Solved

"#554 Transaction Failed Spam Message not queued." and "The following organization rejected your message: ESMTP" errors

Posted on 2009-04-09
15
2,997 Views
Last Modified: 2012-05-06
I have been working on this problem for a few days, and I almost have it figured out. When sending email, a few domains will instantly bounce back an NDR with the error: "The following organization rejected your message: ESMTP". I thought it was a blacklist problem, checked, and everything is clear. Checked Exchange and it has the error "#554 Transaction Failed Spam Message not queued."
I think I have this tracked down to a mismatch between my FQDN and/or DNS so that email fails a reverse lookup by the receiver's server, which then bounces it as spam. The problem is I'm not sure what is supposed to match.

   My setup: (Which I inherited from a retired Admin  :) )
   -  Exchange 2007 is running on the DC named Domain-Server.abm1.local
   -  Under Exchange / Organizational Config / Hub Transport / Send Connectors, my FQDN is exchange.abm1.com.
   -  Under Exchange / Server Config / Hub Transport / Receive Connectors, my FQDN is exchange.abm1.com.
   -  In my DNS I have exchange.abm1.com listed under Forward Lookup Zones with an NS of domain-server.abm1.local and an A record of 172.16.1.2.
   -  Under Reverse lookup I have 172.16.1.2 pointing to domain-server.abm1.local.
   -  The EHLO command to the mail server returns the name exchange.abm1.com

What am I missing?  
0
Question by:BEKtech
15 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 24109972
Unless you are hosting your own public DNS zone on your internal DC, then you are checking in the wrong place for your reverse DNS entry.  For external email, the reverse DNS entry has to be in your public DNS zone.  If the public host name that you are using for your mail server is "exchange.abm1.com", then it looks like your server's FQDN is configured correctly. However, if your public FQDN is something else, then you will need to make sure that matches the public FQDN you have set in Exchange 2007. Then, you just have to be sure that the PTR (rDNS) record for the public IP address of this server, on your public DNS zone, is pointing to exchange.abm1.com, or whatever that public FQDN is.
0
 
LVL 6

Expert Comment

by:page1985
ID: 24110067
If your problem is DNS/Config related, any or all of the following may be true:
  1. Your forward lookup (A record) and your reverse lookup (PTR record) do not match.
  2. Your Send Connector that relays mail to the internet does not have a host name that matches your forward (A record) and/or your reverse (PTR record).
  3. You have Sender Policy Framework (SPF) defined in your DNS settings and have specified either an IP address or an MX name as an authorized mail server and your forward (A record), reverse (PTR record), or Send Connector does not use an FQDN that matches an address approved in SPF.

See the code snippet for examples of configurations.  The code snippets assume the public IP of the server is 24.15.2.1

=====Matching (OK) Records=====

mail.domain.com          A          24.15.2.1
domain.com               MX   10    mail.domain.com
domain.com               TXT        "v=spf1 ip4:24.15.2.1 mx:mail.domain.com ~all"
1.2.15.24.in-addr.arpa   PTR        mail.domain.com

=====Mismatching (Bad) SPF Record=====

mail.domain.com          A          24.15.2.1
domain.com               MX   10    mail.domain.com
domain.com               TXT        "v=spf1 ip4:24.15.2.6 mx:server.domain.com ~all"
1.2.15.24.in-addr.arpa   PTR        mail.domain.com

=====Mismatching (Bad) A Record=====

server.domain.com        A          24.15.2.1
domain.com               MX   10    server.domain.com
domain.com               TXT        "v=spf1 ip4:24.15.2.1 mx:mail.domain.com ~all"
1.2.15.24.in-addr.arpa   PTR        mail.domain.com


0
 

Author Comment

by:BEKtech
ID: 24110748
I checked with our ISP and they had our reverse lookup as mail.abm1.com.  I had them add exchange.abm1.com.  I have to wait for it to propagate, then I'll let you know what happens.  Thank you!
0
 

Author Comment

by:BEKtech
ID: 24116120
I tried to send an email to one of the problem domains and I received the error. I have been reading that I may need to update, change, or create an SPF record. I currently do not have an SPF record, but I can make one. It is strange that this could be the problem when the record never existed. Any ideas? Thanks.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 24116801
I think you may have a more serious problem. In checking your domain through DNSStuff's DNSReport, it identified your MX record as pointing to "mail.abm1.com" instead of "exchange.abm1.com." It also returned an open relay result for "mail.abm1.com."  Your PTR record, however, does show up as resolving to "exchange.abm1.com" So, you need to add a new host record on your public DNS zone for "exchange.abm1.com" and also change your MX record to point to that host. I'd do that first, and then you can remove the old host record for "mail.abm1.com" after you make sure everything is working properly. I would also at the same time add an SPF record, just because it's a good thing to have.
0
 

Author Comment

by:BEKtech
ID: 24117792
I may be in over my head :)   Would that indicate that the problem is with my server?  As far as I know no one has changed the MX record to cause the error.  If the record has always been set to mail.abm1.com, wouldn't the FQDN of the Exchange server have to match?

I don't want to pass this information back to my ISP and have them change everything until I double check the server names.
Thanks.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 24122127
The FQDN doesn't have to match in order for you to send and receive email. DNS doesn't care what your server is advertising as its public FQDN; it only cares that there is an MX record, a matching host record, and that the IP address specified for that host record accepts incoming packets on port 25. Antispam software, however, does care. It will look at your MX record and check to see if there is a PTR record and an SPF record that match whatever is specified in that MX record. SPF records can specify other things, too, but basically that's what's going on. So, if there is a PTR record at all, most systems will accept the mail. However, if there is a PTR record that resolves to a different host name than your MX record, that could cause the behavior you are seeing.
The fact that it's showing up as an open relay - that could be a serious problem.  I recommend first checking your email system settings to be sure that you don't have something configured that would allow relaying through your server by external systems. I would know exactly where to tell you to go for Exchange 2003, but I'm less familiar with  Exchange 2007. Here's an article that might be of some help, although it is for the older Exchange versions:
http://support.microsoft.com/kb/895853
0
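An offline check that applies the consistency rules from page1985's and Hypercat (Deb)'s comments (A, PTR, MX and SPF must all agree on the sending host) to the three record sets posted above. This is an added example, not code from either commenter or from Exchange or the ISP; the zone data is constructed from the post's configurations with the 24.15.2.1 public IP assumed there, and the SPF evaluator only handles the ip4: and mx: mechanisms those records use.

```python
def parse_records(text):  # 'name TYPE [pref] value' lines as in the post -> {(name, type): [values]}
    recs = {}
    for line in text.strip().splitlines():
        name, rtype, value = line.split(None, 2)
        if rtype == "MX":
            value = value.split()[-1]  # keep the exchanger, drop the preference
        recs.setdefault((name, rtype), []).append(value.strip('"'))
    return recs

def ptr_name(ip):  # reverse-zone owner name: 24.15.2.1 -> 1.2.15.24.in-addr.arpa
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def spf_allows(records, domain, ip):
    # Minimal SPF evaluation for the ip4: and mx: mechanisms the post uses (no include/redirect).
    txt = records.get((domain, "TXT"), [""])[0]
    if not txt.startswith("v=spf1"):
        return None  # nothing published: receivers get 'none', not a pass
    for mech in txt.split()[1:]:
        kind, _, arg = mech.partition(":")
        if kind == "ip4" and arg == ip:
            return True
        if kind == "mx":  # mx:NAME means the MX hosts *of* NAME, not NAME itself
            for mx in records.get((arg or domain, "MX"), []):
                if ip in records.get((mx, "A"), []):
                    return True
    return False

def check_mail_host(records, domain, helo_name, ip):
    # Names of the checks a receiver would fail for a sender greeting as helo_name from ip.
    failures = []
    if ip not in records.get((helo_name, "A"), []):
        failures.append("A")  # HELO name does not resolve to the sending IP
    if helo_name not in records.get((ptr_name(ip), "PTR"), []):
        failures.append("PTR")  # rDNS names a different host, so forward-confirmed rDNS fails
    if helo_name not in records.get((domain, "MX"), []):
        failures.append("MX")  # MX advertises a host other than the one actually sending
    if spf_allows(records, domain, ip) is not True:
        failures.append("SPF")
    return failures

# Constructed from the post's three record sets; 24.15.2.1 is the public IP assumed there.
OK_ZONE = """
mail.domain.com  A  24.15.2.1
domain.com  MX  10 mail.domain.com
domain.com  TXT  "v=spf1 ip4:24.15.2.1 mx:mail.domain.com ~all"
1.2.15.24.in-addr.arpa  PTR  mail.domain.com
"""
OK = parse_records(OK_ZONE)
BAD_SPF = parse_records(OK_ZONE.replace("ip4:24.15.2.1 mx:mail.", "ip4:24.15.2.6 mx:server."))
BAD_A = parse_records(OK_ZONE.replace("mail.domain.com  A  ", "server.domain.com  A  ")
                      .replace("10 mail.", "10 server."))
```

Note that the "OK" set passes SPF only because its ip4: mechanism matches: mx:mail.domain.com asks for the MX records of mail.domain.com itself, which has none, so that mechanism never matches anything.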

 

Author Comment

by:BEKtech
ID: 24122289
The ISP has made the changes to the MX record, but I'm still having them sent back. I'll work on the open relay and see what happens. Thank you for the informative response!
0
 
LVL 38

Accepted Solution

by: Hypercat (Deb) earned 500 total points
ID: 24122633
I did check the DNS records again this morning and saw that you had had the records for exchange.abm1.com added. That's good. It may take a while for those changes to permeate through to all of the domains you regularly send/receive to and from. If you're still seeing the same behavior in 2-3 days, then you will need to check further. However, I also noticed the following result:
mail.abm1.com claims to be non-existent host emailsecurity.abm1.com:
 220 emailsecurity.abm1.com ESMTP SonicWALL (6.2.3.1219)
exchange.abm1.com claims to be non-existent host emailsecurity.abm1.com:
 220 emailsecurity.abm1.com ESMTP SonicWALL (6.2.3.1219)
So, you have a Sonicwall router that apparently is running some kind of software that sends a different header than what you have programmed on your Exchange server.  That would need to be fixed, too.
In the meantime, definitely check out the open relay situation, as that could conceivably cause you far bigger problems.
0
 

Author Comment

by:BEKtech
ID: 24131346
Can I ask where you got that report from?  Thank you for your help!
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 24131680
I use a web service called www.dnsstuff.com.  The tools on that site used to be free, but now you have to pay $36.00 a year for a membership.  Well worth it, IMO, as I use the site frequently to check my and my customers' public DNS zones. You can do a free trial period, though, which might allow you to run the tools you need.  I used one of the basic tools, DNSReports, to check your domain.
0
 

Author Comment

by:BEKtech
ID: 24139853
Thank you for your help. After many hours of checking blacklists, reconfiguring servers, changing MX records, rebuilding connectors, reissuing SSL certs, ...it was my McAfee Trusted Source Rating. I petitioned them, they upgraded my status, and email is flowing once again. Thank you!

Now to work on that open relay....
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 24139922
Wow - that's one I've never run into before, in terms of causing email delivery problems.  Is this a voluntary service that you participate in, or is it something that could happen to anyone?
0
 

Author Comment

by:BEKtech
ID: 24140010
I have never heard of it before, and I'm doing some more research into "Web Trust-Worthiness".  I am just guessing, but I believe it is a higher-end spam service subscription that works like a blacklist.  But I could be wrong.  They are at www.trustedsource.org

FYI, here is the log that I received from one of the domains I could not send to.  Notice the TrustedSource Result line:

-54889:04132009 14:27:19:EHLO=emailsecurity.abm1.com SUBJECT=test for message 126392450
-54889:04132009 14:27:19:Performing TS Lookup <d.1_iUcN1AUbUc60-mhNeqHlZcEbl4jLQNp5ReWoONQqsaIXDgStI0AzSNv6ye.ofibrjs60xhrpietSEtlw2lzq86VnRxWg92gPJV5PfiGhzJf3LUKzmz76tNW.hPz_c7OefmrZSIasogvi5bWlVroQ4opfkk0CCtlIl7X7AXdpwsxt4IBn5eWQ.mzd7VK2vTF9Zk4MINNk7I51kA3Fxx7pCbYnQKNzuf8yWP9zA>
-54889:04132009 14:27:19:TrustedSource Result = (status=136, lookup_ip=66.17.2.58, ipscore=0, score=146, dq_status=0), time=90159.000000
-54889:04132009 14:27:19:Spam Message. Message not queued.
-54889:04132009 14:27:19:Incomplete message transmission, sending cleanup terminator to MSS.
-54889:04132009 14:27:19:Close Data File /ct/data/mss/00/12/63/92/450
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 24140290
Ok, I think I get it.  It sounds somewhat like SenderBase by Ironport. This is a security site that somehow rates email senders in terms of trustworthiness.  I've run across it only because I used and contributed to Spamcop.net in the past, and they were bought out by Ironport. I have no idea exactly what metrics they use or how they gather the statistics, but it sounds like something similar.
0
