stillsyra
asked on
Exchange Server Emails Bounced Back Suddenly
Some of the outbound emails were bounced back suddenly starting yesterday.
There are three types of undeliverable errors:
1. #552 5.2.0 IB212 msg rejected as spam ##, from secureserver.net
2. #554 5.7.1 [P4] Message blocked due to spam content in the message. ##, from embarq.synacor.com
3. #554 Denied (Mode: normal) ##, from mxlogic.net
I ran a test on mxtoolbox.com, and didn't find any error for our domain. It isn't on any blacklist. 4 warnings found:
smtp: mail.domain, SMTP Transaction Time, 8.284 seconds - Not good! on Transaction Time
smtp: mail.domain, SMTP TLS, Warning - Does not support TLS.
dns: domain, DNS SOA Expire Value, SOA Expire Value out of recommended range
dns: domain, DNS SOA Serial Number Format, SOA Serial Number Format is Invalid
What's causing the problem? Can anyone help please?
Also, a third thing I just remembered, is to make sure you have a PTR (rDNS) record for your mail server, if you're hosting your own email. The absence of a PTR record can also be a common reason for email being rejected as spam.
You should definitely follow hypercat's advice. It may be the issue.
You can sometimes get more information on reasons for failures by trying to send email using telnet. I have frequently found the reason why email has been denied from places, including GoDaddy (secureserver.net), by doing so.
Instructions on how to email using telnet: http://www.wikihow.com/Send-Email-Using-Telnet
Run that from your Exchange server. If telnet isn't installed go to windows features in the server manager and install the telnet client feature. Run the telnet on port 25 against the first MX record their domain has listed.
ASKER
I just created a SPF record, and there's a PTR record.
When I use telnet on the Exchange server, with command EHLO, the 250-starttls isn't shown, but the 250-x-anonymoustls is shown. So it looks like the opportunistic TLS isn't enabled.
How do I enable the opportunistic TLS on my Exchange 2007 server?
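The telnet EHLO test suggested above, and the asker's reading of its output (250-x-anonymoustls present, 250-starttls absent), can be repeated without retyping the session. The following is an added example written for this thread, not the wikiHow procedure or anything the posters ran: it parses an EHLO response and reports whether the server offers STARTTLS or only the Exchange-to-Exchange X-ANONYMOUSTLS extension. The two sample responses are constructed, and the hostname passed on the command line is a placeholder for your own MX.

```python
"""Read an SMTP server's EHLO response and report its STARTTLS posture."""
import smtplib

# Constructed EHLO responses (not captures from the thread). The first models
# an Exchange 2007 receive connector that offers only X-ANONYMOUSTLS, the
# asker's symptom; the second is a server that also offers STARTTLS.
EHLO_ANONYMOUS_ONLY = """250-mail.example.net Hello [192.0.2.10]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-8BITMIME
250 CHUNKING"""

EHLO_WITH_STARTTLS = """250-mail.example.net Hello [192.0.2.10]
250-SIZE 10485760
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM LOGIN
250 8BITMIME"""


def parse_ehlo(response: str) -> dict:
    """Map each advertised EHLO keyword (upper-cased) to its parameter string.

    The first line is the greeting, not a capability, so it is skipped. Both
    '250-KEYWORD' (continuation) and '250 KEYWORD' (final line) are accepted.
    """
    capabilities = {}
    for line in response.strip().splitlines()[1:]:
        if not line.startswith("250") or len(line) < 4:
            continue
        body = line[4:].strip()
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        capabilities[keyword.upper()] = params.strip()
    return capabilities


def assess_tls(capabilities: dict) -> dict:
    """Summarise what the advertised capabilities mean for TLS with other MTAs."""
    starttls = "STARTTLS" in capabilities
    anonymous = "X-ANONYMOUSTLS" in capabilities
    size = capabilities.get("SIZE", "")
    return {
        "starttls": starttls,
        # X-ANONYMOUSTLS is only usable between Exchange servers; a third-party
        # MX sees a server without STARTTLS as plaintext-only, which is what the
        # 'Does not support TLS' warning in the question reports.
        "anonymous_tls_only": anonymous and not starttls,
        "auth_mechanisms": capabilities.get("AUTH", "").split(),
        "max_message_size": int(size) if size.isdigit() else None,
    }


def check_live(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a real server and assess its actual EHLO response (needs network)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        # smtplib lower-cases the keywords it collects; normalise them back.
        caps = {k.upper(): v for k, v in smtp.esmtp_features.items()}
    return assess_tls(caps)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_live(sys.argv[1]))  # e.g. python ehlo_check.py mail.yourdomain.example
    else:
        for sample in (EHLO_ANONYMOUS_ONLY, EHLO_WITH_STARTTLS):
            print(assess_tls(parse_ehlo(sample)))
```

Run it against your own server's public MX name from a host outside the network, since an Exchange receive connector can advertise different extensions to internal and external peers.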
Did you proceed to try to send the email using telnet and see if you get any errors? I would go through the whole process as you may get a more specific reason why your email is blocked, which I have seen before with GoDaddy.
I'm not familiar with Opportunistic TLS, hopefully hypercat can help you with that if it is the issue.
I just double-checked the documentation and opportunistic TLS IS enabled by default in Exchange 2007. So, if you have an SSL certificate properly installed on your Exchange server, and if Exchange 2007 is configured to use this SSL certificate for SMTP communications, then it will automatically use that certificate if the external server it is sending to is configured to request or require TLS.
Do you have an SSL certificate configured for SMTP on your Exchange server?
stillsyra - if you don't know the answer to my previous question, then you can check by opening the Exchange Management Shell and typing:
get-exchangecertificate | fl
This will produce a list showing you what, if any, certificates are enabled on your server for Exchange and what services (i.e., SMTP, IIS, etc.) the certificate is used for. It will also tell you if the certificates are valid or expired, which would be important to know.
ASKER
Here's the result of get-exchangecertificate | fl. It doesn't look like the opportunistic TLS is enabled. If so, how do I enable it?
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.domain, www.mail.domain, autodiscover.domain}
HasPrivateKey : True
IsSelfSigned : False
Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 8/19/2015 2:24:16 PM
NotBefore : 8/14/2013 11:38:27 AM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 04968AD1BAE896
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=mail.domain, OU=Domain Control Validated
Thumbprint : 571C1E094518B6CCA126DC744D7564F7E53E0670
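Reading the Format-List output by eye works for one certificate; with several it is easy to miss which one is actually bound to SMTP or which has lapsed. The following is an added example for this thread, not an Exchange cmdlet: it parses pasted get-exchangecertificate | fl text and rates each SMTP-enabled certificate. The sample output is constructed (names, serials and thumbprints invented) and the date parser assumes the en-US format the asker's shell printed.

```python
"""Parse 'Get-ExchangeCertificate | fl' text and rate each SMTP-enabled certificate."""
import re
from datetime import datetime

# Constructed Format-List output modelled on the asker's paste (all values
# invented). Two certificates: a CA-issued one bound to SMTP and an expired
# self-signed one that is also bound to SMTP.
SAMPLE_OUTPUT = """
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.example.org, www.mail.example.org, autodiscover.example.org}
IsSelfSigned       : False
Issuer             : SERIALNUMBER=00000000, CN=Example Secure Certification Authority, O="Example,
                     Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 8/19/2015 2:24:16 PM
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.example.org, OU=Domain Control Validated
Thumbprint         : A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {EXCH01, EXCH01.corp.example.org}
IsSelfSigned       : True
Issuer             : CN=EXCH01
NotAfter           : 3/1/2013 9:00:00 AM
Services           : SMTP
Status             : DateInvalid
Subject            : CN=EXCH01
Thumbprint         : B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2
"""

FIELD_RE = re.compile(r"^(\w+)\s*:\s?(.*)$")


def parse_format_list(text):
    """Split Format-List text into one dict per blank-line-separated record.

    A line that does not start a 'Name : value' pair is a wrapped continuation
    of the previous value, which is how long Issuer and AccessRules values
    arrive when pasted from the shell (joined without a space, since the shell
    wraps mid-word).
    """
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                records.append(current)
                current, last_key = {}, None
            continue
        match = FIELD_RE.match(raw)
        if match:
            last_key = match.group(1)
            current[last_key] = match.group(2).strip()
        elif last_key is not None:
            current[last_key] += raw.strip()
    if current:
        records.append(current)
    return records


def _items(value):
    """'{a, b}' or 'a, b' -> ['a', 'b']."""
    return [p.strip() for p in value.strip("{}").split(",") if p.strip()]


def parse_exchange_date(value):
    # Assumption: the en-US short date/time format seen in the asker's output.
    return datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p")


def assess_smtp_certificates(records, smtp_fqdn, now):
    """Return one finding per certificate that has the SMTP service enabled.

    'now' may be a datetime or an ISO date string such as '2013-10-01'.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    for cert in records:
        if "SMTP" not in _items(cert.get("Services", "")):
            continue
        domains = [d.lower() for d in _items(cert.get("CertificateDomains", ""))]
        days_left = (parse_exchange_date(cert["NotAfter"]) - now).days
        finding = {
            "thumbprint": cert.get("Thumbprint"),
            "self_signed": cert.get("IsSelfSigned") == "True",
            "status_valid": cert.get("Status") == "Valid",
            "name_matches": smtp_fqdn.lower() in domains,
            "days_left": days_left,
        }
        # Criteria used by this example: a peer that validates the certificate
        # accepts it only if it is CA-issued, in date, and names the FQDN the
        # send connector presents.
        finding["acceptable_to_peers"] = (
            finding["status_valid"] and not finding["self_signed"]
            and finding["name_matches"] and days_left > 0)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in assess_smtp_certificates(parse_format_list(SAMPLE_OUTPUT),
                                      "mail.example.org", datetime.now()):
        print(f)
```

Paste your own shell output into SAMPLE_OUTPUT (or read it from a file) and pass the FQDN your send connector advertises; the asker's output would produce a single finding with acceptable_to_peers True, which is what hypercat's next reply reads off the Services line.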
<<Services : IMAP, POP, IIS, SMTP>>
This shows that the certificate, which is a GoDaddy SSL certificate, is enabled for SMTP, so you're all set with opportunistic TLS. If you want to confirm that, make sure that your send and receive connectors are set to verbose mode, so that the communications are logged. Then you can check the SMTP protocol logs (they are in the Exchange folder under [Drive]\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog). You'll see two folders there, SMTP Receive and SMTP Send. Look in the SMTP Send folder and open the log in a text reader like Notepad.
What you're looking for is communication like this:
External SMTP Connector,08D0890102A648EF,14,10.10.10.1:56504,24.229.4.10:25,>,STARTTLS,
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,15,10.10.10.1:56504,24.229.4.10:25,<,220 2.0.0 SMTP server ready,
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,16,10.10.10.1:56504,24.229.4.10:25,*,,Sending certificate
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,17,10.10.10.1:56504,24.229.4.10:25,*,"CN=[Your SMTP server name], OU=Domain Control Validated",Certificate subject
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,18,10.10.10.1:56504,24.229.4.10:25,*,"SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=""GoDaddy.com, Inc."", L=Scottsdale, S=Arizona, C=US",Certificate issuer name
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,19,10.10.10.1:56504,24.229.4.10:25,*,4F00CF17A03742,Certificate serial number
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,20,10.10.10.1:56504,24.229.4.10:25,*,F037F80DBA3CE48D32CF8BB6368E916B67FC0FBD,Certificate thumbprint
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,21,10.10.10.1:56504,24.229.4.10:25,*,[Your certificate valid server names],Certificate alternate names
2013-09-27T00:54:51.331Z,External SMTP Connector,08D0890102A648EF,22,10.10.10.1:56504,24.229.4.10:25,*,,Received certificate
2013-09-27T00:54:51.331Z,External SMTP Connector,08D0890102A648EF,23,10.10.10.1:56504,24.229.4.10:25,*,D4AC9CAA518865B1EF4BF3050B8AFFDF7074D02E,Certificate thumbprint
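A busy send connector writes thousands of these lines a day, so the STARTTLS exchange hypercat describes is easier to find by script than in Notepad. The following is an added example written for this thread, not Exchange tooling: it reads the CSV protocol log that verbose connector logging produces and reports, per outbound session, whether STARTTLS was offered, sent and accepted, which certificate thumbprints were exchanged, and any 4xx/5xx replies, so a bounce like the ones in the question can be matched to its session. The sample log is constructed (session ids, addresses and thumbprints invented) in the same column layout as the lines quoted above.

```python
"""Summarise TLS negotiation per session from an Exchange SMTP Send protocol log."""
import csv
from collections import OrderedDict

# Column names from the '#Fields:' header the log carries. Event values:
# '+' connect, '<' received, '>' sent, '*' information, '-' disconnect.
FIELDS = ["date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"]

# Constructed sample (not a capture from the thread). Session ...01 negotiates
# TLS; session ...02 reaches a peer that offers no STARTTLS and then rejects
# the sender with the kind of reply the question quotes.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-09-27T00:54:41.000Z,External SMTP Connector,08D09A0000000001,0,10.10.10.1:56504,192.0.2.25:25,+,,
2013-09-27T00:54:41.100Z,External SMTP Connector,08D09A0000000001,1,10.10.10.1:56504,192.0.2.25:25,<,220 mx.example.net ESMTP,
2013-09-27T00:54:41.200Z,External SMTP Connector,08D09A0000000001,2,10.10.10.1:56504,192.0.2.25:25,>,EHLO mail.example.org,
2013-09-27T00:54:41.300Z,External SMTP Connector,08D09A0000000001,3,10.10.10.1:56504,192.0.2.25:25,<,250-mx.example.net Hello,
2013-09-27T00:54:41.300Z,External SMTP Connector,08D09A0000000001,4,10.10.10.1:56504,192.0.2.25:25,<,250 STARTTLS,
2013-09-27T00:54:42.000Z,External SMTP Connector,08D09A0000000001,5,10.10.10.1:56504,192.0.2.25:25,>,STARTTLS,
2013-09-27T00:54:42.034Z,External SMTP Connector,08D09A0000000001,6,10.10.10.1:56504,192.0.2.25:25,<,220 2.0.0 SMTP server ready,
2013-09-27T00:54:42.034Z,External SMTP Connector,08D09A0000000001,7,10.10.10.1:56504,192.0.2.25:25,*,,Sending certificate
2013-09-27T00:54:42.034Z,External SMTP Connector,08D09A0000000001,8,10.10.10.1:56504,192.0.2.25:25,*,"CN=mail.example.org, OU=Domain Control Validated",Certificate subject
2013-09-27T00:54:42.034Z,External SMTP Connector,08D09A0000000001,9,10.10.10.1:56504,192.0.2.25:25,*,A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1,Certificate thumbprint
2013-09-27T00:54:51.331Z,External SMTP Connector,08D09A0000000001,10,10.10.10.1:56504,192.0.2.25:25,*,,Received certificate
2013-09-27T00:54:51.331Z,External SMTP Connector,08D09A0000000001,11,10.10.10.1:56504,192.0.2.25:25,*,B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2,Certificate thumbprint
2013-09-27T00:54:52.000Z,External SMTP Connector,08D09A0000000001,12,10.10.10.1:56504,192.0.2.25:25,-,,Local
2013-09-27T00:55:10.000Z,External SMTP Connector,08D09A0000000002,0,10.10.10.1:56510,198.51.100.7:25,+,,
2013-09-27T00:55:10.100Z,External SMTP Connector,08D09A0000000002,1,10.10.10.1:56510,198.51.100.7:25,<,220 legacy.example.com ESMTP,
2013-09-27T00:55:10.200Z,External SMTP Connector,08D09A0000000002,2,10.10.10.1:56510,198.51.100.7:25,>,EHLO mail.example.org,
2013-09-27T00:55:10.300Z,External SMTP Connector,08D09A0000000002,3,10.10.10.1:56510,198.51.100.7:25,<,250 legacy.example.com Hello,
2013-09-27T00:55:10.400Z,External SMTP Connector,08D09A0000000002,4,10.10.10.1:56510,198.51.100.7:25,>,MAIL FROM:<user@example.org>,
2013-09-27T00:55:11.000Z,External SMTP Connector,08D09A0000000002,5,10.10.10.1:56510,198.51.100.7:25,<,554 Denied (Mode: normal),
2013-09-27T00:55:11.100Z,External SMTP Connector,08D09A0000000002,6,10.10.10.1:56510,198.51.100.7:25,-,,Remote
"""


def parse_log(text):
    """Return one dict per data row; header lines begin with '#'."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = next(csv.reader([line]))  # csv handles the quoted DN fields
        fields += [""] * (len(FIELDS) - len(fields))
        rows.append(dict(zip(FIELDS, fields)))
    return rows


def summarise_sessions(rows):
    """Fold the rows into a per-session TLS and rejection summary."""
    sessions = OrderedDict()
    for row in rows:
        s = sessions.setdefault(row["session-id"], {
            "remote": row["remote-endpoint"], "starttls_offered": False,
            "starttls_sent": False, "tls_established": False,
            "local_thumbprint": None, "peer_thumbprint": None,
            "rejections": [], "_pending": None})
        event, data, context = row["event"], row["data"], row["context"]
        if event == "<":
            if data.startswith("250") and data[4:].upper().startswith("STARTTLS"):
                s["starttls_offered"] = True
            elif s["starttls_sent"] and not s["tls_established"] and data.startswith("220"):
                s["tls_established"] = True  # 220 in reply to our STARTTLS
            elif data[:1] in ("4", "5"):
                s["rejections"].append(data)
        elif event == ">" and data.upper() == "STARTTLS":
            s["starttls_sent"] = True
        elif event == "*":
            # 'Sending certificate' / 'Received certificate' announce whose
            # thumbprint the next 'Certificate thumbprint' line belongs to.
            if context == "Sending certificate":
                s["_pending"] = "local_thumbprint"
            elif context == "Received certificate":
                s["_pending"] = "peer_thumbprint"
            elif context == "Certificate thumbprint" and s["_pending"]:
                s[s["_pending"]] = data
                s["_pending"] = None
    for s in sessions.values():
        del s["_pending"]
    return sessions


def plaintext_sessions(sessions):
    """Session ids that never got TLS up: the ones to check against the bounces."""
    return [sid for sid, s in sessions.items() if not s["tls_established"]]


if __name__ == "__main__":
    for sid, s in summarise_sessions(parse_log(SAMPLE_LOG)).items():
        print(sid, s)
```

To read a real log, replace SAMPLE_LOG with the contents of a file from the SMTP Send folder. The log only carries the STARTTLS and certificate lines when the connector's ProtocolLoggingLevel is Verbose, which is the setting hypercat's reply asks for.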
ASKER
It's been a few days and looks like the problem is solved. Thanks everyone.