vtsinc
asked on
Unable to relay to contact in Exchange 2003 - denied by local server
After looking at virtually all other 5.7.1-related relay errors I could locate, I am unable to find one that matches my specific problem.
When attempting to send SMTP to a recipient that is set up as a contact at a remote domain in the local active directory the following error appears immediately:
You do not have permission to send to this recipient. For assistance, contact your system administrator.
<server.mydomain.com #5.7.1 smtp;550 5.7.1
For example, joe blow is set up in the local AD as a contact with address joeblow@remotedomain.local .
John Doe is not set up as a local contact in AD, and has address johndoe@remotedomain.local
If sending to Joe Blow the 5.7.1 NDR is generated. If sending to John Doe it is not and the mail is delivered.
I am certain that it is the local server that generates the NDR, thus not concerned about relay permissions, etc. on the remote end. If I telnet to the local server from an IP with relay permissions the following is a sample transcript of the session:
Successful session:
220 server.mydomain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.211 ready at Thu, 17 Mar 2005 12:34:43 -0500
helo
250 server.mydomain.com Hello [127.0.0.1]
mail from:administrator@mydomain.com
250 2.1.0 administrator@mydomain.com ....Sender OK
rcpt to:johndoe@remotedomain.local
250 2.1.5 johndoe@remotedomain.local
Unsuccessful session:
220 server.mydomain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.211 ready at Thu, 17 Mar 2005 12:34:43 -0500
helo
250 server.mydomain.com Hello [127.0.0.1]
mail from:administrator@mydomain.com
250 2.1.0 administrator@mydomain.com ....Sender OK
rcpt to:joeblow@remotedomain.local
550 5.7.1 Unable to relay for joeblow@remotedomain.local
The problem is reported as being intermittent, however the Exchange server has only a single SMTP virtual server, and I was able to witness and duplicate the problem in testing today.
Thanks in advance for any suggestions leading to resolution!
Mike
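Added example, not part of the original post: a short Python parser for telnet-style SMTP transcripts like the two above. It reports the reply code and RFC 3463 enhanced status code returned for each RCPT TO, so accepted and refused recipients can be compared across repeated test sessions. The embedded sessions are reconstructed from the post and the function names are hypothetical.

```python
import re

# Constructed input: the two telnet sessions quoted in the post, banner omitted.
PREFIX = ("helo\n250 server.mydomain.com Hello [127.0.0.1]\n"
          "mail from:administrator@mydomain.com\n"
          "250 2.1.0 administrator@mydomain.com ....Sender OK\n")
SESSIONS = {
    "successful": PREFIX + "rcpt to:johndoe@remotedomain.local\n"
                           "250 2.1.5 johndoe@remotedomain.local\n",
    "unsuccessful": PREFIX + "rcpt to:joeblow@remotedomain.local\n"
                             "550 5.7.1 Unable to relay for joeblow@remotedomain.local\n",
}

# 3-digit reply code, continuation marker, optional RFC 3463 enhanced code, text.
REPLY = re.compile(r"^(\d{3})([ -])(?:(\d\.\d{1,3}\.\d{1,3})\s+)?(.*)$")
RCPT = re.compile(r"^rcpt to:\s*<?([^>\s]+)>?", re.IGNORECASE)

def rcpt_results(transcript):
    """Return one dict per RCPT TO command with the server's final reply."""
    results, pending = [], None
    for raw in transcript.splitlines():
        line = raw.strip()
        cmd = RCPT.match(line)
        if cmd:
            pending = cmd.group(1)          # recipient awaiting a reply
            continue
        reply = REPLY.match(line)
        # A space after the code marks the last line of a (multi-line) reply.
        if reply and pending and reply.group(2) == " ":
            code = int(reply.group(1))
            results.append({"recipient": pending, "code": code,
                            "enhanced": reply.group(3),
                            "accepted": 200 <= code < 300,
                            "text": reply.group(4)})
            pending = None
    return results

def rejected_by_policy(sessions):
    """Recipients refused with a 5.7.x (security/policy) enhanced status code."""
    return sorted(r["recipient"] for t in sessions.values()
                  for r in rcpt_results(t)
                  if r["enhanced"] and r["enhanced"].startswith("5.7."))

if __name__ == "__main__":
    for name, text in SESSIONS.items():
        for r in rcpt_results(text):
            print(name, r["recipient"], r["code"], r["enhanced"], r["text"])
```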
ASKER
Unfortunately not. Now I am told this is an intermittent issue, and in further testing I did get denied access to someone who was not an AD contact. So, the initial problem description changes to:
Intermittent (but frequent) problem sending to a recipient in a specific remote domain, but it holds true that it is the "local" server that is issuing the "relay denied".
The only relay restrictions on the default (and only) SMTP virtual server are standard, such as permit relay from a specific IP range, permit authenticated users, deny all others. Actually I have opened up relay permissions as shown above simply in order to troubleshoot this.
I think my next step will be to very temporarily allow relay for all via SMTP just to see what the effect is, unless someone has a better idea.
Thanks for the input, and please let me know if you see any other possible explanations!
Also, the server is Exchange 2003 SP1 on a Win2003 Enterprise box, and is also a DC with all AD roles assigned.
Regards,
Mike
ASKER
The problem was resolved. Turns out that the recipient server administrator had moved the recipient domain to a new server without informing his colleagues. There was a problem with the recipient policy on the receiving end.
I will leave the question open for the time being in the hope that someone can tell me why the sending server would report an "unable to relay for" message before the message is actually sent (how did the sender server know?). I am thinking this is because there is an Active Directory trust between the two forests, although the Exchange organizations are not linked, but for my own edification it would be nice if someone could say for sure.
Thanks,
Mike
ASKER CERTIFIED SOLUTION
Simon.