Solved

"#554 Transaction Failed Spam Message not queued." and "The following organization rejected your message: ESMTP" errors

Posted on 2009-04-09
Last Modified: 2012-05-06
I have been working on this problem for a few days, and I almost have it figured out. When sending email, a few domains will instantly bounce back an NDR with the error: "The following organization rejected your message: ESMTP". I thought it was a blacklist problem, checked, and everything is clear. Checked Exchange and it has the error "#554 Transaction Failed Spam Message not queued."
I think I have this tracked down to a mismatch between my FQDN and/or DNS so that email fails a reverse lookup by the receiver's server, which then bounces it as spam. The problem is I'm not sure what is supposed to match.

   My setup: (Which I inherited from a retired Admin  :) )
   -  Exchange 2007 is running on the DC named Domain-Server.abm1.local
   -  Under Exchange / Organizational Config / Hub Transport / Send Connectors, my FQDN is exchange.abm1.com.
   -  Under Exchange / Server Config / Hub Transport / Receive Connectors, my FQDN is exchange.abm1.com.
   -  In my DNS I have exchange.abm1.com listed under Forward Lookup Zones with a ns of domain-server.abm1.local and an A record of 172.16.1.2.
   -  Under Reverse lookup I have 172.16.1.2 pointing to domain-server.abm1.local.
   -  Ehlo command to the mail server returns the name of exchange.abm1.com

What am I missing?  
Question by:BEKtech
15 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 24109972
Unless you are hosting your own public DNS zone on your internal DC, then you are checking in the wrong place for your reverse DNS entry.  For external email, the reverse DNS entry has to be in your public DNS zone.  If the public host name that you are using for your mail server is "exchange.abm1.com", then it looks like your server's FQDN is configured correctly. However, if your public FQDN is something else, then you will need to make sure that matches the public FQDN you have set in Exchange 2007. Then, you just have to be sure that the PTR (rDNS) record for the public IP address of this server, on your public DNS zone, is pointing to exchange.abm1.com, or whatever that public FQDN is.
0
 
LVL 6

Expert Comment

by:page1985
ID: 24110067
If your problem is DNS/Config related, any or all of the following may be true:
  1. Your forward lookup (A record) and your reverse lookup (PTR record) do not match.
  2. Your Send Connector that relays mail to the internet does not have a host name that matches your forward (A record) and/or your reverse (PTR record).
  3. You have Sender Policy Framework (SPF) defined in your DNS settings and have specified either an IP address or an MX name as an authorized mail server and your forward (A record), reverse (PTR record), or Send Connector does not use an FQDN that matches an address approved in SPF.

See the code snippet for examples of configurations.  The code snippets assume the public IP of the server is 24.15.2.1

=====Matching (OK) Records=====
mail.domain.com           A          24.15.2.1
domain.com                MX   10    mail.domain.com
domain.com                TXT        "v=spf1 ip4:24.15.2.1 mx:mail.domain.com ~all"
1.2.15.24.in-addr.arpa    PTR        mail.domain.com

=====Mismatching (Bad) SPF Record=====
mail.domain.com           A          24.15.2.1
domain.com                MX   10    mail.domain.com
domain.com                TXT        "v=spf1 ip4:24.15.2.6 mx:server.domain.com ~all"
1.2.15.24.in-addr.arpa    PTR        mail.domain.com

=====Mismatching (Bad) A Record=====
server.domain.com         A          24.15.2.1
domain.com                MX   10    server.domain.com
domain.com                TXT        "v=spf1 ip4:24.15.2.1 mx:mail.domain.com ~all"
1.2.15.24.in-addr.arpa    PTR        mail.domain.com


0
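The three checks listed in the answer above can be run offline against a set of records before asking the ISP to change anything. The following is an added example, not part of page1985's post: it rebuilds the three record sets from the snippet as constructed data, the function names and the HELO names passed in are assumptions, and the SPF evaluation is deliberately limited to `ip4` and `all`.

```python
import ipaddress

def zone(a_name, spf):
    """Constructed records mirroring the snippets above (public IP 24.15.2.1)."""
    return {"A": {a_name: ["24.15.2.1"]},
            "PTR": {"24.15.2.1": ["mail.domain.com"]},
            "TXT": {"domain.com": [spf] if spf else []}}

OK = zone("mail.domain.com", "v=spf1 ip4:24.15.2.1 mx:mail.domain.com ~all")
BAD_SPF = zone("mail.domain.com", "v=spf1 ip4:24.15.2.6 mx:server.domain.com ~all")
BAD_A = zone("server.domain.com", "v=spf1 ip4:24.15.2.1 mx:mail.domain.com ~all")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def fcrdns(z, ip):
    """PTR names for ip whose own A record points back at ip."""
    return [n for n in z["PTR"].get(ip, []) if ip in z["A"].get(n, [])]

def spf_result(z, domain, ip):
    """Simplified SPF: only ip4 and all are evaluated; other mechanisms
    (mx, a, include, ...) are treated as non-matching (assumption of this example)."""
    recs = [t for t in z["TXT"].get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(recs) != 1:
        return "permerror" if recs else "none"
    for term in recs[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith("ip4:") and ipaddress.ip_address(ip) in \
                ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qual]
    return "neutral"

def audit(z, ip, helo, mail_domain):
    """Return findings a receiving filter could hold against the sender."""
    helo, findings = helo.lower().rstrip("."), []
    confirmed = fcrdns(z, ip)
    if not z["PTR"].get(ip):
        findings.append("no PTR record")
    elif not confirmed:
        findings.append("PTR does not forward-confirm")
    if ip not in z["A"].get(helo, []):
        findings.append("HELO name does not resolve to sending IP")
    elif helo not in confirmed:
        findings.append("HELO name differs from PTR name")
    spf = spf_result(z, mail_domain, ip)
    if spf != "pass":
        findings.append("SPF " + spf)
    return findings
```

An empty list from `audit` means the A, PTR, HELO and SPF data agree; it says nothing about reputation-based filtering on the receiving side.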
 

Author Comment

by:BEKtech
ID: 24110748
I checked with our ISP and they had our reverse lookup as mail.abm1.com.  I had them add exchange.abm1.com.  I have to wait for it to propagate, then I'll let you know what happens.  Thank you!
0
 

Author Comment

by:BEKtech
ID: 24116120
I tried to send an email to one of the problem domains and I received the error.  I have been reading that I may need to update / change / or create an SPF record.  I currently do not have an SPF record, but I can make one.  It is strange that this could be the problem when the record never existed.  Any ideas?  Thanks.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 24116801
I think you may have a more serious problem. In checking your domain through DNSStuff's DNSReport, it identified your MX record as pointing to "mail.abm1.com" instead of "exchange.abm1.com." It also returned an open relay result for "mail.abm1.com."  Your PTR record, however, does show up as resolving to "exchange.abm1.com." So, you need to add a new host record on your public DNS zone for "exchange.abm1.com" and also change your MX record to point to that host. I'd do that first, and then you can remove the old host record for "mail.abm1.com" after you make sure everything is working properly. I would also at the same time add an SPF record, just because it's a good thing to have.
0
 

Author Comment

by:BEKtech
ID: 24117792
I may be in over my head :)   Would that indicate that the problem is with my server?  As far as I know no one has changed the MX record to cause the error.  If the record has always been set to mail.abm1.com, wouldn't the FQDN of the Exchange server have to match?

I don't want to pass this information back to my ISP and have them change everything until I double check the server names.
Thanks.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 24122127
The FQDN doesn't have to match in order for you to send and receive email.  DNS doesn't care what your server is advertising as its public FQDN, it only cares that there is an MX record, a matching host record and that the IP address specified for that host record accepts incoming packets on port 25.  Antispam software, however, does care.  It will look at your MX record and check to see if there is a PTR record and an SPF record that match whatever is specified in that MX record.  SPF records can specify other things, too, but basically that's what's going on.  So, if there is a PTR record at all, most systems will accept the mail. However, if there is a PTR record that resolves to a different host name than your MX record, that could cause the behavior you are seeing.
The fact that it's showing up as an open relay - that could be a serious problem.  I recommend first checking your email system settings to be sure that you don't have something configured that would allow relaying through your server by external systems. I would know exactly where to tell you to go for Exchange 2003, but I'm less familiar with Exchange 2007. Here's an article that might be of some help, although it is for the older Exchange versions:
http://support.microsoft.com/kb/895853
0
 

Author Comment

by:BEKtech
ID: 24122289
The ISP has made the changes to the MX record, but I'm still having messages sent back.  I'll work on the open relay and see what happens.  Thank you for the informative response!
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 500 total points
ID: 24122633
I did check the DNS records again this morning and saw that you had had the records for exchange.abm1.com added.  That's good.  It may take a while for those changes to permeate through to all of the domains you regularly send/receive to and from.  If you're still seeing the same behavior in 2-3 days, then you will need to check further.  However, I also noticed the following result:
mail.abm1.com claims to be non-existent host emailsecurity.abm1.com:
220 emailsecurity.abm1.com ESMTP SonicWALL (6.2.3.1219)
exchange.abm1.com claims to be non-existent host emailsecurity.abm1.com:
220 emailsecurity.abm1.com ESMTP SonicWALL (6.2.3.1219)
So, you have a Sonicwall router that apparently is running some kind of software that sends a different header than what you have programmed on your Exchange server.  That would need to be fixed, too.
In the meantime, definitely check out the open relay situation, as that could conceivably cause you far bigger problems.
0
 

Author Comment

by:BEKtech
ID: 24131346
Can I ask where you got that report from?  Thank you for your help!
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 24131680
I use a web service called www.dnsstuff.com.  The tools on that site used to be free, but now you have to pay $36.00 a year for a membership.  Well worth it, IMO, as I use the site frequently to check my and my customers' public DNS zones. You can do a free trial period, though, which might allow you to run the tools you need.  I used one of the basic tools, DNSReports, to check your domain.
0
 

Author Comment

by:BEKtech
ID: 24139853
Thank you for your help.  After many hours of checking blacklists, reconfiguring servers, changing MX records, rebuilding connectors, reissuing SSL certs, ...it was my McAfee Trusted Source Rating.  I petitioned them, they upgraded my status, and email is flowing once again.  Thank you!

Now to work on that open relay....
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 24139922
Wow - that's one I've never run into before, in terms of causing email delivery problems.  Is this a voluntary service that you participate in, or is it something that could happen to anyone?
0
 

Author Comment

by:BEKtech
ID: 24140010
I have never heard of it before, and I'm doing some more research into "Web Trust-Worthiness".  I am just guessing, but I believe it is a higher-end spam service subscription that works like a blacklist.  But I could be wrong.  They are at www.trustedsource.org

FYI, here is the log that I received from one of the domains I could not send to.  Notice the TrustedSource Result line:

-54889:04132009 14:27:19:EHLO=emailsecurity.abm1.com SUBJECT=test for message 126392450
-54889:04132009 14:27:19:Performing TS Lookup <d.1_iUcN1AUbUc60-mhNeqHlZcEbl4jLQNp5ReWoONQqsaIXDgStI0AzSNv6ye.ofibrjs60xhrpietSEtlw2lzq86VnRxWg92gPJV5PfiGhzJf3LUKzmz76tNW.hPz_c7OefmrZSIasogvi5bWlVroQ4opfkk0CCtlIl7X7AXdpwsxt4IBn5eWQ.mzd7VK2vTF9Zk4MINNk7I51kA3Fxx7pCbYnQKNzuf8yWP9zA>
-54889:04132009 14:27:19:TrustedSource Result = (status=136, lookup_ip=66.17.2.58, ipscore=0, score=146, dq_status=0), time=90159.000000
-54889:04132009 14:27:19:Spam Message. Message not queued.
-54889:04132009 14:27:19:Incomplete message transmission, sending cleanup terminator to MSS.
-54889:04132009 14:27:19:Close Data File /ct/data/mss/00/12/63/92/450
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 24140290
Ok, I think I get it.  It sounds somewhat like SenderBase by Ironport. This is a security site that somehow rates email senders in terms of trustworthiness.  I've run across it only because I used and contributed to Spamcop.net in the past, and they were bought out by Ironport. I have no idea exactly what metrics they use or how they gather the statistics, but it sounds like something similar.
0
