Solved

Exchange not sending out emails

Posted on 2006-07-24
9
479 Views
Last Modified: 2008-02-01
Some e-mails are going out and some randomly are not. These are the return errors I'm getting from Exchange to the person. This seems to be happening all over the place with different people's emails. Any ideas of what is going on?


XXXxxx@email.com on 7/23/2006 8:04 AM
            The recipient was unavailable to take delivery of the message
      The MTS-ID of the original message is: c=US;a= ;p=SELHSDOMAIN;l=SELHSSERVER-060721120322Z-48
            MSEXCH:IMS:SELHSDOMAIN:SELHSSERVER:SELHSSERVER 3499 (000B09AA) Host unreachable

      John Doe (chairman) on 7/23/2006 8:02 AM
            The recipient was unavailable to take delivery of the message
      The MTS-ID of the original message is: c=US;a= ;p=SELHSDOMAIN;l=SELHSSERVER-060721120150Z-47
            MSEXCH:IMS:SELHSDOMAIN:SELHSSERVER:SELHSSERVER 3499 (000B09AA) Host unreachable


On the server end I'm getting this:
Event ID 3010
Source:MSExchangeIMC
Type:Warning
Category: SMTP Interface Events
Computer: SELHSSERVER

An attempt to connect to host XXXxxx.email.com failed.


0
Question by:selhs
9 Comments
 
LVL 4

Expert Comment

by:jasonduncan76
ID: 17170188
Do you have a firewall or webshield?

Check the logs on those for problems on port 25.

Check for viruses of course,

Reboot!
0
 
LVL 22

Expert Comment

by:cj_1969
ID: 17170667
Check your DNS server ... a connection to host failing could simply be that the Exchange server could not resolve the IP address to make the connection.

To test, pick one of the destinations and go to a command prompt and run nslookup on it.
Check your DNS settings on the server.  If you have more than one server defined then run the server <alternate DNS server IP> and check the domain again.  Since you are getting intermittent responses this implies that it is not a firewall or "physical" blocking of the connection but that it is specific to the destinations that are having the problem ... again, the most likely candidate for this is bad DNS entries.
0
 
LVL 17

Expert Comment

by:upul007
ID: 17173651
Hi,

Your email server may be listed in any number of RBLs. Thus those who use RBL checking would not accept connections from your server. Also possible if SPF records are not in place and if reverse DNS is not set up either.

Visit www.dnsreport.com and run a DNS Report on your domain. For how to set up SPF, visit www.openspf.org. Any errors with regard to your domain would appear in red and will require your urgent attention.

To see if you are listed in any RBLs, visit www.dnsstuff.com and use the SPAM Database Lookup. If you are listed, it would show up, but if it is a black list maintained by the receiving side, it would not show up.

Let us know how it works out for you.

Upul
0
 

Author Comment

by:selhs
ID: 17175496
Category Status Test Name Information
Parent PASS Missing Direct Parent check OK. Your direct parent zone exists, which is good. Some domains (usually third or fourth level domains, such as example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion.
INFO NS records at parent servers Your NS records at the parent servers are:

dns2.dejazzd.com. [66.109.229.6 (NO GLUE)] [US]
dns1.dejazzd.com. [66.109.229.5 (NO GLUE)] [US]

[These were obtained from tld6.ultradns.co.uk]
PASS Parent nameservers have your nameservers listed OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there.

WARN Glue at parent nameservers WARNING. The parent servers (I checked with tld6.ultradns.co.uk.) are not providing glue for all your nameservers. This means that they are supplying the NS records (host.example.com), but not supplying the A records (192.0.2.53), which can cause slightly slower connections, and may cause incompatibilities with some non-RFC-compliant programs. This is perfectly acceptable behavior per the RFCs. This will usually occur if your DNS servers are not in the same TLD as your domain (for example, a DNS server of "ns1.example.org" for the domain "example.com"). In this case, you can speed up the connections slightly by having NS records that are in the same TLD as your domain.

PASS DNS servers have A records OK. All your DNS servers either have A records at the zone parent servers, or do not need them (if the DNS servers are on other TLDs). A records are required for your hostnames to ensure that other DNS servers can reach your DNS servers. Note that there will be problems if your DNS servers do not have these same A records.

NS INFO NS records at your nameservers Your NS records at your nameservers are:

dns2.dejazzd.com. [66.109.229.6] [TTL=10800]
dns1.dejazzd.com. [66.109.229.5] [TTL=10800]

 
FAIL Open DNS servers ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
Server 66.109.229.6 reports that it will do recursive lookups. [test]
Server 66.109.229.5 reports that it will do recursive lookups. [test]


See this page for info on closing open DNS servers.
 
PASS Mismatched glue OK. The DNS report did not detect any discrepancies between the glue provided by the parent servers and that provided by your authoritative DNS servers.

PASS No NS A records at nameservers OK. Your nameservers do include corresponding A records when asked for your NS records. This ensures that your DNS servers know the A records corresponding to all your NS records.

PASS All nameservers report identical NS records OK. The NS records at all your nameservers are identical.  

PASS All nameservers respond OK. All of your nameservers listed at the parent nameservers responded.

PASS Nameserver name validity OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names).

PASS Number of nameservers OK. You have 2 nameservers. You must have at least 2 nameservers (RFC2182 section 5 recommends at least 3 nameservers), and preferably no more than 7.

PASS Lame nameservers OK. All the nameservers listed at the parent servers answer authoritatively for your domain.

PASS Missing (stealth) nameservers OK. All 2 of your nameservers (as reported by your nameservers) are also listed at the parent servers.

PASS Missing nameservers 2 OK. All of the nameservers listed at the parent nameservers are also listed as NS records at your nameservers.  

PASS No CNAMEs for domain OK. There are no CNAMEs for selhs.org. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.

PASS No NSs with CNAMEs OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.

WARN Nameservers on separate class C's WARNING: We cannot test to see if your nameservers are all on the same Class C (technically, /24) range, because the root servers are not sending glue. We plan to add such a test later, but today you will have to manually check to make sure that they are on separate Class C ranges. Your nameservers should be at geographically dispersed locations. You should not have all of your nameservers at the same location. RFC2182 3.1 goes into more detail about secondary nameserver location.
PASS All NS IPs public OK. All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays.

PASS TCP Allowed OK. All your DNS servers allow TCP connections. Although rarely used, TCP connections are occasionally used instead of UDP connections. When firewalls block the TCP DNS connections, it can cause hard-to-diagnose problems.
INFO Nameservers versions Your nameservers have the following versions:

66.109.229.6: "none"
66.109.229.5: "none"
 
PASS Stealth NS record leakage Your DNS servers do not leak any stealth NS records (if any) in non-NS requests.
SOA INFO SOA record Your SOA record [TTL=10800] is:
Primary nameserver: dns1.dejazzd.com.
Hostmaster E-mail address: dnsadmin.dejazzd.com.
Serial #: 2004101301
Refresh: 10800
Retry: 600
Expire: 259200
Default TTL: 10800
 
PASS NS agreement on SOA serial # OK. All your nameservers agree that your SOA serial number is 2004101301. That means that all your nameservers are using the same data (unless you have different sets of data with the same serial number, which would be very bad)! Note that the DNS Report only checks the NS records listed at the parent servers (not any stealth servers).
 
PASS SOA MNAME Check OK. Your SOA (Start of Authority) record states that your master (primary) name server is: dns1.dejazzd.com.. That server is listed at the parent servers, which is correct.
 
PASS SOA RNAME Check OK. Your SOA (Start of Authority) record states that your DNS contact E-mail address is: dnsadmin@dejazzd.com. (techie note: we have changed the initial '.' to an '@' for display purposes).  

PASS SOA Serial Number OK. Your SOA serial number is: 2004101301. This appears to be in the recommended format of YYYYMMDDnn, where 'nn' is the revision. So this indicates that your DNS was last updated on 13 Oct 2004 (and was revision #1). This number must be incremented every time you make a DNS change.

PASS SOA REFRESH value OK. Your SOA REFRESH interval is : 10800 seconds. This seems normal (about 3600-7200 seconds is good if not using DNS NOTIFY; RFC1912 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours)). This value determines how often secondary/slave nameservers check with the master for updates.

PASS SOA RETRY value OK. Your SOA RETRY interval is : 600 seconds. This seems normal (about 120-7200 seconds is good). The retry value is the amount of time your secondary/slave nameservers will wait to contact the master nameserver again if the last attempt failed.

WARN SOA EXPIRE value WARNING: Your SOA EXPIRE time is : 259200 seconds. This seems a bit low. You should consider increasing this value to about 1209600 to 2419200 seconds (2 to 4 weeks). RFC1912 suggests 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.

PASS SOA MINIMUM TTL value OK. Your SOA MINIMUM TTL is: 10800 seconds. This seems normal (about 3,600 to 86400 seconds or 1-24 hours is good). RFC2308 suggests a value of 1-3 hours. This value used to determine the default (technically, minimum) TTL (time-to-live) for DNS entries, but now is used for negative caching.
MX INFO MX Record Your 1 MX record is:
10 mx.selhs.org. [TTL=10800] IP=66.109.229.62 [TTL=10800] [US]
 
PASS Low port test OK. Our local DNS server that uses a low port number can get your MX record. Some DNS servers are behind firewalls that block low port numbers. This does not guarantee that your DNS server does not block low ports, but is a good indication that it does not.

PASS Invalid characters OK. All of your MX records appear to use valid hostnames, without any invalid characters.

PASS All MX IPs public OK. All of your MX records appear to use public IPs. If there were any private IPs, they would not be reachable, causing slight mail delays, extra resource usage, and possibly bounced mail.

PASS MX records are not CNAMEs OK. Looking up your MX record did not just return a CNAME. If an MX record query returns a CNAME, extra processing is required, and some mail servers may not be able to handle it.

PASS MX A lookups have no CNAMEs OK. There appear to be no CNAMEs returned for A records lookups from your MX records (CNAMEs are prohibited in MX records, according to RFC974, RFC1034 3.6.2, RFC1912 2.4, and RFC2181 10.3).

PASS MX is host name, not IP OK. All of your MX records are host names (as opposed to IP addresses, which are not allowed in MX records).
INFO Multiple MX records NOTE: You only have 1 MX record. If your primary mail server is down or unreachable, there is a chance that mail may have troubles reaching you. In the past, mailservers would usually re-try E-mail for up to 48 hours. But many now only re-try for a couple of hours. If your primary mailserver is very reliable (or can be fixed quickly if it goes down), having just one mailserver may be acceptable.

PASS Differing MX-A records OK. I did not detect differing IPs for your MX records (this would happen if your DNS servers return different IPs than the DNS servers that are authoritative for the hostname in your MX records).

PASS Duplicate MX records OK. You do not have any duplicate MX records (pointing to the same IP). Although technically valid, duplicate MX records can cause a lot of confusion, and waste resources.

FAIL Reverse DNS entries for MX records ERROR: The IP of one or more of your mail server(s) have no reverse DNS (PTR) entries (if you see "Timeout" below, it may mean that your DNS servers did not respond fast enough). RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. You can double-check using the 'Reverse DNS Lookup' tool at the DNSstuff site (it contacts your servers in real time; the reverse DNS lookups in the DNS report use our local caching DNS server). The problem MX records are:
62.229.109.66.in-addr.arpa [No reverse DNS entry; 'Server Failure' (check it)]
 
Mail PASS Connect to mail servers OK: I was able to connect to all of your mailservers.
WARN Mail server host name in greeting WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record.

mx.selhs.org claims to be host smtp.dejazzd.com [but that host is at 66.109.229.65 (may be cached), not 66.109.229.62].
 
PASS Acceptance of NULL <> sender OK: All of your mailservers accept mail from "<>". You are required (RFC1123 5.2.9) to receive this type of mail (which includes reject/bounce messages and return receipts).
FAIL Acceptance of postmaster address ERROR: One or more of your mailservers does not accept mail to postmaster@selhs.org. Mailservers are required (RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1) to accept mail to postmaster.
mx.selhs.org's postmaster response:
    >>> RCPT TO:<postmaster@selhs.org>
    <<< 550 Invalid recipient: <postmaster@selhs.org>
WARN Acceptance of abuse address WARNING: One or more of your mailservers does not accept mail to abuse@selhs.org. Mailservers are expected by RFC2142 to accept mail to abuse.

mx.selhs.org's abuse response:
    >>> RCPT TO:<abuse@selhs.org>
    <<< 550 Invalid recipient: <abuse@selhs.org>

 
INFO Acceptance of domain literals WARNING: One or more of your mailservers does not accept mail in the domain literal format (user@[0.0.0.0]). Mailservers are technically required RFC1123 5.2.17 to accept mail to domain literals for any of its IP addresses. Not accepting domain literals can make it more difficult to test your mailserver, and can prevent you from receiving E-mail from people reporting problems with your mailserver. However, it is unlikely that any problems will occur if the domain literals are not accepted (mailservers at many common large domains have this problem).

mx.selhs.org's postmaster@[66.109.229.62] response:
    >>> RCPT TO:<postmaster@[66.109.229.62]>
    <<< 550 relaying mail to mx.dhhslancaster.org is not allowed

 
PASS Open relay test OK: All of your mailservers appear to be closed to relaying. This is not a thorough check, you can get a thorough one here.
mx.selhs.org OK: 550 relaying mail to DNSreport.com is not allowed
 
WARN SPF record Your domain does not have an SPF record. This means that spammers can easily send out E-mail that looks like it came from your domain, which can make your domain look bad (if the recipient thinks you really sent it), and can cost you money (when people complain to you, rather than the spammer). You may want to add an SPF record ASAP, as 01 Oct 2004 was the target date for domains to have SPF records in place (Hotmail, for example, started checking SPF records on 01 Oct 2004).  
WWW
 INFO WWW Record Your www.selhs.org A record is:

www.selhs.org.  A  66.109.229.34 [TTL=10800] [US]

 
PASS All WWW IPs public OK. All of your WWW IPs appear to be public IPs. If there were any private IPs, they would not be reachable, causing problems reaching your web site.
PASS CNAME Lookup OK. Some domains have a CNAME record for their WWW server that requires an extra DNS lookup, which slightly delays the initial access to the website and use extra bandwidth. There are no CNAMEs for www.selhs.org, which is good.

This was the DNS report
0

 
LVL 17

Expert Comment

by:upul007
ID: 17182010
FAIL Reverse DNS entries for MX records ERROR: The IP of one or more of your mail server(s) have no reverse DNS (PTR) entries (if you see "Timeout" below, it may mean that your DNS servers did not respond fast enough). RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. You can double-check using the 'Reverse DNS Lookup' tool at the DNSstuff site (it contacts your servers in real time; the reverse DNS lookups in the DNS report use our local caching DNS server). The problem MX records are:
62.229.109.66.in-addr.arpa [No reverse DNS entry; 'Server Failure' (check it)]


Please add the reverse DNS records. I would recommend that you do so with your ISP with a comprehensive DNS hosting package rather than hosting your own records. The issue is that certain servers are set to reject emails from domains without reverse DNS set up.
0
 
LVL 17

Expert Comment

by:upul007
ID: 17182022
As per this:
INFO Acceptance of domain literals WARNING: One or more of your mailservers does not accept mail in the domain literal format (user@[0.0.0.0]). Mailservers are technically required RFC1123 5.2.17 to accept mail to domain literals for any of its IP addresses. Not accepting domain literals can make it more difficult to test your mailserver, and can prevent you from receiving E-mail from people reporting problems with your mailserver. However, it is unlikely that any problems will occur if the domain literals are not accepted (mailservers at many common large domains have this problem).

mx.selhs.org's postmaster@[66.109.229.62] response:
    >>> RCPT TO:<postmaster@[66.109.229.62]>
    <<< 550 relaying mail to mx.mindtrustengineering.com is not allowed
 
If your domain is selhs.org, why the heck is it resolving to mindtrustengineering.com as above? Do you have routing between domains in place?
0
 
LVL 17

Expert Comment

by:upul007
ID: 17182059
Contact your ISP. Get the highest level of support that is available. Ask them to run the DNSreport on your domain. It will display the errors like No RDNS/ no postmaster address/ no abuse address/No SPF records/MX resolving to different company etc.

Get them to fix it ASAP. Oh yeah, you had not taken enough steps to cover or alter your info on the DNSREPORT. Please remember in future to alter with names like "MYDOMAIN.COM" or for IPs "1.1.1.1" so that you are safe.

I referred to your whois records and those are not properly concealing your email addresses either. Take a note to get your ISP to hide those or alter those later on.

Good luck.

Upul
0
 

Author Comment

by:selhs
ID: 17202041
Our email is not housed in house. We go through our ISP who houses the email; our NT server then draws off their POP server to get it. When we send email, our NT pushes it out through DEJazzd.com which is the IP being displayed. We haven't ever had a problem before until last week. Do you think it's the ISP mail servers or our NT box that would be causing this problem?
0
 
LVL 17

Accepted Solution

by:
upul007 earned 500 total points
ID: 17206273
Your email server will only be relaying the emails to and from your domain. The setup at the ISP side seems to be wonky since it is their RDNS/MX records that are at fault with regard to your domain.

Contact the ISP ASAP and ask them to check on all your DNS records. Get them to add
1. Reverse DNS entry
2. SPF entry
 and verify
3. That all your records are accurate.

For your info, as of now:

> set q=ptr
> selhs.org
Server:  localhost
Address:  127.0.0.1

selhs.org
        primary name server = dns1.dejazzd.com
        responsible mail addr = dnsadmin.dejazzd.com
        serial  = 2004101301
        refresh = 10800 (3 hours)
        retry   = 600 (10 mins)
        expire  = 259200 (3 days)
        default TTL = 10800 (3 hours)
> set q=any
> selhs.org
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
selhs.org       MX preference = 10, mail exchanger = mx.selhs.org
selhs.org       internet address = 66.109.229.34
selhs.org       nameserver = dns2.dejazzd.com
selhs.org       nameserver = dns1.dejazzd.com

selhs.org       nameserver = dns1.dejazzd.com
selhs.org       nameserver = dns2.dejazzd.com
mx.selhs.org    internet address = 66.109.229.62
dns1.dejazzd.com        internet address = 66.109.229.5
dns2.dejazzd.com        internet address = 66.109.229.6
0
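
The items this answer asks the ISP to add or verify (reverse DNS, SPF), plus the greeting mismatch flagged in the DNS report, can be re-checked with a short script once the ISP reports them fixed. This is an added example, not part of the original thread: the zone data is constructed from the values quoted above, and the greeting lines, the PTR target and the `v=spf1 mx -all` policy in the corrected zone are assumptions.

```python
import ipaddress

# Constructed zone data mirroring the values quoted in this thread (not live DNS).
SAMPLE_ZONE = {
    ("mx.selhs.org", "A"): ["66.109.229.62"],
    ("smtp.dejazzd.com", "A"): ["66.109.229.65"],
    # No PTR for 62.229.109.66.in-addr.arpa and no SPF TXT record for selhs.org.
}
# Same zone after the requested fixes; the PTR target and SPF policy are assumptions.
FIXED_ZONE = dict(SAMPLE_ZONE)
FIXED_ZONE.update({
    ("62.229.109.66.in-addr.arpa", "PTR"): ["mx.selhs.org."],
    ("selhs.org", "TXT"): ["v=spf1 mx -all"],
})

def make_resolver(zone):
    """Return lookup(name, rtype) -> list of strings; [] means no such record."""
    def lookup(name, rtype):
        return list(zone.get((name.rstrip(".").lower(), rtype), []))
    return lookup

def ptr_name(ip):
    """Name queried for reverse DNS, e.g. 62.229.109.66.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def check_fcrdns(ip, lookup):
    """Forward-confirmed reverse DNS: a PTR exists and its A record maps back."""
    hosts = lookup(ptr_name(ip), "PTR")
    if not hosts:
        return "FAIL", f"no PTR at {ptr_name(ip)}"
    for host in hosts:
        if ip in lookup(host, "A"):
            return "PASS", f"{ip} -> {host} -> {ip}"
    return "FAIL", f"PTR {hosts} does not resolve back to {ip}"

def check_greeting(banner, ip, lookup):
    """The host named in the SMTP 220 greeting should have an A record for ip."""
    words = banner[4:].split()
    if not banner.startswith("220") or banner[3:4] not in (" ", "-") or not words:
        return "FAIL", "not a well-formed 220 greeting"
    host = words[0]
    if ip in lookup(host, "A"):
        return "PASS", f"{host} resolves to {ip}"
    return "WARN", f"greets as {host}, which resolves to {lookup(host, 'A')}, not {ip}"

def check_spf(domain, lookup):
    """A domain should publish exactly one TXT record whose first term is v=spf1."""
    spf = [t for t in lookup(domain, "TXT") if t.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return "WARN", "no SPF record"
    if len(spf) > 1:
        return "FAIL", "multiple SPF records"
    return "PASS", spf[0]

def audit(domain, mx_host, banner, lookup):
    """Run every check for each address the MX host resolves to."""
    results = {"spf": check_spf(domain, lookup)}
    for ip in lookup(mx_host, "A"):
        results[f"rdns {ip}"] = check_fcrdns(ip, lookup)
        results[f"greeting {ip}"] = check_greeting(banner, ip, lookup)
    return results

if __name__ == "__main__":
    # Constructed greeting lines; the thread only reports which host name was sent.
    before = audit("selhs.org", "mx.selhs.org", "220 smtp.dejazzd.com ESMTP",
                   make_resolver(SAMPLE_ZONE))
    after = audit("selhs.org", "mx.selhs.org", "220 mx.selhs.org ESMTP",
                  make_resolver(FIXED_ZONE))
    for label, report in (("before", before), ("after", after)):
        for name, (status, detail) in report.items():
            print(label, status, name, detail)
```

To run the same checks against live DNS, replace `make_resolver` with a function of the same `lookup(name, rtype)` shape backed by a real resolver.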
