SMTP rules such as:

  • Block IP address that exceeds unknown user delivery count
  • Block IP address that gets denied for relaying too often
  • Block IP address that exceeds RSET session count
  • Block IP address that exceeds message spam score
  • Block IP address that gets listed on DNSBL
  • Block IP address that exceeds message size

An Intrusion Prevention System can also apply different actions, and different lengths of time for which an IP address is blocked, such as:

  • Refuse blocked IP address
  • Close blocked connection
  • Cross session processing

Resolution

The recipient mail server administrator will need to investigate this issue on their side and allow the Symantec Email Security.cloud services IP ranges on port 25 to deliver mail to their infrastructure.
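
One way for the recipient administrator to check whether the IPS has blocked any part of the sending service's ranges is sketched below. This is an added example, not Symantec code: the ranges are documentation-space placeholders to be replaced with the service's published IP ranges, and the block-list export format ("address rule") is a constructed assumption.

```python
import ipaddress

# Placeholder ranges (RFC 5737 / RFC 3849 documentation space). Replace with
# the sending service's published IP ranges; these are NOT real service ranges.
SERVICE_RANGES = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:25::/48"]

# Constructed sample of an IPS block-list export: "<ip or cidr> <rule that fired>".
SAMPLE_BLOCKLIST = """\
192.0.2.17 exceeds unknown user delivery count
203.0.113.9 listed on DNSBL
198.51.100.0/24 exceeds RSET session count
198.51.100.200 exceeds message size
2001:db8:25:1::5 denied for relaying too often
not-an-ip exceeds message spam score
"""

def parse_blocklist(text):
    """Yield (network, rule) per valid line; skip blanks and malformed entries."""
    for line in text.splitlines():
        target, _, rule = line.strip().partition(" ")
        try:
            # strict=False lets a single host address parse as a /32 or /128
            yield ipaddress.ip_network(target, strict=False), rule.strip()
        except ValueError:
            continue

def blocked_service_entries(blocklist_text, service_ranges):
    """Return block entries that cover any part of the ranges to be allowed."""
    allowed = [ipaddress.ip_network(r) for r in service_ranges]
    hits = []
    for net, rule in parse_blocklist(blocklist_text):
        for rng in allowed:
            # overlaps() also catches a blocked /24 that swallows an allowed /25
            if net.version == rng.version and net.overlaps(rng):
                hits.append((str(net), str(rng), rule))
    return hits

if __name__ == "__main__":
    for blocked, rng, rule in blocked_service_entries(SAMPLE_BLOCKLIST, SERVICE_RANGES):
        print(f"{blocked} blocks service range {rng} (rule: {rule})")
```

Each reported entry names the rule that fired, which shows which of the SMTP rules listed under Cause needs an exception for the service's ranges.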