
Hotmail rejects my mail sent by an internal SMTP server.

Hi;

Problem:
- my internal smtp server cannot deliver email to hotmail.com, sympatico.ca, etc

- Error found when using SMTPDiag utility
Error: Expected "250".  Server rejected the sender address. Failed to submit mail to mx3.hotmail.com
Error: Expected "220".  Server is not accepting the connection. Failed to submit mail to mx3.hotmail.com

- In the Event Viewer, I found the following message:

"Message delivery to the remote domain "xxx.com" failed for the following
reason. The connection was dropped by the remote host"

smtp server infrastructure:
- 1 IIS SMTP email server at local area network - called "ismtp"
- 1 IIS SMTP email server at DMZ - called "dsmtp"

dns server :
- 3 dns server internal
- 2 dns server at DMZ
- using isp's dns as dns forwarders.

internet connection
- using T1 line for internet access normally.
- using cable connection as internet access backup.

The "ismtp" server is used for outgoing email only; this server does not receive email. It is used by the fax server for "fax to email" and by the internal web server, which needs email delivery functions.

The "ismtp" server cannot send email to hotmail.com, sympatico.ca, rogers.com, etc., because it is rejected by them. However, if I use the dSMTP server as a SmartHost for "ismtp", it works.

Currently, I am using NAT at the firewall to translate a public IP to the local IP of the iSMTP server. I allow any to any from the inside network to the internet. The iSMTP server goes to the internet via a T1 line.

Also, I tested my iSMTP server with the cable connection; email to hotmail.com can be delivered when using cable. When I plug my iSMTP server into the cable connection, a public IP is leased by my cable company.

I called my T1 line ISP to add the reverse lookup name for my iSMTP server on their DNS server, but it still did not help.

I can do the reverse DNS lookup for my SMTP server from the internet with tools like the ones provided at www.dnsstuff.com.

My questions:

1. Why does the same server give me different results when it connects to the internet over different links, T1 line and cable?

2. Why can the email to hotmail.com be delivered if I use a SmartHost?

3. Someone said I should register my domain name in SPF (Sender Policy Framework) via http://www.openspf.org to solve this problem, but since the email works if I use a SmartHost or the cable connection, do I need SPF?

4. I am going to set up my own Exchange 2003 server for sending and receiving email for internal users. I am afraid the same problem will still be there after setting up Exchange 2003, so I must overcome this issue before setting it up.

Thanks



Any idea? thanks!
Asked by: KANEWONG

2 Solutions

jar3817Commented:
Many sites reject any mail coming from cable/DSL connections (including my own). 90% of the email coming from cable/DSL connections is spam. This might explain why you can't when going through your cable connection. If you use the cable, you should use your ISP as a smart host.

As for using the T1, the only thing I can think of is missing reverse DNS for your public IPs, unless your mail server is incorrectly configured and not announcing itself correctly. For example, make sure it is giving a VALID fully qualified hostname during the HELO/EHLO stage of the SMTP connection. You can check that by looking at the headers from an email you sent (send to a Gmail account and look at the source). If it is announcing as your internal domain name, or even just the unqualified server name (server1), or even just an IP address, that could cause the connection to be rejected.
0
 
flyguybobCommented:
I wanted to add my $0.02... (jar3817 had some good information)
Regarding the SPF records, this is a type of a DNS record.  
It does not hurt to have an SPF record in place for your domain.  

There are not many ISPs that require an SPF record at this point.  Generally they require a PTR record, as jar3817 and you have already discussed.  As Jar also noted, many providers are starting to block e-mail from cable/dsl connections.  What I have noticed is that the dynamic IP addresses, assigned by cable companies, DSL providers, and other home broadband providers, are being blocked.  In addition, some companies block outbound SMTP on these IP ranges.  Why?  Generally businesses have a line with a static IP.  Most home broadband providers require their dynamic IP users to relay SMTP mail through their SMTP servers.  This smarthost setup still allows for spam from the ISP addresses, but it is a bit more controlled and has helped decrease the proliferation of virii and mail messages containing virus packages.
0
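jar3817's advice to read the HELO/EHLO name out of a delivered message's headers, and flyguybob's point that receivers mostly insist on a PTR record, can be turned into a repeatable check. The Python script below is an added example written for this thread, not code from either commenter or from any product. The hostnames, addresses, sample messages and DNS data in it are constructed, and the `ptr_lookup`/`a_lookup` callables are stand-ins for real resolver calls so it runs offline.

```python
"""Inspect what a sending host advertises, from a message's Received: header.

Pulls the HELO/EHLO name and connecting IP out of the topmost Received:
line as recorded by the receiving MX, then checks that the HELO name is
a fully qualified hostname (not a bare name or an address literal) and
that the IP has forward-confirmed reverse DNS (PTR -> name, A -> same IP).
DNS lookups are injected as callables so the checks run offline.
"""
import email
import ipaddress
import re
from typing import Callable, Dict, List

# Matches the common "from <helo> (<rdns> [<ip>])" and "from <helo> ([<ip>])" forms.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

Lookup = Callable[[str], List[str]]


def parse_received(raw_message: str) -> Dict[str, str]:
    """Extract helo, rdns and ip from the first (most recent) Received: header."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        raise ValueError("no Received: header found")
    unfolded = " ".join(received[0].split())  # undo header folding
    m = RECEIVED_RE.search(unfolded)
    if not m:
        raise ValueError(f"unrecognised Received: header: {unfolded!r}")
    return {"helo": m.group("helo"), "rdns": m.group("rdns") or "", "ip": m.group("ip")}


def is_fqdn(name: str) -> bool:
    """True for a dotted hostname; False for an unqualified name or an IP literal."""
    bare = name.strip("[]").rstrip(".")
    try:
        ipaddress.ip_address(bare)
        return False  # address literal such as [203.0.113.10]
    except ValueError:
        pass
    labels = bare.split(".")
    return len(labels) >= 2 and all(LABEL_RE.fullmatch(label) for label in labels)


def fcrdns_ok(ip: str, ptr_lookup: Lookup, a_lookup: Lookup) -> bool:
    """Forward-confirmed reverse DNS: some PTR name for ip resolves back to ip."""
    return any(ip in a_lookup(name) for name in ptr_lookup(ip))


def check_sender(raw_message: str, ptr_lookup: Lookup, a_lookup: Lookup) -> Dict[str, object]:
    """Summarise the identity checks a strict MX applies to a connecting host."""
    info = parse_received(raw_message)
    ptr_names = [n.rstrip(".").lower() for n in ptr_lookup(info["ip"])]
    return {
        "helo": info["helo"],
        "ip": info["ip"],
        "helo_is_fqdn": is_fqdn(info["helo"]),
        "fcrdns": fcrdns_ok(info["ip"], ptr_lookup, a_lookup),
        "helo_matches_ptr": info["helo"].rstrip(".").lower() in ptr_names,
    }


# Constructed sample data (not real hosts): a well-configured sender, and a
# sender announcing a bare "ismtp" from an IP that has no PTR record.
FAKE_PTR = {"203.0.113.10": ["ismtp.example.com"]}
FAKE_A = {"ismtp.example.com": ["203.0.113.10"]}


def fake_ptr(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fake_a(name: str) -> List[str]:
    return FAKE_A.get(name.rstrip(".").lower(), [])


GOOD_MESSAGE = (
    "Received: from ismtp.example.com (ismtp.example.com [203.0.113.10])\n"
    "\tby mx.example.net with ESMTP id 1a2b3c\n"
    "\tfor <user@example.net>; Mon, 1 Jan 2007 10:00:00 +0000\n"
    "From: fax@example.com\nTo: user@example.net\nSubject: test\n\nbody\n"
)
BAD_MESSAGE = (
    "Received: from ismtp (unknown [198.51.100.7])\n"
    "\tby mx.example.net with ESMTP id 4d5e6f; Mon, 1 Jan 2007 10:00:00 +0000\n"
    "From: fax@example.com\nTo: user@example.net\nSubject: test\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in (("good", GOOD_MESSAGE), ("bad", BAD_MESSAGE)):
        print(label, check_sender(raw, fake_ptr, fake_a))
```

For a live check, replace the two fake lookups with wrappers around your resolver (for example `socket.gethostbyaddr` for the PTR and `socket.gethostbyname_ex` for the A record) and feed in the raw source of a message received at a mailbox you control; the `helo_matches_ptr` field is the comparison jar3817 describes, and `fcrdns` is what the PTR discussion with the ISP was meant to achieve.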
 
KANEWONGAuthor Commented:
Hi guys;

Thanks for your response!

Although my internal SMTP server uses "ismtp" as its server name, I placed a valid fully qualified hostname in the masquerade domain field, so when I use telnet ismtp 25 to check the HELO/EHLO stage, it shows the valid name.

And, I have reverse dns entry added by my isp already.
0
 
flyguybobCommented:
You should have the ismtp.company.com address added as a DNS A record on your external DNS.
0
 
KANEWONGAuthor Commented:
I added ismtp.company.com in my dns as A record and added the SPF record too but still have no luck.

0
 
flyguybobCommented:
This is some support information straight from the Hotmail/MSN support pages:
http://postmaster.msn.com/Troubleshooting.aspx
http://postmaster.msn.com/Services.aspx#SenderSolutions
http://postmaster.msn.com/Guidelines.aspx 
While we have gone through many of the steps, it would not hurt for you to review the above information. In addition, there is an e-mail address for the nocmail at Hotmail. You may want to take the chance to bounce them a message after you have troubleshot and verified the steps.

Send an e-mail to a domain that will receive from you and get the person on the other end (even your own e-mail account) to send you the mail headers. Look to see what server name you are advertising and what IP you are advertising. It sounds like you have already changed the setting to masquerade the DNS information to "ismtp.company.com".
0
 
jar3817Commented:
"I placed a valid fully qualified hostname to the masquerade domain field, therefore when using telnet ismtp 25 to check at the HELO/EHLO stage, it was showing the valid name."

There should be another field near where you set the masquerade domain, called "fully qualified domain name". Fill that in too. When you telnet to the server you see the full name, but that doesn't mean it will give that name when connecting to other mail servers (which is the problem).
0
 
KANEWONGAuthor Commented:
Hi guys;

I compared the full headers of my outgoing email sent to Yahoo and to Hotmail; there is no big difference. The only difference is the host name and the IP address. When I sent to Yahoo from ismtp WITHOUT the SmartHost, the host name is "ismtp.mycompany.com" and the IP address is the public IP that I put in the external DNS. When I sent to Hotmail from ismtp WITH the SmartHost, the host name and the IP address are those of the SmartHost, like "esmtp.mycompany.com".
0
 
KANEWONGAuthor Commented:
Hi;

I emailed nocmail@microsoft.com; the guy responded to my email and asked me to clear the problem found at http://www.dnsreport.com, where there is a failed check like this...

ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

And the step to solve the open DNS issue is to disable recursion on my W2K DNS server; however, if I disable recursion, my DNS cannot do name resolution for most domain names, because I am using my ISP's DNS as a forwarder.

0
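The dnsreport.com finding quoted above (an authoritative nameserver that also answers recursive queries for anyone) can be confirmed from outside the network with a single raw DNS query and a look at the reply's header flags. The script below is an added example written for this thread, not a tool from dnsreport.com, Microsoft or the asker; it uses only the Python standard library. The query name `www.example.com` is a placeholder (it must be a name the server being tested is not authoritative for), and the synthetic response headers built by `make_response` are constructed so the classification can be exercised offline.

```python
"""Check whether a nameserver offers open recursion, as dnsreport.com flagged.

Sends a standard query with RD=1 for a name the server is not authoritative
for and classifies the response from its header flags: RA set plus an
answer means the server recursed on behalf of an outside client.  Packet
building and parsing use only the standard library; probe_server() does
the network round trip, while classify() works on constructed headers.
"""
import random
import socket
import struct
from typing import Dict

QR_FLAG, AA_FLAG, RD_FLAG, RA_FLAG = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_MASK, RCODE_REFUSED = 0x000F, 5


def build_query(name: str, qid: int) -> bytes:
    """Standard A/IN query with the recursion-desired bit set."""
    header = struct.pack("!HHHHHH", qid, RD_FLAG, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(packet: bytes) -> Dict[str, int]:
    """Decode the 12-byte DNS header into the fields the check needs."""
    if len(packet) < 12:
        raise ValueError("truncated DNS packet")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": qid,
        "qr": bool(flags & QR_FLAG),
        "aa": bool(flags & AA_FLAG),
        "ra": bool(flags & RA_FLAG),
        "rcode": flags & RCODE_MASK,
        "ancount": ancount,
    }


def classify(response: bytes, expected_id: int) -> str:
    """Label the server's behaviour from a reply to an out-of-zone query."""
    h = parse_header(response)
    if h["id"] != expected_id or not h["qr"]:
        return "invalid"                    # not a reply to our query
    if h["rcode"] == RCODE_REFUSED or not h["ra"]:
        return "closed"                     # recursion refused or not offered
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursive"             # it resolved an outside name for us
    return "advertises-recursion-only"      # RA set, but nothing was resolved


def make_response(qid: int, flags: int, ancount: int) -> bytes:
    """Synthetic reply header (answer section omitted) for offline exercises."""
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)


def probe_server(server_ip: str, name: str = "www.example.com", timeout: float = 3.0) -> str:
    """Query server_ip for a name it is NOT authoritative for (placeholder default)."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server_ip, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no-response"
    return classify(data, qid)


if __name__ == "__main__":
    import sys
    print(probe_server(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it from a host outside your network against each public nameserver; "open-recursive" is the condition dnsreport.com reported, and "closed" is what you want to see on a server that is authoritative only. The "advertises-recursion-only" result covers the caveat in the quoted report, a server that sets RA but does not actually resolve. Fixing it properly means the split that flyguybob describes in the next comment: recursion (with the ISP forwarder) stays on the internal servers, and the externally reachable servers answer only for the zones they host.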
 
flyguybobCommented:
So, is your internal DNS server also your external DNS server? Frankly, I would advise against that... It is always nice to do a split DNS where the external DNS is external and the internal DNS is internal and uses a forwarder. You may want to consider using your ISP as the primary external NS record.

It's odd that Hotmail checks for this when receiving messages. This is a new one to me.
0
 
KANEWONGAuthor Commented:
I closed the open DNS on my DNS server, but still no luck. When I telnet to mail.hotmail.com, they close the connection.
0
 
flyguybobCommented:
Write back to the NOC folks at hotmail letting them know that you did this.  They may have a 24-hour hold that they can override.
0
 
KANEWONGAuthor Commented:
Hi flyguybob;

Hotmail technical support did the investigation for me and said that it is caused by the email scanning software on my network. Then I turned off the SMTP and POP3 scanning on my anti-virus gateway and tried to send email to Hotmail again without using the SmartHost as a middleman, and it works.

Apparently, Hotmail and some other mail servers check the origin of the sending server, and if the connection is blocked during that check, the connection is rejected.
0
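The outcome of the thread (a connection dropped by SMTP scanning on the anti-virus gateway, not by Hotmail's policy) is exactly what the two SMTPDiag errors in the question distinguish: "Expected 220" means no banner ever arrived, "Expected 250" means the MX answered and then refused the sender. As an added example, not the asker's, Microsoft's or any vendor's code, the Python below walks the same banner, EHLO and MAIL FROM steps and reports the first stage that fails. The fake MX, its hostname `mx.example.test` and the sample sender are constructed so the three outcomes (normal acceptance, sender rejected, connection dropped before the banner) can be tried offline.

```python
"""Reproduce the SMTPDiag handshake checks (220 banner, 250 to EHLO, 250 to
MAIL FROM) against an MX and report the first stage that fails.

A connection dropped before any banner arrives points at something in the
path (firewall, proxy or SMTP-scanning gateway) rather than at the MX's
policy, whereas a 5xx after MAIL FROM is the MX rejecting the sender.
A minimal fake MX runs in a background thread so the probe can be tried
offline in each of those modes.
"""
import smtplib
import socket
import threading
from typing import Dict


def smtp_probe(host: str, port: int, helo_name: str, mail_from: str,
               timeout: float = 10.0) -> Dict[str, object]:
    """Walk banner -> EHLO -> MAIL FROM -> QUIT; stop at the first non-success reply."""
    result: Dict[str, object] = {"stage": "connect", "code": None, "detail": "", "ok": False}
    client = smtplib.SMTP(local_hostname=helo_name, timeout=timeout)
    try:
        code, msg = client.connect(host, port)              # expects 220
        result.update(stage="banner", code=code, detail=msg.decode("ascii", "replace"))
        if code != 220:
            return result
        code, msg = client.ehlo(helo_name)                  # expects 250
        result.update(stage="ehlo", code=code, detail=msg.decode("ascii", "replace"))
        if code != 250:
            return result
        code, msg = client.mail(mail_from)                  # expects 250
        result.update(stage="mail_from", code=code, detail=msg.decode("ascii", "replace"))
        if code != 250:
            return result
        client.quit()
        result["ok"] = True
    except (OSError, smtplib.SMTPException) as exc:
        result["detail"] = f"{type(exc).__name__}: {exc}"  # e.g. connection dropped
    finally:
        client.close()
    return result


def start_fake_mx(mode: str) -> int:
    """Serve one SMTP session on an ephemeral loopback port; returns the port.

    mode: 'accept' (normal), 'reject-sender' (550 at MAIL FROM), or 'drop'
    (close before sending a banner, as a misbehaving scanning gateway would).
    Constructed test double, not a real MX.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve() -> None:
        conn, _ = listener.accept()
        listener.close()
        with conn:
            if mode == "drop":
                return                                       # no banner at all
            conn.sendall(b"220 mx.example.test ESMTP\r\n")
            for raw in conn.makefile("rb"):
                cmd = raw.decode("ascii", "replace").strip().upper()
                if cmd.startswith(("EHLO", "HELO")):
                    conn.sendall(b"250-mx.example.test\r\n250 8BITMIME\r\n")
                elif cmd.startswith("MAIL FROM"):
                    if mode == "reject-sender":
                        conn.sendall(b"550 5.7.1 sender address rejected\r\n")
                    else:
                        conn.sendall(b"250 2.1.0 OK\r\n")
                elif cmd.startswith("QUIT"):
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    return
                else:
                    conn.sendall(b"502 5.5.2 command not implemented\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for mode in ("accept", "reject-sender", "drop"):
        port = start_fake_mx(mode)
        print(mode, smtp_probe("127.0.0.1", port, "ismtp.example.com", "fax@example.com"))
```

Against a real MX, call `smtp_probe(mx_host, 25, your_fqdn, a_real_sender)` once from the sending server on the T1 and once with scanning disabled (or via the smarthost); a "connect" stage with an `SMTPServerDisconnected` detail on the first run and a normal "mail_from" result on the second is the signature of the gateway interference that closed this thread.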
 
flyguybobCommented:
WOW!  That is interesting, to say the least.  I have seen similar issues with Exchange and the Symantec Raptor firewall's proxy util.  After calling Symantec and tweaking, all was good.
0
