How do you know if you are being blocked by Mimecast?
After sending out a mailing you receive an error message for some of your users that make contain the following:
Thu, 29 Oct 2022 13:00:13 Sending email to: recipient@example.com
<-- DNS info available for: example.com
--> Using the existing connection to: example.com (xxx.xxx.xxx.xxx)
--> MAIL FROM: bounce-2401074-67274199@listname.yourlmsite.com
<-- 250 Sender OK [Aj3QXapeMpqZYaeFwWhjzw.us32]
--> RCPT TO:<recipient@example.com>
<-- 451 Internal resource is temporarily unavailable -
https://community.mimecast.com/docs/DOC-1369#451
[Aj3QXapeMpqZYaeFwWhjzw.us32]
Information
This is a known incompatibility between ListManager and Mimecast that has to do with the particular way they handle greylisting.
What is Mimecast?
Mimecast is an email gateway tool that monitors incoming emails to domains that use its services. Mimecast's strategy looks at three pieces of information (which are referred to as the "triplet") about any particular mail delivery attempt:
- The IP address of the host attempting the delivery
- The envelope sender's address
- The envelope recipient's address
With this triplet, Mimecast has a unique relationship for that particular SMTP session. If Mimecast has not seen this triplet before, Mimecast issues a busy server status. This server's busy status is held for 60 seconds, forcing the sending server to queue and retry. SMTP is considered an unreliable transport, subject to failures. The possibility of temporary failures is built into the core spec (see RFC 821). A correctly configured message transfer agent (MTA) will attempt retries if given an appropriate temporary failure code for a delivery attempt.
One of the components of this triplet is the envelope sender address also known as the "mail from", ListManager uses a unique address for each mailing per recipient, as follows:
bounce-messageid-memberid@servername.com
Therefore every time you send a new mailing for Mimecast it's a new triplet so it applies the greylisting block.
How do you know if Mimecast is blocking you?
As with most mailstream blocks, you have to find the actual blocking response sent from the domain. This can be done by viewing the sending details of a specific address that is being blocked, reviewing the "Delivery Dashboard" (Reports > Deliverability Dashboard) or "Mailstream blocked by domain/IP" (Utilities > Administration > MailStream > MailStream Blocked Domains) sections of ListManager, or querying the database tables such as 'lyrdeliveryattemptlog' or 'lyrcompletedrecips' for the specific domain in question.
Please note that "MailStream 'Example' (IP address 192.168.1.100) is known to be blocked by the server(s)" is not the actual blocking response. This is a block notification from ListManager after a block is already detected. Refer to the error message in the Overview for an example of Mimecast's response.
How do you resolve a Mimecast block?
In some cases, the block may only be temporary and is resolved when your message is retried. Mimecast blocks will always include a link to Mimecast with a description of the blocking reason. The link will also include a page anchor that takes you directly to the description for your block.
On the Mimecast website, the above block can be resolved by the receiving domain adding the ListManager to its "Greylistings" or "Sender Policy" within Mimecast. Other blocks may have other resolutions.
Releasing the Mailstream Block in LM
Once you know the Mimecast block is resolved or you want to test to see if it is resolved, you can go into your mailstream blocks or Delivery Dashboard in ListManager and retry/release the block if it is still present. This will let ListManager know it is ok to try and send to this Mimecast domain/IP again.
- Log on to LM as an Administrator
- Navigate to Utilities > Administration > MailStream > MailStream Blocked Domains
The recipient's domain is no longer listed in the list of blocked domains.
Possible Workarounds
If you are unable to resolve the issues with Mimecast or want to try a workaround for their greylisting requirements, you can ask us to set the retry interval for greylisting to 1 minute, rather than the default of 4. However, this will not guarantee success because if LM tried with recipient1 and does not accept the email with 451, LM puts it on the mailstream block and when it tries again it might not necessarily retry with the same recipient1. It could be another recipient for that same domain (different triplet), which if happens to be new for them and can cause a block again. Then it is possible that LM does not get to retry recipient1 before the 12-hour upper limit.
You can also reach out to Mimecast's Support team for their suggestions.
