Solved

Can't Solve Relay Access Denied Issues

Posted on 2008-11-16
Last Modified: 2013-12-18
I'm sorry to beat this issue any further, but I have had no luck in all my searches for a solution. I have a 2003 Server with Exchange 2003. I have various clients who are using RPC over HTTP and it has been very successful. In fact, 95% of the emails go through properly. At least every day, however, one of my clients forwards me a message with an NDR. Sometimes it's the same, sometimes it is different. Here's what we might receive:

#5.5.0 smtp;553 sorry, mail to that recipient is not accepted (#5.7.1)>
smtp;554: Relay access denied
#5.7.1 smtp;550 5.7.1 Unable to relay for ...
;553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)>
5.5.0 smtp;550 No such user - psmtp
18591 is currently not permitted to

Now, I've tried many of the things that are suggested out there, such as turning SMTP Auth off and on, and I've verified that the reverse DNS points to my correct server address. I have a Barracuda firewall scanning incoming email, which I have removed, and I still get the messages. I've even gotten messages bounced back saying "no such user" when we are sure that there is a user at the destination address.

I get a 'relay access denied' when I myself send a message to a particular domain. If I re-send the email two seconds later, the recipient gets it.

I'm sorry to be so vague in my descriptions, but I can't seem for the life of me to solve this problem once and for all! Any advice would be appreciated.
Question by:gloafman

Expert Comment

by:debuggerau
ID: 22972517
Yes, I got this too sometimes, what really improved its reliability was to use a better DNS server for the lookups. It appears some DNS servers fail to give the right MX record, or were set to use another server where a SMTP receiver was not present.

I still get them occasionally when sending to flaking domains, but at least now I can point the customer to their email server or provider.

I also used the detailed SMTP logs to deduce this, really helps...

Expert Comment

by:Xyptilon2
ID: 22977861
Relay access denied means a server will not send the message because it is configured not to do so, either because the sender is unknown or the IP from where the email is coming is unknown.

First, looking at the latter, a server might employ SMTP authentication (with, or without SSL or TLS) or POP BEFORE SMTP authentication to tell the server that the connecting IP address (client machine) is allowed to send email and the server will relay in this case. (I hope your machine is not an open relay so you should be employing one of these 2 methods).

Second, not all NDR are legitimate, some are spam, however I'm guessing we can rule that out as a possibility for now and we are dealing with a real issue.

Setting up a PTR record with whoever manages your IP address/range is a good idea to minimize spam, since receiving mailservers or anti-spam appliances (like Barracudas) might do a reverse DNS check to see if it matches the hostname in the email header. If not, it may be tagged as spam. However, though it may be tagged, it is unlikely to generate the above-mentioned error messages. It will more likely generate a 451 or 452 message (if any at all).

In a case like this, it would be very useful if you have access to the mailserver logs, particularly from the smtpd daemon/service, or better yet, if you can record the SMTP conversation between the servers, either with a "recordio"-like utility or a TCP sniffer in verbose mode, to troubleshoot the issue.

If that is not an option, open a telnet window on port 25 to your mailserver and manually inject a message. Sometimes you get a more meaningful error message there: Just search Google for "telnet test smtp" and many hits will come up.

Lastly, the above error really is a relaying issue; sometimes this happens because of DomainKeys or SPF violations. Is your mailserver using this? To what behaviour is it set? Tag only, or does it do more? If there is an anti-spam appliance in between (like the Barracuda), what do these logs say? Probably they would say "allowed", but they can still be blocked for technical reasons or SPF violations. For example, if Domain A sends to you through the Barracuda then it will be blocked, since the Barracuda is not in the SPF record of Domain A, and will not arrive at B, though this should generate another message (and not one of the above).



Expert Comment

by:mikeshaver
ID: 22979781
Is the server GC?

Author Comment

by:gloafman
ID: 25123566
Apologies on all the late replies... The problem was that my domain manager had an SSL arranged and pointing to the domain 'mail.theserver.com', whereas my server's actual name (NetBIOS and all) was exchange.theserver.com. The SSL was mismatched and I am positive that this mismatch affected the reverse lookup. Most recipients did not care if their servers didn't do reverse lookups, but for the odd percent that did, it was a huge pain.

While I could have probably re-generated an SSL, and reconfigured the domain settings to match that of my server, I was in no way going to change the 'server' name of a running Exchange box. I created a new domain, new SSL and ensured that it all matched, then migrated all of my users to a new server. Yes, definitely 'overkill', but it worked and never got a 571 again.

Phew.

Thanks to all those that contributed.

Expert Comment

by:mikeshaver
ID: 25124914
So you're GC?

Accepted Solution

by:gloafman
ID: 25178853
Apologies on all the late replies... The problem was that my domain manager had an SSL arranged and pointing to the domain 'mail.theserver.com', whereas my server's actual name (NetBIOS and all) was exchange.theserver.com. The SSL was mismatched and I am positive that this mismatch affected the reverse lookup. Most recipients did not care if their servers didn't do reverse lookups, but for the odd percent that did, it was a huge pain.

While I could have probably re-generated an SSL, and reconfigured the domain settings to match that of my server, I was in no way going to change the 'server' name of a running Exchange box. I created a new domain, new SSL and ensured that it all matched, then migrated all of my users to a new server. Yes, definitely 'overkill', but it worked and never got a 571 again.

Phew.

Thanks to all those that contributed.
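
Added example, not part of the thread and not any poster's code: a check for the name consistency that Xyptilon2's PTR advice and the accepted solution both turn on, reporting separately whether the sending IP's PTR name, the announced HELO name and the certificate names agree. The function names, the address 203.0.113.25 and the PTR/A records are constructed for illustration; the thread does not say which name the PTR record actually carried.

```python
import socket

def norm(name):
    return name.rstrip(".").lower()

# Live lookups through the system resolver; each returns [] when nothing is found.
def live_ptr(ip):
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def live_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def cert_covers(host, cert_names):
    """Exact match, or a wildcard covering exactly one left-most label."""
    host = norm(host)
    parent = host.split(".", 1)[1] if "." in host else None
    return any(p == host or (p.startswith("*.") and p[2:] == parent)
               for p in map(norm, cert_names))

def check_mail_identity(ip, helo, cert_names, ptr=live_ptr, a=live_a):
    """List every mismatch between sending IP, PTR, HELO name and certificate."""
    problems = []
    ptr_names = [norm(n) for n in ptr(ip)]
    if not ptr_names:
        problems.append(f"no PTR record for {ip}")
    for n in ptr_names:
        if ip not in a(n):  # forward-confirmed reverse DNS
            problems.append(f"PTR {n} does not resolve back to {ip}")
    if ptr_names and norm(helo) not in ptr_names:
        problems.append(f"HELO {helo} is not the PTR name {ptr_names}")
    if ip not in a(helo):
        problems.append(f"HELO {helo} does not resolve to {ip}")
    if not cert_covers(helo, cert_names):
        problems.append(f"certificate {list(cert_names)} does not cover {helo}")
    return problems

# Constructed records: host names from the post, 203.0.113.25 is a documentation address.
PTR = {"203.0.113.25": ["mail.theserver.com"]}
A = {"mail.theserver.com": ["203.0.113.25"]}
def demo(helo, cert=("mail.theserver.com",)):
    return check_mail_identity("203.0.113.25", helo, cert,
                               lambda ip: PTR.get(ip, []), lambda n: A.get(norm(n), []))
```

Calling `check_mail_identity` with only the IP, HELO name and certificate names uses the live resolver; `demo` runs the same checks against the constructed records.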