IT Services



Mail Relay



The University's mail relay service is provided by oxmail.ox.ac.uk. This system acts in one of two roles.

Mail Exchanger
A mail exchanger is responsible for receiving the mail destined for a mail domain. DNS MX records describe the exchangers linked to each domain. When oxmail acts as an MX it is normally receiving mail from servers outside Oxford.
Smarthost
A smarthost delivers mail on behalf of other mail servers. It makes the routing decisions and handles any errors that arise. Oxmail only acts as a smarthost for Oxford mail servers.


1. Overview

Oxmail aims to provide a reliable mail relay service. No messages are discarded or filtered.

There are three possible outcomes for each message presented.

Accept-and-deliver
As much checking as is practical is performed before a message is accepted, to maximise the chance of delivery. For mail from outside Oxford, the recipient address is checked with the downstream MTA. The sender address is verified to help ensure that, in the event of non-delivery after acceptance, an error message can be sent to the sender.
Accept-retry-and-bounce
Pre-acceptance checking tries to ensure that all accepted messages are deliverable. Any message that cannot be immediately delivered is queued and further delivery attempts are made from time to time. The retry interval starts small and increases with time. A message will be queued for 7 days before being returned to the sender.
Rejection
Rejection occurs at SMTP time. The sending MTA is responsible for informing the sender of this.


2. Junk Mail

It is important to note that oxmail does not filter mail on the basis of its content.

Messages arriving from outside Oxford are analysed by SpamAssassin (from the Apache SpamAssassin Project). Only messages smaller than 512KB are processed by SpamAssassin. This is because the SpamAssassin scanning process is extremely resource-intensive and few junk mails are larger than this. The results of the analysis are recorded in the message headers. Interpretation of this information is left for a downstream process. More details are available on mail scanning.



3. Malware

All messages are scanned by ClamAV. Any message found to contain malware is rejected after the DATA command.



4. Sending mail from inside Oxford

This section relates to sending mail from inside Oxford to oxmail in its smarthost role. This should be done by MTAs. MUAs should use the message submission service.

Connection

ICTC Regulations require hosts to be registered in the DNS. Hosts that are not are denied service.

HELO/EHLO

Mail transactions must start with HELO.

Since all Oxford IPs must be registered in the .ox.ac.uk domain, the HELO argument must end in .ox.ac.uk. This is effective protection against compromised hosts running ratware which forges the HELO.

MAIL FROM

Although there is no restriction on the sender address, if it isn't valid then you won't know about delivery errors and may fail the recipients' sender address checks.

RCPT TO

The maximum number of recipients allowed for one message is 500. Excess recipients are temporarily rejected.

DATA

The maximum message size is 100 Mbytes.



5. Sending mail from outside Oxford

This section relates to sending mail from outside Oxford to oxmail in its mail exchanger role.

Mail to postmaster@ox.ac.uk and abuse@ox.ac.uk bypasses most checks in order to allow queries about problems.

DNS-based blacklists

The following DNSBLs are used:

Name          Zone                         Web
MAPS RBL+     rbl-plus.mail-abuse.ja.net   http://www.mail-abuse.com/
PSBL          psbl.surriel.com             http://psbl.org/
Spamcop       bl.spamcop.net               http://spamcop.net/
Spamhaus ZEN  zen.dnsbl.ja.net             http://www.spamhaus.org/zen/

Mail coming from a server listed in one of these DNSBLs won't be rejected. It will attract a weighting in the SpamAssassin scoring and also experience small delays in response to some SMTP commands.

HELO/EHLO

Mail transactions must start with HELO.

The HELO argument must be syntactically correct. See RFC1123 section 5.2.5 and RFC5321 section 4.1.1.1 for guidance on choosing your HELO argument. A common mistake is to use the underscore character; this is not allowed.

MAIL FROM

The envelope sender must be valid and accept error messages (aka bounces). A common mistake is to send mail from a script without thinking about the sender address, e.g. apache@foo.example.com. If there's neither an MX record for nor an MTA on foo.example.com then the sender address will be invalid.

RCPT TO

No recipient local-part may contain any of the following characters: @ ! % / | "

The maximum number of recipients allowed for one message is 500. Excess recipients are temporarily rejected.

DATA

The maximum message size is 100 Mbytes.
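The HELO and RCPT TO rules in sections 4 and 5 can be checked on the sending side before a mail server is pointed at oxmail. The sketch below is an added example, not IT Services' code or oxmail's configuration: the function names, the `TEMP-REJECT` label and the single-label rule are assumptions, while the limits, characters and error codes are the ones given on this page.

```python
import re

MAX_RECIPIENTS = 500                      # limit quoted on this page
BANNED_LOCAL_PART_CHARS = set('@!%/|"')   # characters quoted on this page
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Address literal such as [192.0.2.25] or [IPv6:2001:db8::25]; shape check only.
LITERAL = re.compile(r"^\[(?:\d{1,3}(?:\.\d{1,3}){3}|IPv6:[0-9A-Fa-f:.]+)\]$")


def check_helo(helo, from_oxford):
    """Return the error code the HELO argument is likely to draw, or None."""
    if helo is None:                      # mail transaction started with no HELO
        return "HLO-MIS"
    if "_" in helo:
        return "HLO-UND"
    if not LITERAL.match(helo):
        labels = helo.split(".")
        # Assumption: a bare single label (not an FQDN) is treated as invalid.
        if len(helo) > 255 or len(labels) < 2:
            return "HLO-SYN"
        if not all(LABEL.match(label) for label in labels):
            return "HLO-SYN"
    if from_oxford and not helo.lower().endswith(".ox.ac.uk"):
        return "HLO-INT"
    return None


def check_recipients(recipients):
    """Return (address, code) pairs for recipients that would be refused."""
    refused = []
    for position, rcpt in enumerate(recipients, start=1):
        local_part = rcpt.rsplit("@", 1)[0]
        if BANNED_LOCAL_PART_CHARS & set(local_part):
            refused.append((rcpt, "RPT-CHR"))
        elif position > MAX_RECIPIENTS:
            # The page names no code for this; "TEMP-REJECT" is a local label.
            refused.append((rcpt, "TEMP-REJECT"))
    return refused


if __name__ == "__main__":
    # Constructed sample values, not taken from real traffic.
    for helo, oxford in [("MAIL_01", False), ("mx.example.com", True),
                         ("smtp.dept.ox.ac.uk", True), ("[192.0.2.25]", False)]:
        print(helo, "->", check_helo(helo, oxford))
    print(check_recipients(["a.user@ox.ac.uk", "b%relay.example@ox.ac.uk"]))
```

HLO-INT applies only to hosts on Oxford IP addresses, and the banned-character rule is stated for mail arriving from outside Oxford; pass `from_oxford` and call `check_recipients` accordingly.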



6. Explanations of our error messages

Here is a list of error messages given by the University mail relay service.

When the term HELO is used it should also be taken to include EHLO.

Words beginning with $ are variables which are substituted with applicable values in each message.



6.1. DAT-CLM: Message contains malware ($malware_name)

Explanation

Message contains malware. The name Oversized.Foo means that an archive of format Foo had too high a compression ratio (currently limited to 300:1).

Solution

Remove the malware. For Oversized.Foo you can try one of the following:
  • Reduce the compression ratio to below 300:1
  • Encrypt the archive to prevent unpacking
  • Use a protocol designed for file transfer (SMTP wasn't)
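A sender can measure an archive's compression ratio before attaching it. The following is an added example, not part of the IT Services page: it handles ZIP archives only, the function names are hypothetical, and because the page does not say how the scanner measures the ratio it reports both the whole-archive ratio and the worst single member (an assumption).

```python
import io
import os
import zipfile

RATIO_LIMIT = 300  # "currently limited to 300:1" on this page


def zip_ratios(data):
    """Return (overall_ratio, worst_member_ratio) for a ZIP held in bytes."""
    total_raw = total_packed = 0
    worst = 0.0
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir() or info.compress_size == 0:
                continue  # directories and empty members have no ratio
            total_raw += info.file_size
            total_packed += info.compress_size
            worst = max(worst, info.file_size / info.compress_size)
    overall = total_raw / total_packed if total_packed else 0.0
    return overall, worst


def likely_oversized(data, limit=RATIO_LIMIT):
    """True if either ratio reaches the limit, so the message may be refused."""
    return max(zip_ratios(data)) >= limit


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for the samples below."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, payload in members.items():
            archive.writestr(name, payload)
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed samples: incompressible data, and a zero-padded image file.
    samples = {
        "report.zip": build_zip({"report.bin": os.urandom(50_000)}),
        "image.zip": build_zip({"disk.img": bytes(2_000_000)}),
    }
    for name, blob in samples.items():
        overall, worst = zip_ratios(blob)
        print(f"{name}: overall {overall:.0f}:1, worst member {worst:.0f}:1,"
              f" oversized={likely_oversized(blob)}")
```

The sizes are read from the archive's own headers, so the figures are only meaningful for archives you built yourself.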


6.2. HLO-FOR: Forged HELO

Explanation

The sending MTA is forging the HELO command by using another host's identity.

Solution

The sending MTA must use its own identity.



6.3. HLO-INT: Oxford host claiming non-Oxford identity

Explanation

An Oxford host is claiming an identity with the HELO command that is not in the ox.ac.uk domain. All Oxford IP addresses must be registered in ox.ac.uk.

Solution

Use a HELO argument in the ox.ac.uk domain.

If you are unable to configure your mail server correctly then you should smarthost to smtp.ox.ac.uk instead, which does not impose this condition.



6.4. HLO-MIS: No HELO before mail transaction

Explanation

The mail transaction was started without first using the HELO command. See RFC5321 section 4.1.4.

Solution

Use the HELO command before starting the mail transaction.



6.5. HLO-SYN: HELO is syntactically invalid

Explanation

The HELO command does not meet basic syntax standards. Read RFC1123 section 5.2.5 and RFC5321 section 4.1.1.1 for the rules of choosing the HELO argument.

Solution

Use a valid HELO. If your mail server is called foo.example.com then issue the command HELO foo.example.com.



6.6. HLO-UND: HELO contains invalid underscore character

Explanation

The HELO argument contains an underscore. The underscore character (_) is not a member of the SMTP character set. A common mistake is for MS Windows administrators to use the host's NetBIOS name containing an underscore.

Solution

Use a HELO argument without an underscore.



6.7. HST-BAN: Sending host blacklisted

Explanation

The sending host is blacklisted.

Solution

Contact us for details.



6.8. HST-PTR: Oxford host has no PTR record

Explanation

The Oxford sending host has no PTR record in the DNS. This is a contravention of ICTC Regulations.

Solution

Contact your local IT staff and get your host registered.



6.9. RLY-OPN: Open relay not permitted

Explanation

You are attempting to use our MTA as an open relay.

Solution

Use the MTA appropriate for your IP address or the recipient domain.



6.10. RPT-ALU: Recipient unknown

Explanation

The recipient is unknown at Oxford.

Solution

Check that you are using the correct address. Search for alumni email addresses on the Oxford Alumni Email website (members only).



6.11. RPT-BAN: Recipient blacklisted

Explanation

The recipient is blacklisted.

Solution

Contact us for details.



6.12. RPT-CAL: Callout verification failed

Explanation

The downstream MTA will not accept the recipient address. Any error message given by that MTA is included in our error message.

Solution

Check with the recipient as to his/her correct address.



6.13. RPT-CHR: Recipient local-part contains a banned character

Explanation

The recipient local-part contains one of the following banned characters: @ ! % / | "

Solution

Use a recipient local-part without a banned character.



6.14. RPT-OBS: Recipient domain is obsolete

Explanation

The recipient domain is no longer in use.

Solution

Use the suggested new address or our contact search pages.



6.15. RPT-UNK: Recipient unknown.

Explanation

The recipient is unknown at Oxford.

Solution

Check that you are using the correct address. Search for email addresses on our contact search pages.



6.16. SND-BAN: Sender address blacklisted

Explanation

The sender address is blacklisted.

Solution

Contact us for details.



6.17. SND-VFY: Sender domain verification failed

Explanation

The sender domain is not correctly registered in the DNS.

Solution

Make sure that the sender domain is correctly registered in the DNS and that the authoritative DNS servers are accessible.



7. Statistics

Some mail relay statistics are available.