Recipient Validation fails for valid recipient

I have entered a single Mail Delivery Server ( and a single Mail Domain ( set to use that server. There is one valid user,

If I telnet to, I am able to manually submit an email to without error.

When I disable recipient verification and try to send an email through the appliance, the rejection message is:

" Recipient address rejected: User unknown in local recipient table."

When I set recipient verification to downstream SMTP look-ahead, the rejection message is:

" Recipient address rejected: undeliverable address: unknown user: 'me'"

I setup a packet capture on the server at, and no traffic is sent from the email appliance(hardware) to that server with either verification setting.

Obviously I'm missing something, but I'm at a loss for what it is. Can anyone offer a hand?

  • Hi Mike,

    Via downstream SMTP look-ahead (recommended): The Email Appliance's mail transfer agent (MTA ) uses SMTP recipient validation. The MTA will connect to the internal mail server to confirm that an address exists.

    I would only use this if your not using AD

    mta connects, post fix responds with .. wait a second... postfix sends a telnet request downstream to exchange and sends an envelope from.. Exchange answers .. Valid. telnet session ends, appliance accepts the message.   the message is processed and delivered down stream.  Once Exchange actually gets and end of DATA command exchange validates the address and rejects it.  This generates a NDR that is delivered back tot he appliance and the appliance in turn trys to send it out for the next 5 days.

    Exchange does not actually validate an address until that final . in the DATA command.

    Via Configuration Sync: You can maintain lists of some configuration data, including recipient validation, in text files. With Configuration Synchronization you can use the SCP protocol to sync those lists to the Email Appliance.

    not to many people use this, but it will allow you to manually create and upload your own lists to the appliance.

    Via directory services: The Email Appliance's mail transfer agent (MTA) uses directory services queries to determine if messages are addressed to valid recipients. You should ensure that your directory services settings are configured correctly.

    by far the best option if you have AD integration.  postfix will query the list immediately when the mta connects and accept or reject the message before it is accepted. This also prevents exchange from generating NDR's down stream.

    Disable recipient validation: Turns off recipient validation. It is recommended that you do not disable recipient validation, unless you have specific requirements.

    Yes, um don't disable validation.. 

    If you wish to test the connection here is a sample email via telnet.

    Telnet 25
    Helo localhost
    Mail from:
    Rcpt to:
    Subject: test from email appliance
    (blank line)

  • In reply to Red_Warrior:


    I'm using with Via directory services. But I'm taking same error :( How can I check users in Gateway?

  • In reply to Ali Erdem Sunar:

    When you go to setup directory services (System --> Directory Services) - In the wizard setup it does some test queries against your AD server. Specifically the "valid recipients" and the "aliases" query should contain all your email addresses. You can click on each of the results and it will give you a TXT output of the recipients/aliases it found in your AD with that query. You can use this to cross check on who are valid recipients.

    You may need to adjust the LDAP query to get better results or ensure the user/email/contact is in AD so that it can be queried.


  • In reply to Ali Erdem Sunar:

    Personally I prefer Callback method BUT recently with Exchange 2013 and 2016 this has been made more difficult as by default Exchange will reject non-valid recipients at the DATA transaction not the RCPT TO transaction as it should.. Microsoft being Microsoft again.

    However it is not impossible you just must setup another receive connector on a different port (2525 etc) and do the recipient verification (or recipient filtering) on that port.

    Sophos really should put their own KB article out there but the details on how to do this are covered in this SpamTitan KB