Cannot receive SMTP mail on SBS Exchange 2003

X-quisite
I am trying to configure small business server 2003 to exchange server 2003.
I want exchange server to receive all SMTP e-mails.
Currently users are able to send outbound e-mails.

I have carried out the following with ISP DNS
Added an MX record: @ 10 smtp.domain.com.
Added a Host record: A 111.111.11.11
When I ping smtp.domain.com I get my external WAN IP address.
I have opened port 25 on the firewall and forwarded the SMTP traffic to SBS.

Can someone please advise me on what I am doing wrong?

Thank you

Nazmul



Commented:
Check out this article to test the smtp communication using telnet.

http://technet.microsoft.com/en-us/library/bb123686.aspx

Author

Commented:
jsvor:

the smtp port is open and working.

I think it may be to do with a configuration with Exchange or SBS.

Any ideas?
Expert of the Year 2007
Expert of the Year 2006

Commented:
I would start with putting your domain in to dnsreport.com and see whether anything is flagged in the mail server section. That will indicate if the DNS is correct.

As this is SBS, have you run the Connect to the Internet and Email wizard (or whatever it is called) and configured everything that it needs?

Simon.

Author

Commented:
Simon,
Here is the report from dnsreport.com.
I entered in the e-mail address:
Getting MX record for domain.co.uk (from local DNS server, may be cached)... Got it!

Host      Preference      IP(s) [Country]
smtp.domain.co.uk.      10      xx.xx.xx.xx [GB]
mta4.hosting.com.      50      xx.xx.xx.xx [GB]
mta3. hosting.com.      50      xx.xx.xx.xx [GB]
mta1. hosting.com.      50      xx.xx.xx.xx [GB]
mta2. hosting.com.      50      xx.xx.xx.xx [GB]

________________________________________



Step 1:  Try connecting to the following mailserver:
         smtp. domain.co.uk. – xx.xx.xx.xx (WAN IP)

Step 2:  If unsuccessful in step 1, Try connecting to all of these (in a random order, per RFC1123 5.3.4):
         mta4. .hosting.com.– xx.xx.xx.xx
         mta3. .hosting.com.- xx.xx.xx.xx
         mta1. .hosting.com.- xx.xx.xx.xx
         mta2. .hosting.com.- xx.xx.xx.xx

Step 3:  If still unsuccessful, queue the E-mail for later delivery.

________________________________________

Trying to connect to all mailservers:

   smtp.domain.co.uk. - xx.xx.xx.xx  [Successful connect: Got a good response [250 2.1.5 nazmul@domain.co.uk ]] (took 1.438 seconds)
   mta4.hosting.com. - xx.xx.xx.xx  [Successful connect: Got a good response [250 2.1.5 < nazmul@domain.co.uk >... Recipient ok]] (took 1.359 seconds)
   mta3. hosting.com. - xx.xx.xx.xx  [Successful connect: Got a good response [250 2.1.5 < nazmul@domain.co.uk >... Recipient ok]] (took 1.266 seconds)
   mta1. hosting.com. - xx.xx.xx.xx  [Successful connect: Got a good response [250 2.1.5 < nazmul@domain.co.uk >... Recipient ok]] (took 1.297 seconds)
   mta2. hosting.com. - xx.xx.xx.xx  [Successful connect: Got a good response [250 2.1.5 < nazmul@domain.co.uk >... Recipient ok]] (took 1.359 seconds)

I have a hosted e-mail with ISP, but this has no mailboxes setup as a secondary backup if local server is down.


Commented:
Not a fan of having ISPs mail servers in the DNS records. How does the ISP get email to you?
I would suggest removing them so that the only host listed is your own.

Simon.
Principal Consultant
Most Valuable Expert 2016
Top Expert 2014
Commented:
Have you rerun the Configure Email and Internet Connection Wizard (CEICW -- linked as "Connect to the Internet" on the To-Do list in the Server Management Console) to reconfigure the SBS for proper email retrieval?

A visual how-to for that is here:  http://sbsurl.com/ceicw

Then, you can always check your Email Server's performance at www.mxtoolbox.com.

I too agree that you should remove the ISP's MX records.

Jeff
TechSoEasy

Author

Commented:
Jeff,

I have rerun the wizard several times and still have had no success.
I currently have one NIC card configured to the server. I am going to install a second; maybe that is the problem?

When I send mail to a user in SBS 2003, I get the following returned mail message:

The original message was received at Thu, 31 May 2007 10:07:29 +0100 from hostxxx-xx-xx-xxx.in-addr.btopenworld.com [xxx.xx.xx.xxx]

   ----- The following addresses had permanent fatal errors -----
<nazmul@domain.co.uk>
    (reason: 550 5.1.1 <administrator@localhost>... User unknown)
    (expanded from: <nazmul@domain.co.uk>)

   ----- Transcript of session follows -----
... while talking to [127.0.0.1]:
>>> DATA
<<< 550 5.1.1 <administrator@localhost>... User unknown
550 5.1.1 <nazmul@x-domain.co.uk>... User unknown
<<< 503 Need RCPT (recipient)

The error message implies that it cannot find the user for the mail account.

Something is blocking it from recognising the account.


Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
Can you please post a COMPLETE ipconfig /all from the server as well as from a workstation?

Thanks.

Jeff
TechSoEasy

Commented:
The message you have posted is NOT an Exchange message.
If you still have the ISPs SMTP Servers in your MX records then I would suggest removing them so that you can be sure that email is delivered to just your Exchange server.

Simon.

Author

Commented:
jeff

From Server
Windows IP Configuarion
      Host Name                  SBS2003
      Primary DNS Suffix            domain.local
      Node Type                  Unknown
      IP Routing Enabled            No
      WINS Proxy Enabled            Yes
      DNS Suffix Search List      domain.local

Ethernet adapter Local Area Connection
      Connection-specific DNS suffix:
      Description:                  Intel pro/1000
      Physical Address:            00-15-20-14-4d-8e
      Dhcp Enabled                  No
      IP Address                  192.168.0.220
      Subnet mask:                  255.255.55.0
      Default gateway:            192.168.0.201
      DNS Servers                  192.168.0.220
      Primary WINS Server            192.168.0.220

From Work station
Windows IP Configuarion
      Host Name                  Client1
      Primary DNS Suffix            domain.local
      Node Type                  Unknown
      IP Routing Enabled            No
      WINS Proxy Enabled            No
      DNS Suffix Search List      domain.local

Ethernet adapter Local Area Connection
      Connection-specific DNS suffix:
      Description:                  Intel pro/1000
      Physical Address:            00-15-20-14-4d-8e
      Dhcp Enabled                  No
      IP Address                  192.168.0.100
      Subnet mask:                  255.255.55.0
      Default gateway:            192.168.0.201
      DNS Servers                  192.168.0.220
Hope this helps.

Author

Commented:
simon,

I have updated the MX records; waiting for DNS to update.

Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
Actually if you are getting an NDR from "administrator@localhost" then your built-in Administrator account is either disabled, or doesn't have a mailbox and email address.  Did you disable this account?

I'm also curious about why the NDR shows domain.co.uk as well as x-domain.co.uk

I'm thinking these aren't even being generated by the Exchange server, but rather from your ISP MX servers.  Can you look at the full headers of one of the NDR's and see what it says on the line starting with "From: MAILER-DAEMON" ?

Jeff
TechSoEasy
Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
Guess I should have refreshed before posting.  :-)
Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
Okay... so the fact that you aren't using DHCP on your workstation is causing one problem.  You need to have a WINS server configured on the clients.  Exchange still uses it.  (In this case it needs to be your SBS of 192.168.0.220.)

Then I see a rather big problem as well... your Subnet Mask is 255.255.55.0 and it needs to be 255.255.255.0.  Otherwise, you're throwing out all sorts of wrong DNS traffic.  

Correct that on the NIC and rerun the CEICW.  

Ideally, you should be running DHCP on the workstations... which would suggest to me that you did not join them to the domain properly... using http://<servername>/connectcomputer.  However, that's another issue.

Jeff
TechSoEasy
Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
And again, I'd suggest that you test the server using www.mxtoolbox.com.  It tends to be a bit more unforgiving than dnsreport.com.

Jeff
TechSoEasy

Author

Commented:
Jeff,
The subnet mask is actually 255.255.255.0, I made a typing error.

here is the result from mxtoolbox:

RESULT: smtp.domain.co.uk
Banner: domain.co.uk Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Thu, 31 May 2007 11:52:02 +0100 [125 ms]  
Connect Time: 0.125 seconds - Good
Transaction Time: 10.891 seconds - Not good!
Relay Check: OK - This server is not an open relay.
Rev DNS Check: OK - 111.11.11.11 resolves to host217-34-50-122.in-addr.btopenworld.com
GeoCode Info: Geocoding server is unavailable
Session Transcript: HELO mxtoolbox.com - DIAGNOSTIC TEST - See http://www.mxtoolbox.com/Policy.aspx 
501 5.5.4 Invalid Address [5125 ms]
HELO mxtoolbox.com
250 domain.co.uk Hello [64.20.227.131] [125 ms]
MAIL FROM: <test@mxtoolbox.com>
250 2.1.0 test@mxtoolbox.com....Sender OK [125 ms]
RCPT TO: <test@mxtoolbox.com>
550 5.7.1 Unable to relay for test@mxtoolbox.com [5125 ms]
QUIT
221 2.0.0 domain.co.uk Service closing transmission channel [141 ms]
 

Author

Commented:
Do you guys think that it could be to do with the firewall?
I am running a Cisco PIX 501; below is the configuration. Also, I changed the SMTP internal IP address just a few days back:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname pix
domain-name xxxxxxx
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25                        
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any interface outside eq pptp
access-list inbound permit tcp any interface outside eq 1433
access-list inbound permit tcp any interface outside eq 3389
access-list inbound permit tcp any interface outside eq 4122
access-list inbound permit tcp any interface outside eq ftp
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq 444
pager lines 24
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.201 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pptp 192.168.0.220 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1433 192.168.0.220 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.0.220 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4122 192.168.0.220 4122 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.0.224 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.0.220 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.220 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 192.168.0.220 444 netmask 255.255.255.255 0 0
access-group inbound in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 130.88.202.49 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ADSL request dialout pppoe
vpdn group ADSL localname xxxxx
vpdn group ADSL ppp authentication chap
vpdn username xxxxxx password ********* store-local
terminal width 80
Cryptochecksum:909891d482268bf03021aec6710be999
: end
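
An added example, not written by any poster in this thread: on PIX 6.3 an inbound port only reaches an inside host when the access-list bound to the outside interface permits it and a static forwards it, so this Python sketch reads those lines from the config above and checks the SMTP path to the Exchange host, including the fixup smtp setting. The function names are hypothetical and the parser only understands the line shapes that appear in the posted config.

```python
import re

# Excerpt of the PIX 6.3 config posted above (wrapped lines rejoined); only
# the lines that decide whether inbound traffic reaches an inside host.
PIX_CONFIG = """\
no fixup protocol smtp 25
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any interface outside eq 3389
access-list inbound permit tcp any interface outside eq ftp
static (inside,outside) tcp interface 3389 192.168.0.220 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.0.224 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.0.220 smtp netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit tcp any interface outside eq (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")
FIXUP_RE = re.compile(r"^(no )?fixup protocol smtp\b")


def published_services(config):
    """Return ({outside_port: (inside_host, inside_port) or None}, mail_guard).

    A port maps to None when the ACL bound to the outside interface permits
    it but no static translation forwards it. mail_guard is True/False as
    configured, or None when the config has no fixup smtp line at all.
    Assumes ports are written the same way in the ACL and the static.
    """
    permits, statics, bound_acl, mail_guard = {}, {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ACL_RE.match(line):
            permits.setdefault(m.group(1), []).append(m.group(2))
        elif m := STATIC_RE.match(line):
            statics[m.group(1)] = (m.group(2), m.group(3))
        elif m := GROUP_RE.match(line):
            bound_acl = m.group(1)
        elif m := FIXUP_RE.match(line):
            mail_guard = m.group(1) is None
    return {p: statics.get(p) for p in permits.get(bound_acl, [])}, mail_guard


def smtp_path_problems(config, mail_host):
    """List what would stop inbound port 25 from reaching mail_host."""
    reachable, mail_guard = published_services(config)
    problems = []
    if "smtp" not in reachable:
        problems.append("no smtp permit in the ACL bound to outside")
    elif reachable["smtp"] is None:
        problems.append("smtp is permitted but no static forwards it inside")
    elif reachable["smtp"][0] != mail_host:
        problems.append(f"smtp is forwarded to {reachable['smtp'][0]}, not {mail_host}")
    if mail_guard:
        problems.append("fixup protocol smtp (Mail Guard) is enabled")
    return problems


if __name__ == "__main__":
    print(published_services(PIX_CONFIG))
    print(smtp_path_problems(PIX_CONFIG, "192.168.0.220"))
```

The first return value also lists every other port the config publishes to the internet and the inside host each one lands on, which is worth reviewing whenever the internal address of a server changes.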



Commented:
I have modified your config above to remove the password.

However this has nothing to do with the firewall as you are getting the SMTP banner from Exchange. If the firewall was blocking the traffic then you wouldn't see that.

Simon.
Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
"The subnet mask is actually 255.255.255.0, I made a typing error"

I thought you may have hand-typed the IPCONFIG.  

TIP FYI: you can easily copy and paste from a command window if you enable "Quick Edit".  Right click on the title bar of the command window and select Properties > Options Tab.  Enable Quick Edit Mode and Insert Mode.  Then click OK and change the option to "Modify shortcut that started this window" (if you started CMD with a shortcut) or "Save properties for future windows with same title" (if you used Run... CMD).

--------------------------------------------------------------------------------

Okay, back to the issue at hand...

I think that your attempt to mask your actual domain may be inhibiting our ability to help you.  Because if I were to just guess now that your server's external IP address is 217.34.50.122, that doesn't actually correspond to a valid MX Server.  

Since you had made a typo in the IPCONFIG, it's possible you've made a similar mistake in configuring your DNS Zone File.  Without knowing the actual domain name, it's really not possible for us to give you a second/third set of eyes on that to confirm.  

Jeff
TechSoEasy

Author

Commented:
jeff
Here is the domain name
www.x-quisiteweddings.co.uk

Author

Commented:
Jeff, Simon,

I have logged onto the pix using PDM.
The pix is on a different .local domain to the SBS2003
This is because currently we are running W2k server on a different domain; I am planning to move to SBS 2003 once I have ironed out all the problems.

Would having the PIX on a different .local domain to SBS 2003 be a possible cause of the problem?
Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
Well, your DNS must have finally propagated, because now that the ISP hosts are gone, MX is failing... which would then point to the PIX not being configured properly.

It's time to bite the bullet and properly configure the PIX for your SBS 2003.  Just back up the config first so that you can quickly revert should it be necessary.

Jeff
TechSoEasy

Author

Commented:
jeff,

I have very little experience with the PIX; I did not do the initial configuration, and I also got help to make changes to the PIX from another post.

I will start a new post to help configure the PIX 501; if this works I can then accept your above comment.

How do I save the config of the PIX?
Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
I probably have less experience with PIX' than you... ;-)  I never use them.

So, when you want to know the answer to a question like that?
http://www.google.com/search?q=save+pix+configuration

Jeff
TechSoEasy

Commented:
I disagree that it is the PIX at fault.
The test that you have carried out above shows the SMTP banner from an Exchange server. That means the PIX is allowing the traffic through.

Simon.

Author

Commented:
I carried out a fresh installation of SBS 2003, and carried out all the config required.
I still have no success, so this leaves me to look at the PIX, as I had problems with the SMTP access list.
I plan to restore the PIX to factory default and start from scratch with the PIX.

i will update on progress.

Nazmul

Author

Commented:
I have been searching on the web for PIX and found this:

"The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1 commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are rejected with the "500 command unrecognized" reply code.
Microsoft Exchange administrators should take special note that by default their mail servers use the extended command set of ESMTP. The PIX SMTP fixup does not cover everything that may be needed for a transaction between two ESMTP servers.  Therefore, be aware that the limited set of supported Mail Guard commands may be at the root of some mail flow problems. See the documentation for more details of getting PIX and Exchange to play well together. "

On my PIX config I have no fixup protocol 25; could the problem be here?

Nazmul
Commented:
The no fixup means the feature is disabled. It gets in the way. You do not want to enable it.

Have you tried sending to the server manually using telnet?
http://www.amset.info/exchange/telnet-test.asp

Simon.
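
An added example, not part of any post in this thread: a manual SMTP test produces a command/reply transcript, and this Python sketch pairs each command with its reply and reports the conditions discussed here (EHLO refused with 500 as in the quoted Mail Guard text, a relay refusal, an unknown recipient, slow replies). `POSTED` is the mxtoolbox session posted earlier; `FILTERED` is constructed, and the function names and the 5000 ms threshold are assumptions.

```python
import re

# Session transcript as posted earlier in this thread (mxtoolbox output).
POSTED = """\
HELO mxtoolbox.com - DIAGNOSTIC TEST - See http://www.mxtoolbox.com/Policy.aspx
501 5.5.4 Invalid Address [5125 ms]
HELO mxtoolbox.com
250 domain.co.uk Hello [64.20.227.131] [125 ms]
MAIL FROM: <test@mxtoolbox.com>
250 2.1.0 test@mxtoolbox.com....Sender OK [125 ms]
RCPT TO: <test@mxtoolbox.com>
550 5.7.1 Unable to relay for test@mxtoolbox.com [5125 ms]
QUIT
221 2.0.0 domain.co.uk Service closing transmission channel [141 ms]
"""

# Constructed sample: the reply the quoted Mail Guard text describes for a
# command outside its allowed set, followed by a plain HELO that succeeds.
FILTERED = """\
EHLO probe.example
500 command unrecognized [90 ms]
HELO probe.example
250 mail.example Hello [40 ms]
"""

# "<code> <text>" with an optional trailing "[N ms]" timing.
REPLY_RE = re.compile(r"^(\d{3})[ -](.*?)(?: \[(\d+) ms\])?$")


def exchanges(transcript):
    """Pair each client command with the server reply that follows it."""
    pairs, command = [], None
    for line in (raw.strip() for raw in transcript.splitlines()):
        m = REPLY_RE.match(line)
        if m:
            if command is not None:  # a reply with no command (banner) is skipped
                ms = int(m.group(3)) if m.group(3) else None
                pairs.append((command, int(m.group(1)), m.group(2), ms))
                command = None
        elif line:
            command = line
    return pairs


def findings(transcript, slow_ms=5000):
    """Return human-readable observations about one SMTP session."""
    out = []
    for command, code, text, ms in exchanges(transcript):
        verb = command.split()[0].upper()
        if verb == "EHLO" and code == 500:
            out.append("EHLO refused with 500: consistent with Mail Guard filtering ESMTP")
        if verb == "RCPT" and code == 550 and text.startswith("5.7.1"):
            out.append("relay refused for a foreign recipient: not an open relay")
        if verb == "RCPT" and code == 550 and text.startswith("5.1.1"):
            out.append("recipient unknown to this server")
        if ms is not None and ms >= slow_ms:
            out.append(f"{verb} took {ms} ms")
    return out


if __name__ == "__main__":
    print(findings(POSTED))
    print(findings(FILTERED))
```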

Author

Commented:
Simon, Jeff,

I don't think it's the PIX; I had a spare Netgear firewall which I tried and got the same problem.

Simon, I will try your link when I get home.

Nazmul
Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
Well, according to www.mxtoolbox.com, your server is now accepting mail, although it does show the transaction time to be slow.  I've often found that this is caused by having your Anti-Virus program misconfigured by not excluding the Exchange Databases from scanning.

Jeff
TechSoEasy
