How to fix “554 5.7.1 : Relay access denied” email errors in web hosting servers
In our role as Website Support Specialists for online businesses, we resolve hundreds of email issues every day.
A commonly encountered email bounce error faced by web hosts, website owners and server owners is:
554 5.7.1 <email@example.com>: Relay access denied
The ‘554 5.7.1 : Relay access denied’ error means that either the sender has failed security checks or the recipient’s mail server is misconfigured. Today, we’ll take a look at:
- What causes Relay Access Denied error
- How we fix it for server owners (eg. web hosting provider)
- How we fix it for mail users
- How we prevent this error in our customers’ (eg. web hosts) servers.
What causes Relay Access Denied Error?
When a mail is sent, it first goes to the sender’s mail server (aka MX). Then it’s RELAYED to the recipient’s MX, and from there to the recipient.
Here, TWO servers are involved – Sender’s MX and Recipient’s MX. If either one of these servers rejects the mail, a Relay Access Denied error is shown to the sender.
Case 1 – Sender’s MX rejects the mail
Every mail server requires its users to provide a username and password to send mails. This is to keep spammers out. But very often valid mail users forget to turn on authentication in their mail clients, and the MX rejects their mail.
Bobcares manages the website support of several businesses. A quick look at the support tickets we handle shows that 95% of ‘Relay Access Denied’ errors are caused by incorrect SMTP settings.
So, when customers come to us facing this error, the first thing we check is their mail client settings. By guiding users with the correct settings specific to each mail client and mail server, we help them send emails without this error.
Case 2 – Recipient’s MX rejects the mail
The recipient’s mail server will accept a mail only if it can verify that the recipient is a valid user on that server. For example, if the recipient’s account is cancelled or inactive, it won’t accept the mail.
Our Support Specialists have often traced the origin of these errors to:
- Improper sender MX configuration (eg. SMTP auth settings disabled)
- Inactive or cancelled recipient mail address
- Recipient’s DNS MX records pointing to the wrong server (often after a migration)
- Recipient’s user database errors
We’ve seen two variations of this error in web hosting servers:
- 554 5.7.1 Relay Access Denied – The recipient’s mail server logs show this error when a mail is rejected.
- 454 4.7.1 Relay Access Denied – This error is seen in server logs when the recipient server is temporarily unable to accept mails. The mail delivery will be attempted again later.
So, if a website owner has started seeing these errors after a recent config change, or migration, or new server setup, we check the MX configuration of the domain and resolve any errors in that.
Pro Tip : If mails to several mail servers are bouncing, the mail server’s configuration could be incorrect. If mails to only a couple of recipient addresses are bouncing, the issue might be specific to those accounts.
How we resolve the error for server owners
Here at Bobcares, our engineers act as the Website Support Team of web hosts, VPS hosts and dedicated server providers. These server owners see the “Relay Access Denied” error in two situations:
- When a mail user tries to send a mail, and gets a bounce.
- When mails from a remote domain are rejected by the server, and mail users report it to the server owner.
In either case, we’ve seen the error recorded in mail server logs. It looks something like this:
Jan 23 03:10:57 mysev postfix/smtpd: NOQUEUE: reject: RCPT from mail-wg0-f53.google.com[18.104.22.168]: 554 5.7.1 <firstname.lastname@example.org>: Relay access denied; from=<email@example.com> to=<firstname.lastname@example.org> proto=ESMTP helo=<mail-wg0-f53.google.com>
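A triage of such log lines, as an added example that is not Bobcares' own tooling: it parses Postfix reject lines in the format above, separates 554 (permanent) from 454 (temporary) rejections, and applies the Pro Tip heuristic on how many destinations are affected. The sample lines are constructed, and the `several` threshold and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the Postfix smtpd reject format shown above; hosts and
# addresses are made up (192.0.2.0/24 is reserved for documentation).
SAMPLE_LOG = """\
Jan 23 03:10:57 mysev postfix/smtpd[811]: NOQUEUE: reject: RCPT from pc1.example.net[192.0.2.10]: 554 5.7.1 <bob@example.org>: Relay access denied; from=<alice@example.com> to=<bob@example.org> proto=ESMTP helo=<pc1>
Jan 23 03:11:02 mysev postfix/smtpd[811]: NOQUEUE: reject: RCPT from pc2.example.net[192.0.2.11]: 554 5.7.1 <eve@example.info>: Relay access denied; from=<carol@example.com> to=<eve@example.info> proto=ESMTP helo=<pc2>
Jan 23 03:11:09 mysev postfix/smtpd[812]: connect from pc3.example.net[192.0.2.12]
Jan 23 03:11:10 mysev postfix/smtpd[812]: NOQUEUE: reject: RCPT from pc3.example.net[192.0.2.12]: 454 4.7.1 <dan@example.edu>: Relay access denied; from=<frank@example.com> to=<dan@example.edu> proto=ESMTP helo=<pc3>
"""

REJECT_RE = re.compile(
    r"postfix/smtpd(?:\[\d+\])?: NOQUEUE: reject: RCPT from "
    r"(?P<client>[^\s\[]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) "
    r"<(?P<rcpt>[^>]*)>: Relay access denied; from=<(?P<sender>[^>]*)>"
)

def parse_rejects(log_text):
    """Return one dict per 'Relay access denied' reject line; skip other lines."""
    return [m.groupdict() for m in map(REJECT_RE.search, log_text.splitlines()) if m]

def triage(rejects, several=3):
    """Summarise rejects; 'several' is an assumed threshold, tune it per server."""
    domains = Counter(r["rcpt"].rpartition("@")[2].lower() for r in rejects)
    senders = {r["sender"].lower() for r in rejects}
    permanent = sum(r["code"].startswith("5") for r in rejects)
    if not rejects:
        scope = "none"
    elif len(domains) >= several:
        scope = "server-wide"        # many destinations: check server relay/auth config
    else:
        scope = "account-specific"   # few destinations: check those accounts
    return {
        "permanent_554": permanent,
        "temporary_454": len(rejects) - permanent,
        "recipient_domains": sorted(domains),
        "senders": sorted(senders),
        "scope": scope,
    }

if __name__ == "__main__":
    print(triage(parse_rejects(SAMPLE_LOG)))
```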
Here are a few reasons we’ve noticed, and how we resolve them:
1. User authentication system could be broken
All modern mail servers have a way to authenticate a user before they accept a mail to be sent. So, if we notice ALL of the mail server users getting this error, we immediately check the user authentication settings of the mail server.
For example, in the Postfix mail server, the setting below lets users who pass SMTP authentication send mail. If it is disabled in the configuration file, all the users will receive “554 5.7.1 : Relay access denied”.
smtpd_recipient_restrictions = permit_sasl_authenticated
Such failures in mail server capabilities often happen as a result of mail software upgrades or operating system upgrades.
In our Website Support Services, we prevent upgrade errors or config issues by testing the upgrades in a test environment first, verifying for config conflicts and rigorously testing features post-upgrade.
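A post-upgrade check for the Postfix setting discussed above, as an added example that is not Bobcares' own tooling: it parses main.cf text and reports when SASL is switched off or when `permit_sasl_authenticated` is listed after the rule that refuses relaying, either of which gives authenticated users “Relay access denied”. Both config excerpts are constructed, the function names are assumptions, and restriction lists absent from the file are left to Postfix's built-in defaults rather than modelled.

```python
# Constructed main.cf excerpts, not taken from a real server.
BROKEN = """\
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    permit_sasl_authenticated
"""
FIXED = """\
# authenticated users are permitted before the relay guard is reached
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}
LISTS = ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")

def parse_main_cf(text):
    """Parse 'name = value' entries, comments and indented continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank line or comment
        if raw[0].isspace():                          # continues the previous entry
            if current:
                params[current] += " " + raw.strip()
        elif "=" in raw:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.strip()           # a later entry overrides
    return params

def audit(text):
    """Return findings; an empty list means authenticated relay is not blocked."""
    params, findings = parse_main_cf(text), []
    if params.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes: nobody can authenticate")
    for name in LISTS:
        if name not in params:
            continue               # left to Postfix's built-in default, not modelled
        items = params[name].replace(",", " ").split()
        guard = next((i for i, t in enumerate(items) if t in RELAY_GUARDS), None)
        if guard is not None and "permit_sasl_authenticated" not in items[:guard]:
            findings.append(f"{name}: permit_sasl_authenticated must precede {items[guard]}")
    return findings
```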
2. Authentication database might be corrupt
Some servers such as Plesk servers store user login details (username & password) and authenticated IP details in databases. For instance, Plesk Qmail servers store details of authenticated IPs in a MySQL database table called smtp_poplocks.
In some cases, these databases could get partially or completely damaged due to file system errors, disk errors, etc. and multiple mail users will be unable to send mails. A quick database integrity check and repair helps us fix this issue.
Databases store critical data such as authentication information, not just for mail services, but for other services such as web, business apps, etc. So, to avoid business downtime, we monitor the database integrity round the clock.
With our 24/7 monitoring and management, we help our customers keep an eye on their servers, and quickly fix server errors any time of the day. This helps our customers maintain high service quality and business uptime.
3. External sending server failed your server’s anti-spam check
In cPanel server management, this is a case where we’ve seen that the mail server users are unable to receive mails from external parties, and the server responds with “Relay Access Denied”.
This happens when the external sending mail server fails your server’s anti-spam check. For example, this Exim mail server (myserv.com) rejected a mail from an external server (otherserv.com) because it failed an anti-spam check called “Sender Verification Callout”.
2015-06-12 05:12:36 H=(myserv.com) [xx.xx.xx.xx] sender verify fail for <email@example.com>: response to "RCPT TO:<firstname.lastname@example.org>" from otherserv.com [yy.yy.yy.yy] was: 554 <email@example.com>: Relay access denied
2015-06-12 05:12:36 H=(myserv.com) [xx.xx.xx.xx] F=<firstname.lastname@example.org> rejected RCPT <email@example.com>: Sender verify failed
There are three ways we resolve this:
- We examine the mail logs and if we notice repeated instances of valid mails being blocked by such an anti-spam check, we update this particular anti-spam rule.
- If the issue is specific to only one external mail server, we contact their administrator to make their servers compliant with the anti-spam check.
- In certain cases where we know that the sender is a valid and trustworthy one, we bypass the check for that server by adding it to our white-list.
Anti-spam checks are necessary, but they can damage your business if not used judiciously. In the mail servers we maintain, we stick to RFC compliant spam checks, and implement only those systems that are validated by a majority of service providers.
For example, there are a lot of aggressive DNS-based blacklists that frequently spam-list legitimate service providers. We make sure that only trusted, reputed lists are used in our customers’ servers.
4. The recipient mail account is inactive or misconfigured
A mail server accepts only mail that is addressed to its own users. For example, the mail server of whitehouse.gov will accept only mails to [employee-name]@whitehouse.gov.
However, we’ve seen two cases where a recipient server cannot confirm a user as valid.
- The recipient mail server’s user database becomes corrupt, and it is unable to look up a user as valid.
- The recipient has set the wrong IP as their domain’s MX DNS record, and delivery is attempted to the wrong server.
This issue cannot be fixed at the sender’s mail server. However, we look up the error details from the mail server logs and contact the recipient MX administrators to issue a quick resolution.
5. Mail user’s email client configuration is wrong
This is by far the most common cause of this error. Once we check the mail logs and confirm that the mail server is working fine (that is, no clogged mail queue, not many bounced mails, etc.), we look at the mail user’s email client configuration and fix it.
More on the common issues is explained in the section below.
How we resolve the error for mail users
The “Relay Access Denied” error is returned when the mail server is unable to authenticate the mail user. Here are a few common situations where this error is returned.
1. When the server’s authentication settings have changed
If there has been a recent change in your mail service, like a change in email provider, or if your mail provider migrated you to a new server, it is possible that the method of user authentication has changed.
For instance, you could have been using POP-before-SMTP before, but the new server uses “SMTP authentication” now. So, we first confirm the following details for the mail users:
- Mail server name – Eg: mail.yourserver.com
- Mail server IP – Eg: 22.214.171.124
- User name
- Whether to enable SMTP authentication or not
2. When the authenticated IP changes on mobile devices
In servers that are configured with POP before SMTP, domain owners with mobile devices report intermittent relay errors. This happens when they change the WiFi hotspot or their 4G/3G/2G network changes their IP due to a break in coverage.
The email server would be referring to the old IP as the authenticated one, while the domain owner’s mobile device would be using the new IP address.
We prevent these issues by enforcing SMTP password authentication. For example, in Parallels Plesk servers, we disable POP3 authorization and SMTP authentication is turned on by default.
3. When the domain owner tries to connect to the wrong server
This situation happens with newly registered domain owners. They would either try sending mails before the account setup is complete, use their ISP’s mail servers, or keep using their old hosting server’s host name or IP address.
Since the change needs to happen at the domain owner’s device, we focus on lightning fast resolution using step-by-step instructions customized for their mail client.
We maintain a repository of step-by-step email configuration settings for all mail clients, in all popular operating systems and mobile devices. So, we are usually able to give a resolution in as little as 10 minutes.
4. When an external party fails your server’s spam check
If users are unable to receive mails from an external party, it is possible that their servers failed an anti-spam check. We check the details from the mail server logs and get it resolved by contacting the remote mail server administrators.
5. When the mail server is broken
It is possible that the user authentication system might be broken in the mail server, or your mail was tagged as spam. More on that is described in the section above.
Mail service is perhaps the most important online service that aids day-to-day business transactions. A contract that needs to be signed, a quote that needs to be sent, market trend data that needs to be presented – none of these can wait – We know!
That is why Bobcares engineers give high priority to resolving email errors. We use server logs, user reports and test routines to quickly identify the cause of mail errors, and fix them in as little as 10 minutes. If you’d like to know how you can better support your mail users, we’d be happy to talk to you.