error message 554 5.7.1: Exchange 2013 blocking emails (banned words)

Sounds like blacklisting or SPF checking is incorrectly set up.

This is incoming email?

You have filtering "in the cloud", which sends all email into your Exchange server?

Yes incoming email. . There is filtering on the cloud which I want to maintain the control there. I want to disable the filtering feature on the server. I checked the cloud filtering (Trend Micro Email Hosted Security) that the email was released and delivered to the exchange server.

Below is a screenshot from Exchange 2010, don't have a 2013 box handy at the moment. I *think* everything here is identical.

Is everything disabled on your system?

I am using exchange 2013. What ps can I call out for the similar results?

It is also strange. I ask the sender to send to my Gmail and then I forward to the exchange server and it was delivered. So where is the banned word in this case? If banned word, it shd be blocked as well

Do you have any third party Transport Agent?  if yes you may give a try by disabling it

No, I did not install any third part agent on the exchange server

Get-Transportagent  Does it show anything?

Does it behave the same way for internal and External or how does it behave?

Pipeline tracing will help it

Hi Pradiip Singh, i have the follow result . For the blocked email, only some external incoming email has this issue.  Internal email is ok

[PS] C:\Windows\system32>get-transportagent

Identity                                           Enabled         Priority
--------                                           -------         --------
Transport Rule Agent                               True            1
Malware Agent                                           False           2
Text Messaging Routing Agent                True            3
Text Messaging Delivery Agent                True            4

a number of logs against incoming SMTP connections to the Exchange server. please see all related logs from below official guide.

https://docs.microsoft.com/en-us/exchange/mail-flow/transport-logs/transport-logs?view=exchserver-2019

of course, you don't really need to manually search throughout all the logs, just use "554 5.7.1" as the keyword to check the related logs available on your Exchange server.

please update once you have found something interesting. thanks.

I cant figure anything on the log. Not sure if the logging was disabled.

I ran the following commands
 
[PS] C:\Windows\system32>Get-ContentFilterConfig | Format-List ExternalMailEnabled
ExternalMailEnabled : True

Can i know if the top command shows that content filtering is enable? and i ran the below command


[PS] C:\Windows\system32>Set-ContentFilterConfig -ExternalMailEnabled $false
[PS] C:\Windows\system32>Get-ContentFilterConfig | Format-List ExternalMailEnable
ExternalMailEnabled : False

did i disable the content filtering correctly?

i have yet to test it as i have no way to reach the sender on a weekend

Rdgs

you can do that but you need to verify it if its set for what? and if that specific one is your issue

Well the error message has something to do with ban word. So I guess is the content filtering that causing this. Hence is an trying to disable totally for external email content filtering. I have content filtering on the cloud, so I think I am relatively safe. I will test it tomorrow. Thank you

the error is still there. I have disable content filter for external email,


[PS] C:\Windows\system32>Get-ContentFilterConfig | Format-List ExternalMailEnabled
ExternalMailEnabled : False

but still i have this bounced email
554 5.7.1 This message has been blocked because it contains a banned word. (in reply to end of DATA command)

Anyone expert can help?

Do you have any custom Transport Rules that may be blocking mail by Subject or Message Body content. Run Get-TransportRule to view rules.

yes i do, but those are only forwarding emails to another email addresses. I dont have any rule to check for ban words and bounce it back.

Did you restart the transport services after disabling it ? also you can do the message tracking and see which agent has rejected it while  processing

yes i restart the entire server still cannot. Can teach me how to completely stop or remove the content filtering function?

Try this  - Set-ContentFilterConfig -Enabled $false



Reff - https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/content-filtering-procedures?view=exchserver-2019

The problem seems to be related to the server that sends these emails.
If you can get the same mail from a place like gmail or outlook.com, you should search the problem on sender side.