
Outgoing email not working with exchange 2003

Last Modified: 2013-11-30
I have an Exchange server with Exchange 2003 running on Server 2000. This has been up and running for about 4 years. For the last 2 days all outgoing email has stopped working. The workstations are receiving the following messages:

The following recipient(s) could not be reached:

  xNTxOxY.xAMxS@HxxUxxLY.COM on 1/25/2008 10:44 AM
  Could not deliver the message in the time limit specified. Please retry or contact your administrator.
  <xejxxxsexx01.axexxx.local #4.4.7>
(some characters omitted of course)

Now some of the things I have checked are:
1.  SMTP service is running.
2.  If I nslookup godaddy.com  with set type=mx I get "smtp.secureserver.net" (good so far)
3.  If I telnet smtp.secureserver.net on port 25 I get 220 (good up until here also)
4.  I made sure ports 25 / 110 were not blocked on the router.
5.  The server is set up as and then an external DNS server (opendns.com)
6.  Checked spamhaus.org for blacklisting everything is clean

This has me really stumped and I can't seem to figure it out; this all of a sudden quit working. Am I missing something???

Top Expert 2008

Your server has a dud SMTP greeting for starters;

Drop your domain in here and tell us what it throws back at you -> http://www.dnsreport.com


Everything is clear except for a few warnings (nothing major)
Top Expert 2008

OK, can you actually show them to me?  Cause I know there is a major one in there (I can see it in the question)

One other thing to check, as I recently had it happen to me: My ISP was having a problem with open mail relays on some of their client's networks, so they just started filtering TCP port 25.... without telling anybody. Very annoying for a so-called business internet connection.

Easy enough to confirm, just try and telnet to a SMTP server on the public internet on port 25.



What are the odds of port 25 being blocked only one way?  When I telnet to smtp.secureserver.net (godaddy) I get a response of 220.  If it was blocked one way would I still get this response?  If this seems to be working then I am back at square one with the original problem.


Here is a telnet session.  It seems like everything is fine with port 25.  What do you guys think???

220 OMTA10.westchester.pa.mail.comcast.net comcast ESMTP server ready
250 OMTA10.westchester.pa.mail.comcast.net hello [7*.8*.13.2*6], pleased to meet
MAIL FROM:joeblow@aol.com
250 2.1.0 <joeblow@aol.com> sender ok
250 2.1.5 <leroy@MY DOMAIN NAME HERE.com> recipient ok
DATA test test test
500 5.5.4 DATA invalid params
500 5.5.1 command unrecognized
DATA test.
500 5.5.4 DATA invalid params
354 enter mail, end with "." on a line by itself
test test test
250 2.0.0 hqQn1Y0094sdzLe3W00000 mail accepted for delivery
I had forgotten to put the data first with the enter that is why the info directly above seems a little out of line.

It seems to me like I do not have a port 25 (smtp) problem would you guys agree with that?  If agreed what else can I look for on the exchange server end?




Ok, I have narrowed it down, it is not an isp, dns, mx problem.  It has to be in my exchange server.  Everything looks fine on the surface.  The smtp server is setup to resolve through DNS.  DNS is setup with opendns's dns addresses.  Is there anything I am overlooking?  
Top Expert 2008

There is something that you are obviously overlooking - I already know what it is, it was identified in the DNSReport.com report that you are still refusing to show me.

Were I spiteful (I am, but I am tired at the moment) I would not just tell you.

It is your SMTP Greeting - you need to change it for it to be accurate - do so like this; http://www.block.net.au/help/smtp-greeting


Kieran, I apologize. After looking at your credentials I am grateful to have you helping me.  My only concern is having the domain name and records posted on a forum that anyone can google 5 years down the road.  If it was simple to PM on this forum you would have had it as soon as you asked.  Maybe it is me just being a little paranoid???


PASS Missing Direct Parent check OK. Your direct parent zone exists, which is good. Some domains (usually third or fourth level domains, such as example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion.
INFO NS records at parent servers Your NS records at the parent servers are:

ns37.worldnic.com. [] [TTL=172800] [CA]
ns38.worldnic.com. [] [TTL=172800] [CA]
[These were obtained from f.gtld-servers.net]
PASS Parent nameservers have your nameservers listed OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there.
PASS Glue at parent nameservers OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names.
PASS DNS servers have A records OK. All your DNS servers either have A records at the zone parent servers, or do not need them (if the DNS servers are on other TLDs). A records are required for your hostnames to ensure that other DNS servers can reach your DNS servers. Note that there will be problems if your DNS servers do not have these same A records.
NS INFO NS records at your nameservers Your NS records at your nameservers are:

PASS Open DNS servers OK. Your DNS servers do not announce that they are open DNS servers. Although there is a slight chance that they really are open DNS servers, this is very unlikely. Open DNS servers increase the chances that of cache poisoning, can degrade performance of your DNS, and can cause your DNS servers to be used in an attack (so it is good that your DNS servers do not appear to be open DNS servers).  
PASS Mismatched glue OK. The DNS report did not detect any discrepancies between the glue provided by the parent servers and that provided by your authoritative DNS servers.
PASS No NS A records at nameservers OK. Your nameservers do include corresponding A records when asked for your NS records. This ensures that your DNS servers know the A records corresponding to all your NS records.
PASS All nameservers report identical NS records OK. The NS records at all your nameservers are identical.  
PASS All nameservers respond OK. All of your nameservers listed at the parent nameservers responded.
PASS Nameserver name validity OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names).
PASS Number of nameservers OK. You have 2 nameservers. You must have at least 2 nameservers (RFC2182 section 5 recommends at least 3 nameservers), and preferably no more than 7.
PASS Lame nameservers OK. All the nameservers listed at the parent servers answer authoritatively for your domain.
PASS Missing (stealth) nameservers OK. All 2 of your nameservers (as reported by your nameservers) are also listed at the parent servers.
PASS Missing nameservers 2 OK. All of the nameservers listed at the parent nameservers are also listed as NS records at your nameservers.  
PASS No CNAMEs for domain OK. There are no CNAMEs for MYDOMAINHERE.com. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
PASS No NSs with CNAMEs OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
PASS Nameservers on separate class C's OK. You have nameservers on different Class C (technically, /24) IP ranges. You must have nameservers at geographically and topologically dispersed locations. RFC2182 3.1 goes into more detail about secondary nameserver location.
PASS All NS IPs public OK. All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays.
PASS TCP Allowed OK. All your DNS servers allow TCP connections. Although rarely used, TCP connections are occasionally used instead of UDP connections. When firewalls block the TCP DNS connections, it can cause hard-to-diagnose problems.
INFO Nameservers versions [For security reasons, this test is limited to members]
PASS Stealth NS record leakage Your DNS servers do not leak any stealth NS records (if any) in non-NS requests.
SOA INFO SOA record Your SOA record [TTL=7200] is:

Primary nameserver: NS37.WORLDNIC.COM.
Hostmaster E-mail address: namehost.WORLDNIC.COM.
Serial #: 0
Refresh: 10800
Retry: 3600
Expire: 604800
Default TTL: 3600
PASS NS agreement on SOA Serial # OK. All your nameservers agree that your SOA serial number is 0. That means that all your nameservers are using the same data (unless you have different sets of data with the same serial number, which would be very bad)! Note that the DNSreport only checks the NS records listed at the parent servers (not any stealth servers).
PASS SOA MNAME Check OK. Your SOA (Start of Authority) record states that your master (primary) name server is: NS37.WORLDNIC.COM.. That server is listed at the parent servers, which is correct.
PASS SOA RNAME Check OK. Your SOA (Start of Authority) record states that your DNS contact E-mail address is: namehost@WORLDNIC.COM. (techie note: we have changed the initial '.' to an '@' for display purposes).  
WARN SOA Serial Number WARNING: Your SOA serial number is: 0. That is OK, but the recommended format (per RFC1912 2.2) is YYYYMMDDnn, where 'nn' is the revision. For example, if you are making the 3rd change on 02 May 2006, you would use 2006050203. This number must be incremented every time you make a DNS change.
PASS SOA REFRESH value OK. Your SOA REFRESH interval is : 10800 seconds. This seems normal (about 3600-7200 seconds is good if not using DNS NOTIFY; RFC1912 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours)). This value determines how often secondary/slave nameservers check with the master for updates.
PASS SOA RETRY value OK. Your SOA RETRY interval is : 3600 seconds. This seems normal (about 120-7200 seconds is good). The retry value is the amount of time your secondary/slave nameservers will wait to contact the master nameserver again if the last attempt failed.
PASS SOA EXPIRE value OK. Your SOA EXPIRE time: 604800 seconds. This seems normal (about 1209600 to 2419200 seconds (2-4 weeks) is good). RFC1912 suggests 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.
PASS SOA MINIMUM TTL value OK. Your SOA MINIMUM TTL is: 3600 seconds. This seems normal (about 3,600 to 86400 seconds or 1-24 hours is good). RFC2308 suggests a value of 1-3 hours. This value used to determine the default (technically, minimum) TTL (time-to-live) for DNS entries, but now is used for negative caching.
MX INFO MX Record Your 1 MX record is:

10 mail.MYDOMAINHERE.com. [TTL=7200] IP=7*.8*.1*.22* [TTL=7200] [US]
PASS Low port test OK. Our local DNS server that uses a low port number can get your MX record. Some DNS servers are behind firewalls that block low port numbers. This does not guarantee that your DNS server does not block low ports (this specific lookup must be cached), but is a good indication that it does not.
PASS Invalid characters OK. All of your MX records appear to use valid hostnames, without any invalid characters.
PASS All MX IPs public OK. All of your MX records appear to use public IPs. If there were any private IPs, they would not be reachable, causing slight mail delays, extra resource usage, and possibly bounced mail.
PASS MX records are not CNAMEs OK. Looking up your MX record did not just return a CNAME. If an MX record query returns a CNAME, extra processing is required, and some mail servers may not be able to handle it.
PASS MX A lookups have no CNAMEs OK. There appear to be no CNAMEs returned for A records lookups from your MX records (CNAMEs are prohibited in MX records, according to RFC974, RFC1034 3.6.2, RFC1912 2.4, and RFC2181 10.3).
PASS MX is host name, not IP OK. All of your MX records are host names (as opposed to IP addresses, which are not allowed in MX records).
INFO Multiple MX records NOTE: You only have 1 MX record. If your primary mail server is down or unreachable, there is a chance that mail may have troubles reaching you. In the past, mailservers would usually re-try E-mail for up to 48 hours. But many now only re-try for a couple of hours. If your primary mailserver is very reliable (or can be fixed quickly if it goes down), having just one mailserver may be acceptable.
PASS Differing MX-A records OK. I did not detect differing IPs for your MX records (this would happen if your DNS servers return different IPs than the DNS servers that are authoritative for the hostname in your MX records).
PASS Duplicate MX records OK. You do not have any duplicate MX records (pointing to the same IP). Although technically valid, duplicate MX records can cause a lot of confusion, and waste resources.
PASS Reverse DNS entries for MX records OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries. RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. Note that this information is cached, so if you changed it recently, it will not be reflected here (see the www.DNSstuff.com Reverse DNS Tool for the current data). The reverse DNS entries are: mail.MYDOMAINHERE.com. [TTL=3600]
Mail PASS Connect to mail servers OK: I was able to connect to all of your mailservers.
PASS Mail server host name in greeting OK: All of your mailservers have their host name in the greeting:

mail.MYDOMAINHERE.com:    220 mail.MYDOMAINHERE.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Sun, 27 Jan 2008 06:19:43 -0500
PASS Acceptance of NULL <> sender OK: All of your mailservers accept mail from "<>". You are required (RFC1123 5.2.9) to receive this type of mail (which includes reject/bounce messages and return receipts).
PASS Acceptance of postmaster address OK: All of your mailservers accept mail to postmaster@MYDOMAINHERE.com (as required by RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1).
PASS Acceptance of abuse address OK: All of your mailservers accept mail to abuse@MYDOMAINHERE.com.
INFO Acceptance of domain literals WARNING: One or more of your mailservers does not accept mail in the domain literal format (user@[]). Mailservers are technically required RFC1123 5.2.17 to accept mail to domain literals for any of its IP addresses. Not accepting domain literals can make it more difficult to test your mailserver, and can prevent you from receiving E-mail from people reporting problems with your mailserver. However, it is unlikely that any problems will occur if the domain literals are not accepted (mailservers at many common large domains have this problem).

mail.MYDOMAINHERE.com's postmaster@[7*.8*.1*.22*] response:
 >>> RCPT TO:<postmaster@[7*.8*.1*.22*]>
 <<< 550 5.7.1 Unable to relay for postmaster@[7*.8*.1*.22*]
PASS Open relay test OK: All of your mailservers appear to be closed to relaying. This is not a thorough check, you can get a thorough one here.

mail.MYDOMAINHERE.com OK: 550 5.7.1 Unable to relay for Not.abuse.see.www.DNSreport.com.from.IP.
WARN SPF record Your domain does not have an SPF record. This means that spammers can easily send out E-mail that looks like it came from your domain, which can make your domain look bad (if the recipient thinks you really sent it), and can cost you money (when people complain to you, rather than the spammer). You may want to add an SPF record ASAP, as 01 Oct 2004 was the target date for domains to have SPF records in place (Hotmail, for example, started checking SPF records on 01 Oct 2004).  
 INFO WWW Record Your www.MYDOMAINHERE.com A record is:

www.MYDOMAINHERE.com. A 20*.17*.15*.19 [TTL=7200] [CA]
PASS All WWW IPs public OK. All of your WWW IPs appear to be public IPs. If there were any private IPs, they would not be reachable, causing problems reaching your web site.
PASS CNAME Lookup OK. Some domains have a CNAME record for their WWW server that requires an extra DNS lookup, which slightly delays the initial access to the website and use extra bandwidth. There are no CNAMEs for www.MYDOMAINHERE.com, which is good.
INFO Domain A Lookup Your MYDOMAINHERE.com A record is:

MYDOMAINHERE.com. A 20*.17*.15*.19 [TTL=7200]
Top Expert 2008

It isn't called paranoia if everyone really is out to get you, then it is called common sense.

Post your domain here in the thread, and I will remove it when the question is closed.
Top Expert 2008

I can see now that the smtp-greeting must be fixed...

See in your question how the NDR is coming from xxx.xxx.local?  That is what made me point you in that direction.


Yes, I sure do.  I changed it like your demonstration but it is still not allowing outgoing mail.  I am getting the delay message then the undeliverable message so it is like it is sitting in queue waiting.
Top Expert 2008
What is the error in the queue?  Select the queue item and then at the bottom there should be something like "remote host terminated connection"

As the domain has nothing wrong with it, I have removed it - any interested parties involved in this thread should post requesting it.


Let me ask you, what exactly are the messages in queue?  There are over 2000 and I do not recognize any of the domains.  Are they incoming, outgoing or both?

To answer your question the ones with a check say "no additional information available"
The ones with a blue arrow pointing to the right (I think, I am TS in to that box and the graphics are low) say "unable to bind to the destination server in dns"

If these are outgoing messages waiting to be delivered there is a problem because these domain names are not company related.


Thank you very much for your help, you pointed me in the right direction on what to look for and I have got it up and running.  Thanks again!!!
Top Expert 2008

So what was it?  DNS problem?


Yes, it was a DNS problem.  I looked at the DNS addresses over and over and then decided to ping them.  There was no response, comcast must have killed them overnight.  I overlooked it because it was working with those addresses for years without any problems.

Thanks again for your help.
Top Expert 2008

Do you have these addresses manually set in Exchange?  If so, remove them.  Exchange will use the Windows DNS settings, which will make it easier to isolate a problem (as your users will complain that websites don't work)
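The thread's root cause was a pair of resolver addresses that had silently stopped answering, which Exchange reported only as thousands of queued "unable to bind to the destination server in DNS" items. The script below is an added example, not code from the thread or from Exchange: it sends a raw MX query to a resolver with a short timeout, so a dead forwarder shows up as a timeout and a working one returns the MX list (the nslookup "set type=mx" check from the question, automated). The resolver addresses and SAMPLE_RESPONSE are constructed placeholders, not data from the page.

```python
import socket
import struct

def build_mx_query(domain, txid=0x1234):
    # Header: RD set, one question; QNAME as length-prefixed labels, QTYPE=MX(15), QCLASS=IN(1).
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in domain.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 15, 1)

def read_name(msg, offset):
    # Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset just past it).
    labels, end = [], None
    while True:
        length = msg[offset]
        if length >= 0xC0:  # two-byte pointer into an earlier copy of the name
            end = end or offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), end or offset + 1
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def parse_mx_response(msg):
    # Return sorted [(preference, exchange)]; raise if the resolver reported a non-zero RCODE.
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x0F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0x0F))
    offset, records = 12, []
    for _ in range(qd):  # skip the echoed question section
        offset = read_name(msg, offset)[1] + 4
    for _ in range(an):
        offset = read_name(msg, offset)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 15:  # MX RDATA: 16-bit preference, then the exchange host name
            records.append((struct.unpack("!H", msg[offset:offset + 2])[0], read_name(msg, offset + 2)[0]))
        offset += rdlen
    return sorted(records)

def check_resolver(server_ip, domain, timeout=3.0):
    # One UDP query per configured resolver; a timeout is the dead-forwarder case from this thread.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_mx_query(domain), (server_ip, 53))
            return True, parse_mx_response(sock.recvfrom(4096)[0])
        except socket.timeout:
            return False, "no answer within %.0fs (resolver dead or UDP/53 blocked)" % timeout
        except (OSError, ValueError) as exc:
            return False, str(exc)

# Constructed sample reply (not captured from a real server): godaddy.com MX 10 smtp.secureserver.net.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x07godaddy\x03com\x00"
                   + struct.pack("!HH", 15, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, 3600, 25)
                   + struct.pack("!H", 10) + b"\x04smtp\x0csecureserver\x03net\x00")
```

Run check_resolver() against each address configured as a forwarder or in the server's TCP/IP settings (for example check_resolver("192.0.2.53", "godaddy.com") with a placeholder address); because it exercises the DNS service itself rather than ICMP, a resolver that still answers ping but never returns an MX answer is reported as dead, which is exactly what Exchange sees.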
