[SOLVED] PMG bouncing messages with 5.7.1: Sender PRA Not Permitted

thedab101

New Member
May 16, 2023
Hello all,
Hoping for some guidance here, I can't figure out the cause of this problem.

Here's the environment:
Internet (Static IP, unable to set RDNS) > Cisco ASA (port forwarding properly configured) > PMG > Exchange 2019
DNS in Cloudflare, SPF records configured and new Email DMARC configured in Cloudflare

PMG is a recent addition and it's done an excellent job of blocking spam and other undesirable messages, but it's also bouncing several messages - including many which are legitimate. The only way I found this out was by stumbling on the Tracking Centre one day, and found a series of emails I missed because they were marked "accepted/bounced".

The error returned (private IP redacted) is:
May 16 06:59:33 pmg postfix/smtp[55990]: A2E4E4814F9: to=<xxxxx@xxxxx.tld>, relay=nnn.nnn.nnn.nnn[nnn.nnn.nnn.nnn]:25, delay=5.3, delays=0.05/0.01/0/5.2, dsn=5.7.1, status=bounced (host nnn.nnn.nnn.nnn[nnn.nnn.nnn.nnn] said: 550 5.7.1 Sender ID (PRA) Not Permitted (in reply to end of DATA command))

Other messages are getting through.

I'm hitting a brain block: I think this is either a receive connector issue, an SPF issue, or a firewall issue. Has anyone else had similar issues like this, that they've resolved?

Thanks for your help in advance.
 
> (host nnn.nnn.nnn.nnn[nnn.nnn.nnn.nnn] said: 550 5.7.1 Sender ID (PRA) Not Permitted

The message is what host `nnn.nnn.nnn.nnn` responds to PMG - you need to check its configuration (I assume it's the Exchange - in which case you have to configure it to trust mails from PMG...)

I hope this helps!
 
Thanks for the quick reply.
Some research I've done suggests a specific receive connector needs to be created for PMG (and yes, as mentioned earlier in my original post, it's Exchange 2019).
Is this really what's required? I'd assume without it, I'd receive no messages. I'm receiving messages on the default receive connector.
Thanks again.
 
I don't have experience with Exchange - but from what I've seen in the Microsoft documentation and several threads here in our forum - I think you need a bit of config on the Exchange side, for it to accept mails from a mail proxy like PMG.

From a quick search of the error message from Exchange online, it seems that the issue might be related to SPF failing - which is clear - since your PMG sends the mails to Exchange and not the MX of the domain (thus you need to allow PMG as trusted relay in Exchange) - see e.g.
https://social.technet.microsoft.co...ot-permitted?forum=exchangesvrsecuremessaging

I hope this helps!
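
The reasoning in the reply above, as an added example that is not part of the original thread: Sender ID checks the connecting IP against the SPF record of the message's Purported Responsible Address (PRA), so a message that passes at the first hop fails once a gateway relays it. The domains, IP addresses, SPF data and the simplified PRA selection (RFC 4407 without the Resent-* ordering rule) are assumptions constructed for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: documentation IP ranges and example domains.
SPF_IP4 = {"example.org": ["192.0.2.0/24"]}  # sender domain's published ip4 ranges
ORIGIN_IP = "192.0.2.25"  # sender's real outbound server
RELAY_IP = "10.0.0.5"     # hypothetical gateway that hands mail to the mailbox server

RAW = """\
Received: from mail.example.org (mail.example.org [192.0.2.25]) by gateway.example.net
From: Alice <alice@example.org>
Sender: Newsletter <bounce@example.org>
Subject: constructed test message

body
"""

def pra(msg):
    """Simplified RFC 4407 selection: Resent-Sender, Resent-From, Sender, From.
    Omits the Received/Return-Path ordering rule for Resent-* headers."""
    for name in ("Resent-Sender", "Resent-From"):
        values = [v for v in msg.get_all(name, []) if v.strip()]
        if values:
            return parseaddr(values[0])[1] or None
    for name in ("Sender", "From"):
        values = [v for v in msg.get_all(name, []) if v.strip()]
        if len(values) == 1:
            return parseaddr(values[0])[1] or None
        if len(values) > 1:
            return None  # more than one such header: ill-formed, no PRA
    return None

def sender_id_result(raw, client_ip):
    """Check client_ip against the PRA domain's ip4 ranges (ip4 mechanisms only)."""
    address = pra(message_from_string(raw))
    if not address or "@" not in address:
        return "none"
    domain = address.rsplit("@", 1)[1].lower()
    nets = SPF_IP4.get(domain)
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in nets) else "fail"

if __name__ == "__main__":
    print("seen from origin:", sender_id_result(RAW, ORIGIN_IP))
    print("seen from relay: ", sender_id_result(RAW, RELAY_IP))
```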
 
Thanks for the very quick response.
I've disabled Sender ID Filtering on Exchange for now - PMG does a fine job of rejecting messages at that level before it hits Exchange, so I find it unnecessary to have Sender ID filtering enabled on Exchange.
I'll keep an eye on it over the next two days and if there's a problem again I'll reopen this thread.

Thanks again. Very helpful.
 