fayr_mat


550 Sender verify failed

My company can't email to a particular domain and we are getting the following error:

550-No such person at this address" 550 Sender verify failed ##

We use Exchange 2007, Forefront Server Security, SBS 2008 and Smoothwall Corporate Firewall 5.

Is there anything that I can do at my end to facilitate what seems to be "Sender Address Verification"?
My MX record is correctly pointing to an A name.
If not, then what do I need to ask the other domain to do? They insist that it's my problem, so I need to be specific. We have no problems emailing other domains, and they seem to be able to email to us successfully.
BTW I have checked 122 SPAM Blacklists and we are not on them.
Chris Dent


You will also need a correctly configured PTR record to be able to send out mail reliably. That particular message is one of the more common responses when the PTR record does not match.

You can test this as follows:

nslookup server.yourdomain.com

Where server.yourdomain.com is the public name of your SMTP server. That should return a public IP address which allows you to run:

nslookup 1.2.3.4

Where 1.2.3.4 should be replaced with the public IP above. That should return the name of the server again (server.yourdomain.com).

In addition to those, your Mail Server must hand out a public name with the EHLO / HELO command. This is set in the properties for the Send Connector if Exchange 2007 is sending out directly (not via a Smart Host).

If you find the lookup for the IP returns a different name, or no name, you must contact your ISP, or whoever manages the Internet connection your mail server uses. It will be their responsibility to change the PTR (Reverse Lookup) record in almost all cases.

Chris
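The three lookups described in the answer above can be combined into one consistency check. This is an added example, not code from the thread; the host names, the 192.0.2.10 address and the in-memory zone data are constructed, and the default resolvers use the system's DNS.

```python
import socket

def resolve_a(name):
    """Forward lookup: all IPv4 addresses for a host name."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def resolve_ptr(ip):
    """Reverse lookup: the PTR name for an address, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def norm(name):
    return name.rstrip(".").lower() if name else None

def check_mail_identity(helo_name, public_ip, a=resolve_a, ptr=resolve_ptr):
    """Return a list of mismatches between the HELO name, PTR and A records."""
    problems = []
    ptr_name = norm(ptr(public_ip))
    if ptr_name is None:
        problems.append(f"no PTR record for {public_ip}")
    else:
        if public_ip not in a(ptr_name):
            problems.append(f"PTR {ptr_name} does not resolve back to {public_ip}")
        if ptr_name != norm(helo_name):
            problems.append(f"HELO {helo_name} differs from PTR {ptr_name}")
    if public_ip not in a(helo_name):
        problems.append(f"HELO {helo_name} does not resolve to {public_ip}")
    return problems

# Constructed zone data (documentation address range), standing in for live DNS
A_RECORDS = {"mail.example.com": {"192.0.2.10"}, "fw.example.com": {"192.0.2.10"}}
PTR_RECORDS = {"192.0.2.10": "mail.example.com."}
fake_a = lambda n: A_RECORDS.get(norm(n), set())
fake_ptr = lambda ip: PTR_RECORDS.get(ip)

if __name__ == "__main__":
    for helo in ("mail.example.com", "fw.example.com", "server01.example.local"):
        result = check_mail_identity(helo, "192.0.2.10", fake_a, fake_ptr)
        print(helo, "->", result or "consistent")
```

Calling `check_mail_identity` without the last two arguments runs the same checks against real DNS for the name your Send Connector announces.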
fayr_mat

ASKER

OK... thanks. My DNS records (A, PTR, MX) seem to be OK, though my mail server Send Connector was handing out a different name. I've corrected that. Thank you.
How long does it take for it all to start working again?
Or is there something else I need to do? Or something I need to ask them to do?

If it was nothing more than the Send Connector name it should work immediately.

DNS changes take longer and would have created a delay.

Chris
OK, I am still getting the same error message. I know this sounds strange, but should my firewall have port 25 open from the outside in? I figured you are supposed to have it blocked due to open relay risks... but could that be the issue?
What port does this Sender Address Verification work on?

> I know this sounds strange, but should my firewall have port 25 open from the outside in?

Only if you're expecting to receive inbound mail on that system.

It depends exactly on which test they're performing; there are a number of them. The most intrusive is where it attempts to send an email back to the message sender, dropping the message if the sender refuses to accept inbound mail. That should use your MX record though.

The most widely used is reverse lookup, where it checks all the names used by your server match up. That is, the SMTP service name, the response to "nslookup name.domain.com" and the response to "nslookup 1.2.3.4" must all match.

It's perhaps worth checking for an SPF record on your domain. If you have one, but your server isn't included, mail will be rejected. You can check that with:

nslookup -q=txt domain.com

If present it will look very vaguely like:

v=spf1 mx -all

Chris
The nslookup -q=txt domain.com comes back with a
responsible mail addr =  admin.xxxx.net.au
Where xxx is our web hoster (and incidentally the domain that we can't email)

The domain we are trying to email is our web hoster, and other email domains hosted by them. We are apparently unusual in that they host our domain records, but we have our own email server.

Have they made a mistake? And if so, what do I tell them to fix?

Can you share the mail server name / domain name?

Chris
I'd prefer not to make it public. Can I private message you? Perhaps you are on Facebook or LiveJournal?

My e-mail address is in my profile on here, albeit slightly obscured.

Chris
Email on its way. Happy to continue discussion on this site though, so that it helps someone else.
That looks like a call back test. The remote server attempts to connect back to the system that is sending the email. If it fails to connect then the message will be rejected. The theory is that a compromised home user's system sending spam wouldn't answer an inbound port 25 request.

Do you route your email out directly or through whatever host receives the email? You must have port 25 open somewhere to receive email. If your email comes in through another host then you may have to route email out through that host.

Simon.

Smoothwall is receiving your regular inbound mail for you on that one, does Exchange send out using the same IP address and name?

Chris
Possibly a different IP address and name. Where would I configure that?

On your Firewall, it will be the Outbound NAT for the mail server. If it's not explicitly configured chances are it will use the main IP address of the Firewall. Do you have a lot of static IP addresses?

Chris
ASKER CERTIFIED SOLUTION
Chris Dent
OK, I've renamed the Smoothwall (btw thanks for spending all this time on it), and my test message got bounced back again.
Are you able to check again (or tell me how to check the external SMTP)?
Do I need to open SMTP from outside like Mestha said? What is the risk if I do it?

Re: opening SMTP: No, because the server sending mail out is the same one as receiving. It's already open as wide as it needs to be.

If you can send a mail to an external account and take a look at the message header you're looking for the point where it switches between your system and the external system. Looks like this:

Received: from yourserver.domain.com (yourserver.domain.com [1.2.3.4])
      by smtp-in-77.mymailserver.co.uk (Postfix) with ESMTP id 2D558EFC4F0
      for <me@mydomain.co.uk>; Thu, 16 Apr 2009 14:53:53 +0100 (BST)

This is the point where it moves from your server to mine, and where it will be failing that test for whatever reason. From here, it looks absolutely fine, everything matches up.

Chris
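The header check described in the post above, as an added example that is not part of the thread: it finds the hop where mail leaves your own hosts and compares the announced HELO name with the reverse-DNS name the receiver recorded. The sample headers, host names and `OWN_DOMAINS` are constructed, and the pattern assumes the `from name (rdns [ip]) by host` layout shown above.

```python
import re

# "from <HELO name> (<reverse-DNS name> [<ip>]) by <receiving host>"
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)", re.I)

def parse_hops(raw_headers):
    """Unfold continuation lines; return one dict per parsable Received header."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    hops = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            m = HOP.search(line)
            if m:
                hops.append(m.groupdict())
    return hops

def handoff(hops, own_domains):
    """Oldest hop that was accepted by a host outside our own domains."""
    def ours(host):
        return any(host.lower().endswith(d) for d in own_domains)
    for hop in reversed(hops):  # headers are stored newest-first
        if not ours(hop["by"]):
            result = dict(hop)
            result["helo_matches_rdns"] = (
                hop["rdns"] is not None
                and hop["rdns"].lower() == hop["helo"].lower())
            return result
    return None

# Constructed sample headers modelled on the layout in the post above
SAMPLE = """Received: from mail.example.com (mail.example.com [192.0.2.10])
     by mx1.recipient.example (8.13.1/8.12.11) with ESMTP id CONSTRUCTED01
     for <user@recipient.example>; Fri, 17 Apr 2009 01:13:23 +1000
Received: from srv01.example.local ([fe80::1])
     by srv01.example.local ([fe80::1%14]) with
     mapi; Fri, 17 Apr 2009 01:13:21 +1000
Subject: test
"""
OWN_DOMAINS = (".example.com", ".example.local")  # leading dot avoids suffix look-alikes

if __name__ == "__main__":
    print(handoff(parse_hops(SAMPLE), OWN_DOMAINS))
```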
Received: from mail.mycompany.com (mail.mycompany.com [x.x.x.x])
     by smarty16.smartyserver.com.au (8.13.1/8.12.11) with ESMTP id n3GFDM9c022211
     for <user@external.net>; Fri, 17 Apr 2009 01:13:23 +1000
Received: from mycompany01.mycompany.local ([fe20::8c30:6e5d:230f:259e])
     by mycompany01.mycompany.local ([fe30::8360:6e4d:222f:258e%14]) with
     mapi; Fri, 17 Apr 2009 01:13:21 +1000


Would the "mycompany01.mycompany.local" be an issue?
No.
The remote server doesn't see that when it generates the NDR. The only thing it sees is how the server is announcing itself during the initial connection. That .local entry is history, has nothing to do with the live email transfer.

Simon.

Nope, that just shows Exchange delivering it to your smoothwall device. The recipient is very unlikely to, and has no business checking that far back in the chain.

I'm running out of possible reasons for them to reject mail from you. The sender address is presumably valid?

I guess they wouldn't be a little more specific about the reason they reject?

Chris
The web hoster and I are not on positive speaking terms due to some stuff-ups they made with our MX records in the last couple of months. He won't let me talk to his email server administrator to troubleshoot the issue and says they're not having this issue with anyone else. *sigh*. I'm planning to take all our domain records back from them. I have no ownership of the website, so I can't control that, but I can definitely get my MX records back.
The main issue is the other companies that he hosts... we can't email them either. With exactly the same error message.

You've been a gem. All I can do now is just push back.
Thanks for your time and effort. If I get any response from the hoster, I'll attach it here (or email you).

Hmmm I hope you manage to get it sorted out, sorry we couldn't come up with anything more concrete.

Chris