[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Can't send mail to certain domains!~

Posted on 2006-04-06
16
Medium Priority
?
1,587 Views
Last Modified: 2008-02-26
I am a consulant that has recently set up an in house Exchange2003 server for a client and they are having problems sending mail to certain domains(hotmail.com, aol.com davidmorse.com and a few others. Previously their email was hosted at godaddy and every thing was fine.

Inhouse DNS is set up as a forwarder to ITC deltacom's DNS. We receive mail on one IP, but sent out thru another. Reverse DNS is set up on all of the IP's we use according to ITC and tests that I have done. We get delivery delayed messages 4.4.7 as well as undeliverable messages following that. A non-delivery report with a status code of  5.4.0 is reported in event viewer. An associate says that he believes that it is the fact that ITC (our provider) does not include spf records in their DNS and that is why we are not able to contact these certain domains! I'm stumped!!

Ask away....if more info is needed..ANY Help Appreciated!!!!!!!!!!!!!!.....Roy

P.S. I HAVE CHECKED OTHER POSTS...BUT NO LUCK...........
0
Comment
Question by:rbx123
  • 7
  • 5
  • 3
  • +1
16 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 2000 total points
ID: 16394285
No one is using SPF to block email - not least Hotmail and AOL. They would be silly to do so as the takeup is very low.
Most are using it as another measure to score emails on, so the lack of it shouldn't affect email delivery.

What is your reason for sending out on a different IP address? That might be causing the problem. You have to be careful to ensure that the server announces itself as a valid host name and that the name it announces does resolve somewhere.

Try putting your domain in to dnsreport.com and see what it throws back.

The non-delivery reports would also help, unless they are simple request timed out errors.

You could also do an nslookup on a domain that you are having problems with, then attempting to telnet to port 25 on the MX server that is listed.

For example... microsoft.com:

C:\>nslookup
Default Server:  server.domain.co.uk
Address:  192.168.1.1

> set type=mx
> microsoft.com
Server:  server.domain.co.uk
Address:  192.168.1.1

Non-authoritative answer:
microsoft.com   MX preference = 10, mail exchanger = mailc.microsoft.com
microsoft.com   MX preference = 10, mail exchanger = maila.microsoft.com
microsoft.com   MX preference = 10, mail exchanger = mailb.microsoft.com

maila.microsoft.com     internet address = 131.107.1.7
maila.microsoft.com     internet address = 131.107.1.6
mailb.microsoft.com     internet address = 131.107.3.123
mailb.microsoft.com     internet address = 205.248.102.77
mailc.microsoft.com     internet address = 205.248.102.78
mailc.microsoft.com     internet address = 205.248.102.79
>

When you have the MX server information, see if you can telnet to port 25 of the remote server.
For example (using the above information)

telnet maila.microsoft.com 25

Simon.
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 16394302
From your Exchange server, do an nslookup on the MX records of domains you are having trouble sending to, then try to telnet to port 25 of the records that are returned.

JJ
0
 
LVL 3

Expert Comment

by:Roshan25
ID: 16394367
I seen this issue beccause hotmail and AOL is looking for PTR record from your domain.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 

Author Comment

by:rbx123
ID: 16396134
Tried Telnet, it works, DNSreport.com.........OK....Whats next
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16396293
Did it pass every test on the dnsreport.com web site?

Simon.
0
 

Author Comment

by:rbx123
ID: 16396360
DNSREPORT Below:

DNS Report for linksinsuranceservices.com
Generated by www.DNSreport.com at 21:29:32 GMT on 06 Apr 2006.
Category Status Test Name Information
Parent

 PASS Missing Direct Parent check OK.
 Your direct parent zone exists, which is good. Some domains (usually third or fourth level domains, such as example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion.
INFO NS records at parent servers Your NS records at the parent servers are:

park21.secureserver.net. [64.202.165.178] [TTL=172800] [US]
park22.secureserver.net. [68.178.211.115] [TTL=172800] [US]

[These were obtained from m.gtld-servers.net]

PASS Parent nameservers have your nameservers listed OK.
 When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there.

PASS Glue at parent nameservers OK.
 The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names.

PASS DNS servers have A records OK.
 All your DNS servers either have A records at the zone parent servers, or do not need them (if the DNS servers are on other TLDs). A records are required for your hostnames to ensure that other DNS servers can reach your DNS servers. Note that there will be problems if your DNS servers do not have these same A records.
NS INFO NS records at your nameservers Your NS records at your nameservers are:

park21.secureserver.net.
park22.secureserver.net.

 
PASS Open DNS servers OK.
 Your DNS servers do not announce that they are open DNS servers. Although there is a slight chance that they really are open DNS servers, this is very unlikely. Open DNS servers increase the chances that of cache poisoning, can degrade performance of your DNS, and can cause your DNS servers to be used in an attack (so it is good that your DNS servers do not appear to be open DNS servers).  

PASS Mismatched glue OK.
 The DNS report did not detect any discrepancies between the glue provided by the parent servers and that provided by your authoritative DNS servers.

PASS No NS A records at nameservers OK.
 Your nameservers do include corresponding A records when asked for your NS records. This ensures that your DNS servers know the A records corresponding to all your NS records.

PASS All nameservers report identical NS records OK.
 The NS records at all your nameservers are identical.  

PASS All nameservers respond OK.
 All of your nameservers listed at the parent nameservers responded.

PASS Nameserver name validity OK.
 All of the NS records that your nameservers report seem valid (no IPs or partial domain names).

PASS Number of nameservers OK.
 You have 2 nameservers. You must have at least 2 nameservers (RFC2182 section 5 recommends at least 3 nameservers), and preferably no more than 7.

PASS Lame nameservers OK.
 All the nameservers listed at the parent servers answer authoritatively for your domain.

PASS Missing (stealth) nameservers OK.
 All 2 of your nameservers (as reported by your nameservers) are also listed at the parent servers.

PASS Missing nameservers 2 OK.
 All of the nameservers listed at the parent nameservers are also listed as NS records at your nameservers.  

PASS No CNAMEs for domain OK.
 There are no CNAMEs for mydomain.com.. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.

PASS No NSs with CNAMEs OK.
There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.

PASS Nameservers on separate class C's OK.
 You have nameservers on different Class C (technically, /24) IP ranges. You must have nameservers at geographically and topologically dispersed locations. RFC2182 3.1 goes into more detail about secondary nameserver location.

PASS All NS IPs public OK.
 All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays.

PASS TCP Allowed OK.
All your DNS servers allow TCP connections. Although rarely used, TCP connections are occasionally used instead of UDP connections. When firewalls block the TCP DNS connections, it can cause hard-to-diagnose problems.
INFO Nameservers versions Your nameservers have the following versions:

64.202.165.178: No version info available (timeout on lookup). Could be tinydns 1.00 through 1.04.
68.178.211.115: No version info available (timeout on lookup). Could be tinydns 1.00 through 1.04.
 
PASS Stealth NS record leakage
 Your DNS servers do not leak any stealth NS records (if any) in non-NS requests.
SOA INFO SOA record Your SOA record [TTL=86400] is:
Primary nameserver: park21.secureserver.net.
Hostmaster E-mail address: dns.jomax.net.
Serial #: 2005091xxx
Refresh: 28800
Retry: 7200
Expire: 604800
Default TTL: 86400
 
PASS NS agreement on SOA serial # OK.
 All your nameservers agree that your SOA serial number is 2005091xxxhat means that all your nameservers are using the same data (unless you have different sets of data with the same serial number, which would be very bad)! Note that the DNS Report only checks the NS records listed at the parent servers (not any stealth servers).
 
PASS SOA MNAME Check OK.
 Your SOA (Start of Authority) record states that your master (primary) name server is: park21.secureserver.net.. That server is listed at the parent servers, which is correct.
 
PASS SOA RNAME Check OK.
 Your SOA (Start of Authority) record states that your DNS contact E-mail address is: dns@jomax.net. (techie note: we have changed the initial '.' to an '@' for display purposes).  

PASS SOA Serial Number OK.
Your SOA serial number is: 2005091xxx is appears to be in the recommended format of YYYYMMDDnn, where 'nn' is the revision. For example, if you are making the 3rd change on 02 May 2000, you would use 2000050xxxhis number must be incremented every time you make a DNS change.

PASS SOA REFRESH value OK.
 Your SOA REFRESH interval is : 28800 seconds. This seems normal (about 3600-7200 seconds is good if not using DNS NOTIFY; RFC1912 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours)). This value determines how often secondary/slave nameservers check with the master for updates.

PASS SOA RETRY value OK.
Your SOA RETRY interval is : 7200 seconds. This seems normal (about 120-7200 seconds is good). The retry value is the amount of time your secondary/slave nameservers will wait to contact the master nameserver again if the last attempt failed.

PASS SOA EXPIRE value OK.
 Your SOA EXPIRE time: 604800 seconds. This seems normal (about 1209600 to 2419200 seconds (2-4 weeks) is good). RFC1912 suggests 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.

PASS SOA MINIMUM TTL value OK.
 Your SOA MINIMUM TTL is: 86400 seconds. This seems normal (about 3,600 to 86400 seconds or 1-24 hours is good). RFC2308 suggests a value of 1-3 hours. This value used to determine the default (technically, minimum) TTL (time-to-live) for DNS entries, but now is used for negative caching.
MX INFO MX Record Your 1 MX record is:
0 mail.mydomain.com. [TTL=3600] IP=72.242.101.227 [TTL=3600] [US]
 
PASS Low port test OK.
 Our local DNS server that uses a low port number can get your MX record. Some DNS servers are behind firewalls that block low port numbers. This does not guarantee that your DNS server does not block low ports, but is a good indication that it does not.

PASS Invalid characters OK.
 All of your MX records appear to use valid hostnames, without any invalid characters.

PASS All MX IPs public OK.
 All of your MX records appear to use public IPs. If there were any private IPs, they would not be reachable, causing slight mail delays, extra resource usage, and possibly bounced mail.

PASS MX records are not CNAMEs OK.
 Looking up your MX record did not just return a CNAME. If an MX record query returns a CNAME, extra processing is required, and some mail servers may not be able to handle it.

PASS MX A lookups have no CNAMEs OK.
 There appear to be no CNAMEs returned for A records lookups from your MX records (CNAMEs are prohibited in MX records, according to RFC974, RFC1034 3.6.2, RFC1912 2.4, and RFC2181 10.3).

PASS MX is host name, not IP OK.
 All of your MX records are host names (as opposed to IP addresses, which are not allowed in MX records).

INFO Multiple MX records
NOTE: You only have 1 MX record. If your primary mail server is down or unreachable, there is a chance that mail may have troubles reaching you. In the past, mailservers would usually re-try E-mail for up to 48 hours. But many now only re-try for a couple of hours. If your primary mailserver is very reliable (or can be fixed quickly if it goes down), having just one mailserver may be acceptable.

PASS Differing MX-A records OK.
 I did not detect differing IPs for your MX records (this would happen if your DNS servers return different IPs than the DNS servers that are authoritative for the hostname in your MX records).

PASS Duplicate MX records OK.
 You do not have any duplicate MX records (pointing to the same IP). Although technically valid, duplicate MX records can cause a lot of confusion, and waste resources.

PASS Reverse DNS entries for MX records OK.
 The IPs of all of your mail server(s) have reverse DNS (PTR) entries. RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. Note that this information is cached, so if you changed it recently, it will not be reflected here (see the www.DNSstuff.com Reverse DNS Tool for the current data). The reverse DNS entries are:

xxx.242.xxn-addrmydomain.com..arpa mail.. [TTL=60814]

 PASS
 Connect to mail servers OK: I was able to connect to all of your mailservers.

PASS Mail server host name in greeting OK:
 All of your mailservers have their host name in the greeting:

mail.:mydomain.com.
    220 MAIL.mydomain.com. Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 6 Apr 2006 17:29:49 -0400
 
PASS Acceptance of NULL <> sender OK
: All of your mailservers accept mail from "<>". You are required (RFC1123 5.2.9) to receive this type of mail (which includes reject/bounce messages and return receipts).

PASS Acceptance of postmaster address OK:
 All of your mailservers accept mail to postmaster@mydomain.com.(as required by RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1).

PASS Acceptance of abuse address OK:
 All of your mailservers accept mail to abuse@mydomain.com.

INFO Acceptance of domain
 WARNING: One or more of your mailservers does not accept mail in the domain literal format (user@[0.0.0.0]). Mailservers are technically required RFC1123 5.2.17 to accept mail to domain literals for any of its IP addresses. Not accepting domain literals can make it more difficult to test your mailserver, and can prevent you from receiving E-mail from people reporting problems with your mailserver. However, it is unlikely that any problems will occur if the domain literals are not accepted (mailservers at many common large domains have this problem).

mail.mydomain.com.' postmaster@[72.242.101.xxxponse
    >>> RCPT TO:<postmaster@[72.242.101.xxx
    <<< 550 5.7.1 Unable to relay for postmaster@[72.242.101.xxx

 
PASS Open relay test OK:
All of your mailservers appear to be closed to relaying. This is not a thorough check, you can get a thorough one here.
mail.mydomain.com.
OK: 550 5.7.1 Unable to relay for Not.abuse.see.www.DNSreport.com.from.IP.205.152.238.75@DNSreport.com
 
WARN SPF record
 Your domain does not have an SPF record. This means that spammers can easily send out E-mail that looks like it came from your domain, which can make your domain look bad (if the recipient thinks you really sent it), and can cost you money (when people complain to you, rather than the spammer). You may want to add an SPF record ASAP, as 01 Oct 2004 was the target date for domains to have SPF records in place (Hotmail, for example, started checking SPF records on 01 Oct 2004).  
WWW
 INFO WWW Record Your www.mdomain.com.A record is:

www.mydomain.com. [TTL=3600]
mydomain.com.  A  64.202.190.172 [TTL=3600] [US]

 
PASS All WWW IPs public OK.
 All of your WWW IPs appear to be public IPs. If there were any private IPs, they would not be reachable, causing problems reaching your web site.

PASS CNAME Lookup OK.
 You do have a CNAME record for www.linksinsuranceservices.com, which can cause some confusion. However, this is legal. Your CNAME entry also returns the A record for the CNAME entry, which is good -- otherwise, it would require an extra DNS lookup, which slightly delays the initial access to the website and use extra bandwidth. Note that if the CNAME points to another CNAME, it will likely cause problems.



More sugestions???????????????
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16396532
You stated above that your email goes out on another IP address.
What is the reason for that?

Everything appears ok for inbound email (which is what that is testing) but if you have email coming from another IP address then you need to look at whether that address has been setup correctly.

Simon.
0
 

Author Comment

by:rbx123
ID: 16396675
Someone else set up the router, the company has 4 or 5 ip's. I'm not that familiar with routing, and I know that the default gateway on the network to the wan is not the same ip as the mail server. It was set up this way when I came along.
When I was installing exchange, I asked the person that set up the router to give me a public address that would be used for the exchange server..he did i used it.........Remember,,,,,,,,the key to this is,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,They CANNOT SEND mail to CERTAIN DOMAINS,,,,,,,, sending and recieving to all others is ok!!!!!

..............................................................Roy
0
 

Author Comment

by:rbx123
ID: 16396700
The returned undeliverable message says
 "could not deliver the message in the time limit specified 4.4.7"
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16397025
You don't have to shout.

The point is that different sites have different measures that they use to protect against spam. Some they make public, many they don't. The trick for email server administrators is to ensure that their servers are setup as correctly as possible.

If the firewall has been set up to do a one to one NAT, then there is a good chance the email is going out on the same IP address as it is coming in on - even though the gateway is different. You can check this using one of the Check IP address web sites such as http://checkip.dyndns.org/

If that is the case, then that is probably not the cause.

The NDR that you have posted above is probably the most generic NDR there is, and doesn't really help.
My instinct still says DNS or transport issues. If the message was being delivered then rejected by the remote site, then you would get a different NDR, usually with a message attached.

Check whether the firewall has any kind of SMTP scanning features. If it does (the Cisco PIX does for example) then get them disabled.

The fall back plan is to use an SMTP Connector to route your email through the ISPs SMTP server.
http://www.amset.info/exchange/smtp-connector.asp

Simon.
0
 

Author Comment

by:rbx123
ID: 16397545
I too believe that it is DNS but......

Here is what I get when I run reverse dns on the IP they are using for INBOUND mail
Answer:
xx.242.101.227 PTR record: mail.mydomain.com. [TTL 86400s] [A=xx.242.101.227]


  Here is what I get when I run reverse dns on the ip they are using for OUTBOUND mail

Answer:
xx.242.101.225 PTR record: mail.mydomain.com. [TTL 86400s] [A=xx.242.101.227] *ERROR* A record does not point back to original IP.

Does this help??????????????
0
 
LVL 3

Expert Comment

by:Roshan25
ID: 16399829
this is a dns issue. PTR record missing.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16402543
Your reverse DNS doesn't tally up.
I would suspect that the firewall isn't doing one to one NAT, so the server appears to come from the default IP address, and not the IP address that has been assigned to it.
My preference would be to get the firewall sorted out, so that the same IP address is used for both incoming and outbound. If that isn't possible then you will have to reconfigure the Exchange server to announce itself as the name known as on the default IP address so that outbound email is coming from a valid address.

Simon.
0
 

Author Comment

by:rbx123
ID: 16413628
OK were close........ Mail now goes out the same ip as it comes in...This Helps ..AOL works but...........When trying to get to Hot Mai,l now I get this:

The following recipient(s) could not be reached:

      rbx1239@hotmail.com on 4/9/2006 7:27 PM
            This message was rejected due to the current administrative policy by the destination server.  Please retry at a later time.  If that fails, contact your system administrator.
            <mail.mydomain.com #4.3.2>

Getting warmer..........lol
0
 
LVL 3

Expert Comment

by:Roshan25
ID: 16414366
try sending another email. This is not a perminent failure error. Which mean the email mail may have eventually delivered. Normaly you get this error if you froze the smtp queue.
Also check you event log is you are getting any error when this happen. You might want to restart your smtp.
0
 

Author Comment

by:rbx123
ID: 16429999
It was a reverse DNS issue caused by the fact that they received mail on on address and sent from another!!!!!!!!!

Once the change was made it took three days to propagate though...Thanks all!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With so many activities to perform, Exchange administrators are always busy in organizations. If everything, including Exchange Servers, Outlook clients, and Office 365 accounts work without any issues, they can sit and relax. But unfortunately, it…
Steps to fix error: “Couldn’t mount the database that you specified. Specified database: HU-DB; Error code: An Active Manager operation fail”
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

868 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question