Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Sophos Email: "550 5.7.1 Command Rejected" error on outbound emails [Gateway mode]

Hi Everyone!

Do you have issues where outbound emails through Sophos Email's Gateway mode fails and the sender is receiving a Non-Delivery Report (NDR) alert that mentions: "550 5.7.1 Command Rejected"? Well, you've come to the right place!

Symptom

Here is a screenshot of how the NDR looks like:

ALSO, this outbound email does not show up in Sophos Email's 'Message History' page.

Causes

  1. The envelope-from header and the from header are different from each other
  2. The domain of the sender email address is not part of the Domain list configured within Central Email
  3. The mailbox for the sender email address does not exist within Central Email
  4. Special circumstances where all of the above points are not the cause but issue persists.

Resolution for each of the above

For #1 Make sure both the envelope-from ('envelope-from' stated in the email headers) and from-header ('from:' stated in the body of the email) of the email are the same otherwise it will be denied. 

For #2 Make sure that sender's email address' domain is listed within the Domain settings within 'Configure > Settings > Email Security > Domain Settings > [Domain] > Edit Domain' page.

Below is the screenshot of the domain settings that should match that of the sender's if its email address is something like 'user@exampledomain.com':

For #3 Make sure that sender's domain is listed in the 'Configure > Settings > Email Security > Domain Settings / Status' list.

Here a screenshot of where the it should be listed:

For #4 There are certain circumstances (although very rare) that even when all three above are configured properly, the issue persists. The current recommendation for this would be to delete the affected user (and mailbox) from Sophos Email's 'People' and 'Mailboxes' page and then recreate it. 

If the user happens to be one that is synchronized via ADsync tool or AzureAD Sync, then deleting the user (and mailbox) from Sophos Email's 'People' and 'Mailboxes' page is also recommended BUT the main difference is to re-synchronize after in order for the account to be recreated.

Warning! Before performing the solution #4 please make sure that the user being deleted is not part of Sophos Mobile. This is because deleting and recreating the user object could affect the mobile application which would result to re-registration. In cases that a lot of users are affected, please get a case created with Sophos support to seek alternative ways.



Edited Title
[edited by: Raphael Alganes at 8:47 AM (GMT -8) on 11 Jan 2024]