Solved

Mail delivery to outside world sometimes fails

Posted on 2004-08-16
468 Views
Last Modified: 2012-05-05
I am running Exchange 2003. The DNS server on this machine points to our internal DNS servers, running Windows 2000. The DNS servers have our ISP's DNS servers listed under the forwarders tab, and the 'do not allow recursion' box is not checked.

The problem I am having is that email messages destined for an outside domain are sometimes being bounced back to the senders. The message they receive is:
Subject: Undeliverable: <original subject line>

Your message did not reach some or all of the intended recipients.
 Subject:  <subject>
 Sent:  <Date time sent>

The following recipient(s) could not be reached:
  name@domain.com on <datetime>
    You do not have permission to send to this recipient. For assistance, contact your system administrator.
 <mail.peachtreedata.com #5.7.1 smtp; 550 5.7.1 Unable to relay for <name@domain.com>

I do not know if this is a DNS issue looking up the domain name to send the message to, or if for some reason the recipient domain's mail server is rejecting our mail message. I do have reverse DNS pointer records for mail.peachtreedata.com set up.

If we resend the same message again, maybe two or three times, the message eventually goes through with no changes being made to the system setup.

Can anyone please help with this issue? It only happens on maybe 1 out of 100 messages being sent, but it is still a problem.

Thanks!
Question by:richard_west
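The diagnostic line in the NDR quoted above already says which side failed: in an NDR, the text after `smtp;` is the remote server's own SMTP reply, so a `550 5.7.1` there means the remote host accepted the connection and refused the recipient, whereas a DNS lookup or connection failure never produces a remote reply at all. The following is an added example, not code from this thread, that parses such a line and classifies it. The first sample line is the one quoted in the question; the second sample line, the regular expressions, and the function and class names are my own.

```python
"""Triage an Exchange NDR diagnostic line: did a remote server refuse the message
after an SMTP session, or did delivery fail before any reply was received?

Added example, not code from the thread. SAMPLE_NDR_LINE is the line quoted in
the question; SAMPLE_ROUTING_LINE is a constructed contrast case.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_NDR_LINE = ("<mail.peachtreedata.com #5.7.1 smtp; 550 5.7.1 "
                   "Unable to relay for <name@domain.com>")
SAMPLE_ROUTING_LINE = "<mail.example.net #5.4.4>"   # constructed: no remote reply at all

# <reporting-host #class.subject.detail [smtp; <remote SMTP reply>]>
_DIAG = re.compile(
    r"^<(?P<reporter>[^\s#>]+)\s+#(?P<status>[245]\.\d{1,3}\.\d{1,3})"
    r"(?:\s+smtp;\s*(?P<reply>.*))?\s*>?$",
    re.IGNORECASE,
)
# "550 5.7.1 text", "550 text" or "550-5.7.1 text"
_REPLY = re.compile(
    r"^(?P<code>[245]\d\d)(?:[ -](?P<estatus>[245]\.\d{1,3}\.\d{1,3}))?\s*(?P<text>.*)$"
)

# RFC 3463 subject sub-codes relevant to this triage.
_SUBJECT = {
    "1": "addressing",
    "4": "routing/network (DNS, MX, connection)",
    "7": "policy (relay, reverse DNS, authentication, content)",
}


@dataclass
class Triage:
    reporter: str              # host that generated the NDR
    status: str                # enhanced status code the reporter assigned
    smtp_code: Optional[int]   # remote server's reply code, if a session happened
    remote_text: Optional[str]

    @property
    def remote_rejected(self) -> bool:
        """True when the line carries the remote server's own SMTP reply."""
        return self.smtp_code is not None

    @property
    def category(self) -> str:
        cls, subject, _detail = self.status.split(".")
        permanence = "permanent" if cls == "5" else "transient"
        kind = _SUBJECT.get(subject, "other")
        side = ("remote server refused it during SMTP" if self.remote_rejected
                else "failed before any remote reply")
        return f"{permanence}, {kind}: {side}"


def parse_ndr_diagnostic(line: str) -> Triage:
    m = _DIAG.match(line.strip())
    if not m:
        raise ValueError(f"not an NDR diagnostic line: {line!r}")
    code = text = None
    reply = m["reply"]
    if reply is not None:
        reply = reply.strip()
        # The diagnostic's own closing '>' lands inside the greedy reply group;
        # drop it only when the reply's angle brackets are otherwise unbalanced.
        if reply.endswith(">") and reply.count("<") < reply.count(">"):
            reply = reply[:-1].rstrip()
        r = _REPLY.match(reply)
        if r:
            code, text = int(r["code"]), (r["text"].strip() or None)
    return Triage(m["reporter"], m["status"], code, text)


if __name__ == "__main__":
    for sample in (SAMPLE_NDR_LINE, SAMPLE_ROUTING_LINE):
        t = parse_ndr_diagnostic(sample)
        print(f"{t.reporter}: {t.status} -> {t.category}")
        if t.remote_rejected:
            print(f"  remote reply {t.smtp_code}: {t.remote_text}")
```

For the line in the question the parser reports a permanent policy rejection issued by the remote server during the SMTP session, which rules out a failed MX lookup on the sending side; the intermittent nature then points at something the remote side evaluates per connection, such as the connecting IP's reverse DNS.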
9 Comments
 
LVL 17

Expert Comment

by:Microtech
I went to www.dnsstuff.com and www.dnsreport.com and these were my findings... hope this will help you troubleshoot.


Getting MX record for mail.peachtreedata.com...   There is no MX record for mail.peachtreedata.com!  That's bad.
Checking for an A record... Got it!

Host                    Preference  IP(s) [Country]
mail.peachtreedata.com  0           69.15.72.66 [US]


Step 1:  Try connecting to the following mailserver:
         mail.peachtreedata.com - 69.15.72.66

Step 2:  If still unsuccessful, queue the E-mail for later delivery.


Note: if you enter an entire E-mail address (such as postmaster@mail.peachtreedata.com), we will try to connect
to each mailserver to ensure that they are live and accept mail to the mail.peachtreedata.com domain.


--------------------------------------------------------------------------------
Preparation:
The  reverse DNS entry for an IP is found by reversing the IP, adding it to "in-addr.arpa", and looking up the PTR record.
So, the reverse DNS entry for 69.15.72.66 is found by looking up the PTR record for
 66.72.15.69.in-addr.arpa.
All DNS requests start by asking the root servers, and they let us know what to do next.
See How Reverse DNS Lookups Work for more information.

How I am searching:
Asking a.root-servers.net for 66.72.15.69.in-addr.arpa PTR record:  
       a.root-servers.net says to go to indigo.arin.net. (zone: 69.in-addr.arpa.)
Asking indigo.arin.net. for 66.72.15.69.in-addr.arpa PTR record:  
       indigo.arin.net says to go to BEYOND.CBEYOND.NET. (zone: 72.15.69.in-addr.arpa.)
Asking BEYOND.CBEYOND.NET. for 66.72.15.69.in-addr.arpa PTR record:  Reports mail.peachtreedata.com.

Answer:
69.15.72.66 PTR record: mail.peachtreedata.com. [TTL 3600s] [A=69.15.72.66]
69.15.72.66 PTR record: peachtreedata.com. [TTL 3600s] [A=69.15.72.67] *ERROR* A record does not point back to original IP.

Details:
You have more than one PTR record for 69.15.72.66.  This is legal, but most programs will only use the first PTR record listed (which may vary).
 
LVL 17

Expert Comment

by:Microtech
I cannot telnet to your ip address on port 25
 
LVL 1

Author Comment

by:richard_west
All mail for us is first routed through an outside company that performs spam/virus scans. These records have priority in our DNS MX records. They are:
  peachtreedata.com. MX IN 10 usp1.mailhostsxode.net. [Preference = 30]
  peachtreedata.com. MX IN 10 use1.mailhostsxode.net. [Preference = 20]
  peachtreedata.com. MX IN 10 av-1.peachtreedata.com. [Preference = 60]

Then, on my firewall I block anyone except this 3rd party (mailhostsxode.net) from connecting to av-1.peachtreedata.com, thus preventing any mail entering my site without first being scanned. This is why you cannot telnet to port 25 - my firewall is blocking it.

Now I do have an A record for mail.peachtreedata.com; however, it is not returning the same IP address that the outgoing address is being NATed to. Could that be the problem? I can certainly change it.

Also, would a mail server I'm connecting to, to send outgoing mail, need port 25 access back to my mail server during a different connection? If so, that might be a problem.

The strange thing is that we can resend a bounced message once or twice and it eventually goes through.
LVL 17

Expert Comment

by:Microtech
I was doing the firewall blocking on one site and I got the same problem. I have gone for GFI MailEssentials for my spam needs. I do not believe that the mail server tries to connect on port 25... I know that it does a reverse DNS lookup to see that the mail is coming from an authorised source. It may try your rDNS record and fail, but the 3rd time may get through... it is due to the rDNS record being validated on the 3rd attempt....... maybe someone will correct me.

Not sure what you should change, but if you get an error from dnsstuff.com then you know that mail servers with rDNS lookup will also have the same problem.

I only have one site using rDNS, so my knowledge is a little limited to the specifics of this one site.

I think if you can change the IP so that the same going in to going out is recognised by a server, then you are good to go.

... but as I say... I may be corrected.
 
LVL 1

Author Comment

by:richard_west
I still need some help from someone to help get this issue resolved.

I can go to dnsstuff.com and see that 63.116.147.250 is in the reverse DNS system, and it does return mail.peachtreedata.com.

However, I am still getting these errors in my SMTP log through Exchange:
... Relaying denied. IP name lookup failed [63.116.147.250]

This only occurs with some email domains (I'm assuming that not everyone is doing RDNS, or that RDNS might be working to some servers, like dnsstuff.com!)

Can anyone advise on what to try next?
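Both the dnsstuff output Microtech posted earlier (a PTR name whose A record points to a different address) and the "IP name lookup failed [63.116.147.250]" rejection quoted in this comment come down to the same test a receiving mail server runs on the connecting IP: look up its PTR record, then look up the A record of each name returned, and require that one of those names resolves back to the connecting IP (forward-confirmed reverse DNS). The example below is added here and is not code from the thread. It implements that check against an offline zone table; the table is constructed from the addresses quoted in this thread (69.15.72.66 with its two PTR names, and 63.116.147.250 reversing to mail.peachtreedata.com) and assumes those records held at the same time, which the thread does not confirm. Function and class names are my own; `SystemResolver` uses the host's stub resolver for a live check and is not exercised by the offline demo.

```python
"""Forward-confirmed reverse DNS (FCrDNS), as a receiving MTA applies it.

Added example, not code from the thread. ZONE below is constructed from the
addresses quoted in the thread and is an assumption about the DNS of the time.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Dict, List


def reverse_name(ip: str) -> str:
    """The PTR owner name for an address: 69.15.72.66 -> 66.72.15.69.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


class TableResolver:
    """Offline resolver over a constructed zone table (absolute, lower-case names)."""

    def __init__(self, ptr: Dict[str, List[str]], a: Dict[str, List[str]]):
        self._ptr, self._a = ptr, a

    def ptr(self, ip: str) -> List[str]:
        return list(self._ptr.get(ip, []))

    def a(self, name: str) -> List[str]:
        return list(self._a.get(name.lower().rstrip(".") + ".", []))


class SystemResolver:
    """Live lookups through the host's stub resolver (not used by the offline demo)."""

    def ptr(self, ip: str) -> List[str]:
        try:
            host, _aliases, _ = socket.gethostbyaddr(ip)
        except (socket.herror, socket.gaierror):
            return []
        return [host.rstrip(".") + "."]     # the libc API returns one primary name only

    def a(self, name: str) -> List[str]:
        try:
            return socket.gethostbyname_ex(name)[2]
        except (socket.herror, socket.gaierror):
            return []


@dataclass
class FcrdnsResult:
    ip: str
    query: str
    ptr_names: List[str] = field(default_factory=list)
    confirmed: List[str] = field(default_factory=list)               # names whose A includes ip
    unconfirmed: Dict[str, List[str]] = field(default_factory=dict)  # name -> A records seen

    @property
    def verdict(self) -> str:
        if not self.ptr_names:
            return "fail: no PTR record (IP name lookup failed)"
        if self.confirmed and not self.unconfirmed:
            return "pass"
        if self.confirmed:
            # Legal, but an MTA that checks only the first PTR it receives may fail this.
            return "pass with warning: some PTR names do not point back"
        return "fail: no PTR name resolves back to the connecting IP"


def fcrdns(ip: str, resolver) -> FcrdnsResult:
    """PTR(ip) -> names; A(name) for each; a name is confirmed iff ip is among its A records."""
    result = FcrdnsResult(ip=ip, query=reverse_name(ip))
    result.ptr_names = resolver.ptr(ip)
    for name in result.ptr_names:
        addrs = resolver.a(name)
        if ip in addrs:
            result.confirmed.append(name)
        else:
            result.unconfirmed[name] = addrs
    return result


# Constructed zone: two PTRs for 69.15.72.66 (one points back, one does not, as
# dnsstuff reported) and the outbound NAT address 63.116.147.250 whose PTR name
# resolves to 69.15.72.66 rather than to itself.
ZONE = TableResolver(
    ptr={
        "69.15.72.66": ["mail.peachtreedata.com.", "peachtreedata.com."],
        "63.116.147.250": ["mail.peachtreedata.com."],
    },
    a={
        "mail.peachtreedata.com.": ["69.15.72.66"],
        "peachtreedata.com.": ["69.15.72.67"],
    },
)

if __name__ == "__main__":
    for ip in ("69.15.72.66", "63.116.147.250", "192.0.2.10"):
        r = fcrdns(ip, ZONE)
        print(f"{ip:16} {r.query:32} PTR={r.ptr_names} -> {r.verdict}")
```

Run against the constructed table, 69.15.72.66 passes only through mail.peachtreedata.com (the second PTR, peachtreedata.com, resolves to 69.15.72.67), 63.116.147.250 fails because its PTR name resolves to 69.15.72.66, and an address with no PTR fails outright. The fix a practitioner checks for is that the A record of the PTR name for the outbound NAT address points back to that same address; whether a given receiver passes or fails a multi-PTR host depends on which record it happens to receive first, which is one explanation for an intermittent rejection.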
 
LVL 17

Expert Comment

by:Microtech
you could try and add a smart host just for this domain and see if it helps http://support.microsoft.com/default.aspx?kbid=297988&product=exch2k
 
LVL 17

Accepted Solution

by: Microtech (earned 500 total points)
Smarthost should have worked..
