habanagold asked:

550 5.7.1 Unable to relay error on Windows 2003 Server

I have looked at the threads and cannot resolve this common problem from those I have read relating to this so I am posting.

I have a Windows 2003 Server running POP3/SMTP mail services (NO EXCHANGE, at least not at the moment). Inbound mail comes into the client fine. Outbound is the problem.

If I do a test on the client by going to Control Panel|Mail|E-mail Accounts|View or change existing e-mail accounts|Change|Test Account Settings, all tests are successful and I receive an e-mail stating so. I guess I assume that if I can run the tests then I am able to send out.

However, if I try to send to other domains, I get the "550 5.7.1 Unable to relay to domain" error. I need help in pinpointing how to solve this.
Amitspeedstar

Follow the article below:

http://support.microsoft.com/kb/262354/en-us

Amit.
habanagold (ASKER)

I don't think this is the problem. I have tried to send to several different addresses and they all deny. My domain was just created a few months ago and this is the first time we have attempted to send mail. Are you saying my domain needs to be put on a white list somewhere before anyone will allow mail to be sent to them from us?
I started getting mail to go out but it seems to one domain at the moment. If I send to other domains I get the same error. At the moment, I can send mail to user@domain1.com but if I send to user@domain2.com or domain3.com, I still get the error with the corresponding domain appended to the end of the error message.
I should add that when the mail did go out to the one domain, it only did so after I removed restrictions on relaying. Thought this might help in the diagnosis. I have since re-instated restrictions to relaying via authentication.
Still looking for some help.
Okay. I have narrowed the problem down to authentication to the e-mail server. If I remove restrictions for relaying on my server, the mail is sent out fine. Of course, I can't leave the server like this but it does show that it is able to send mail.

SO WHAT could the problem be? Where is the authentication breakdown occurring?
More clues. I have granted relay access to my subnet in the Relay Restrictions options and found that I now can send mail out. However, if I change this to my domain, it won't work, nor does it work if I pull the subnet out.

How can this be correct since I may have clients that are not on my subnet that need to send Mail?
Jeffrey Kane - TechSoEasy
Have you checked with your ISP to see if they block port 25?  Often that's the case.

You can test it by using telnet.  http://support.microsoft.com/kb/323350

Jeff
TechSoEasy
Otherwise, please review http://support.microsoft.com/kb/323436

Jeff
TechSoEasy
In order to set it to your domain you need to make sure your DNS is configured correctly and that all internal clients (including the server) use only your DNS server.  No ISP DNS should be on any NIC setting anywhere inside your LAN.  Set this on the Forwarder tab of your DNS server.

Greetings, habanagold!

Looks like you have done some troubleshooting and narrowed it down to authentication. I assume you are using Outlook. Here are some troubleshooting steps to try:

1. Register an important send/receive library file.  Go to Start > Run and type regsvr32 inetcomm.dll

2. Check if antivirus email check is slowing sending and receiving.  Disable it.

3. In the account settings, Advanced settings, change the server timeout time from 1 min to 5 min

4. Check if outgoing mail server authentication is required. Select that option in account settings and use same settings as incoming server

5. Your ISP may be blocking port 25. Try using alternate port 587.

6.  Check with email provider Tech Support to determine if server is having trouble.

7. See this troubleshooter for not sending
http://www.slipstick.com/problems/nosend.htm

Best wishes!
First of all, thanks for all of the responses. Perhaps I didn't post this in the correct area to begin with. I am in the process of migrating my company to Exchange. However, before I do that, I want to make sure that SMTP/POP services are working correctly before this.

I have a test domain that I am working with. Currently I am at home and have just run a telnet session to test SMTP services. Below are the results. I changed my domain name for security reasons. If those of you that responded can chew this over, perhaps we could narrow this down.

It just seems that I can not get the appropriate credentials for relaying. As I mentioned earlier, adding my subnet resolved the problem for clients sending mail from the office. However, attempts outside the office fail with the 550 5.7.1 error.

The other odd thing is that the same client outside the office that cannot send mail, succeeds with the Outlook client test.

220 DHWZT21.MYDOMAIN.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830
ready at  Mon, 10 Jul 2006 21:58:56 -0400
EHLO MYDOMAIN.com
250-DHWZT21.MYDOMAIN.COM Hello [74.133.6.36]
250-TURN
250-SIZE 2097152
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250 OK
mail from:tcpip@MYDOMAIN.COM
250 2.1.0 tcpip@MYDOMAIN.COM ....Sender OK
rcpt to:sisqo@insightbb.com
550 5.7.1 Unable to relay for sisqo@insightbb.com
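
Added example, not part of the original thread and not any participant's code: the EHLO reply posted above lists no AUTH line, and a client can only present credentials when the server advertises the AUTH extension. The Python below parses a pasted session and reports which relay-refusal case applies; `analyze` and `diagnose` are hypothetical helper names.

```python
import re

REPLY = re.compile(r"^(\d{3})[ -](.*)$")  # SMTP reply: 3-digit code, then space or hyphen
# analyze/diagnose are hypothetical helpers; session text is as posted above (banner date dropped).
POSTED = """220 DHWZT21.MYDOMAIN.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830
EHLO MYDOMAIN.com
250-DHWZT21.MYDOMAIN.COM Hello [74.133.6.36]
250-TURN
250-SIZE 2097152
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250 OK
mail from:tcpip@MYDOMAIN.COM
250 2.1.0 tcpip@MYDOMAIN.COM ....Sender OK
rcpt to:sisqo@insightbb.com
550 5.7.1 Unable to relay for sisqo@insightbb.com"""

def analyze(transcript):
    """Collect EHLO extensions, whether the client sent AUTH, and RCPT reply codes."""
    ext, rcpt, sent_auth, cmd, greeting = {}, [], False, "", False
    for line in map(str.strip, transcript.splitlines()):
        m = REPLY.match(line)
        if not m:                                  # not a reply: a client command
            cmd = line.upper()
            sent_auth |= cmd.startswith("AUTH")
            greeting = cmd.startswith(("EHLO", "HELO"))
        elif greeting:                             # first 250 line names the server
            greeting = False
        elif cmd.startswith("EHLO") and m[1] == "250" and m[2]:
            words = re.split(r"[ =]", m[2].upper())  # "AUTH=LOGIN" is a legacy form
            ext.setdefault(words[0], []).extend(words[1:])
        elif cmd.startswith("RCPT"):
            rcpt.append(m[1])
    return {"ext": ext, "sent_auth": sent_auth, "rcpt": rcpt}

def diagnose(transcript):
    a = analyze(transcript)
    if "550" not in a["rcpt"]:
        return "relay accepted"
    if "AUTH" not in a["ext"]:
        return "no AUTH offered: only the IP relay list can grant relay"
    return ("authenticated but still refused: check relay permissions" if a["sent_auth"]
            else "AUTH offered but client did not authenticate")
```
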
Okay, then you are getting this because you haven't enabled relaying even from your own machine.  You have to at least allow it for 127.0.0.1, or any other PRIVATE IP address range within your LAN.  But deny it for anything outside.

See http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/58f05ef9-55a3-42b3-9f57-27fdc8723b8a.mspx?mfr=true for all this info.

Jeff
TechSoEasy
Okay. I think I have not been clear on my last comment. The telnet log was run from my home office to the mail server I am trying to get running. I know that the unable to relay message will appear because of the restrictions I have imposed. This is what I want so that my server will not be abused with relaying spam.

If I run the Telnet session on the network the mail server resides, I can successfully send mail to outside domains.
The only way my test clients can successfully send mail inside my network is if I grant access to my subnet in the Relay Restrictions option for the SMTP service. The box is checked for "Allow all computer which successfully authenticate to relay, regardless of the list above", but my test clients would get the same 550 5.7.1 error if the subnet was left out.

This is where my problem is because it doesn't appear that the authentication is working properly. How will my clients outside of my network be able to use the Mail server? I can't possibly add networks to this list. I thought that is what the "Allow all computer which successfully authenticate to relay, regardless of the list above" box was for.

When testing my Outlook client outside of the network, the test is successful for testing configuration settings as well as receiving mail. However, when I try to send mail out the client receives the 550 5.7.1 error message.

WHY aren't these remote clients able to authenticate to my server???????????????
Do you have Active Directory configured?  Because the "successfully authenticate" requires the client machines to be members of the domain.  As for external clients, you would either configure RPC over HTTPS, use a VPN, or have them use Outlook Web Access.

In your test of Outlook outside the network, were you connected via VPN? or using RPC over HTTPS?

Jeff
TechSoEasy
YES AD. This server is a member server in a Domain. I checked the use of AD authentication when I setup the POP3 Service. I think because I posted this here there may be confusion. This is NOT an Exchange Server. This is Windows 2003 employing the SMTP mail services. Therefore RPC over HTTPS, VPN or Outlook Web Access is irrelevant.

Before I go to Exchange, I want to make sure that the SMTP service is fully functional. Currently our company has SMTP services out sourced to a 3rd party. We want to get away from them because of performance issues.

Clients can connect to their Mail servers from anywhere. It doesn't have to be on their network. Why can't I do the same. I hope I have explained this completely now. Please remove Exchange from your thinking when considering this problem.
Well, I think your method of testing is a bit obtuse... all you need to do is telnet into the server to test.  Please see http://www.petri.co.il/test_smtp_service.htm

Jeff
TechSoEasy
Please see previous posts on Telnet Tests. Inside network - successful. Outside Network fails and it should because open relay is prohibited.

I just removed all restrictions on relaying and was successfully able to use an external client to send out mail. THIS is telling me that there is something wrong in the authentication part for relaying mail. Let's concentrate on this.
Fine, but when you install Exchange you won't configure authentication in the SMTP service.  That gets configured in Exchange.  So I don't understand what you are trying to test for.

Jeff
TechSoEasy
I have moved this post over to the Windows 2003 Server area. I guess I put this in the wrong place and it just doesn't seem I can make it clear on what I am trying to do.

1. We are using POP mail services from a 3rd party. We want to move to Exchange 2003.
2. First step is to move POP mail services in house to ensure that DNS, receive and send work properly before adding on the Exchange overhead.
3. I know Exchange will handle things a little differently but I thought it prudent to make gradual changes before doing a "pull and jerk" switch from our existing environment to a new one and then have something go wrong and have a complex situation to resolve and our company's email out.

If there is a better way to do this then someone let me know.
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy
This solution is only available to members.
I agree with Jeff here.

Configuring your server with POP and SMTP is wasting your time and effort.  As soon as Exchange is installed then everything you have done up to now is gone.

You can configure Exchange to use the POP3 mail source you have now and then move over to your own mail store - this much can be done safely.

I guess I forgot to mention that I do have a lab. My company is small so I brought in my own equipment and created a trust from their production domain to my test domain. My test domain is the domain I have been referring to in all my entries. So, I am not worried about jeopardizing the production domain.

I guess I thought that setting up POP/SMTP mail would be a simple approach to weaning them off of the 3rd party system we have. We have inconsistent performance with our 3rd party and they don't appear to want to make any improvements for us.

Getting to Exchange will be the ultimate goal, but currently, the company has not afforded me with the additional budget to do this. Although I have a legal copy of Exchange, I do not have the backup add-ons I want to ensure a safe environment for disaster recovery. I do not want to have a single Exchange Server running without a budget for a second one for backup.

With that background aside, perhaps you can see why I was moving the way I was. I just want to get them off of the current 3rd party e-mail ASAP and then when the budget is available, I would graduate them to Exchange.

If you are telling me that it is not available to setup Windows 2003 SMTP/POP3 mail for internal and external use then I will quit beating my head against the wall. As I have stated, my clients can send and receive e-mail (in my test domain) when they are on the network. I just have a problem with them sending mail outside the network.

I appreciate your time.
SOLUTION
This solution is only available to members.
My concern with backups is that restoring a single mailbox is somewhat complicated without additional tools isn't it?
No.  Exchange has a built-in Recovery Store that you use to do this.

I think it's important to point out that the Windows 2003 SMTP and POP3 services are really there to support IIS Web Applications, and are not intended to be used as a company's mail service... which is what Exchange is for.  I wouldn't move them off the 3rd party mail service unless it's causing problems.  The Windows SMTP/POP service without Exchange is probably not as good as what they have.  

Also, as for restoring a single mailbox it isn't complicated at all... other than the built-in recovery store, there are also two methods to recover a mailbox.  One is if Cached Exchange mode is used, then a full copy of the mailbox is cached on the user's workstation and that can be migrated from an .ost file to a .pst file by opening Outlook up offline and exporting everything from the .ost file and then importing it back into a .pst file.

The other way is by using EXMerge http://support.microsoft.com/kb/823176.

And I'll second the use of NTBackup... plus Exchange has a Deleted Item Recovery function that will store deleted items for a specified length of time that can be recovered by users themselves.

Jeff
TechSoEasy
I suppose these answers put an end to my question. I don't know why I get the 550 error outside the network but it appears that it is a direction not worth pursuing. I guess it's frustrating to have wasted so much of my time, and this thread, pursuing something that is pointless.

With that said, I will pursue installing Exchange this week and hopefully the 550 error will be non-existent. I will respond when I have completed this.
I took one last glance over this whole thread and the only thing we didn't discuss that I can think would have an effect on any of this is the firewalls you have in place.  

What hardware or software firewalls are there both on the source and target networks?

Jeff
TechSoEasy
I have NetGEAR Firewalls in place and rules setup to allow ports 110 and 25 open. They forward into the mail server running at a NAT address of 192.168.1.3. I have just about given this exercise up. It all works except that external clients can't send mail. They are refused every time.

I really thought this was a couple of hours work but this has been a wasted effort to even try it. I just can't believe no one has ever tried to do this and not run into the same problems and resolved it.
I'm sure someone has tried to do this, but it wouldn't really be for the reasons you are.  As I mentioned earlier, the Windows SMTP service on its own would normally be used to support IIS, and in that case remote relay authentication would be handled by some kind of ASP script.

I wouldn't think it was a wasted effort unless you haven't learned ANYTHING from the exercise... I generally find that even if my efforts do not result in the expected outcome, I still have accomplished something by just making the attempt.

Good luck with your Exchange install when you get to that!

Jeff
TechSoEasy
All I can tell you now is that the server has been working fine since my last comment. Internal clients have no problem sending mail. However, it is the external aspect that doesn't seem to work. Somehow the credentials sent to the server from clients on an external network are not being parsed properly or what. As it has been mentioned, once I move to Exchange, I suppose this won't be an issue. It just bugs me that I can't find out why external clients can not send mail through the server.
Because Windows SMTP Service is not a MAIL SERVER.  It's a service to send and receive email messages for the server itself.  It does not have any way to authenticate external clients.

Jeff
TechSoEasy