stillsyra
Exchange Server Emails Bounced Back Suddenly

Some of the outbound emails were bounced back suddenly starting yesterday.

There are three types of undeliverable errors:
1. #552 5.2.0 IB212 msg rejected as spam ##, from secureserver.net
2. #554 5.7.1 [P4] Message blocked due to spam content in the message. ##, from embarq.synacor.com
3. #554 Denied (Mode: normal) ##, from mxlogic.net

I ran a test on mxtoolbox.com, and didn't find any error for our domain. It isn't on any blacklist. 4 warnings found:

smtp: mail.domain, SMTP Transaction Time, 8.284 seconds - Not good! on Transaction Time
smtp: mail.domain, SMTP TLS, Warning - Does not support TLS.
dns:  domain, DNS SOA Expire Value, SOA Expire Value out of recommended range
dns: domain, DNS SOA Serial Number Format, SOA Serial Number Format is Invalid

What's causing the problem? Can anyone help please?
ASKER CERTIFIED SOLUTION
Hypercat (Deb)
Also, a third thing I just remembered, is to make sure you have a PTR (rDNS) record for your mail server, if you're hosting your own email.  The absence of a PTR record can also be a common reason for email being rejected as spam.
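The PTR check Hypercat describes, scripted as an added example (not code from the thread). A receiving MTA typically wants three things to line up: the sending IP has a PTR record, the PTR name resolves back to that same IP (forward-confirmed reverse DNS), and the name the server announces in EHLO is that PTR name. The resolver functions are injectable so the logic can be run offline; the `SAMPLE_PTR` / `SAMPLE_A` tables and the `example.com` / `example.net` hosts are constructed, not real data.

```python
import socket
from typing import Callable, Dict, List

# Resolver signatures: PTR lookup (ip -> names) and A lookup (name -> ips).
PtrResolver = Callable[[str], List[str]]
AResolver = Callable[[str], List[str]]


def system_ptr(ip: str) -> List[str]:
    """PTR lookup via the OS resolver; empty list when there is no record."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
        return [primary] + list(aliases)
    except OSError:            # socket.herror / gaierror are OSError subclasses
        return []


def system_a(name: str) -> List[str]:
    """A lookup via the OS resolver; empty list when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def check_fcrdns(ip: str, helo_name: str,
                 ptr: PtrResolver = system_ptr, a: AResolver = system_a) -> Dict:
    """Report on the sending IP's reverse-DNS hygiene.

    has_ptr           - the IP has at least one PTR record
    forward_confirmed - some PTR name has an A record pointing back at the IP
    helo_matches_ptr  - the EHLO name is one of the PTR names
    problems          - what a receiving MTA may object to
    """
    names = ptr(ip)
    report = {"ip": ip, "ptr_names": names, "has_ptr": bool(names),
              "forward_confirmed": False, "helo_matches_ptr": False,
              "problems": []}
    if not names:
        report["problems"].append("no PTR record for %s" % ip)
        return report
    for name in names:
        if ip in a(name):
            report["forward_confirmed"] = True
            break
    if not report["forward_confirmed"]:
        report["problems"].append(
            "PTR name(s) %s do not resolve back to %s" % (", ".join(names), ip))
    if _norm(helo_name) in {_norm(n) for n in names}:
        report["helo_matches_ptr"] = True
    else:
        report["problems"].append(
            "EHLO name %s is not one of the PTR names %s" % (helo_name, ", ".join(names)))
    return report


# Constructed DNS data for an offline run (not real hosts).
SAMPLE_PTR = {
    "198.51.100.10": ["mail.example.com"],       # healthy: PTR and A agree
    "198.51.100.11": [],                         # no PTR at all
    "198.51.100.12": ["host12.example.net"],     # PTR exists but points elsewhere
}
SAMPLE_A = {
    "mail.example.com": ["198.51.100.10"],
    "host12.example.net": ["203.0.113.5"],
}


def sample_ptr(ip: str) -> List[str]:
    return SAMPLE_PTR.get(ip, [])


def sample_a(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])


if __name__ == "__main__":
    import sys
    ip_arg, helo_arg = sys.argv[1], sys.argv[2]    # e.g. 203.0.113.7 mail.example.com
    for key, value in check_fcrdns(ip_arg, helo_arg).items():
        print("%-18s %s" % (key, value))
```

Run it against the public IP the outbound mail actually leaves from (the NAT address, not the server's internal address) and the FQDN configured on the send connector; the three constructed cases show a clean host, a host with no PTR, and a PTR that does not confirm.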
You should definitely follow hypercat's advice. It may be the issue.

You can sometimes get more information on reasons for failures by trying to send email using telnet. I have frequently found the reason why email has been denied from places, including GoDaddy (secureserver.net), by doing so.

Instructions on how to email using telnet: http://www.wikihow.com/Send-Email-Using-Telnet

Run that from your Exchange server. If telnet isn't installed, go to Windows Features in Server Manager and install the Telnet Client feature. Run telnet on port 25 against the first MX record their domain has listed.
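The same probe the telnet walkthrough describes, as an added example in Python (not code from the thread or the linked page). `parse_ehlo` takes a pasted telnet transcript and lists the ESMTP extensions the server advertised, so a session like the one above can be checked for a `STARTTLS` line offline; `probe` does it live against a remote MX and, if STARTTLS is offered, negotiates it and records the SHA-1 of the peer's DER certificate, which is the value Exchange prints as a certificate thumbprint. Host names and the two transcripts are constructed placeholders.

```python
import hashlib
import smtplib
import ssl
import sys
from typing import Dict


def parse_ehlo(transcript: str) -> Dict[str, str]:
    """Parse the 250 reply lines of an EHLO exchange into {KEYWORD: parameters}.

    Works on a pasted telnet transcript: non-250 lines (220 banner, the EHLO
    command itself) are ignored, and the first 250 line, which is the server's
    greeting rather than an extension, is skipped.
    """
    reply = [ln.strip() for ln in transcript.splitlines()
             if ln.strip()[:3] == "250" and ln.strip()[3:4] in ("-", " ")]
    caps: Dict[str, str] = {}
    for line in reply[1:]:                      # reply[0] is the greeting
        keyword, _, params = line[4:].strip().partition(" ")
        if keyword:
            caps[keyword.upper()] = params.strip()
    return caps


def advertises_starttls(caps: Dict[str, str]) -> bool:
    return "STARTTLS" in caps


def probe(mx_host: str, helo_name: str, port: int = 25, timeout: float = 20.0) -> Dict:
    """Live check: EHLO the remote MX and, if offered, negotiate STARTTLS.

    Certificate verification is disabled on purpose: the goal is to see what
    the peer presents, and opportunistic TLS does not verify it either.
    """
    report = {"host": mx_host, "banner": "", "extensions": {},
              "starttls_offered": False, "tls_established": False,
              "peer_cert_sha1": None}
    with smtplib.SMTP(timeout=timeout) as s:
        _, banner = s.connect(mx_host, port)
        report["banner"] = banner.decode("utf-8", "replace")
        s.ehlo(helo_name)
        report["extensions"] = dict(s.esmtp_features)
        if s.has_extn("starttls"):
            report["starttls_offered"] = True
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            s.starttls(context=ctx)
            report["tls_established"] = True
            der = s.sock.getpeercert(binary_form=True)
            report["peer_cert_sha1"] = hashlib.sha1(der).hexdigest().upper()
            s.ehlo(helo_name)                   # capabilities can differ after TLS
            report["extensions_after_tls"] = dict(s.esmtp_features)
    return report


# Constructed transcripts, the kind of text a telnet session produces.
SAMPLE_NO_STARTTLS = """\
220 mail.example.com Microsoft ESMTP MAIL Service ready
EHLO probe.example.org
250-mail.example.com Hello [203.0.113.7]
250-SIZE 10485760
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-X-ANONYMOUSTLS
250-8BITMIME
250 OK
"""

SAMPLE_WITH_STARTTLS = """\
220 mx.example.net ESMTP
EHLO probe.example.org
250-mx.example.net Hello [203.0.113.7]
250-SIZE 52428800
250-STARTTLS
250 OK
"""

if __name__ == "__main__":
    host, helo = sys.argv[1], sys.argv[2]       # e.g. mx.example.net mail.example.com
    for key, value in probe(host, helo).items():
        print("%-20s %s" % (key, value))
```

Run `probe` from the Exchange server itself so the connection leaves from the same IP the receiver sees in production; if the banner or the reply to `MAIL FROM` carries a reject code, that text is usually the most specific reason the receiving side will give.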
stillsyra

ASKER

I just created a SPF record, and there's a PTR record.

When I use telnet on the Exchange server, with command EHLO, the 250-starttls isn't shown, but the 250-x-anonymoustls is shown. So it looks like the opportunistic TLS isn't enabled.

How do I enable the opportunistic TLS on my Exchange 2007 server?
Did you proceed to try to send the email using telnet and see if you get any errors? I would go through the whole process as you may get a more specific reason why your email is blocked, which I have seen before with GoDaddy.

I'm not familiar with Opportunistic TLS, hopefully hypercat can help you with that if it is the issue.
I just double-checked the documentation and opportunistic TLS IS enabled by default in Exchange 2007. So, if you have an SSL certificate properly installed on your Exchange server, and if Exchange 2007 is configured to use this SSL certificate for SMTP communications, then it will automatically use that certificate if the external server it is sending to is configured to request or require TLS.  

Do you have an SSL certificate configured for SMTP on your Exchange server?
stillsyra - if you don't know the answer to my previous question, then you can check by opening the Exchange Management Shell and typing:

get-exchangecertificate | fl

This will produce a list showing you what, if any, certificates are enabled on your server for Exchange and what services (i.e., SMTP, IIS, etc.) the certificate is used for. It will also tell you if the certificates are valid or expired, which would be important to know.
Here's the result of get-exchangecertificate | fl. It doesn't look like the opportunistic TLS is enabled. If so, how do I enable it?

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.domain, www.mail.domain, autodiscover.domain}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 8/19/2015 2:24:16 PM
NotBefore          : 8/14/2013 11:38:27 AM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 04968AD1BAE896
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.domain, OU=Domain Control Validated
Thumbprint         : 571C1E094518B6CCA126DC744D7564F7E53E0670
<<Services           : IMAP, POP, IIS, SMTP>>

This shows that the certificate, which is a GoDaddy SSL certificate, is enabled for SMTP, so you're all set with opportunistic TLS.  If you want to confirm that, make sure that your send and receive connectors are set to verbose mode, so that the communications are logged.  Then you can check the SMTP protocol logs (they are in the Exchange folder under [Drive]\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog).  You'll see two folders there, SMTP Receive and SMTP Send.  Look in the SMTP Send folder and open the log in a text reader like Notepad.

What you're looking for is communication like this:

External SMTP Connector,08D0890102A648EF,14,10.10.10.1:56504,24.229.4.10:25,>,STARTTLS,
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,15,10.10.10.1:56504,24.229.4.10:25,<,220 2.0.0 SMTP server ready,
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,16,10.10.10.1:56504,24.229.4.10:25,*,,Sending certificate
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,17,10.10.10.1:56504,24.229.4.10:25,*,"CN=[Your SMTP server name], OU=Domain Control Validated",Certificate subject
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,18,10.10.10.1:56504,24.229.4.10:25,*,"SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=""GoDaddy.com, Inc."", L=Scottsdale, S=Arizona, C=US",Certificate issuer name
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,19,10.10.10.1:56504,24.229.4.10:25,*,4F00CF17A03742,Certificate serial number
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,20,10.10.10.1:56504,24.229.4.10:25,*,F037F80DBA3CE48D32CF8BB6368E916B67FC0FBD,Certificate thumbprint
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,21,10.10.10.1:56504,24.229.4.10:25,*,[Your certificate valid server names],Certificate alternate names
2013-09-27T00:54:51.331Z,External SMTP Connector,08D0890102A648EF,22,10.10.10.1:56504,24.229.4.10:25,*,,Received certificate
2013-09-27T00:54:51.331Z,External SMTP Connector,08D0890102A648EF,23,10.10.10.1:56504,24.229.4.10:25,*,D4AC9CAA518865B1EF4BF3050B8AFFDF7074D02E,Certificate thumbprint
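Reading the SmtpSend protocol log by hand works for one session; for a day's worth of bounces it helps to script it. The following is an added example, not code from the thread: it groups log lines by session ID, records whether the remote offered STARTTLS, whether Exchange sent it and got the 220 back, which certificate thumbprints were logged for each side, and any 4xx/5xx reply the remote returned. The field order is the one Exchange 2007 writes in its protocol logs (date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context); the sample log, its session IDs, hosts and thumbprints are constructed.

```python
import csv
from collections import OrderedDict
from typing import Dict, List

# Field order Exchange 2007 writes in its SMTP protocol logs.
FIELDS = ["date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"]


def _new_session(remote: str) -> Dict:
    return {"remote": remote, "starttls_offered": False, "starttls_sent": False,
            "tls_ready": False, "local_cert_thumbprint": None,
            "remote_cert_thumbprint": None, "rejections": [], "_cert_side": None}


def parse_sessions(log_text: str) -> "OrderedDict[str, Dict]":
    """Group SmtpSend log lines by session and extract the TLS-relevant facts."""
    rows = csv.reader(ln for ln in log_text.splitlines() if ln and not ln.startswith("#"))
    sessions: "OrderedDict[str, Dict]" = OrderedDict()
    for row in rows:
        if len(row) < len(FIELDS):
            continue
        rec = dict(zip(FIELDS, row))
        s = sessions.setdefault(rec["session-id"], _new_session(rec["remote-endpoint"]))
        ev, data, ctx = rec["event"], rec["data"], rec["context"]
        if ev == "<":                                   # received from remote
            if data.upper() in ("250-STARTTLS", "250 STARTTLS"):
                s["starttls_offered"] = True
            elif s["starttls_sent"] and not s["tls_ready"] and data.startswith("220"):
                s["tls_ready"] = True                   # 220 answering our STARTTLS
            elif data[:3].isdigit() and data[0] in "45":
                s["rejections"].append(data)            # 4xx temporary / 5xx permanent
        elif ev == ">" and data.upper() == "STARTTLS":  # sent by Exchange
            s["starttls_sent"] = True
        elif ev == "*":                                 # informational
            if ctx == "Sending certificate":
                s["_cert_side"] = "local"
            elif ctx == "Received certificate":
                s["_cert_side"] = "remote"
            elif ctx == "Certificate thumbprint" and s["_cert_side"]:
                s[s["_cert_side"] + "_cert_thumbprint"] = data
    for s in sessions.values():
        s.pop("_cert_side")
    return sessions


def summarize(sessions) -> List[str]:
    out = []
    for sid, s in sessions.items():
        if s["tls_ready"]:
            tls = "TLS negotiated, peer cert %s" % (s["remote_cert_thumbprint"] or "not logged")
        elif s["starttls_offered"]:
            tls = "STARTTLS offered but not completed"
        else:
            tls = "remote did not offer STARTTLS, sent in clear"
        rej = "; ".join(s["rejections"]) if s["rejections"] else "no rejection"
        out.append("%s %s: %s; %s" % (sid, s["remote"], tls, rej))
    return out


# Constructed sample: one session that negotiates TLS, one rejected in clear.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-09-27T00:54:41.900Z,External SMTP Connector,08D0000000000001,0,10.10.10.1:56504,192.0.2.25:25,+,,
2013-09-27T00:54:41.950Z,External SMTP Connector,08D0000000000001,1,10.10.10.1:56504,192.0.2.25:25,<,220 mx.example.net ESMTP,
2013-09-27T00:54:41.960Z,External SMTP Connector,08D0000000000001,2,10.10.10.1:56504,192.0.2.25:25,>,EHLO mail.example.com,
2013-09-27T00:54:42.000Z,External SMTP Connector,08D0000000000001,3,10.10.10.1:56504,192.0.2.25:25,<,250-mx.example.net Hello [203.0.113.7],
2013-09-27T00:54:42.001Z,External SMTP Connector,08D0000000000001,4,10.10.10.1:56504,192.0.2.25:25,<,250-STARTTLS,
2013-09-27T00:54:42.002Z,External SMTP Connector,08D0000000000001,5,10.10.10.1:56504,192.0.2.25:25,<,250 OK,
2013-09-27T00:54:42.010Z,External SMTP Connector,08D0000000000001,6,10.10.10.1:56504,192.0.2.25:25,>,STARTTLS,
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0000000000001,7,10.10.10.1:56504,192.0.2.25:25,<,220 2.0.0 SMTP server ready,
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0000000000001,8,10.10.10.1:56504,192.0.2.25:25,*,,Sending certificate
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0000000000001,9,10.10.10.1:56504,192.0.2.25:25,*,"CN=mail.example.com, OU=Domain Control Validated",Certificate subject
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0000000000001,10,10.10.10.1:56504,192.0.2.25:25,*,0123456789ABCDEF0123456789ABCDEF01234567,Certificate thumbprint
2013-09-27T00:54:51.331Z,External SMTP Connector,08D0000000000001,11,10.10.10.1:56504,192.0.2.25:25,*,,Received certificate
2013-09-27T00:54:51.331Z,External SMTP Connector,08D0000000000001,12,10.10.10.1:56504,192.0.2.25:25,*,FEDCBA9876543210FEDCBA9876543210FEDCBA98,Certificate thumbprint
2013-09-27T00:54:52.000Z,External SMTP Connector,08D0000000000001,13,10.10.10.1:56504,192.0.2.25:25,-,,Local
2013-09-27T01:10:00.000Z,External SMTP Connector,08D0000000000002,0,10.10.10.1:56600,198.51.100.30:25,+,,
2013-09-27T01:10:00.050Z,External SMTP Connector,08D0000000000002,1,10.10.10.1:56600,198.51.100.30:25,<,220 mx2.example.org ESMTP,
2013-09-27T01:10:00.060Z,External SMTP Connector,08D0000000000002,2,10.10.10.1:56600,198.51.100.30:25,>,EHLO mail.example.com,
2013-09-27T01:10:00.100Z,External SMTP Connector,08D0000000000002,3,10.10.10.1:56600,198.51.100.30:25,<,250-mx2.example.org Hello,
2013-09-27T01:10:00.101Z,External SMTP Connector,08D0000000000002,4,10.10.10.1:56600,198.51.100.30:25,<,250 OK,
2013-09-27T01:10:00.110Z,External SMTP Connector,08D0000000000002,5,10.10.10.1:56600,198.51.100.30:25,>,MAIL FROM:<user@example.com>,
2013-09-27T01:10:00.150Z,External SMTP Connector,08D0000000000002,6,10.10.10.1:56600,198.51.100.30:25,<,554 Denied (Mode: normal),
2013-09-27T01:10:00.160Z,External SMTP Connector,08D0000000000002,7,10.10.10.1:56600,198.51.100.30:25,>,QUIT,
2013-09-27T01:10:00.200Z,External SMTP Connector,08D0000000000002,8,10.10.10.1:56600,198.51.100.30:25,-,,Local
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in summarize(parse_sessions(text)):
        print(line)
```

Point it at a real SEND*.LOG from the ProtocolLog\SmtpSend folder (protocol logging must be set to verbose on the send connector first, as noted above). A session that shows "remote did not offer STARTTLS" is not a fault on the Exchange side; a session that shows a 5xx reply tells you, in the receiver's own words, why that particular message was refused.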
It's been a few days and looks like the problem is solved. Thanks everyone.