FortiMail
FortiMail provides advanced, multi-layer protection against the full spectrum of email-borne threats
acapalbo
Staff
Staff
Article Id 229320
Description

This article explains how to avoid the 'Recipient Verification – Reject' error that occurs with an incorrect smtp-rcpt-verification configuration.

Scope

FortiMail v7.0+

Solution

When the smtp-rcpt-verification is enabled on protected domains, FortiMail will use the address configured in the mail-from-addr field in the mail-from: attribute to the recipient MTA server.


This verification will fail if the mail-from: field reports an invalid or expired domain.

 

Depending on the specific MTA receiving server, SMTP codes 5xx and 4xx can be received on FortiMail in these cases (by looking at 'Mail Event' Logs):

 

reject=550 5.1.8 <username@invalid-or-expired-domain.com>: Sender address rejected: Domain not found


reject=450 4.1.8 <username@invalid-or-expired-domain.com>: Sender address rejected: Domain not found

 

NOTE:  In the aforementioned example, configuring mailsetting smtp-rcpt-verification looks like this:

 

# config mailsetting smtp-rcpt-verification
  set mail-from-addr username@invalid-or-expired-domain.com
end

 

As the domain example @invalid-or-expired-domain.com is invalid (or expired), the sender validation check failed when the recipient MTA server performed a sender validation check. As a result, it returned the 'Rejected' error with code 5xx or 4xx.

 

To avoid this specific issue, use a 'dummy' email address from a valid domain (i.e. your-fml-instance-id@fortimail.com) as follows:

 

# config mailsetting smtp-rcpt-verification
  set mail-from-addr gw123456@fortimail.com
end

 

In the above example, your-fml-instance-id = gw123456 is appropriate.

 

NOTE: gw123456@fortimail.com is a dummy mail address, but the domain @fortimail.com is a valid domain that will not cause 'Recipient Verification – Reject' on the recipient MTA server when smtp-rcpt-verification is enabled.

Contributors