• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1341
  • Last Modified:

550 Sender verify failed

My company can't email to a particular domain and we are getting the following error:

550-No such person at this address" 550 Sender verify failed ##

We use Exchange 2007, Forefront Server Security, SBS 2008 and Smoothwall Corporate Firewall 5.

Is there anything that I can do at my end to facilitate what seems to be "Sender Address Verification".
My MX record is correctly pointing to an A name.
If not, then what do I need to ask the other domain to do? They insist that it's my problem, so I need to be specific. We have no problems emailing other domains, and they seem to be able to email to us successfully.
BTW I have checked 122 SPAM Blacklists and we are not on them
0
fayr_mat
Asked:
fayr_mat
  • 11
  • 10
  • 2
1 Solution
 
Chris DentPowerShell DeveloperCommented:

You will also need a correctly configured PTR record to be able to send out mail reliably. That particular message is one of the more common responses when the PTR record does not match.

You can test this as follows:

nslookup server.yourdomain.com

Where server.yourdomain.com is the public name of your SMTP server. That should return a public IP address which allows you to run:

nslookup 1.2.3.4

Where 1.2.3.4 should be replaced with the public IP above. That should return the name of the server again (server.yourdomain.com).

In addition to those your Mail Server must hand out a public name with the EHLO / HELO command. This is set in the properties for the Send Connector if Exchange 2007 is sending out directly (not via a Smart Host).

If you find the lookup for the IP returns a different name, or no name, you must contact your ISP, or whoever manages the Internet connection your mail server uses. It will be there responsibility to change the PTR (Reverse Lookup) record in almost all cases.

Chris
0
 
fayr_matAuthor Commented:
OK... thanks. My DNS records (A,PTR, MX) seem to be ok, though my Mail server send connector was handing out a different name. I've corrected that. Thankyou
How long does it take for it all to start working again?
Or is there something else I need to do? Or something I need to ask them to do?
0
 
Chris DentPowerShell DeveloperCommented:

If it was nothing more than the Send Connector name it should work immediately.

DNS changes take longer and would have created a delay.

Chris
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
fayr_matAuthor Commented:
OK, I am still getting the same error message. I know this sounds strange, but should my firewall have port 25 open from the outside in? I figured you are supposed to have it blocked due to open relay risks.. but could that be the issue?
What port does this Sender Address Verification work on?
0
 
Chris DentPowerShell DeveloperCommented:

> I know this sounds strange, but should my firewall have port 25 open from the outside in?

Only if you're expecting to receive inbound mail on that system.

It depends exactly on which test they're performing, there are a number of them. The most intrusive is where it attempts to send an email back to the message sender, dropping the message if the sender refuses to accept inbound mail. That should use your MX record though.

The most widely used is reverse lookup, where it checks all the names used by your server match up. That is, the SMTP service name, the response to "nslookup name.domain.com" and the response to "nslookup 1.2.3.4" must all match.

It's perhaps worth checking for an SPF record on your domain. If you have one, but your server isn't included mail will be rejected. You can check that with:

nslookup -q=txt domain.com

If present it will look very vageuly like:

v=spf1 mx -all

Chris
0
 
fayr_matAuthor Commented:
The nslookup -q=txt domain.com comes back with a
responsible mail addr =  admin.xxxx.net.au
Where xxx is our web hoster (and incidentally the domain that we can't email)

The domain we are trying to email is our web hoster, and other email domains hosted by them. We are apparently unusual in that they host our domain records, but we have our own email server.

Have they made a mistake? And if so, what do I tell them to fix?
0
 
Chris DentPowerShell DeveloperCommented:

Can you share the mail server name / domain name?

Chris
0
 
fayr_matAuthor Commented:
i'd prefer not to make it public. Can I private message you? Perhaps are you on facebook or livejournal?
0
 
Chris DentPowerShell DeveloperCommented:

My e-mail address is in my profile on here, albeit slightly obscured/

Chris
0
 
fayr_matAuthor Commented:
email on it's way. happy to continue discussion on this site though.. so that it helps someone else.
0
 
MesthaCommented:
That looks like a call back test. The remote server attempts to connect back to the system that is sending the email. If it fails to connect then the message will be rejected. The theory is that a compromised home user's system sending spam wouldn't answer an inbound port 25 request.

Do you route your email out directly or through whatever host receives the email? You must have port 25 open somewhere to receive email. If your email comes in through another host then you may have to route email out through that host.

Simon.
0
 
Chris DentPowerShell DeveloperCommented:

Smoothwall is receiving your regular inbound mail for you on that one, does Exchange send out using the same IP address and name?

Chris
0
 
fayr_matAuthor Commented:
possibly a different IP address and name. where would i configure that?
0
 
Chris DentPowerShell DeveloperCommented:

On your Firewall, it will be the Outbound NAT for the mail server. If it's not explicitly configured chances are it will use the main IP address of the Firewall. Do you have a lot of static IP addresses?

Chris
0
 
Chris DentPowerShell DeveloperCommented:

Don't worry about that, just looked at the header of the message you sent mail.

It looks like mail you're sending out is coming from smoothwall, Exchange seems to be using that as a SmartHost.

You may consider checking the hostname on smoothwall, making sure it hands out the "mail." name for inbound connections as well.

Chris
0
 
fayr_matAuthor Commented:
OK, I've renamed the smoothwall (btw thanks for spending all this time on it), and my test message got bounced back again.
are you able to check again (or tell me how to check the external SMTP)
do i need to open SMTP from outside like Mestha said? What is the risk if I do it?
0
 
Chris DentPowerShell DeveloperCommented:

Re: opening SMTP: No, because the server sending mail out is the same one as receiving. It's already open as wide as it needs to be.

If you can send a mail to an external account and take a look at the message header you're looking for the point where it switches between your system and the external system. Looks like this:

Received: from yourserver.domain.com (yourserver.domain.com [1.2.3.4])
      by smtp-in-77.mymailserver.co.uk (Postfix) with ESMTP id 2D558EFC4F0
      for <me@mydomain.co.uk>; Thu, 16 Apr 2009 14:53:53 +0100 (BST)

This is the point where it moves from your server to mine, and where it will be failing that test for whatever reason. From here, it looks absolutely fine, everything matches up.

Chris
0
 
fayr_matAuthor Commented:
Received: from mail.mycompany.com (mail.mycompany.com [x.x.x.x])
     by smarty16.smartyserver.com.au (8.13.1/8.12.11) with ESMTP id n3GFDM9c022211
     for <user@external.net>; Fri, 17 Apr 2009 01:13:23 +1000
Received: from mycompany01.mycompany.local ([fe20::8c30:6e5d:230f:259e])
     by mycompany01.mycompany.local ([fe30::8360:6e4d:222f:258e%14]) with
     mapi; Fri, 17 Apr 2009 01:13:21 +1000


Would the "mycompany01.mycompany.local" be an issue?
0
 
MesthaCommented:
No.
The remote server doesn't see that when it generates the NDR. The only thing it sees is how the server is announcing itself during the initial connection. That .local entry is history, has nothing to do with the live email transfer.

Simon.
0
 
Chris DentPowerShell DeveloperCommented:

Nope, that just shows Exchange delivering it to your smoothwall device. The recipient is very unlikely to, and has no business checking that far back in the chain.

I'm running out of possible reasons for them to reject mail from you. The sender address is presumably valid?

I guess they wouldn't be a little more specific about the reason they reject?

Chris
0
 
fayr_matAuthor Commented:
the web hoster and i are not on positive speaking terms due to some stuffups they made with our MX records in the last couple of months.  he won't let me talk to his email server administrator to troubleshoot the issue and is says they're not having this issue with anyone else. *sigh*. I'm planning to take all our domain records back from them. I have no ownership of the website, so I can't control that.. but I can definitely get my MX records back.
The main issue is the other companies that he hosts... we can't email them either. With exactly the same error message.

You've been a gem. All I can do now is just push back.
0
 
fayr_matAuthor Commented:
Thanks for your time and effort. If I get any response from the hoster, I'll attach it here (or email you).
0
 
Chris DentPowerShell DeveloperCommented:

Hmmm I hope you manage to get it sorted out, sorry we couldn't come up with anything more concrete.

Chris
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 11
  • 10
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now