Mail delivery to outside world sometimes fails

I am running Exchange 2003. The DNS server on this machine points to our internal DNS servers, running Windows 2000. The DNS servers have our ISP's DNS servers listed under the forwarders tab, and the 'do not allow recursion' box is not checked.

The problem I am having is that email messages destined for an outside domain are sometimes being bounced back to the senders. The message they receive is:
Subject: Undeliverable: <original subject line>

Your message did not reach some or all of the intended recipients.
 Subject:  <subject>
 Sent:  <Date time sent>

The following recipient(s) could not be reached:
  name@domain.com on <datetime>
    You do not have permission to send to this recipient. For assistance, contact your system administrator.
 <mail.peachtreedata.com #5.7.1 smtp; 550 5.7.1 Unable to relay for <name@domain.com>

I do not know if this is a DNS issue looking up the domain name to send the message to, or if for some reason the recipient domain's mail server is rejecting our mail message. I do have reverse DNS pointer records for mail.peachtreedata.com set up.

If we resend the same message again, or maybe two or three times, the message eventually goes through with no changes being made to the system setup.

Can anyone please help with this issue? It only happens on maybe 1 out of 100 messages being sent, but it is still a problem.

Thanks!
richard_west asked:

Microtech commented:
Smart host should have worked.
0
 
Microtech commented:
Went to www.dnsstuff.com and www.dnsreport.com and these were my findings... hope this will help you to troubleshoot.


Getting MX record for mail.peachtreedata.com...   There is no MX record for mail.peachtreedata.com!  That's bad.
Checking for an A record... Got it!

Host                     Preference   IP(s) [Country]
mail.peachtreedata.com   0            69.15.72.66 [US]
--------------------------------------------------------------------------------


Step 1:  Try connecting to the following mailserver:
         mail.peachtreedata.com - 69.15.72.66

Step 2:  If still unsuccessful, queue the E-mail for later delivery.


Note: if you enter an entire E-mail address (such as postmaster@mail.peachtreedata.com), we will try to connect
to each mailserver to ensure that they are live and accept mail to the mail.peachtreedata.com domain.


--------------------------------------------------------------------------------
Preparation:
The  reverse DNS entry for an IP is found by reversing the IP, adding it to "in-addr.arpa", and looking up the PTR record.
So, the reverse DNS entry for 69.15.72.66 is found by looking up the PTR record for
 66.72.15.69.in-addr.arpa.
All DNS requests start by asking the root servers, and they let us know what to do next.
See How Reverse DNS Lookups Work for more information.

How I am searching:
Asking a.root-servers.net for 66.72.15.69.in-addr.arpa PTR record:  
       a.root-servers.net says to go to indigo.arin.net. (zone: 69.in-addr.arpa.)
Asking indigo.arin.net. for 66.72.15.69.in-addr.arpa PTR record:  
       indigo.arin.net says to go to BEYOND.CBEYOND.NET. (zone: 72.15.69.in-addr.arpa.)
Asking BEYOND.CBEYOND.NET. for 66.72.15.69.in-addr.arpa PTR record:  Reports mail.peachtreedata.com.

Answer:
69.15.72.66 PTR record: mail.peachtreedata.com. [TTL 3600s] [A=69.15.72.66]
69.15.72.66 PTR record: peachtreedata.com. [TTL 3600s] [A=69.15.72.67] *ERROR* A record does not point back to original IP.

Details:
You have more than one PTR record for 69.15.72.66.  This is legal, but most programs will only use the first PTR record listed (which may vary).
0
 
Microtech commented:
I cannot telnet to your ip address on port 25
0

 
richard_west (author) commented:
All mail for us is first routed through an outside company that performs spam/virus scans. These records have priority in our DNS MX records. They are:
  peachtreedata.com. MX IN 10 usp1.mailhostsxode.net. [Preference = 30]
  peachtreedata.com. MX IN 10 use1.mailhostsxode.net. [Preference = 20]
  peachtreedata.com. MX IN 10 av-1.peachtreedata.com. [Preference = 60]

Then, on my firewall I block anyone except this 3rd party (mailhostsxode.net) from connecting to av-1.peachtreedata.com, thus preventing any mail from entering my site without first being scanned. This is why you cannot telnet to port 25 - my firewall is blocking it.

Now, I do have an A record for mail.peachtreedata.com; however, it is not returning the same IP address that the outgoing address is being NATed to. Could that be the problem? I can certainly change it.

Also, would a mail server that I'm connecting to, to send outgoing mail, need port 25 access back to my mail server during a different connection? If so, that might be a problem.

The strange thing is that we can resend a bounced message once or twice and it eventually goes through.
0
 
Microtech commented:
I was doing the firewall blocking on one site and I got the same problem. I have gone for GFI MailEssentials for my spam needs. I do not believe that the mail server tries to connect on port 25... I know that it does a reverse DNS lookup to see that the mail is coming from an authorised source. It may try your rDNS record and fail, but the 3rd time may get through... it is due to the rDNS record being validated on the 3rd attempt....... maybe someone will correct me.

Not sure what you should change, but if you get an error from dnsstuff.com then you know that mail servers with rDNS lookup will also have the same problem.

I only have one site using rDNS, so my knowledge is a little limited to the specifics of this one site.

I think if you can change the IP so that the same one going in and going out is recognised by a server, then you are good to go.

... but as I say... I may be corrected.
0
 
richard_west (author) commented:
I still need some help from someone to help get this issue resolved.

I can go to dnsstuff.com and see that 63.116.147.250 is in the reverse DNS system, and does return mail.peachtreedata.com.

However, I am still getting these errors in my SMTP log through Exchange:
... Relaying denied. IP name lookup failed [63.116.147.250]

This only occurs with some email domains (I'm assuming that not everyone is doing RDNS, or that RDNS might be working to some servers, like dnsstuff.com!)

Can anyone advise on what to try next?
0
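The reverse-lookup walk in the dnsstuff report earlier in the thread and the "IP name lookup failed [63.116.147.250]" line in this post describe the same receiver-side check: resolve the PTR for the connecting IP, resolve that name forward again, and require the original IP to appear (forward-confirmed reverse DNS). Below is that check as an added Python example; it is not code from the thread or from any participant. The zone data is constructed from the addresses quoted on the page (two PTRs for 69.15.72.66, and a PTR for the NATed source 63.116.147.250 whose name only resolves to 69.15.72.66); the dictionaries stand in for live DNS, and the function names are assumptions.

```python
"""Forward-confirmed reverse DNS (FCrDNS), as a receiving MTA applies it.

Added example, not code from the thread. The zone data is CONSTRUCTED from the
records quoted in the thread (two PTRs for 69.15.72.66 with A records
69.15.72.66 and 69.15.72.67; one PTR for the NATed source 63.116.147.250).
The dictionaries stand in for live DNS and every function name is an assumption.
"""
import ipaddress

# Constructed PTR data: IP -> PTR targets in the order the server returned them.
# Authoritative servers may rotate this order between queries.
PTR_RECORDS = {
    "69.15.72.66": ["mail.peachtreedata.com.", "peachtreedata.com."],
    "63.116.147.250": ["mail.peachtreedata.com."],
}

# Constructed A data: name -> addresses. Nothing here points back to
# 63.116.147.250, which is the NAT mismatch the author describes.
A_RECORDS = {
    "mail.peachtreedata.com.": ["69.15.72.66"],
    "peachtreedata.com.": ["69.15.72.67"],
}


def reverse_name(ip):
    """Owner name for the PTR query: 69.15.72.66 -> 66.72.15.69.in-addr.arpa."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    return ".".join(reversed(addr.exploded.split("."))) + ".in-addr.arpa."


def fcrdns(ip, ptrs=None, a_records=None):
    """Check each PTR target of `ip` by resolving it forward again.

    `ptrs` overrides the PTR answer (to model a rotated record order);
    `a_records` overrides the forward zone (to model a DNS fix). Returns the
    evidence plus two verdicts: one for a server that trusts only the first PTR
    returned, and one for a server that accepts if any PTR forward-confirms.
    """
    if ptrs is None:
        ptrs = list(PTR_RECORDS.get(ip, []))
    if a_records is None:
        a_records = A_RECORDS
    confirmed = [name for name in ptrs if ip in a_records.get(name, [])]
    return {
        "ip": ip,
        "query": reverse_name(ip),
        "ptr": ptrs,
        "confirmed": confirmed,
        "first_ptr_ok": bool(ptrs) and ptrs[0] in confirmed,
        "any_ptr_ok": bool(confirmed),
    }


def smtp_decision(ip, ptrs=None, a_records=None, first_ptr_only=True):
    """Relay decision of a strict receiver: reject unless the connecting IP's
    name forward-confirms. The reject text mirrors the log line in the thread;
    the real status code and wording depend on the receiving MTA."""
    result = fcrdns(ip, ptrs, a_records)
    ok = result["first_ptr_ok"] if first_ptr_only else result["any_ptr_ok"]
    if ok:
        return "accept"
    return "reject: IP name lookup failed [%s]" % ip


if __name__ == "__main__":
    # The two cases from the thread, then the corrected forward zone.
    cases = [
        ("69.15.72.66", None),
        ("69.15.72.66", ["peachtreedata.com.", "mail.peachtreedata.com."]),
        ("63.116.147.250", None),
    ]
    for ip, ptrs in cases:
        print(ip, ptrs or "(published order)", "->", smtp_decision(ip, ptrs))
    fixed = {"mail.peachtreedata.com.": ["63.116.147.250"]}
    print("63.116.147.250 with corrected A record ->",
          smtp_decision("63.116.147.250", a_records=fixed))
```

Two things the run shows. First, with two PTRs on 69.15.72.66, a receiver that only checks the first PTR passes or fails depending on the order the authoritative server happens to return, which produces exactly the intermittent, retry-until-it-works behaviour the author reports. Second, a connection that really arrives from 63.116.147.250 fails outright while mail.peachtreedata.com resolves only to 69.15.72.66; either the A record must cover the NATed source address or the outbound NAT must use the address the A record names. When checking this against live DNS, query from outside the network so you see the source IP the remote server sees, not the internal server's address.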
 
Microtech commented:
You could try and add a smart host just for this domain and see if it helps: http://support.microsoft.com/default.aspx?kbid=297988&product=exch2k
0