Solved

Mail delivery to outside world sometimes fails

Posted on 2004-08-16
9
512 Views
Last Modified: 2012-05-05
I am running Exchange 2003. The DNS server on this machine points to our internal DNS servers, running Windows 2000. The DNS servers have our ISP's DNS servers listed under the forwarders tab, and the 'do not allow recursion' box is not checked.

The problem I am having is that email messages destined for an outside domain are sometimes being bounced to the senders. The message they receive is:
Subject: Undeliverable: <original subject line>

Your message did not reach some or all of the intended recipients.
 Subject:  <subject>
 Sent:  <Date time sent>

The following recipient(s) could not be reached:
  name@domain.com on <datetime>
    You do not have permission to send to this recipient. For assistance, contact your system administrator.
 <mail.peachtreedata.com #5.7.1 smtp; 550 5.7.1 Unable to relay for <name@domain.com>

I do not know if this is a DNS issue looking up the domain name to send the message to, or if for some reason the recipient domain mail server is rejecting our mail message. I do have reverse DNS pointer records for mail.peachtreedata.com set up.

If we resend the same message again, or maybe two or three times, the message eventually goes through with no changes being made to the system setup.

Can anyone please help with this issue? It only happens on maybe 1 out of 100 messages being sent, but it is still a problem.

Thanks!
0
Comment
Question by:richard_west
9 Comments
 
LVL 17

Expert Comment

by:Microtech
ID: 11818729
I went to www.dnsstuff.com and www.dnsreport.com and these were my findings... hope this will help you to troubleshoot.


Getting MX record for mail.peachtreedata.com...   There is no MX record for mail.peachtreedata.com!  That's bad.
Checking for an A record... Got it!

Host                     Preference   IP(s)         [Country]
mail.peachtreedata.com   0            69.15.72.66   [US]
--------------------------------------------------------------------------------


Step 1:  Try connecting to the following mailserver:
         mail.peachtreedata.com - 69.15.72.66

Step 2:  If still unsuccessful, queue the E-mail for later delivery.


Note: if you enter an entire E-mail address (such as postmaster@mail.peachtreedata.com), we will try to connect
to each mailserver to ensure that they are live and accept mail to the mail.peachtreedata.com domain.


--------------------------------------------------------------------------------
Preparation:
The  reverse DNS entry for an IP is found by reversing the IP, adding it to "in-addr.arpa", and looking up the PTR record.
So, the reverse DNS entry for 69.15.72.66 is found by looking up the PTR record for
 66.72.15.69.in-addr.arpa.
All DNS requests start by asking the root servers, and they let us know what to do next.
See How Reverse DNS Lookups Work for more information.

How I am searching:
Asking a.root-servers.net for 66.72.15.69.in-addr.arpa PTR record:  
       a.root-servers.net says to go to indigo.arin.net. (zone: 69.in-addr.arpa.)
Asking indigo.arin.net. for 66.72.15.69.in-addr.arpa PTR record:  
       indigo.arin.net says to go to BEYOND.CBEYOND.NET. (zone: 72.15.69.in-addr.arpa.)
Asking BEYOND.CBEYOND.NET. for 66.72.15.69.in-addr.arpa PTR record:  Reports mail.peachtreedata.com.

Answer:
69.15.72.66 PTR record: mail.peachtreedata.com. [TTL 3600s] [A=69.15.72.66]
69.15.72.66 PTR record: peachtreedata.com. [TTL 3600s] [A=69.15.72.67] *ERROR* A record does not point back to original IP.

Details:
You have more than one PTR record for 69.15.72.66.  This is legal, but most programs will only use the first PTR record listed (which may vary).
0
 
LVL 17

Expert Comment

by:Microtech
ID: 11818732
I cannot telnet to your ip address on port 25
0
 
LVL 1

Author Comment

by:richard_west
ID: 11822225
All mail for us is first routed through an outside company that performs spam/virus scans. These records have priority in our DNS MX records. They are:
  peachtreedata.com. MX IN 10 usp1.mailhostsxode.net. [Preference = 30]
  peachtreedata.com. MX IN 10 use1.mailhostsxode.net. [Preference = 20]
  peachtreedata.com. MX IN 10 av-1.peachtreedata.com. [Preference = 60]

Then, on my firewall I block anyone except this 3rd party (mailhostsxode.net) from connecting to av-1.peachtreedata.com, thus preventing any mail entering my site without first being scanned. This is why you cannot telnet to port 25 - my firewall is blocking it.

Now I do have an A record for mail.peachtreedata.com, however it is not returning the same IP address that the outgoing address is being NATed to. Could that be the problem? I can certainly change it.

Also, would a mail server I'm connecting to send outgoing mail to need port 25 access back to my mail server during a different connection? If so that might be a problem.

The strange thing is that we can resend a bounced message once or twice and it eventually goes through.
0
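As an added illustration (not from the thread, and not code from any product named in it), here is the forward-confirmed reverse DNS check that the dnsstuff.com output above walks through and that the author's NAT question turns on: reverse the IP, look up the PTR, then confirm the name's A record points back to the same IP. It runs against a constructed answer table that mirrors the thread's records instead of live DNS; the 192.0.2.10 address is a documentation-range placeholder for an egress IP with no PTR.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, run offline.

The tables below are constructed for this example (an assumption, not a live
lookup); they mirror the dnsstuff.com output quoted in the thread: two PTRs
for 69.15.72.66, only the first of which resolves back to that address.
"""
import ipaddress

# PTR lists keep server order because, as dnsstuff notes, most programs
# consult only the first PTR returned.
PTR_RECORDS = {
    "66.72.15.69.in-addr.arpa.": ["mail.peachtreedata.com.", "peachtreedata.com."],
}
A_RECORDS = {
    "mail.peachtreedata.com.": ["69.15.72.66"],
    "peachtreedata.com.": ["69.15.72.67"],
}


def reverse_name(ip: str) -> str:
    """Reverse-lookup name: octets reversed plus in-addr.arpa (ip6.arpa for
    IPv6), e.g. 69.15.72.66 -> 66.72.15.69.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, ptr=PTR_RECORDS, a=A_RECORDS) -> dict:
    """Look up the PTR name(s) for ip, then confirm each name's A record
    contains ip. The verdict applies the strict rule a receiving MTA
    typically uses: only the first PTR counts."""
    qname = reverse_name(ip)
    names = ptr.get(qname, [])
    checks = [(name, ip in a.get(name, [])) for name in names]
    if not checks:
        verdict = "no PTR record"            # the 'IP name lookup failed' case
    elif checks[0][1]:
        verdict = "ok"                       # first PTR round-trips to ip
    else:
        verdict = "PTR does not point back"  # A record names a different IP
    return {"query": qname, "checks": checks, "verdict": verdict}


if __name__ == "__main__":
    # 192.0.2.10: constructed placeholder for a NAT egress IP without a PTR.
    for probe in ("69.15.72.66", "192.0.2.10"):
        print(probe, fcrdns(probe))
```

Run the same check against the address your outbound mail actually leaves from, not the one your A record advertises; if the two differ, the receiving server only ever sees the former.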
 
LVL 17

Expert Comment

by:Microtech
ID: 11825874
I was doing the firewall blocking on one site and I got the same problem. I have gone for GFI MailEssentials for my spam needs. I do not believe that the mail server tries to connect on port 25... I know that it does a reverse DNS lookup to see that the mail is coming from an authorised source. It may try your rDNS record and fail, but the 3rd time may get through... it is due to the rDNS record being validated on the 3rd attempt... maybe someone will correct me.

Not sure what you should change, but if you get an error from dnsstuff.com then you know that mail servers with rDNS lookup will also have the same problem.

I only have one site using rDNS, so my knowledge is a little limited to the specifics of this one site.

I think if you can change the IP so that the same address going in and going out is recognised by a server, then you are good to go.

... but as I say... I may be corrected.
0
 
LVL 1

Author Comment

by:richard_west
ID: 11855042
I still need some help from someone to help get this issue resolved.

I can go to dnsstuff.com and see that 63.116.147.250 is in the reverse DNS system, and does return mail.peachtreedata.com.

However, I am still getting these errors in my SMTP log through Exchange:
... Relaying denied. IP name lookup failed [63.116.147.250]

This only occurs with some email domains (I'm assuming that not everyone is doing RDNS, or that RDNS might be working to some servers, like dnsstuff.com!)

Can anyone advise on what to try next?
0
 
LVL 17

Expert Comment

by:Microtech
ID: 11921614
You could try to add a smart host just for this domain and see if it helps: http://support.microsoft.com/default.aspx?kbid=297988&product=exch2k
0
 
LVL 17

Accepted Solution

by:Microtech (earned 500 total points)
ID: 14273651
Smarthost should have worked..
0