krik0011

smtp 550-"The recipient cannot be verified Error

Hello,

We are receiving this (smtp;550-"The recipient cannot be verified) error only when certain people try to send mail to our domain.  Can someone please tell me why this might be happening and how to solve it?

Thanks,
krik0011

ASKER

BTW this is the domain, custombuildingsystems.net
You have a PIX.
Turn off the Fixup SMTP option.

http://support.microsoft.com/default.aspx?kbid=320027

Can't see any further to see if there is anything else.

However I am almost positive that error isn't an Exchange error, so the question has to be, what else do you have that is scanning email? Any other settings on the firewall? Antispam or antivirus products?

Simon.
We have 2 domains, our other domain that is hosted on the exchange server can receive email from the un-receivable hosts fine....

We have GFI Mail Essentials and Symantec Corporate 10.0.3.  We have no software firewall enabled on the Exchange machine, only a Cisco PIX 515 between the Exchange Server and the net.

We just had that domain transferred and a new mx record created.  I am thinking that could be the issue however, we can receive other mail perfectly fine.
How long ago was the domain moved? It might be domain propagation taking effect.

I would still recommend removing the fixup SMTP. It will cause you problems as it stops the server announcing itself correctly which will trip some antispam filters.

Simon.
I will remove that...

Anyway, it was changed March 22nd....I thought as well the changes didn't propagate, but when I saw the bounce message 550 The recipient cannot be verified, that made me think differently.  It also changed my mind when the company that cannot send mail HELO'ed fine to our domain......
Domain changes take up to 48 hours to fully propagate, and then you can get stale or cached entries.

I would also look at the configuration of GFI Mail Essentials to see whether any of its recipient filtering has been enabled. The message isn't an Exchange message, so something else is generating it.

Simon.
Jeffrey Kane - TechSoEasy
The problem may be due to the fact that your mailserver is spewing out an invalid hostname:  http://www.dnsreport.com/tools/dnsreport.ch?domain=custombuildingsystems.net

Many mailservers may balk at this output.  Be sure to set it correctly in your DNS at the ISP.

Also, it would be a good idea for you to create an SPF record.  Info on that is towards the bottom of that link.

Jeff
TechSoEasy
I am not sure what you are asking me to check at our DNS hosting provider...

The message I see from DNSreport speaks of our SMTP helo announce, I checked the properties of that and it is set as the FQDN of the exchange server.

Is there something else I need to enable to announce the server name properly?

I will definitely create an SPF record, thanks.

GFI also is normal and no configuration has changed in about 3 months.
Well, both actually... the hostname of your Exchange server needs to match the A record in your DNS Zone file at your hosting provider.

The problem is that your reverse IP lookup for  216.144.168.194  gives www.norrychristian.net.  Assuming you are not related to this organization, and not sharing an Exchange server with them, you need to get this fixed ASAP.

The SPF record will help as well.

Jeff
TechSoEasy
The helo announcement is currently the ****************. That isn't your server doing that, but the PIX. It is how I know that you have a Cisco PIX. You need to disable the Fixup SMTP so that the true SMTP banner is shown, not the one generated by the PIX.

Simon.
Simon's the man!

(I don't play well with PIX's so I'm usually not allowed to get near them).

But lemme at that DNS Zone file!

:-)

Hope all of that helps.

Jeff
TechSoEasy
Thanks guys for all your help, will do the things listed and give appropriate points....
The change to the PIX has been made and it is announcing the hostname.

However, since the hostname does not contain that domain name it still gives a warning, will this still be ok?

This still did not fix the issue; however, the reverse IP is still not changed.  The hosting provider has been contacted to correct this.
You need to change what the server announces itself as. The invalid name is as bad as what you had before because it doesn't resolve correctly.

ESM, Servers, <your server>, SMTP. Right click on the default SMTP VS and choose Properties. Click on the tab Delivery and then Advanced. Change the Fully Qualified Domain Name to mail.custombuildingsystems.net. Apply/OK out.

However if you are still getting the error even though the PIX is no longer interfering, then it has to be something else.

Has recipient filtering been enabled on this machine?
What else is on the machine? AV, Antispam etc?

Simon.
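
The consistency the answers above ask for (the announced HELO name, its A record and the PTR record of the sending IP all agreeing), as an added example that is not part of the original thread. `check_mail_identity` and the sample records are assumptions constructed from the names and address quoted above, and `exch01.corp.example` is a hypothetical internal hostname.

```python
import re
import socket

FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def system_ptr(ip):
    """Live PTR lookup; [] when the address has no reverse record."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_a(name):
    """Live A lookup; [] when the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 25, socket.AF_INET)})
    except OSError:
        return []

def check_mail_identity(helo, ip, ptr_lookup=system_ptr, a_lookup=system_a):
    """Return findings for one sending IP; an empty list means HELO, A and PTR agree."""
    findings = []
    helo = helo.rstrip(".").lower()
    if not FQDN_RE.match(helo):
        findings.append("helo-not-fqdn")              # e.g. a banner masked by a firewall
    elif ip not in a_lookup(helo):
        findings.append("helo-a-mismatch")            # announced name does not resolve to this IP
    ptrs = [p.rstrip(".").lower() for p in ptr_lookup(ip)]
    if not ptrs:
        findings.append("no-ptr")
    elif not any(ip in a_lookup(p) for p in ptrs):
        findings.append("ptr-not-forward-confirmed")  # PTR name does not point back at the IP
    elif helo not in ptrs:
        findings.append("ptr-differs-from-helo")
    return findings

# Constructed sample data built from the names and address quoted in the thread.
IP = "216.144.168.194"
A_RECORDS = {"mail.custombuildingsystems.net": [IP]}
STALE_PTR = {IP: ["www.norrychristian.net"]}
FIXED_PTR = {IP: ["mail.custombuildingsystems.net"]}

def run_samples():
    a = lambda name: A_RECORDS.get(name, [])
    stale = lambda ip: STALE_PTR.get(ip, [])
    fixed = lambda ip: FIXED_PTR.get(ip, [])
    return {
        "masked banner, stale PTR": check_mail_identity("*" * 16, IP, stale, a),
        "unresolvable name, stale PTR": check_mail_identity("exch01.corp.example", IP, stale, a),
        "correct name, stale PTR": check_mail_identity("mail.custombuildingsystems.net", IP, stale, a),
        "correct name, fixed PTR": check_mail_identity("mail.custombuildingsystems.net", IP, fixed, a),
    }
```

Called without the two lookup arguments, `check_mail_identity` queries the system resolver, so the same check can be run against the live records after each DNS change.
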
This is the second domain we have hosted on this Exchange box.  So wouldn't changing the host name for one domain affect the other?  How is this resolved?

We have recipient filtering enabled but it has always been enabled.

Symantec Corporate 10.0.3

GFI Mail Essentials 11.0

With Exchange those are the only 2 things installed on the box.

This issue was not happening before the DNS change, but that was done March 22nd.  By now wouldn't everything have propagated correctly?

I think our next step is disabling GFI for a moment and having the person send a test message with it disabled and see what that brings.

Update:
Just disabled GFI and Symantec Auto-Protect and sent a test message, still nothing.

I am almost certain now it has to be a DNS/MX record issue.

Like I said, other domains' email is hosted on this Exchange server and they can all receive mail from the problem recipients fine.

I just wanted to thank you guys for all your ongoing help as well, I very much appreciate you sharing your knowledge!
ASKER CERTIFIED SOLUTION
Sembee

This solution is only available to members.
On the other end we have been doing telnet commands to see in which step it fails and have found this:

All the commands run fine EXCEPT when the VRFY command is run.  This is the result:

Cannot verify user but will accept message for use @ custombuildingsystems.net

So it seems that it can't verify the user and just generates an NDR.



DNS was moved to a new host and the MX record stayed the same however was recreated and the A record has been changed.

Mail: stayed 216......

Website or A: changed from a 216 to 67....
It seems now that is normal for the VRFY command to return that....since one can run that command and find a valid address.

Anyway, we did get an email through from using the telnet commands.  Their mailserver is also Exchange 2003.

That adds something to the mix.....

Thanks again for your help.
VRFY not working is by design: http://support.microsoft.com/?kbid=289521

If the sending site requires that, then they need to review their setup.

Simon.
Y'know... I have a feeling that this is somewhat due to your DNS change and the recent updating of your PTR (reverse record).

There are still a number of inconsistencies showing for your domain throughout the Internet.  

A DNS Sleuth search still shows no reverse record:
http://atrey.karlin.mff.cuni.cz/~mj/sleuth/?domain=custombuildingsystems.net&verbose=ON&server=&serverip=&action=Submit&.cgifields=verbose

DNS Stuff's reverse check DOES show the right reverse record:
http://www.dnsstuff.com/tools/ptr.ch?ip=216.144.168.194

But their PTR check shows nothing:
http://www.dnsstuff.com/tools/lookup.ch?name=mail.custombuildingsystems.net&type=PTR

While MXToolBox does show the correct reverse record but shows a problem with transaction time:
http://www.mxtoolbox.com/diagnostic.aspx?HOST=mail.custombuildingsystems.net

My guess is that if you just recently asked PTD.net to update the PTR record for custombuildingsystems.net it may not have gotten around to all root servers yet.  However, if it doesn't start resolving within the next couple of days, I'd contact them again to make sure it was done correctly.

Jeff
TechSoEasy
Since we are hosting multiple domains, is there any way to have more than 1 PTR record?

One of our other domains is pbsmodular.com, which is going to be eventually rehosted as well.  However, all mail comes through fine to that domain from the hosts that cannot send to custombuildingsystems.net.....and there is no PTR record for pbsmodular.com.

Thanks for your help Jeff and Simon.
This is killing me and my users are about to tar and feather me!
SOLUTION
This solution is only available to members.
P. S.  Set up the free monitoring at mxtoolbox.com and you will be able to see a report of 24-hour cumulative data for both connection and response times.

Jeff
TechSoEasy
I'm interested... what happened?

Jeff
TechSoEasy
Sorry for not closing this, kind of forgot about it. :)

Anyway, it seemed to be a DNS issue, as the companies that could not send us mail, one-by-one, could start getting mail through.  It just took about 3-4 days.

So I would like to give both of you points, how is this done?
Glad it all worked out for you.

To close this out, click the "split points" button at the bottom of the question.

Jeff
TechSoEasy
THANKS AGAIN GUYS...