smtp 550-"The recipient cannot be verified Error

Hello,

    We are receiving this, (smtp;550-"The recipient cannot be verified) error on only certain people trying to send mail to our domain.  Can someone please tell me why this might be happening and how to solve it?

Thanks,
krik0011 Asked:
 
Sembee Commented:
How much control is possible over the other end?
Can they look at the logs to see what server it is connecting to?
Can they do an nslookup on the mail server itself and see what results come back?

It could be stale DNS records somewhere.

How much did you change?
Just the IP address?
The host as well?

(post.isp.net to mail.domain.com, or mail.domain.com pointing at 123.123.123.123 and now pointing at 456.456.456.456 for example).

Simon.

krik0011 (Author) Commented:
BTW this is the domain, custombuildingsystems.net

Sembee Commented:
You have a PIX.
Turn off the Fixup SMTP option.

http://support.microsoft.com/default.aspx?kbid=320027

Can't see any further to see if there is anything else.

However I am almost positive that error isn't an Exchange error, so the question has to be, what else do you have that is scanning email? Any other settings on the firewall? Antispam or antivirus products?

Simon.
 
krik0011 (Author) Commented:
We have 2 domains, our other domain that is hosted on the exchange server can receive email from the un-receivable hosts fine....

We have GFI Mail Essentials and Symantec Corporate 10.0.3.  We have no software firewall enabled on the Exchange machine, only a Cisco PIX 515 between the Exchange server and the net.

We just had that domain transferred and a new MX record created.  I am thinking that could be the issue; however, we can receive other mail perfectly fine.

Sembee Commented:
How long ago was the domain moved? It might be domain propagation taking effect.

I would still recommend removing the fixup SMTP. It will cause you problems as it stops the server announcing itself correctly which will trip some antispam filters.

Simon.

krik0011 (Author) Commented:
I will remove that...

Anyway, it was changed March 22nd.... I thought as well the changes didn't propagate, but when I saw the bounce message 550 The recipient cannot be verified, that made me think differently.  It also changed my mind when the company that cannot send mail HELO'ed fine to our domain......

Sembee Commented:
Domain changes take up to 48 hours to fully propagate, and then you can get stale or cached entries.

I would also look at the configuration of GFI Mail Essentials to see whether any of its recipient filtering has been enabled. The message isn't an Exchange message, so something else is generating it.

Simon.

Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
The problem may be due to the fact that your mailserver is spewing out an invalid hostname:  http://www.dnsreport.com/tools/dnsreport.ch?domain=custombuildingsystems.net

Many mailservers may balk at this output.  Be sure to set it correctly in your DNS at the ISP.

Also, it would be a good idea for you to create an SPF record.  Info on that is towards the bottom of that link.

Jeff
TechSoEasy

krik0011 (Author) Commented:
I am not sure what you are asking me to check at our DNS hosting provider...

The message I see from DNSreport speaks of our SMTP helo announce, I checked the properties of that and it is set as the FQDN of the exchange server.

Is there something else I need to enable to announce the server name properly?

I will definitely create an SPF record, thanks.

GFI also is normal and no configuration has changed in about 3 months.

Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Well, both actually... the hostname of your Exchange server needs to match the A record in your DNS Zone file at your hosting provider.

The problem is that your reverse IP lookup for  216.144.168.194  gives www.norrychristian.net.  Assuming you are not related to this organization, and not sharing an Exchange server with them, you need to get this fixed ASAP.

The SPF record will help as well.

Jeff
TechSoEasy

Sembee Commented:
The helo announcement is currently the ****************. That isn't your server doing that, but the PIX. It is how I know that you have a Cisco PIX. You need to disable the Fixup SMTP so that the true SMTP banner is shown, not the one generated by the PIX.

Simon.

Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Simon's the man!

(I don't play well with PIX's so I'm usually not allowed to get near them).

But lemme at that DNS Zone file!

:-)

Hope all of that helps.

Jeff
TechSoEasy

krik0011 (Author) Commented:
Thanks guys for all your help, will do the things listed and give appropriate points....

krik0011 (Author) Commented:
The change to the PIX has been made and it is announcing the hostname.

However, since the hostname does not contain that domain name it still gives a warning. Will this still be OK?

This still did not fix the issue; however, the reverse IP is still not changed.  The hosting provider has been contacted to correct this.

Sembee Commented:
You need to change what the server announces itself as. The invalid name is as bad as what you had before because it doesn't resolve correctly.

ESM, Servers, <your server>, SMTP. Right click on the default SMTP VS and choose Properties. Click on the tab Delivery and then Advanced. Change the Fully Qualified Domain Name to mail.custombuildingsystems.net. Apply/OK out.

However if you are still getting the error even though the PIX is no longer interfering, then it has to be something else.

Has recipient filtering been enabled on this machine?
What else is on the machine? AV, Antispam etc?

Simon.
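
The checks discussed in the posts above (a masked 220 banner, an announced name that does not resolve, a PTR record pointing at an unrelated host), as an added example that is not part of the original thread. The DNS data is constructed and passed in as dictionaries rather than looked up, and every name and address is a placeholder.

```python
import re

# Constructed sample DNS data (placeholders, not real lookups).
A_RECORDS = {"mail.example.net": "192.0.2.25"}
PTR_STALE = {"192.0.2.25": "www.unrelated.example"}
PTR_FIXED = {"192.0.2.25": "mail.example.net"}


def banner_host(banner):
    """Return the name announced in a 220 greeting, or None if masked or absent."""
    m = re.match(r"220[ -](\S+)", banner)
    if not m or "*" in m.group(1):  # '*' is never valid in a hostname
        return None
    return m.group(1).rstrip(".").lower()


def check_mail_identity(banner, ip, a_records, ptr_records):
    """List the identity problems a remote mail server or DNS report would flag."""
    findings = []
    host = banner_host(banner)
    if host is None:
        findings.append("banner masked or missing")
    elif a_records.get(host) != ip:
        findings.append(f"announced name {host} does not resolve to {ip}")
    ptr = ptr_records.get(ip)
    if ptr is None:
        findings.append(f"no PTR record for {ip}")
    elif a_records.get(ptr.rstrip(".").lower()) != ip:
        findings.append(f"PTR {ptr} does not resolve back to {ip}")
    return findings


if __name__ == "__main__":
    cases = [
        ("220 ********************", PTR_STALE),           # firewall rewriting the banner
        ("220 exch01.corp.local ESMTP ready", PTR_STALE),  # internal name announced
        ("220 mail.example.net ESMTP ready", PTR_FIXED),   # name, A and PTR agree
    ]
    for banner, ptr in cases:
        print(banner, "->", check_mail_identity(banner, "192.0.2.25", A_RECORDS, ptr) or "OK")
```

In live use the two dictionaries would be filled from A and PTR queries against the public resolvers the sending side uses, since stale caches are exactly what differs between senders.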

krik0011 (Author) Commented:
This is the second domain we have hosted on this Exchange box.  So wouldn't changing the host name for one domain affect the other?  How is this resolved?

We have recipient filtering enabled but it has always been enabled.

Symantec Corporate 10.0.3

GFI Mail Essentials 11.0

With Exchange those are the only 2 things installed on the box.

This issue was not happening before the DNS change, but that was done March 22nd.  By now wouldn't everything have propagated correctly?

I think our next step is disabling GFI for a moment and having the person send a test message with it disabled and see what that brings.


krik0011 (Author) Commented:
Update:
Just disabled GFI and Symantec Auto-Protect and sent a test message, still nothing.

I am almost certain now it has to be a DNS/MX record issue.

Like I said, other domains' email is hosted on this Exchange server and they can all receive mail from the problem recipients fine.

I just wanted to thank you guys for all your ongoing help as well, I very much appreciate you sharing your knowledge!

krik0011 (Author) Commented:
On the other end we have been doing telnet commands to see in which step it fails and have found this:

All the commands run fine EXCEPT when the VRFY command is run.  This is the result:

Cannot verify user but will accept message for use @ custombuildingsystems.net

So it seems that it can't verify the user and just generates an NDR.



DNS was moved to a new host and the MX record stayed the same however was recreated and the A record has been changed.

Mail: stayed 216......

Website or A: changed from a 216 to 67....

krik0011 (Author) Commented:
It seems now that is normal for the VRFY command to return that....since one can run that command and find a valid address.

Anyway, we did get an email through from using the telnet commands.  Their mailserver is also Exchange 2003.

That adds something to the mix.....

Thanks again for your help.

Sembee Commented:
VRFY not working is by design: http://support.microsoft.com/?kbid=289521

If the sending site requires that, then they need to review their setup.

Simon.

Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Y'know... I have a feeling that this is somewhat due to your DNS change and the recent updating of your PTR (reverse record).

There are still a number of inconsistencies showing for your domain throughout the Internet.  

A DNS Sleuth search still shows no reverse record:
http://atrey.karlin.mff.cuni.cz/~mj/sleuth/?domain=custombuildingsystems.net&verbose=ON&server=&serverip=&action=Submit&.cgifields=verbose

DNS Stuff's reverse check DOES show the right reverse record:
http://www.dnsstuff.com/tools/ptr.ch?ip=216.144.168.194

But their PTR check shows nothing:
http://www.dnsstuff.com/tools/lookup.ch?name=mail.custombuildingsystems.net&type=PTR

While MXToolBox does show the correct reverse record but shows a problem with transaction time:
http://www.mxtoolbox.com/diagnostic.aspx?HOST=mail.custombuildingsystems.net

My guess is that if you just recently asked PTD.net to update the PTR record for custombuildingsystems.net it may not have gotten around to all root servers yet.  However, if it doesn't start resolving within the next couple of days, I'd contact them again to make sure it was done correctly.

Jeff
TechSoEasy

krik0011 (Author) Commented:
Since we are hosting multiple domains, is there any way to have more than 1 PTR record?

One of our other domains is pbsmodular.com, which is going to be eventually rehosted as well.  However, all mail comes through fine to that domain from the hosts that cannot send to custombuildingsystems.net.....and there is no PTR record for pbsmodular.com.

Thanks for your help Jeff and Simon.

krik0011 (Author) Commented:
This is killing me and my users are about to tar and feather me!

Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
It's not necessary to have a PTR record that matches your domain, it's just necessary to HAVE ONE.  On one of my web servers, for instance, there are over 150 domains which all use email services of that server.

In fact, PBSMODULAR.COM's PTR record is now mail.custombuildingsystems.net which is technically no problem at all.

I think you've actually solved MOST of the problems... but the one that's still causing an issue as far as I can see is the TTL setting for mail.pbsmodular.com which is set at 86400 while mail.custombuildingsystems.net is set at 14400 (you'll note that I use even a shorter TTL because of the amount of domains that have to pass through sometimes).

Probably the best way for you to see what's going on here is to review these three reports from DNSReport -- I've included mine so that you can see how it SHOULD be reacting to your configuration:

custombuildingsystems.net
http://dnsreport.com/tools/dnsreport.ch?domain=custombuildingsystems.net

PBSModular.com
http://dnsreport.com/tools/dnsreport.ch?domain=PBSMODULAR.COM

TechSoEasy.com
http://dnsreport.com/tools/dnsreport.ch?domain=techsoeasy.com

So, what's happening is that an email gets sent to custombuildingsystems.net which has to refer it to mail.custombuildingsystems.net which then has to be referred to mail.pbsmodular.com before it can finally arrive at host pbsmail.pbsmodular.com.  The problem is that it times out at mail.pbsmodular.com depending on the sending server's configuration.

Check out these two screens:
http://mxtoolbox.com/diagnostic.aspx?HOST=mail.custombuildingsystems.net
http://mxtoolbox.com/diagnostic.aspx?HOST=mail.pbsmodular.com

So... you need to change the TTL settings in pbsmodular.com's DNS zone file to 14400.  (Or have your ISP do this if they manage these records).

Then you should see vast improvements.

Jeff
TechSoEasy

Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
P. S.  Set up the free monitoring at mxtoolbox.com and you will be able to see a report of 24-hour cumulative data for both connection and response times.

Jeff
TechSoEasy

Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
I'm interested... what happened?

Jeff
TechSoEasy

krik0011 (Author) Commented:
Sorry for not closing this, kind of forgot about it. :)

Anyway, it seemed to be a DNS issue, as the companies that could not send us mail could, one by one, start getting mail through.  It just took about 3-4 days.

So I would like to give both of you points, how is this done?

Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Glad it all worked out for you.

To close this out, click the "split points" button at the bottom of the question.

Jeff
TechSoEasy

krik0011 (Author) Commented:
THANKS AGAIN GUYS...
Question has a verified solution.