I was really annoyed at Proofpoint; but really it was (partially) my fault

sudo postconf -e 'maximal_queue_lifetime = 1d'

I get it: some random guy sets up a new mail server, and you don’t know him from Adam, so you block his email.

They blocked me with a 400 series error. My new Postfix server had the default configuration of waiting five days before giving up. That wasn’t great, because I thought I’d sent an email, but the recipient never got it.

This failure was particularly irritating because my financial advisor needed me to sign an actual piece of paper to change the business relationship. She emailed me a document. It came across in her email that she was concerned about timing, this was rather urgent. I printed the document, signed it, and then emailed her back (on January 4) that I signed the document, but my schedule was such that I wouldn’t be able to bring the document to her office until Friday the 6th. Now I find out that Proofpoint never let my server send her that email; from her point of view I just completely shined her on.

That explains the weird look the receptionist gave me when I showed up on Friday with the signed document. They thought I had ghosted her. I didn’t: Proofpoint had decided to be a bully by stringing my mail server along with a 400 series error, until my mail server gave up and I finally got the 500 series error: blocked.

500 series errors are “it didn’t work, and it’s never going to work, what you are trying failed, we’re done.” 400 series errors on the other hand are “whoops – something went wrong, but it may be on our end rather than yours.”

I think it is a little disingenuous for Proofpoint to reply with a 400 series error “whoops – something went wrong, but it may be on our end rather than yours” when it was never going to get better. They blocked me because my mail server is new, and doesn’t have any reputation with them. That’s not going to get better on it’s own.

The big difference between 400 and 500 series errors is that 500 series errors are known problems. Because they are known problems, the results should be sent back immediately. 400 series errors have traditionally been allowed five days before the sending mail server reports an error. The idea behind 400 series errors was that perhaps you need time to fix a problem: so the sending mail server will try for five days before giving up. Perhaps you are moving to a new data center and you need a whole weekend to migrate. If you start Friday night and are done my Monday morning, the people sending you email will still get their messages to your users. It took several days, but eventually the email got there.

On the other hand, if I am sending an email to not-an-actual-user@some-real-domain.tld then the receiving mail server can immediately give me a 500 series error: not-an-actual-user does not exist. It didn’t work, it’s never going to work, what you are trying failed, we’re done. The sender (me) learns immediately that I mis-typed the email address or something.

I’ve recently gotten some DSN Fails trying to send to @icloud.com users. Same reason: they don’t know my mail server from Adam; but at least Apple was kind enough to let me know immediately that the mail didn’t go. I can at least text the person what I was going to send them in email.

Off-topic but mildly interesting: I had a user at work mis-type an email address by tacking on an extra period at the end. Like they finished a sentence with a period, but this was an email address. DNS has a top level, but to climb the tree means adding a trailing period and doing another DNS query. In other words, my computer could try to look up “mybox” and if that doesn’t resolve, tack a period on the end and look again. That would resolve to “mybox.mydomain”. If that doesn’t resolve, tack a period on the end and look again. That would resolve to “mybox.mydomain.tld” So when the resolution process finally gets to the very top Top Level Domain (TLD), searching stops. Those TLDs are a defined list; which is how DNS knows that there’s no more searching to be done. But whoops if the user asked for mybox.mydomain.tld. <—notice the trailing period. Then DNS is going to keep returning a 400 series error: it looks like there should be an upper level domain, but nothing responded, so maybe that box is just down right now? Try again in a few minutes. Five days later, my user finally got the DSN Fail. He was ticked off: why couldn’t the computer tell him he’d mistyped the email address? Well, because it kept looking for a mail server higher up in the DNS name hierarchy than .com

Leave a Reply