File Coverage

lib/Sisimai/Rhost/Mimecast.pm

Criterion	Covered	Total	%
statement	26	26	100.0
branch	8	8	100.0
condition	4	6	66.6
subroutine	5	5	100.0
pod	0	1	0.0
total	43	46	93.4

line	stmt	bran	cond	sub	pod	time	code
1							package Sisimai::Rhost::Mimecast;
2	5			5		2369	use v5.26;
	5					21
3	5			5		31	use strict;
	5					10
	5					138
4	5			5		25	use warnings;
	5					43
	5					353
5	5			5		31	use Sisimai::SMTP::Reply;
	5					10
	5					3358
6
7							sub find {
8							# Detect bounce reason from https://www.mimecast.com/
9							# @param [Sisimai::Fact] argvs Decoded email object
10							# @return [String] The bounce reason at Mimecast
11							# @since v4.25.15
12	21			21	0	1189	my $class = shift;
13	21		100			65	my $argvs = shift // return "";
14	20	100				76	return '' unless $argvs->{'diagnosticcode'};
15	19	100				94	return '' unless Sisimai::SMTP::Reply->test($argvs->{'replycode'});
16
17	17					181	state $messagesof = {
18							# - https://community.mimecast.com/s/article/email-security-cloud-gateway-mimecast-smtp-error-codes
19							# - https://mimecastsupport.zendesk.com/hc/en-us/articles/34000709564691-Policies-Mimecast-SMTP-Error-Codes
20							'authfailure' => [
21							# - The inbound message has been rejected because the originated IP address isn't list-
22							# ed in the published SPF records for the sending domain.
23							# - Ensure all the IP addresses for your mail servers are listed in your SPF records.
24							# Alternatively, create a DNS Authentication (Inbound / Outbound) policy with the
25							# "Inbound SPF" or "Reject on Hard Fail" option disabled. Messages that fail our SPF
26							# checks are subjected to spam and RBL checks, instead of being rejected.
27							[550, 'spf sender invalid - envelope rejected'],
28
29							# - The DKIM key for the outbound message is broken and doesn't match the DNS record of
30							# the registered sender.
31							# - Check your organization's DNS record is populated with the right public key as part
32							# of the DNS Authentication Outbound Signing definition. The private key of the key-
33							# pair must be populated in the DNS Authentication policy, along with the domain and
34							# selector of that record.
35							[550, 'dkim sender invalid - envelope rejected'],
36
37							# - The inbound message has been rejected because the originated IP address isn't list-
38							# ed in the published SPF records for the sending domain.
39							# - Ensure all the IP addresses for your mail servers are listed in your SPF records.
40							[550, 'dmarc sender invalid - envelope rejected'],
41							],
42							'badreputation' => [
43							# - The sending mail server is subjected to Greylisting. This requires the server to
44							# retry the connection, between one minute and 12 hours. Alternatively, the sender's
45							# IP address has a poor reputation.
46							# - These reputation checks can be bypassed with an Auto Allow or Permitted Senders
47							# policy. If it's legitimate traffic, amend your Greylisting policy.
48							[451, 'internal resources are temporarily unavailable'],
49
50							# - Ongoing reputation checks have resulted in the message being rejected due to poor
51							# IP reputation. This could occur after a 4xx error.
52							# - Create an Auto Allow or Permitted Senders policy.
53							# Note:
54							# You can request a review of your source IP ranges by completing our online form.
55							[550, 'local ct ip reputation - (reject)'],
56							],
57							'blocked' => [
58							# - Sender address blocked.
59							# A Blocked Senders Policy has blocked the sender's IP address.
60							# - The sender's IP address has been blocked by a Blocked Senders Policy.
61							# - Remove the entry from the policy.
62							[421, 'sender address blocked'],
63
64							# - The Sender's IP address has been placed on the block list due to too many invalid
65							# connections.
66							# - The sender's mail server must retry the connection. The mail server performing the
67							# connection says the recipient address validation isn't responding.
68							[451, 'recipient temporarily unavailable'],
69
70							# - You've reached your mail server's limit.
71							# - Wait and try again. The mail server won't accept any messages until you're under
72							# the limit.
73							[451, 'ip temporarily blacklisted'],
74
75							# - The sender's IP address is listed in an RBL. The text displayed is specific to the
76							# RBL which lists the sender's IP address.
77							# - Bypass the RBL with an Auto Allow or Permitted Senders policy. Additionally request
78							# the associated IP address from the RBL.
79							#[550, '< details of RBL >'], NEED AN ACTUAL ERROR MESSAGE STRING
80							],
81							'emailtoolarge' => [
82							# - The email size either exceeds an Email Size Limit policy or is larger than the
83							# Mimecast service limit. The default is 100 MB for the Legacy MTA, and 200 MB for
84							# "the Latest MTA".
85							# - Resend the message ensuring it's smaller than the limitation set. The transmission
86							# and content-encoding can add significantly to the total message size (e.g. a mes-
87							# sage with a 70 MB attachment, can have an overall size larger than 100 MB).
88							[554, 'maximum email size exceeded'],
89							],
90							'expired' => [
91							# - Journal messages past the expiration
92							# - Attempts are being made to journal mail past the set expiry threshold.
93							# A retry response will replace the failure because the message is marked for retry
94							# if rejected, causing the journal queue to grow.
95							# - Check to confirm there are no significant time discrepancies on the mail server.
96							# Discontinue journaling old messages past the expiry threshold.
97							[550, 'journal messages past the expiration'],
98							],
99							'failedstarttls' => [
100							# - SMTP inbound TLS has been enabled but no SSL certificate (or no valid certificate)
101							# has been selected to be used.
102							# - Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS.
103							# Alternatively, ensure the certificates on the mail server haven't expired.
104							# If using a proxy server, ensure it isn't intercepting the traffic and modifying
105							# encryption parameters.
106							["454", "tls not available due to temporary reason"],
107
108							# - This email has been sent using SMTP, but TLS is required by policy.
109							# - Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS.
110							# Alternatively, ensure the certificates on the mail server haven't expired. If using
111							# a proxy server, ensure it isn't intercepting the traffic and modifying encryption
112							# parameters.
113							[553, 'this route requires encryption (tls)'],
114
115							# - A TLS connection has been attempted using a TLS version that is lower than TLS 1.2.
116							# - Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS.
117							# Alternatively, ensure the mail server attempting to connect is using the appropri-
118							# ate version of TLS.
119							[553, 'this route requires tls version 1.2 or greater'],
120
121							# - A secure connection was attempted using ciphers that do not meet the configured ci-
122							# pher strength.
123							# - Delete or change the Secure Receipt or Secure Delivery policy enforcing TLS. Alter-
124							# natively, ensure the certificates on the mail server haven't expired. If using a
125							# proxy server, ensure it isn't intercepting the traffic and modifying encryption
126							# parameters.
127							[553, 'this route requires high-strength ciphers'],
128
129							# - Validation on your umbrella account's domain name does not conform to your DNS.
130							# - Check you DNS has the required umbrella accounts listed as comma-separated values.
131							[554, 'configuration is invalid for this certificate'],
132							],
133							'networkerror' => [
134							# - The recipients' domains have MX records configured incorrectly
135							# - Check and remove any MX records that point to hostnames with outbound references.
136							# Only Inbound smart hosts are supported on MX records.
137							[451, 'the incorrect hostname used for inbounds'],
138							[550, 'the incorrect hostname used for inbounds'],
139
140							# - The message has too many "received headers" as it has been forwarded across multi-
141							# ple hops. Once 25 hops have been reached, the email is rejected.
142							# - Investigate the email addresses in the communication pairs, to see what forwarders
143							# are configured on the mail servers.
144							[554, 'mail loop detected'],
145							],
146							'norelaying' => [
147							# - Both the sender and recipient domains specified in the transmission are external to
148							# Mimecast, and aren't allowed to relay through the Mimecast service and/or the con-
149							# necting IP address isn't recognized as authorized.
150							# - Mimecast customers should contact Mimecast Support to add the Authorized Outbound
151							# address, or to take other remedial action.
152							[451, 'open relay not allowed'],
153							[451, 'open relay is not allowed'],
154							],
155							'notaccept' => [
156							# - The customer account Inbound emails are disabled in the Administration Console.
157							# - Contact Mimecast Support if the account's inbound traffic should be allowed.
158							[451, 'account inbounds disabled'],
159							],
160							'onhold' => [
161							# - The customer account outbound emails are disabled in the Administration Console.
162							# - Contact Mimecast Support if the account's outbound traffic should be allowed.
163							[451, 'account outbounds disabled'],
164
165							# - Omni Directional hostnames are enabled.
166							# - Disable Omni Directional hostnames.
167							[451, 'hostname is not authorized'],
168
169							# - Attempts are being made to journal mail that is past the set expiry threshold. The
170							# failure will be replaced by a retry response because the message is marked for re-
171							# try if rejected, causing the journal queue to grow.
172							# - Check to confirm there are no significant time discrepancies on the mail server.
173							# Discontinue journaling old messages past the expiry threshold.
174							[550, 'journal message past expiration'],
175							],
176							'policyviolation' => [
177							# - The message has triggered an Anti-Spoofing policy.
178							# - Create an Anti-Spoofing policy to take no action for the sender's address or IP ad-
179							# dress.
180							[550, 'anti-spoofing policy - inbound not allowed'],
181							[550, 'rejected by header-based anti-spoofing policy'],
182
183							# - The message has triggered a Content Examination policy.
184							# - Either create a Content Examination Bypass policy or adjust the Content Examination
185							# policy as required.
186							[550, 'message bounced due to content examination policy'],
187
188							# - The message has triggered a Geographical Restriction policy.
189							# - Delete or amend the policy.
190							[554, 'host network not allowed'],
191							[554, 'host network, not allowed'],
192							],
193							'ratelimited' => [
194							# - There are too many concurrent inbound connections for the account. The default is 20.
195							# - The IP address is automatically removed from the block list after five minutes.
196							# Continued invalid connections result in the IP being readded to the block list. En-
197							# sure you don't route outbound or journal messages to Mimecast from an IP address
198							# that hasn't been authorized to do so.
199							[451, 'account service is temporarily unavailable'],
200
201							# - The sending server issues more than 100 RCPT TO entries. By default, Mimecast only
202							# accepts 100 RCPT TO entries per message body (DATA). The error triggers the sending
203							# mail server to provide the DATA for the first 100 recipients before it provides the
204							# next batch of RCPT TO entries.
205							# - Most mail servers respect the transient error and treat it as a "truncation request".
206							# If your mail server, firewall, or on-site solution doesn't respect the error, you
207							# must ensure that no more than 100 recipients are submitted.
208							# Note:
209							# Solutions like SMTP Fix-Up / MailGuard and ESMTP inspection on Cisco Pix and
210							# ASA Firewalls are known not to respect the transient error. We advise you to
211							# disable this functionality.
212							[452, 'too many recipients'],
213
214							# - There are too many concurrent outbound connections for the account.
215							# - Send the messages in smaller chunks to recipients.
216							[550, 'exceeding outbound thread limit'],
217							],
218							'rejected' => [
219							# - The sender's email address or domain has triggered a Blocked Senders Policy or
220							# there's an SPF hard rejection.
221							# - Delete or modify the Blocked Senders policy to exclude the sender address.
222							[550, 'administrative prohibition envelope blocked'],
223
224							# - A personal block policy is in place for the email address/domain.
225							# - Remove the email address/domain from the Managed Senders list.
226							[550, 'envelope blocked - user entry'],
227							[550, 'envelope blocked - user domain entry'],
228							[550, 'rejected by header-based manually blocked senders - block for manual block'],
229
230							# - A Block Sender Policy has been applied to reject emails based on the Header From or
231							# Envelope From address.
232							# - Delete or change the Blocked Senders policy.
233							[550, 'rejected by header-based blocked senders - block policy for header from'],
234							[550, 'envelope rejected - block policy for envelope from address'],
235							],
236							'securityerror' => [
237							# - Messages submitted to SMTP port 587 require authentication. This error indicates
238							# the authentication details provided were incorrect.
239							# - Check your authentication details match an internal email address in Mimecast, with
240							# a corresponding Mimecast cloud password. Alternatively, consider sending the mes-
241							# sage on SMTP port 25.
242							[535, 'incorrect authentication data'],
243							[550, 'submitter failed to disabled'],
244							[550, 'submitter failed to authenticate'],
245							],
246							'spamdetected' => [
247							# - A signature was detected that could either be a virus, or a spam score over the
248							# maximum threshold. The spam score isn't available in the Administration Console. If
249							# you aren't a Mimecast customer but have emails rejected with this error code, con-
250							# tact the recipient to adjust their configuration and permit your address. If unsuc-
251							# cessful, your IT department can submit a request to review these email rejections
252							# via our Sender Feedback form.
253							# - Anti-virus checks cannot be bypassed. Contact the sender to see if they can stop
254							# these messages from being blocked. Anti-spam checks can be bypassed using a Per-
255							# mitted Senders or Auto Allow policy. Rejected emails can be viewed in your Outbound
256							# Activity and searching for the required email address.
257							[554, 'email rejected due to security policies'],
258							],
259							'systemerror' => [
260							# - The Mimecast server is under maximum load.
261							# - No action is required from the end-user. The message will retry 30 times and when
262							# server resources are available, the message is processed.
263							[451, 'unable to process connection at this time'],
264
265							# - The message was incorrectly terminated. This can be caused by:
266							# - Files that previously contained a virus, but haven't been cleaned by an anti-virus
267							# product, leaving traces in the message.
268							# - Firewall issues on the sender's side.
269							# - Incorrectly configured content rules on a security device.
270							# - Investigate the Intrusion Detection software or other SMTP protocol analyzers. If
271							# running a Cisco Firewall, ensure the Mail- guard or SMTP Fixup module is disabled.
272							[451, 'message ended early'],
273
274							# - Generic error if the reason is unknown
275							# - Contact Mimecast Support.
276							[451, 'unable to process command'],
277
278							# - Generic error if the reason is unknown
279							# - Contact Mimecast Support.
280							[451, 'unable to process an email at this time'],
281							],
282							'userunknown' => [
283							# - The email address isn't a valid SMTP address.
284							# - The sender must resend the message to a valid internal email address.
285							[501, 'invalid address'],
286
287							# - The server has encountered a bad sequence of commands, or it requires an authenti-
288							# cation.
289							# - In case of a "bad sequence", the server has pulled off its commands in the wrong
290							# order, usually because of a broken connection. If authentication is needed, enter
291							# your username and password.
292							[503, 'user unknown'],
293
294							# - Known recipient, LDAP, or SMTP call forwarding recipient validation checks haven't
295							# returned a valid internal user.
296							# - The sender must resend the message to a valid internal recipient address.
297							[550, 'invalid recipient'],
298							],
299							};
300
301	17		50			80	my $issuedcode = lc $argvs->{'diagnosticcode'} // 0;
302	17		50			70	my $esmtpreply = int $argvs->{'replycode'} // 0;
303	17					31	my $reasontext = '';
304
305	17					102	REASON: for my $e ( keys %$messagesof ) {
306							# Try to find with each error message defined in $messagesof
307	244					333	for my $f ( $messagesof->{ $e }->@* ) {
308							# Find an error reason
309	683	100				1091	next unless $esmtpreply == $f->[0];
310	155	100				295	next unless index($issuedcode, $f->[1]) > -1;
311	12					19	$reasontext = $e;
312	12					28	last REASON;
313							}
314							}
315	17					105	return $reasontext;
316							}
317
318							1;
319							__END__