Kumba42 asked:

E-Mail sent from Hotmail.com never arrives to server - is it forever lost in the aether?

So I just deployed a new Exchange 2007 server, and largely, things have gone smoothly.  Barring having to finally upgrade internal clients to Office 2003 (we're poor), the only major issue plaguing my new server is, ironically enough, Hotmail.  It seems some high profile people involved with my organization use Hotmail as their main form of e-mail, and their messages, plus several of my own from my own hotmail account, seemingly disappear into the Internet equivalent of /dev/null.

I did several test messages from my own Hotmail account, ranging from a one-line "this is a test" message to 17 paragraphs of generated Latin (from the Lorem Ipsum generator).  One message was even about three, basic English sentences I wrote.  Not a single one made it to my Exchange mailbox.  No traces in Message Tracking, in the Queues, etc.  No bounce back or rejection messages are sent to my Hotmail account.  Nada, Zilch, None.

Obviously, this does not help me at all.  I think it may be my spam filtering on my new server, so I've already done several things like crank the Content Filtering threshold up to its maximum value so that only the most spam of spam gets tagged and rejected.  I then went a step further, and redirected all spam with an SCL of 9 to a special mailbox I'm monitoring.  None so far are sent from or to Hotmail accounts.

I also tweaked some of the other values, but messages from my Hotmail account still don't arrive.  So I'm really at a loss on what else to do.  Without any kind of diagnostic information, I have no way of knowing where the fault is at.  And Microsoft doesn't help things very much by providing an easy-to-find contact address/form for Hotmail to get their help on this (And I'd be surprised if they'd even help at all).

So my question is this: Where are my messages going, how can I find them, and how can I make my server accept Hotmail?  Some reading states that Wildcard whitelisting was broken by a patch in Exchange 2007 SP1, which is just really fantastic.  That rules that option out for whitelisting the entire *@hotmail domain just in case it's something like my RBL doing this.  So I figure there's got to be other ways to resolve this.
SOLUTION
Nitin Gupta
This solution is only available to members.
Kumba42 (ASKER)

Well, I've got all the agents active.  Using your explanation, though, I'll have to try later this week to disable them all and send a few test mails from Hotmail; if they arrive, then I'll know one of the filters is the cause and I guess, just enable them one-by-one until I pin down the offending filter.

Will update when I try this out!
Kumba42 (ASKER)

Okay, scratch the spam filtering out entirely.  A lot of the mails I sent finally bounced.

The text of the bounce says it couldn't connect to my server, which is absurd.  Google and Yahoo can connect fine.  So I opened up the bounce attachment, and got this relatively unknown SMTP Error Code:

Reporting-MTA: dns;blu0-omc2-s18.blu0.hotmail.com
Received-From-MTA: dns;BLU125-W16
Arrival-Date: Fri, 11 Jul 2008 16:26:49 -0700

Final-Recipient: rfc822;jkinard@closeup.org
Action: failed
Status: 4.7.1
Diagnostic-Code: smtp;450 4.7.1 : Recipient address rejected: invalid sender domain for relay (0)

There's very little on Google for that specific error.  Interestingly enough, there's one question from this site on the issue here:
https://www.experts-exchange.com/questions/21997698/SMTP-communication-problem-recipient-address-rejected-invalid-sender-domain-0.html

But I can't tell if that addresses our problem or not.  DNS Stuff looks like they've gone pay-only, and I doubt I'll be able to get an authorization to buy an account there just to test DNS.  Everything looks right on my end and all.  I just looked at my DNS layout on my ISP (ironically enough, it's XO Communications, so I use the same nameservers, ns1.xo.com and ns2.xo.com, as in the above question).

Anyone with a DNS Stuff account able to check the domain 'closeup.org' and tell me if that's returning anything wrong/weird?
Reverse DNS and SPF.....
Enable these for your Domain :-) !
SOLUTION
This solution is only available to members.
Kumba42 (ASKER)

I have SPF enabled.  Built it using a SPF wizard and I came up with the following TXT record below:

v=spf1 a mx a:208.176.100.164 ~all  

As for reverse DNS, that's setup too.  mail.closeup.org is a CNAME for xt1.closeup.org with an A record of 208.176.100.186.

However, what I find to be interesting, is on that little site Microsoft has, their DNS system looked up a completely different IP address for my domain:

No SPF record has been found for the domain closeup.org. However, MX and/or A records currently exist for this domain.

Addresses Listed in A records
67.192.236.106
Mail Servers Listed in MX Records
mail.closeup.org       


That looks VERY incorrect and gives me cause for concern that there's some DNS poisoning going on someplace.
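An added example (not part of the original posts, and not code from anyone in the thread): a small offline SPF evaluator run over the posted record, using a stub zone constructed from the DNS values quoted above, to show which sending addresses the record authorizes for mail claiming to come from closeup.org. The names `check_spf`, `ZONE` and the `FIXED` record are illustrative assumptions; `FIXED` assumes the web host should not send mail for the domain, and only the `a`, `mx`, `ip4` and `all` terms are handled.

```python
import ipaddress

# Constructed stub zone, built only from the DNS values quoted in this thread.
ZONE = {
    ("closeup.org", "A"): ["67.192.236.106"],   # root A record (web host)
    ("closeup.org", "MX"): ["mail.closeup.org"],
    ("mail.closeup.org", "CNAME"): ["xt1.closeup.org"],
    ("xt1.closeup.org", "A"): ["208.176.100.186"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def resolve_a(name, hops=0):
    """A records for name from the stub zone, following CNAMEs."""
    if hops < 5 and (name, "CNAME") in ZONE:
        return resolve_a(ZONE[(name, "CNAME")][0], hops + 1)
    return ZONE.get((name, "A"), [])

def check_spf(record, domain, sender_ip):
    """Return (result, warnings) for sender_ip; first matching term wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ip, warnings = ipaddress.ip_address(sender_ip), []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        if mech == "all":
            return RESULTS[qualifier], warnings
        # An all-numeric argument is an address literal, not a hostname.
        if mech == "a" and arg.replace(".", "").isdigit():
            warnings.append(f"{term}: 'a:' takes a hostname; use ip4:{arg}")
            continue
        if mech == "ip4":
            nets = [arg]
        elif mech == "a":
            nets = resolve_a(arg or domain)
        elif mech == "mx":
            hosts = ZONE.get((arg or domain, "MX"), [])
            nets = [addr for host in hosts for addr in resolve_a(host)]
        else:
            warnings.append(f"{term}: not handled by this sketch")
            continue
        if any(ip in ipaddress.ip_network(n, strict=False) for n in nets):
            return RESULTS[qualifier], warnings
    return "neutral", warnings

POSTED = "v=spf1 a mx a:208.176.100.164 ~all"   # record as posted above
FIXED = "v=spf1 mx ip4:208.176.100.164 ~all"    # hypothetical variant (assumption)
```

With the posted record, 208.176.100.164 falls through to `~all` and is reported with a warning, while the web host's 67.192.236.106 passes through the bare `a` term.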
Kumba42 (ASKER)

Wait a second, I think I see partially what's going on.  That IP points at our webhosting company (Should've checked that!).  They're external from our in-house servers (which include e-mail).

You don't think Hotmail is attempting to literally resolve closeup.org to the 67.192.236.106 address because it literally looks up that address, instead of seeking out the MX record for the domain, do you?
Great....so you found it  :-)
Kumba42 (ASKER)

I should add that my DNS redirects the root of the domain (closeup.org, not www.closeup.org, via an A record) to the webhosting company (because my manager wanted it that way; he figures shorter URLs look better).  That shouldn't interfere with MX lookups, right?  I mean, Google and Yahoo get it right.  Might whatever MS uses on Hotmail be doing it wrong, and assuming that IP is also the MX?  I tested both dig and nslookup on a Linux machine I own, and they pull the correct info, so by all accounts, the DNS info SHOULD be correct.
SOLUTION
This solution is only available to members.
Kumba42 (ASKER)

Yeah, I saw that URL on the other Question I mentioned.  I ran my domain through it, and while some of the root nameserver info looked incorrect, my domain appeared to be fine.  50% of the queries would each be handled by XO's Nameservers.

All this started of course when I made the switch to my new mail server.  Rather than recycle the old IP address, I gave it a new external address (we have a /27 block, so I got plenty to go around), and updated DNS accordingly.  My firewall loved it -- all the spambots trying to hit my old mail server went away, and now, we just get a lot of misguided smartphones trying to access IMAP (port 143, I use SSL).

Still, if big name providers like Google and Yahoo have had no problems with their e-mail systems, I'd be surprised at Hotmail having issues.  I already called Microsoft last week to inquire about how to get a hold of Hotmail staffers, but they didn't have any idea.
Kumba42 (ASKER)

Okay, playing around more with the dnscheck tool at squishy, a request for PTR records for my root domain (closeup.org) says nothing exists.  This is expected because my web hosting company owns that IP, and not me or my ISP.  I'll go ahead and open a ticket to have them correct this just in case it's the cause (it'd surprise me, heh).

Any other ideas for me to try as well?
The solution resides with your ISP. I would suggest telling them the issue; they would be in a better position to help, as they know what they have done :-)!!
ASKER CERTIFIED SOLUTION
This solution is only available to members.
If you are happy with your IP address, then it looks great :-)
I think you are, hahaha, but it is good to be sure than sorry !!

Hi,
Not heard from you, do you need further help :-)
Please do close the question, if resolved !
Thanks
Nitin
Well, you were pointed towards SPF during the course and it was suggested that you look at your SPF. We also verified with you whether you are sure about your IP Address for SPF.
I am not sure what more we could do without direct access to your setup.
Kumba42 (ASKER)

Aye, I tried several different methods to look at the SPF record, but I was faced with an inability to contact competent Hotmail staff to see whether they had ideas, no way to re-create a setup that would reject messages like Hotmail (nor the time), and my organization's CEO inquiring to me directly why Hotmail wasn't working, as one of his consultants used an address there to communicate (and it's what started this all).

I'm not sure whether my SPF record was incorrect (Gmail, Yahoo Mail, my friend's work e-mail, my personal ISP's e-mail, all worked fine), whether it's the uniqueness of having an ISP-assigned /27 IP block, and pointing our root domain to be outside of this block that confuses basic DNS tools like 'dig' and most of the SPF wizards out there (which probably query DNS information in the exact same manner), or another problem entirely that is beyond my ability to recognize and troubleshoot.

Ultimately, the actual cause of the problem was never pinned down, therefore, none of the provided solutions were able to solve anything.  I tried several steps, such as contacting my ISP, who were unable to assist with SPF setup (only standard DNS support is provided), and Microsoft's SPF wizard was one of the ones getting confused by the DNS setup (as far as I can tell).