• Status: Solved
  • Priority: Medium
  • Security: Public

Mail to certain domains not leaving queues

The server is Exchange 2003 w/SP2

Some of the terms below may miss some people as they are military terms so if you need any help understanding them please let me know.

Here is a detailed list of troubleshooting steps that have been taken.
1. We checked our connection to our step (connection to the world), we have no transmission issues and are running on a 1544k link.
2. We restarted the Exchange services, with no results, so we restarted the server, also no results.
3. Checked our DNS on the server, as well as the firewall

4. We are able to do an nslookup and resolve any of the domains we are having trouble sending to.  We also connect to the distant end exchange servers on port 25 through telnet successfully.

5. Made a Virtual Machine on our Domain controller and created a second exchange box. This exchange box is replicating the same issue.

6. We have tried pulling DNS from Unit X by putting in forwarders for their DNS, not the firewall, and we get the same results.

7. We have installed new SMTP connectors, with the same result each time.
8. There is no pattern to the domains we cannot send to; some are CONUS domains, some are theater domains, including army, centcom and socom domains.

9. Domains we can send to also seem not to have a pattern; we can send to several domains in theater as well as army.smil.mil and our shipboard domain.

I am posting this for one of the units out here that I am trying to troubleshoot with. I have personally looked at the server and I can't seem to find anything wrong as to why it will send mail to most domains but not others. I have checked www.spamhaus.org to make sure they were not on the spam list and they were not. Thanks for the help in advance.
Tom
0
tej071
1 Solution
 
daveforsterCommented:
Some mail servers require that you have a reverse DNS lookup (PTR record) to be able to send to the domain. Do you have this set up?

Do you get any error messages back from the domains when you don't get through to them?  If so, can you post the errors that they are returning on here so we can see what's going on?

Cheers,

Dave
0
 
Stacy SpearCommented:
You shouldn't be able to send to smil.mil on NIPR, so that one is moot. Did you do a full telnet session or just the connect part? The connect is easy sometimes, while the full telnet will let you know if the server will successfully accept the message.

If you did do that, was it by IP or DNS name? DNS name is better as it could show that the issue lies somewhere else. And as Dave said, if things are not right in house (or onboard in your case) with DNS, you will be blocked. I block mail from units all over because of DNS. Those guys figure that since they are .mil we should just accept them. They fail to realize that a script kiddie in his basement can say he is .mil too.

A good external check is to get a DNS report at http://www.dnsstuff.com/. That will let you know if it is local.
0
 
tej071Author Commented:
This is not on NIPR so the DNS report will not work, as I am sure you are aware. We did do the entire telnet session (by name and by IP) as pointed out on Sembee's website (http://www.amset.info/exchange/). There are no errors generated, and the email eventually goes out near the two-day time limit that is set. On my domain I can send to those same exact recipients that the other unit has problems with, and mine gets there within seconds. I am really stumped on this one.
0
 
SembeeCommented:
When you click on the queues with the messages waiting, what does Exchange report as being the problem?

Simon.
0
 
Stacy SpearCommented:
If not on NIPR, not sure why you went to SpamHaus.

Check that the forward and reverse DNS are the same. Lots of SIPR gateways do reverse lookup. Also check that he didn't authentication on the wrong links.
0
 
tej071Author Commented:
The queues say connection dropped by remote host.


As for the Spamhaus; I'm just an idiot.  I check that on a regular basis and I just got done checking it and not thinking I posted that as not being the problem.  I was correct though :-D
0
 
Stacy SpearCommented:
What's the status on the DNS?
0
 
tej071Author Commented:
Our mail servers are set up with a reverse lookup for DNS.
0
 
Stacy SpearCommented:
Do an NSLOOKUP on the domain in question. Set type=mx or all. Do the mail server name and IP match what's on the actual server?
0
 
tej071Author Commented:
Yes, we've done that and everything is fine. That was the first thing I tried.  It's just weird that that unit can't send to specific sites but I can just fine.  I appreciate all your help and keep asking the questions cause maybe I am missing one.
0
 
tej071Author Commented:
Well I have some more information for you.  I can't believe I didn't catch this the first time.  When we go through the "telnet" process using port 25 we never get the quit command to complete.  We believe the server is sending the mail but never receives the word from the distant server that the message has been complete so eventually the connection times out and is dropped by the remote host.  Does that sound about right?
0
 
Stacy SpearCommented:
Have you checked the remote end to see what their logs are saying? Maybe the issue is there and they can shed more light on the situation.
0
 
tej071Author Commented:
We have not but there is a trouble ticket in to check just that.  It makes no sense because everyone else out here can email those same domains.  Thanks for the help.
0
 
Stacy SpearCommented:
Can you send logs to a SIPR address? Not supposed to do so here, but not sure how else to get them since they can't be sent here.
0
 
tej071Author Commented:
Can't send the log.  I think I am going to drop this one and allow the trouble ticket to run its course.  I'm doing them a favor by helping them and to be honest I'm not sure I can fix it plus I have my own things to work on.  Thank you for the help.
Tom
0
 
tej071Author Commented:
***UPDATE***
We have found in the past that units external to our firewall that use TACLANEs (encryption / tunneling) have their MTU sizes set lower because of all the overhead, which causes problems with our firewalls trying to pass that ACK that says we must lower our size as well. For some reason the firewall does not allow that ACK to go back, and we continue trying to send to them at a larger size, but they are unable to handle the packets and they drop. The workaround for me two years ago was to lower the Maximum Segment Size on our POP and screening routers to a lower number, which allowed us to effectively communicate with these units behind TACLANEs. Well, wouldn't you know, the unit experiencing the problems of not being able to email certain domains had not done this fix. We had them do this last night and all mail is flowing again.

Thank you for all the help.

Admins please close this question.
0
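The failure described in the update above, modelled as an added example that is not part of the original thread: small SMTP commands pass, full-size data segments vanish because the "lower your size" signal is filtered, and a binary search with don't-fragment probes finds the size to clamp the MSS to. The 1400-byte path MTU, the segment sizes and all function names are constructed for illustration; the thread gives no actual values.

```python
# Added illustration, not code from the thread. All sizes are constructed.
IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

def make_blackhole_probe(path_mtu):
    """Constructed stand-in for a don't-fragment ping. On Windows the real
    probe is `ping -f -l PAYLOAD host`, where total IP size = PAYLOAD + 28.
    Oversized packets are silently lost: True means a reply came back."""
    def probe(ip_packet_size):
        return ip_packet_size <= path_mtu
    return probe

def find_path_mtu(probe, low=576, high=1500):
    """Binary-search the largest total IP packet size that still gets a reply."""
    if not probe(low):
        raise RuntimeError("even %d-byte packets fail: not an MTU problem" % low)
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid       # mid passes, the limit is at or above it
        else:
            high = mid - 1  # mid is dropped, the limit is below it
    return low

def mss_for(path_mtu):
    """TCP payload per segment that fits the path; the value to clamp MSS to."""
    return path_mtu - IP_TCP_HEADERS

# Constructed SMTP session: (what is sent, TCP payload bytes in that segment).
SMTP_SESSION = [("EHLO", 24), ("MAIL FROM", 38), ("RCPT TO", 36), ("DATA", 6),
                ("body segment 1", 1460), ("body segment 2", 1460),
                ("body tail", 512), ("QUIT", 6)]

def first_stall(session, path_mtu):
    """Label of the first segment too big for the path, or None. TCP delivers
    in order, so everything after it (including QUIT) waits behind it until
    the connection times out."""
    for label, payload in session:
        if payload + IP_TCP_HEADERS > path_mtu:
            return label
    return None

def resegment(session, mss):
    """Split each send into segments of at most `mss` bytes, as a sender does
    once the MSS has been lowered."""
    out = []
    for label, payload in session:
        while payload > mss:
            out.append((label, mss))
            payload -= mss
        out.append((label, payload))
    return out
```

With the constructed 1400-byte path, the handshake and envelope commands go through and the session stalls at the first full-size body segment, which matches a queue that connects fine and then reports the connection dropped by the remote host.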
 
Computer101Commented:
PAQed with points refunded (500)

Computer101
EE Admin
0
