Access_errors MTA option

From Messaging Server Technical Reference Wiki

Error text and error interpretation MTA options: access_errors (0 or 1)

As of MS 6.2, if access_errors is set to 0 (the default), then when a recipient address is rejected by a recipient address *_ACCESS mapping table entry that does not supply explicit rejection text of its own, the MTA reports the rejection as if it were an "unknown host" error. That is, the text of the error_text_unknown_host MTA option is used, so by default the error is reported as an "unknown host or domain" error, corresponding to the SMTP error:

550 5.7.1 unknown host or domain: recipient-address

This is the same error that would be reported if the address were simply illegal. Although confusing, this usage nevertheless provides an important element of security in circumstances where information about access restrictions should not be revealed. Setting access_errors to 1 overrides this default and provides a more descriptive default error text, as specified by the error_text_access_failure MTA option, which defaults to "5.7.1 you are not allowed to use this address", corresponding to the SMTP error:

550 5.7.1 you are not allowed to use this address: recipient-address

In either case, the setting of access_errors merely controls the default error text issued for recipient address *_ACCESS mapping table rejections; entries that perform rejections may override the default rejection text by supplying their own explicit rejection text. Prior to MS 6.2, the access_errors option did not affect the default text used for recipient address *_ACCESS mapping table $N rejections, which was instead the error_text_permanent_failure text, normally "unknown host or domain".
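The following check is an added example, not part of the wiki or of Messaging Server: it masks the recipient in captured RCPT TO replies and reports whether a sender could tell an access rejection from an unknown address. The addresses and sample replies are constructed from the two default texts quoted above, and it assumes the unknown-address text is unchanged when access_errors is 1.

```python
import re

# Constructed sample replies. "nobody@example.com" stands for an address that
# does not exist, "restricted@example.com" for one blocked by an *_ACCESS entry.
SAMPLES = {
    0: {  # access_errors=0 (the default)
        "nobody@example.com": "550 5.7.1 unknown host or domain: nobody@example.com",
        "restricted@example.com": "550 5.7.1 unknown host or domain: restricted@example.com",
    },
    1: {  # access_errors=1 (assumes the unknown-address text stays the same)
        "nobody@example.com": "550 5.7.1 unknown host or domain: nobody@example.com",
        "restricted@example.com": "550 5.7.1 you are not allowed to use this address: restricted@example.com",
    },
}

# Reply code, separator ("-" marks a continuation line), optional enhanced status, text.
REPLY_RE = re.compile(r"^(\d{3})[ -](?:(\d\.\d{1,3}\.\d{1,3}) )?(.*)$")


def normalize(reply, recipient):
    """Return (code, enhanced status, text) with the recipient address masked."""
    code = status = None
    parts = []
    for line in reply.splitlines():  # handles multi-line replies
        m = REPLY_RE.match(line.strip())
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        code, status = m.group(1), m.group(2) or status
        parts.append(m.group(3).replace(recipient, "<rcpt>"))
    return code, status, " ".join(parts).lower()


def reveals_access_policy(replies):
    """True if the replies differ once each recipient is masked, i.e. the
    rejection text distinguishes an access failure from an unknown address."""
    return len({normalize(text, rcpt) for rcpt, text in replies.items()}) > 1


if __name__ == "__main__":
    for setting, replies in SAMPLES.items():
        verdict = "distinguishable" if reveals_access_policy(replies) else "identical"
        print(f"access_errors={setting}: rejections are {verdict}")
```

The same comparison also flags *_ACCESS entries whose explicit rejection text discloses the restriction regardless of the access_errors setting.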

This option also controls the default error text issued when a spam/virus filter package rejects a recipient address with an other-than-temporary rejection.

In versions prior to 7.0-0.04, this option also affected the now obsolete and removed feature whereby the MTA provided facilities to restrict access to channels on the basis of group ids on UNIX (the analogue of rightslist identifiers in PMDF for OpenVMS). That is, in versions prior to 7.0-0.04, the error text issued when an address was rejected for an access failure caused by a non-matching group id would also be affected by this option. Indeed, prior to MS 6.2, control of the error text for group id mismatches was the only purpose and only effect of this option.
