spectragases
Using nslookup to troubleshoot an email problem.

Hello-

The company I work for started to upgrade from Exchange 5.5 to Exchange Server 2003.  I was not part of the upgrade process and the person who started the process is no longer employed here.  I'm an Exchange novice and I have been trying to address a few problems that have come up recently.  One of them is Event ID: 3018.  I'm not sure if it has something to do with open relay.  
In the Event ID 3018 message it mentions using nslookup to troubleshoot the problem.  I'm not clear on how to use nslookup to troubleshoot the problem and MS kbid 200525 on using nslookup isn't very clear to me.  Could someone shed a little light on using nslookup to troubleshoot my problem?

Thanks,

James
rakeshmiglani

What is the problem that you are facing?
LeeDerbyshire
nslookup is a command-line utility found in Win2000 and higher (I don't think it was in NT4).  You start it from a CMD prompt; so first, open a command prompt box from your start menu, and type in the word nslookup.  It has a good help system that you can access by entering a question mark (?), and you terminate by typing exit.  It is generally used to troubleshoot DNS issues, but when you are interested specifically in email delivery, you confine its display to MX records.  A typical session consists of just two lines (ignoring the nslookup and exit lines):

nslookup
set type=mx
yourdomain.com
exit
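The MX session above can be checked the same way non-interactively. The following is an added example (not from the original thread or from any poster) that parses the output of a Windows-style nslookup MX query, sorts the mail exchangers in the order a sending server tries them, and recognises the "can't find ...: Non-existent domain" failure that lies behind a 5.4.0 "authoritative host not found" NDR. The domain names, addresses and server name in the sample output are constructed.

```python
import re
import subprocess

# Constructed sample of a "nslookup / set type=mx / example.com" session
# (not captured from any real server).
SAMPLE_OK = """Server:  dns1.example.com
Address:  10.0.0.2

Non-authoritative answer:
example.com     MX preference = 20, mail exchanger = mail2.example.com
example.com     MX preference = 10, mail exchanger = mail.example.com

mail.example.com        internet address = 192.0.2.25
"""

# Constructed sample of the failure case: the recipient domain does not resolve.
SAMPLE_FAIL = """Server:  dns1.example.com
Address:  10.0.0.2

*** dns1.example.com can't find nosuchdomain.invalid: Non-existent domain
"""

MX_LINE = re.compile(r"MX preference = (\d+),\s*mail exchanger = (\S+)")
# Windows prints "***", Unix nslookup prints "**" before the error text.
ERR_LINE = re.compile(r"^\*{2,}.*can't find (\S+): (.+)$", re.MULTILINE)


def parse_mx(output):
    """Return (mx_list, error). mx_list is [(preference, host)] with the
    lowest preference first (the host a sender tries first); error is None
    on success or the nslookup failure text."""
    m = ERR_LINE.search(output)
    if m:
        return [], f"{m.group(1)}: {m.group(2)}"
    records = [(int(p), h.rstrip(".")) for p, h in MX_LINE.findall(output)]
    if not records:
        return [], "no MX records in output (domain may only have an A record)"
    return sorted(records), None


def lookup_mx(domain, server=None):
    """Run the same query non-interactively: nslookup -type=mx <domain> [server]."""
    cmd = ["nslookup", "-type=mx", domain] + ([server] if server else [])
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return parse_mx(out)


if __name__ == "__main__":
    import sys
    mx, err = lookup_mx(sys.argv[1]) if len(sys.argv) > 1 else parse_mx(SAMPLE_OK)
    print(err or "\n".join(f"{p:>4} {h}" for p, h in mx))
```

Run it with a domain argument to query the DNS server the Exchange box actually uses; an error result for a domain that should exist points at the DNS configuration rather than at a mistyped address.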

Check this for event id 3018:

As per Microsoft: "This event is logged when a non-delivery report is generated because of a problem with DNS or an IP address. The numeric code is generally 5.4.0. This indicates that an 'Authoritative Host was not found'."

This usually indicates the recipient's DNS address couldn't be resolved; maybe the sender mistyped the address. Try nslookup on the domain part of “user@domain”. It's also possible a literal IP address was used, and the IP address was invalid.

To solve the outbound DNS issue please do the following:

-Click Start->RUN->CMD
-Type nslookup
-press enter
-type-> www.google.com
-press enter.

check if you get the IPs of Google,

if yes

then you must check the DNSs configured in your SMTP protocol

-Open Exchange System manager
-go to: Servers->Your Server->Protocols->SMTP
-Right Click on Default SMTP Virtual Server (or whatever you name it)
-Properties
-Delivery->Advanced->Configure

Make sure the list is EMPTY

if no

Check the DNS which your server is using in the local area connection; it must be a valid DNS IP address and routable.

Please note that if you are using a proxy, browsing the Internet doesn't mean that you have a valid DNS IP configured.

Thank you.
Rather than trying to work around the suggested solutions, it would be better to look at the problem. We can probably tell you how to fix the issue rather than trying to work with the solution suggested elsewhere.

If you are getting error messages about non-delivery reports, then these are normal. Users will make mistakes.
If you are getting LOTS of error messages about non-delivery reports then that could indicate a problem.

Simon.
spectragases

ASKER

OK, msghaleb.  You've explained it so that someone with little Exchange troubleshooting experience (like myself;) could understand quickly.  I was able to use nslookup as per your instructions.  Then I opened system manager and the field external DNS field was blank.

I left out the fact that this server is running GFI MailEssentials for Exchange/SMTP v11...not sure if that will help.

How do I check to see if a server is being used as an open relay?

I saw some messages suggesting to check my route and topology and to use WinRoute to ensure routes are properly replicated between servers and routing groups.  I ran WinRoute on the server and not sure how to interpret it...I know, I'm a mess!  Just picked up a MS Exchange Server 2003 reference over the weekend.  Can you explain WinRoute like you did nslookup?

Here is what you want, but I would be really thankful if you can explain your problem to me in detail.

1st of all how to check if your server has open relay?

-Open Exchange System manager
-go to: Servers->Your Server->Protocols->SMTP
-Right Click on Default SMTP Virtual Server (or whatever you name it)
-Properties
-Click on the Access tab
-Click Relay

make sure that "only the list below" is selected
the list is empty
"Allow all computers that successfully authenticate to relay..." is selected.

2nd to check routing

-Click Start->Run->CMD
-Type in: tracert www.google.com
-Press Enter.

You should get something like the following: (you are ok in this case)

Tracing route to www.l.google.com [72.14.203.104]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.26.27.1
  2    <1 ms    <1 ms    <1 ms  10.24.252.211
  3    <1 ms     1 ms     1 ms  62.6.89.141
  4     8 ms     8 ms     8 ms  62.239.56.1
  5     8 ms     7 ms     7 ms  10.24.5.145

IF you didn't get similar results, and you for example get something like the following:

Unable to resolve target system name www.google.com

Then you have 100% DNS problem.

Please make sure that your File System Antivirus is not securing port 25 or 110, e.g. if you have Symantec Corp. 9 or later disable the internet mail security on the Exchange server.

Thank you.
My original problem was that some users were complaining of NDRs.  Here is one of the users' NDRs that was forwarded to me.  This happened to be one of the owners of the company so I was a little pressured..sorry for the lack of a better description.

From:       System Administrator  
Sent:      Saturday, June 24, 2006 9:48 PM
To:      'Ron Rattray'
Subject:      Undeliverable: Neriki Valve Purchasing

Your message did not reach some or all of the intended recipients.

      Subject:      Neriki Valve Purchasing
      Sent:      6/22/2006 9:52 AM

The following recipient(s) could not be reached:

      'Ron Rattray' on 6/24/2006 9:48 PM
            Could not deliver the message in the time limit specified.  Please retry or contact your administrator.
            <sgibb2k3mail1.spectra-gases.com #4.4.7>

Anyway, I ran a virus scan of the server from a Symantec AV console yesterday and it came back with w32.beagle@mm!zip, trojan.tooso.R, and w32.netsky.D@mm!enc.  I deleted the viruses and have not had any complaints since.
I'm not sure if that resolved the problem yet but I will keep you posted.
One more thing.  I did follow your instructions to check to see if the server was setup to relay and it was not.  Is there a site that I can check to see if I have been black listed as an open relay server?
There is no specific web site which will tell you if you are black listed or not, as these are all separate organizations and it depends on which one of them you are black listed with.

Example:
I'm an employee at xyz.com and you send me e-mail, and my company is using ORDB for preventing e-mails from black listed domains (or companies), so if you are black listed at ORDB I won't see your mail, and if not I will receive it, even if you are black listed in other organizations.

The solution is, use your mail normally, and if you are black listed anywhere, you will get an NDR which states that you are black listed at Organization (e.g. ORDB), please close your relay and inform us.

What you have to do is take the organization name and go to their website, check your mail server, and if you find yourself black listed, just send them an e-mail informing them that you closed your relay; they will check your server and then remove you from their list.


I highly recommend for you some things:

1 - Disable or Remove the Internet Mail option in Symantec Corp. from your Exchange server.
2 - Use Symantec Mail Security for Exchange to secure your Exchange server.
3 - Make sure that the Symantec Corp. is not scanning the Exchange folders, please follow this link:
http://service1.symantec.com/SUPPORT/ent-security.nsf/pfdocs/2000110108382448?OpenDocument&ExpandSection=2%2C1%2C5%2C3#_Section2

More Information:

When you have a virus on your file system, Symantec Corp will remove it, but if you have a virus in an attachment in a mail message, Symantec Corp will delete the Exchange log file which contains the virus, and Exchange will not start because of a missing log file; that's why Symantec Corp. should not scan your Exchange files, and Symantec Mail Security should be used instead.

ORDB is one of the open relay organizations, www.ordb.org.
ASKER CERTIFIED SOLUTION
msghaleb