[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


Exchange SMTP 5.5.0 "Not permitted to relay" - possible issues with MX record resolution

Posted on 2009-04-11
Medium Priority
Last Modified: 2013-11-30
We have a member of our staff who is attempting to send e-mail to a partner organization (domain barringtongroup.org) and is periodically receiving SMTP 5.5.0 bounce messages which indicate that our Exchange server is unable to relay.  After a great deal of waiting for the intermittent problem to happen again with SMTP logging enabled, it has and it comes to light that the failed relay attempts are connecting to the wrong SMTP server.

It goes like this:  the partner organization uses a web and email services company called Roar Solutions.  The actual mail servers for the domain barringtongroup.org are listed in their MX records to be:

mx1.emailsrvr.com and

which appear to be part of a mail service provided by Rackspace.  In every instance where we have successfully delivered mail to the barringtongroup.org domain, it's been to one of those hosts.  However, the recently logged failure showed an SMTP session (and subsequent relay rejection) with the host  This machine is tin.niatech.ca, which is the primary nameserver listed in the SOA for barringtongroup.org.

It also happens to be, in addition to a nameserver:

a) the web server for barringtongroup.org
b) an SMTP server

which gels with the relay rejection when we try to deliver to the barringtongroup.org domain.

Anyway, three nameservers are listed in the SOA record for barringtongroup.org:


However, tiger.roarsolutions.com is not listed in the NS records at the parent server, and while the MX records for barringtongroup.org are present on the tiger NS, there are no A records for the aforementioned mx1 and mx2 hosts.

Now, I know that when an MX record can't be resolved for a domain successfully, Exchange will fall back on the A record for the domain.  And, no surprise, the A record for barringtongroup.org is for

Therefore, my thinking goes like this:

Successful instances:

1) DNS resolves using tin.niatech.ca, graphite.niatech.ca, or another server with the appropriate MX and A records
2) SMTP connection is made to mx1 or mx2 and the mail goes through

Failed instances:

1) DNS resolves using tiger.roarsolutions.com, which has the MX records but no A records for the MX hosts.  This NS is authoritative, so MX lookup ultimately fails.
2) Exchange falls back to the A record for barringtongroup.org,
3) tells us to buzz off, given that we're trying to relay.

This is what I have put together from the evidence available to me and my (middling) knowledge of DNS.  What I'm really looking for is a confirmation or denial of my suspicions from someone more knowledgeable about DNS than me, as the technical staff at Roar Solutions have flatly asserted that the problem is on our end and I can't agree with that assessment.  I'm really looking to prove my case to them, more than anything else.

Anyone? :-)
Question by:siskinds
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 49

Accepted Solution

Akhater earned 2000 total points
ID: 24122487
well first let me tell you Bravo, i've rarely seen questions put up like this on ee so respects

I have followed your logic and it sounds good to me with one difference

I have used http://network-tools.com/nslook/Default.asp to do the test and it looks like only tin.niatech.ca shows the A records for mx1 and mx2 (http://network-tools.com/nslook/Default.asp?domain=barringtongroup.org&type=15&server=tin.niatech.ca&class=1&port=53&timeout=5000&advanced=true&go.x=0&go.y=0)

whereas graphite.niatech.ca (http://network-tools.com/nslook/Default.asp?domain=barringtongroup.org&type=15&server=graphite.niatech.ca&class=1&port=53&timeout=5000&advanced=true&go.x=12&go.y=9) and tiger.roarsolutions.com (http://network-tools.com/nslook/Default.asp?domain=barringtongroup.org&type=15&server=tiger.roarsolutions.com&class=1&port=53&timeout=5000&advanced=true&go.x=26&go.y=15) fail to do so

I have also noticed that the MX records are pointing to a completely other DNS domain emailsrvr.com. another search on mx1.emailsrvr.com on these same server also shows that tin.niatech.ca can resolve them but graphite.niatech.ca and  tiger.roarsolutions.com doesn't

Author Comment

ID: 24124103

Thanks very much.  You're right, graphite doesn't have the A records either.  Thank you for catching that; I thought it did but I've been looking at too many DNS records recently. ;-)

Here's a quick question to do with the resolution: when the A query is done on tiger or graphite, no direct result is obtained but the A records for the global TLD servers are returned in the ADDITIONAL section of the answer.  If we query one of them for mx1 or mx2, we get the parent nameservers for emailsrvr.com, and then querying one of those parents finally gives an A record for mx1 or 2.

Now, recursive queries are disabled on tin, graphite, and tiger.  Judging from what is happening, it seems that our Exchange server is not making iterative queries back "up" the chain to get the A records; I can understand this, as those queries would add up to a fair bit of latency under certain circumstances.  Am I correct then in guessing that Exchange's default behaviour is to not perform iterative queries and just fall back on the A record as I discussed in my original post?

Do resolvers ever go back "upstream" to parent nameservers based on the records returned in the ADDITIONAL section of a response?

Anyway, that question may be a bit too broad at the end. :-)  I'm just trying to put the final shells in the proverbial arsenal.  Thanks very much again for your help, Akhater, whenever I close this question you've earned your share of the points.

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
Are you an Exchange administrator employed with an organization? And, have you encountered a corrupt Exchange database due to which you are not able to open its EDB file. This article will explain all the steps to repair corrupt Exchange database.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question