Solved

Relay access denied when sending? #5.5.0 smtp;554

Posted on 2009-07-01
6
1,063 Views
Last Modified: 2012-05-07
I've run into a strange issue where we are getting a "relay access denied" NDR generated by our Exchange server while trying to send to someone outside of the domain.  The error can be easily recreated in Telnet.

The facts:
 - Exchange 2003
 - Windows Server 2003
 - Mail is hosted within domain.  Using Outlook XP - 2007
 - Authentication is required to send, however, authentication is handled through AD
 - Telnetting port 25 creates the same error message.
 - USER@YYY.com = My address -- XXX@XXX.COM = Recipient's address

I'm thinking this has something to do with the recipient's email server since they're the only domain that we cannot send to.

Here's what's happened:

 - One of my users complained about NDR when sending to XXX@XXX.COM

 - Telnetted into port 25 of my email server -- mail from: USER@YYY.COM - Sender OK (this is our sender in our domain)

 - RCPT TO: XXX@XXX.COM - 550 5.7.1 Unable to relay for XXX@XXX.COM

 - NDR text shows different error code: "There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator. <mail.XYZ.com #5.5.0 smtp;554 <XXX@XXX.com>: Relay access denied>"

 - NDR is generated by my mail server.

Expert help needed:

 - Is this our issue or theirs?
 - If it's our issue, what steps can I take to resolve it?  We have authentication needed to send mail, but authentication should be happening through AD since we're all connected to the domain.  Plus, if I'm not mistaken, we're trying to relay for OUR user, NOT their user...which is weird to me.

If I had to take a guess:

 - MX record for XXX.COM (recipient's domain) shows that they have an external hosting firm.  
 - My guess, they've recently changed mail hosting firms and the rest of the world hasn't caught up yet.  The error in relaying is the old hosting firm saying "we don't handle this user"
 - I could be wrong...it wouldn't be the first time.

Thank you all for your future suggestions and input.
0
Comment
Question by:liscr
  • 3
  • 3
6 Comments
 
LVL 14

Expert Comment

by:RickEpnet
ID: 24756487
Are the Coldfusion and the Exchange server on the same network?

In the Exchange server go into the system manager and expand ot you server then expand protocols expand SMTP and click on Default SMTP virtual server right click and then click on properties then click on the access tab. Click on the relay button. I assume you have it set to  "Only the list below" if so then add the IP address of the Coldfusion server into that list.

See if that helps.

Regarding above: With out true domain names it is had to tell where the problem lies.
0
 
LVL 14

Expert Comment

by:RickEpnet
ID: 24756495
Sorry I was in the wrong category.

Still Regarding above: With out true domain names it is had to tell where the problem lies.

It would help to know the domain namse.
0
 

Author Comment

by:liscr
ID: 24756841
The sending domain is liscr.com
The recipient domain is merlinco.com
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 14

Accepted Solution

by:
RickEpnet earned 500 total points
ID: 24756937
Do you use any RBL's?

merlinco.com is listed on backscatterer.org.

Their low MX records are in0.armourplate.net, in1.armourplate.net and in2.armourplate.net
in0.armourplate.net.      A      IN      28800      195.167.168.83
0
 

Author Comment

by:liscr
ID: 24757356
I believe our firewall uses Spamhaus, and we have ninja spam filter by Sunbelt software on our exchange server.  I'm not sure if Exchange itself subscribes to any lists or if that's possible, I've been maintaining an already set up network.

I just went to DNSStuff and did a "send email" test to them and they got the same response, relay access denied.  I could call the client tomorrow and let them know that their email server is messed up...but at this point, I like trying to figure out what's wrong with it.

Thank you for your help, I'm convinced it's their issue.  Backscatter.org, I believe blacklists improperly configured email servers that don't handle NDR's properly (if I remember correctly what "backscatter" is in the IT world)  I think that's why we can't send to them.

Thanks for your help, solution accepted!
0
 

Author Closing Comment

by:liscr
ID: 31598858
Thank you for your prompt help!!
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
how to add IIS SMTP to handle application/Scanner relays into office 365.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now