res_89

relaying denied IP name lookup failed

I've been through every question on the board about the 5.7.1 NDR but the solutions are not working.

Here's the skinny:

I am in the military and my unit sets up deployable servers during contingency operations. We have a new set of equipment running Windows 2003 Enterprise Server and Exchange 2003 Standard Server. We have a Sidewinder 5.2.1 firewall and a router configured for 3 subnets: 192.168.14.0, 192.168.11.0 and 192.168.20.0. The 20 subnet has an external DNS server (not a fake root host) which has info for each of the external burbs of the firewalls (14.0 and 11.0) and MX records for both.

When we try to send mail from the Outlook client on one domain to a client on the other domain we receive an NDR, specifically:
SMTP 550 5.7.1.
You do not have permission to send to this recipient
relaying denied IP name lookup failed (IP of the mailserver)

When I do an nslookup and put in IP addresses, they resolve for all of the machines on my networks.  So I don't understand at what point the IP name lookup failed.

I've also ensured that the relay access list is on authentication and that every computer on the mail server's class B is on there (192.168.0.0) and it still denies.

Since this is training for what we do out in the field, we were following the manuals sent from the government contracted corporation; however, I really want to get this to work.

I've gone through all the common aspects of the Exchange portion and I was thinking it might have something to do with the firewall, but I have no way of tracking down where the mail goes.

Any help would be appreciated.

Chris

res_89

ASKER

I actually think I figured it out.

I went into the Sidewinder SMTP server access tables and added the server IPs of the two mail servers.

192.168.15.3  RELAY

That stopped the NDR kickback but now I don't know where the message is going.  It is not reaching the intended recipient.  I noticed on one of the queues in Exchange 2003 that the message (for a short period of time) was in the "messages with an unreachable destination" queue.  Although that queue disappeared and I have yet to be able to recreate the error.

I have an SMTP connector set up that is designed to forward all traffic to the firewall through the bridgehead server.

In the address space tab there's an SMTP     *     50 (50 being my arbitrary cost) and the box at the bottom "allow messages to be relayed to these domains" is checked.

Since the two domains are in separate forests, I assume they are considered foreign E-mail servers.  How do I set up a connector to forward to them?

I have an MX record in the external DNS for both of the domains' firewalls, but nothing seems to resolve and the messages just disappear without any errors. Somehow I was thinking that the 5.7.1 error was going to be the big issue, but now I don't know where the message is going. HELP!

First - "In the address space tab there's an SMTP * 50 (50 being my arbitrary cost) and the box at the bottom 'allow messages to be relayed to these domains' is checked."

You have just turned your server into an OPEN RELAY.
Either have domains listed on that tab and the option to allow relaying to those domains enabled, or have a wildcard and that option disabled. Do not have a wildcard and that option enabled at the same time.

Get that fixed first - as it isn't the cause of your problems.

Next.
If you are using an SMTP Connector to send to a bridgehead machine, then all you need to confirm is that the bridgehead machine can be reached on SMTP. If it cannot then that is the cause of the problems.
Once you have confirmed that, move on to the bridgehead machine to see whether that machine can relay on further.

Simon.

res_89

ASKER

Simon,

Thanks for letting me know about the open relay.  I guess the government does it a little differently.  I just want it to work.  So I'll remove the check box.

The bridgehead is just the Exchange server.

When I set up the SMTP connection the first tab has the radio button clicked for "forward all messages to this IP" and I have the internal burb of my firewall listed in the brackets [192.168.15.1]

It then asks for a bridgehead and the only thing I can select is the Exchange server.

I'm starting to think now that the problem is with the firewall. I don't know much about it, but from what my other admins were telling me, the Sidewinder firewall might be killing the port 25 traffic between the burbs.

Does the firewall have an SMTP server on it?
For a smart host to work, the IP address needs to be another SMTP server - whether this is Exchange, Unix, or something else.

For example, if you telnet to port 25 on 192.168.15.1 - what happens?

telnet 192.168.15.1 25

You should get a banner from an SMTP host - as this is a requirement of the RFC. If you don't, then there isn't anything at the other end to connect to.

I fully understand the "I just want it to work". People start doing all sorts of things that they shouldn't do when it reaches that point. However things should work without turning yourself into an open relay. Granted if it isn't working properly then the spammers might not be able to relay anything through you - but when working on a sick server you cannot take that risk.

Simon.
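
Simon's banner test and the relay decision from his earlier reply, scripted as an added example (not part of the thread or any poster's code): it speaks HELO / MAIL FROM / RCPT TO to your own relay and reports where the dialog stops, never sending DATA. The `example` host names and mailboxes are placeholders; 192.168.15.1 is the firewall address quoted in the thread.

```python
import socket

def read_reply(f):
    """Read one SMTP reply; multi-line replies use '250-' until the final '250 '."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line[:3].isdigit():  # also true on EOF (empty read)
            raise ConnectionError(f"not an SMTP reply: {line!r}")
        lines.append(line)
        if line[3:4] != "-":
            return int(line[:3]), " ".join(l[4:] for l in lines)

def probe(sock, helo_name, sender, recipient):
    """Greeting + envelope check on a connected socket. No DATA is ever sent."""
    f = sock.makefile("rwb")
    code, text = read_reply(f)
    if code != 220:
        return {"step": "greeting", "code": code, "text": text,
                "verdict": "no 220 greeting"}
    for step, cmd in (("HELO", f"HELO {helo_name}"),
                      ("MAIL", f"MAIL FROM:<{sender}>"),
                      ("RCPT", f"RCPT TO:<{recipient}>")):
        f.write(cmd.encode("ascii") + b"\r\n")
        f.flush()
        code, text = read_reply(f)
        if code >= 400:  # 4xx/5xx: the dialog stops at this step
            break
    f.write(b"QUIT\r\n")
    f.flush()
    if step != "RCPT":
        verdict = f"rejected at {step}"
    elif code >= 400:
        verdict = "recipient refused"  # e.g. 550 5.7.1 relaying denied
    else:
        verdict = "recipient accepted"
    return {"step": step, "code": code, "text": text, "verdict": verdict}

def check(host, port=25, timeout=10, **envelope):
    """Connect and run probe(); any socket failure means no usable SMTP service."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return probe(sock, **envelope)
    except OSError as exc:
        return {"step": "connect", "code": None, "text": str(exc),
                "verdict": "no SMTP service"}

if __name__ == "__main__":
    # Placeholder names and mailboxes; run from the Exchange host against its smart host.
    print(check("192.168.15.1", helo_name="exch.domain-a.example",
                sender="test@domain-a.example", recipient="test@domain-b.example"))
```

A `recipient refused` result carrying 550 5.7.1 reproduces the NDR at the protocol level and shows which hop issued it. `recipient accepted` for a domain the host is not responsible for, from a client that should not be allowed to relay, is the open-relay condition described above.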

Are you trying to send mail out from your server?
If you are, a good site to test your email settings is dnsreport.com; choose the email option on the right.
Then enter the email address in the box and wait. You should get a 250 come back; this confirms that your Exchange server is accepting emails by that account name.
The next step is to check if you have your static IP stored in the relay option in SMTP in the Exchange manager.
I just ran through this problem with a client where his DNS and MX records are being hosted by godaddy.com and he was unable to send mail out to any accounts other than those internal to Exchange. He tried sending mail to yahoo.com or hotmail.com, and when he added his static IP to the relay option in SMTP under your Exchange manager he was able to send mail out. Here are the steps to get there.

1. Choose Exchange servers (System Manager)
2. Expand Servers
3. Expand Protocols
4. Expand SMTP (right click on SMTP and choose Properties)
5. Choose Access and then pick Relay
6. Click Add and then choose Single computer and enter your static or dynamic IP here
7. Click OK, OK, then Apply, then test your mail and see if you can send mail to the outside world, not to different accounts.

Let me know if this works for you and if this is what you were looking for.
ASKER CERTIFIED SOLUTION
David_Fong

I think I provided the answer. The other experts were looking at it from the Windows hosts point of view, but Sidewinder isn't a simple firewall; its internal sendmail relays and DNS need setting up correctly.