Scan-to-email is a very useful feature on multi-function printers. That’s where you give the printer the SMTP details for your email server, and users can then scan to their inbox. That’s better than scan to a network share for many reasons including many businesses now longer having a file-server, instead using cloud storage; and it’s better for data-protection as the scan goes one recipient rather than sitting in a share folder that anyone can access.
Setting up scan-to-email is always a bundle of laughs however!
This is mostly because the printers that I’ve used do not give useful troubleshooting or debugging help. When the scan-to-email fails normally you get a not very useful error message. It’s even worse when doing the set-up, whether through the printer’s console or through its admin web page. The communications with the email server can fail in various ways. You’d hope that the printer would tell you at which stage it failed and give you information from that failure. Within the SMTP connection the SMTP server will return a specific error code and more importantly an error message that often includes very useful details. The printer sadly doesn’t report those details.
There are many places it can fail:
- No network cable connected
- No IP address etc assigned
- No response from DNS server
- Non-successful result from DNS server for the given SMTP server name
- No TCP connection to the SMTP server
- TLS or SSL connection fails to the SMTP server
- Then within the SMTP session, there are various steps:
- Initial handshake failed
- Authentication if used, failed
- Sender address not accepted
- Recipient address not accepted. For instance, if the email server thinks you are spamming then it will generally return an error here.
- Email sending failed
On a Ricoh printer, there is no test facility when using the admin web pages to do set-up. The only way to check it is working is to do a test scan and hope that the error message guides you. If you’re doing this remotely you of course have to ask someone near the printer to do the scan for you.
Through the printer’s console, there is a Test button on the page where you set-up the SMTP server name/address. It reports only a success or fail and gives no further information. Worse it is slightly misleading. According to an expert in these printers that test is simply an ICMP ping. So, it’s not any use in checking most of the stages in the SMTP connection where it can fail as listed above and does not give the error reason.
Perhaps there is a whole series or article on this subject, but for now I just want to cover one case where the error code the Ricoh device case was unlisted in any Ricoh manuals I could find on the internet and Google didn’t find anything.
This case: “No Privilege“
In this case the email server was Office 365. We had used that successfully elsewhere. The Test button on the SMTP server page returned success (as had the DNS Test, and pinging remote destination etc). On a scan the only error message it provided was “Error” which is not useful! The help in the scan logging screen showed that it would report some SMTP failure e.g. failure to connect, authenticate, etc.
There were no job logs through the admin web page, but I did eventually find related logging in the Download Logs feature. Analysis of them took some time as they contain multiple lines per job. I eventually found this bunch of logging for each failure:
|2017-11-13T14:12:02.0||Scanner: Sending||Failed||Control Panel||Failed||Output Failure||0x00000022||1||0x00000000000003e0|
I’ve removed tens of columns from the middle of that, so if looking at those logs yourself expect to do lots and lots of horizontal scrolling!
As noted above there is no information I can fine on “No Privilege“.
For comparison a failure when the network is down, it gives this error logging (I’ve removed most right-hand columns) and two rows only:
|2017-12-21T14:41:34.0||Scanner: Sending||Failed||Control Panel||Failed||Output Failure|
|Failed||Failed||Connection Failed with Destination|
After much investigation, as an educated guess we turned on SMTP Authentication. The initial set-up had been done without that as the previous model could not authenticate to Office 365. (The SSL/TLS implementation was far too old and insecure to be accepted by Office 365, and without encryption Office 365 won’t accept authentication).
Authentication fixed the problem. Scanning was working! So, it was something about the SMTP connection that was going wrong.
Job done? No, there’s the why still hanging! Since the printer doesn’t give us any help we need to look at other SMTP debugging methods. One is to use a terminal client (e.g. telnet) to speak to the printer which allows us to the see the email server response — those which the printer sadly does no show us!
This is the SMTP session I did by hand. The indented lines are my commands to the server.
220 DB5EUR03FT015.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Thu, 11 Jan 2018 18:43:27 +0000 HELO printer1.example.com 250 DB5EUR03FT015.mail.protection.outlook.com Hello [192.0.2.181] MAIL FROM:email@example.com 250 2.1.0 Sender OK RCPT TO:firstname.lastname@example.org 550 5.7.606 Access denied, banned sending IP [192.0.2.181]. To request removal from this list please visit https://sender.office.com/ and follow the directions. For more information please go to http://go.microsoft.com/fwlink/?LinkID=526655 (AS16012609) [DB5EUR03FT015.eop-EUR03.prod.protection.outlook.com] QUIT 221 2.0.0 Service closing transmission channel
So, we can immediately see why the email is not sending. If only the printer had shown us that error message we would have been save hours of troubleshooting,
550 5.7.606 Access denied, banned sending IP [192.0.2.181]. To request removal from this list please visit https://sender.office.com/ and follow the directions. For more information please go to http://go.microsoft.com/fwlink/?LinkID=526655 (AS16012609) [DB5EUR03FT015.eop-EUR03.prod.protection.outlook.com]
So, we’re on a shared IP address range from our ISP and other are apparently sending spam then the address range is barred from sending. Hence why authentication fixes it: we prove to Office 365 we’re authenticated permitted senders.
Please please printer manufacturers start including better troubleshooting. For instance, please have a test feature that sends a scan email and includes full information as to where it fails, and if it fails during the SMTP session please include the full error message from the SMTP server.