Solved

Exchange - Telnet Question

Posted on 2006-11-27
10
530 Views
Last Modified: 2012-08-13
******************************************************************
****************I really need immediate help on this issue********************
******************************************************************

My users have been unable to send to a certain domain for the past 3 months and it has become a huge problem. Here are the particulars... We run Exchange 2000 Server and have XP clients. If we email the company we recieve a non deliverable. We can receive but no send. All the mail sits in the queue and eventually times out and shoots us the error.

I have verified that we are not blacklisted etc: (I have done a variety of tests with thier tech support). This is what I have found. If I telnet servername.com 25 the connection fails on both the server and the client. When I telnet servername.com 25 with the ISA Firewall Client off on the XP clients it works fine. I guess my issue issue is a little murky because we have never had a problem sending  to this domain in the past. How can I get this fixed so that I can telnet from my exchange server properly....  

A weird situation in my estimation does anyone have any suggestions, Thanks?
0
Comment
Question by:zyanj
  • 3
  • 2
  • 2
  • +3
10 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 18019519
>>If I telnet servername.com 25 the connection fails on both the server and the client

What antivirus software? McAfee famously blocks this....

If McAfee is installed (on the client and server!)

1.      Right Click the McAfee Shield in the task bar
2.      Select Virus Scan console
3.      Double Click Access Protection (usually at the top)
4.      On the Port Blocking Tab ensure "Prevent Mass Mailing worms from sending Mail" is NOT ticked
0
 
LVL 26

Expert Comment

by:jar3817
ID: 18019548
What do the NDR's say? Usually they include some kind of clue as to why the connection failed or the mail was rejected. Do you have this problem sending to any other domains? It sounds like you're tripping some spam filter and the connection is rejected. You may not be listed on some public blacklists, but they might be running an internal private blacklist. Have you called the IT department at this company to see what if anything is going on at their end? They can look in their logs and should be able to tell you exactly why your connection is being rejected.

There are a couple things you should check to make sure your exchange server is setup properly:

1. Make sure you have reverse dns (and corrisponding forward dns) on the ip address that exchange uses for sending email. If your whole networks is NATed behind 1 IP, make sure that ip has PTR and A records

2. Make sure your server is announcing itself as a valid hostname (the same as your PTR record) rather than an internal AD domain name or just a hostname.
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 18019577
also heres a handy test tool from M$

Testing Mail with SMTPDiag

First download SMTPDiag
http://www.microsoft.com/downloads/details.aspx?familyid=BC1881C7-925D-4A29-BD42-71E8563C80A9&displaylang=en

Save it on your desktop and run it > It will want to extract some fires > Put them in
C:\windows\system32

Click Start > Run > cmd {enter}
At command line use the following commands

Smtpdiag <senders email address> <recipients email address>

References
Using SMTPDIAG to Diagnose Exchange 2003 Related SMTP and DNS Problems
http://www.msexchange.org/tutorials/SMTPDIAGdiagnose-Exchange-2003-SMTP-DNS.html
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 18019734
Aside from the above are you actually talking to their mail server when you telnet to domain.com, i.e.

nslookup
set type=mx
domain.com
exit

and check the name returned for their mail servers.  It could be they have changed their mail exchangers and for some reason you have a HOSTS table entry at the server for them or something?

Steve
0
 

Author Comment

by:zyanj
ID: 18020386
Ok...

1. We are using Symantec Corp Edition



2. The NDR is as follows...

Your message did not reach some or all of the intended recipients.

      Subject:      test
      Sent:      11/18/2006 11:11 AM

The following recipient(s) could not be reached:

      name@theircompany.com on 11/18/2006 11:43 AM
            Could not deliver the message in the time limit specified.  Please retry or contact your administrator.
            <mail.mycompany.com #4.4.7>


3. I do not have this problem with any other domains.

I will continue to read the rest of the info provided
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:zyanj
ID: 18021136
This is the result of the SMTPDIAG

Everything passed except for the following...


Checking MX servers listed for castillo.j.17@pg.com.
Connecting to bdc-edge02.na.pg.com [192.44.184.14] on port 25.
Connecting to the server failed. Error: 10060
Failed to submit mail to bdc-edge02.na.pg.com.
Connecting to bdc-edge01.na.pg.com [192.44.184.17] on port 25.
Connecting to the server failed. Error: 10060
Failed to submit mail to bdc-edge01.na.pg.com.
0
 
LVL 1

Expert Comment

by:martin_wilkinson
ID: 18021865
You say that you are able to connect from an XP workstation with the firewall client disabled, which is interesting.  I have a few questions:

When the firewall client is disabled, how are these machines connecting to the internet - Are they effectively becoming SecureNAT clients through the ISA server, or is there some form of direct access through an internet connection router?

What version of ISA server are you running?

How are you sending outbound mail from the exchange server?  Through a spam / virus filtering smarthost, or directly to the internet?  If you are sending it through a filter, is this software located on the ISA server?

Are you running the firewall client on the exchange server?

If you are able to give a basic outline of your network layout, that would be helpful in finding out what exactly is preventing communication.
0
 
LVL 9

Expert Comment

by:crawfordits
ID: 18023803
0
 

Author Comment

by:zyanj
ID: 18028082
***Please forgive me and disregard the firewall client portion I made a mistake with regard to that part of my question.

1. 2000 ISA Server
2. No Firewall Client on servers.
3. Disabled Filtering software

Here are the complete results of the SMTDiag from the mail server
Does the error denote a problem on my end?



Searching for Exchange external DNS settings.
Computer name is MOLLY.
VSI 1 has the following external DNS servers:
67.36.128.26,206.141.192.60

Checking SOA for pg.com.
Checking external DNS servers.

Checking TCP/UDP SOA serial number using DNS server [67.36.128.26].
TCP test succeeded.
UDP test failed.
Serial number: 2006112801

Checking TCP/UDP SOA serial number using DNS server [206.141.192.60].
TCP test succeeded.
UDP test failed.
Serial number: 2006112801
Checking internal DNS servers.

Checking TCP/UDP SOA serial number using DNS server [192.168.1.1].
Failed: DNS server [192.168.1.1] may be down.

Checking TCP/UDP SOA serial number using DNS server [67.36.128.26].
TCP test succeeded.
UDP test failed.
Serial number: 2006112801

Checking TCP/UDP SOA serial number using DNS server [206.141.192.60].
TCP test succeeded.
UDP test failed.
Serial number: 2006112801
SOA serial number match: Passed.

Checking local domain records.
Starting TCP and UDP DNS queries for the local domain. This test will try to
validate that DNS is set up correctly for inbound mail. This test can fail for
3 reasons.
    1) Local domain is not set up in DNS. Inbound mail cannot be routed to
local mailboxes.
    2) Firewall blocks TCP/UDP DNS queries. This will not affect inbound mail,
but will affect outbound mail.
    3) Internal DNS is unaware of external DNS settings. This is a valid
configuration for certain topologies.
Checking MX records using TCP: harrisandford.com.
  MX:    mx2.mail.webexc.com (100)
  MX:    mail.harrisandford.com (10)
  A:     mail.harrisandford.com [69.222.92.54]
  A:     mx2.mail.webexc.com [204.8.11.143]
  A:     ns2.webexc.com [204.8.11.143]
Checking MX records using UDP: harrisandford.com.
  MX:    mx2.mail.webexc.com (100)
  MX:    mail.harrisandford.com (10)
  A:     mail.harrisandford.com [69.222.92.54]
  A:     mx2.mail.webexc.com [204.8.11.143]
  A:     ns2.webexc.com [204.8.11.143]
Both TCP and UDP queries succeeded. Local DNS test passed.

Checking remote domain records.
Starting TCP and UDP DNS queries for the remote domain. This test will try to
validate that DNS is set up correctly for outbound mail. This test can fail for
3 reasons.
    1) Firewall blocks TCP/UDP queries which will block outbound mail. Windows
2000/NT Server requires TCP DNS queries. Windows Server 2003 will use UDP
queries first, then fall back to TCP queries.
    2) Internal DNS does not know how to query external domains. You must
either use an external DNS server or configure DNS server to query external
domains.
    3) Remote domain does not exist. Failure is expected.
Checking MX records using TCP: pg.com.
  MX:    bdc-edge02.na.pg.com (10)
  MX:    bdc-edge01.na.pg.com (10)
  A:     bdc-edge01.na.pg.com [192.44.184.17]
  A:     bdc-edge02.na.pg.com [192.44.184.14]
Checking MX records using UDP: pg.com.
  MX:    bdc-edge02.na.pg.com (10)
  MX:    bdc-edge01.na.pg.com (10)
Both TCP and UDP queries succeeded. Remote DNS test passed.

Checking MX servers listed for castillo.j.17@pg.com.
Connecting to bdc-edge01.na.pg.com [192.44.184.17] on port 25.
Connecting to the server failed. Error: 10060
Failed to submit mail to bdc-edge01.na.pg.com.
Connecting to bdc-edge02.na.pg.com [192.44.184.14] on port 25.
Connecting to the server failed. Error: 10060
Failed to submit mail to bdc-edge02.na.pg.com.

C:\Documents and Settings\Administrator.FORD\Desktop\SmtpDiag>
0
 
LVL 1

Expert Comment

by:martin_wilkinson
ID: 18030926
The DNS is resolving correctly (I get the same answers when I resolve the MX records for pg.com), so it looks like you don't have a DNS issue.

The 10060 error is simply a timeout, so it looks like something somewhere along the path between you and pg.com is filtering out your smtp requests.  Since you are able to send quite happily to most other users of the internet, I would suggest that there is something at their end which is blocking the port.  I know you've checked you're not on a blacklist, but this looks more network related than smtp related - if you do get on a blacklist, you usually get an smtp error back immediately stating that you have been blacklisted - your smtp packets are not making it to the server.

I have had odd issues in the past where the outgoing TCP connection request had a new feature enabled (ECN) which wasn't understood by a 3rd party's firewall, so it just ignored the packet.  If you are able to get a trace with MS Network Monitor or Ethereal, we could rule out this possibility.  It would also tell us if you're having MTU related issues.

As a workaround, you could route mail to the pg.com domain through your ISP's smtp server, by creating an SMTP connector specifically for pg.com as mentioned in the article which has already been referred to:

http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_22043945.html

0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

What is IRC? IRC (Internet Relay Chat) is a form of communication between multiple users. It is available freely to anyone with inernet access. IRC is a great way to communicate with others e.g. There is an IRC channel for Ubuntu Linux, which is fo…
Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now