  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1624

Exchange 2003 Relay errors

Running Exchange 2003 on Windows 2003; single instance of Exchange (does OWA, mailboxes, ActiveSync, etc).  

When sending emails, we are getting
"smtp;553 5.3.0: relaying is NOT allowed here"
"#5.5.0 smtp;550 Invalid address"
"#5.5.0 smtp;550 #5.1.0 Address rejected"
from known good email addresses.  

I saw a post to turn OFF anonymous access to SMTP, but then we won't receive email.  We have 1 SMTP Virtual Server with a name of our FQDN of the mail server.

Under Authentication on the SMTP Virtual Server I have enabled "Anonymous Access" and "Integrated Windows Authentication".  Under Relay "Only the list below" which is empty , UNCHECKED is "Allow all computers which successfully authenticate to relay...."  and under Users is empty.  

In front of my Exchange server I have a firewall and a Trend Micro IGSA filtering SPAM and scanning for Viruses.  I'm not an Exchange expert, looking for a way to get us able to send email again.  

I ran a test at www.test-smtp.com against my mail server and got this:

>>> RSET
<<< 250 2.0.0 OK
>>> MAIL FROM: <test@spam.com>
<<< 250 2.0.0 Resetting
>>> RCPT TO: <test@spam.com>
<<< 250 2.1.0 test@spam.com....Sender OK
0
supprteng
Asked:
 
Alan Hardisty Commented:
Please run through the contents of my FAQ about problems sending mail to other domains which might show up some configurational issues your end:
http://www.it-eye.co.uk/faqs/readQuestion.php?qid=2

Don't turn off anonymous authentication; as you correctly say, you won't receive any mail.
0
 
Rajith Enchiparambil (Office 365 & Exchange Architect) Commented:
Create a test account and run SMTP email tests on the Microsoft test site.

https://www.testexchangeconnectivity.com It will flag any issues.
0
 
supprteng (Author) Commented:
Under www.testexchangeconnectivity.com -
Outbound SMTP Test all green.
Inbound SMTP Test I get all green:
Testing the MX mail.ehclifebuilders.org for open relay by trying to relay to user Admin@TestExchangeConnectivity.com
  Open Relay test passed. This mx is not an open relay
   Additional Details
  The open relay test message delivery failed (a good thing).
The exception detail is:
Exception Details:
Message: Mailbox unavailable. The server response was: 5.7.1 Unable to relay for Admin@TestExchangeConnectivity.com
Type: System.Net.Mail.SmtpFailedRecipientException
Stack Trace:
at System.Net.Mail.SmtpTransport.SendMail(MailAddress sender, MailAddressCollection recipients, String deliveryNotify, SmtpFailedRecipientException& exception)
at System.Net.Mail.SmtpClient.Send(MailMessage message)
at Microsoft.Exchange.Tools.ExRca.Tests.SmtpOpenRelayTest.PerformTestReally()
 
 
0
 
Alan Hardisty Commented:
That's all good news.

Have you looked at my FAQ yet?
0
 
supprteng (Author) Commented:
Results of the FAQ tests....

Reverse DNS on public IP address is the correct FQDN of the mail server.
We get a Red Circle stating "may be an open relay"
Reverse DNS matches SMTP Banner
   Unable to relay for test@example.com
Negative for hits on blacklists
IP Reputation is Neutral for Email and Web
v=spf1 a mx a:internalservername.externaldomainname a: FQDN ~all
0
 
Alan Hardisty Commented:
The "May be an open relay" is not encouraging ;-(
Can you test on this site please for Open Relay:
http://www.checkor.com/ 
0
 
supprteng (Author) Commented:
Ran the tests on checkor against my mail server IP; all came back unable to relay.
0
 
Alan Hardisty Commented:
Good - that's a relief.
Please can you describe your outbound mail-flow route e.g., Exchange, Firewall, Smart-Host / DNS Routed Mail.
Also, please can you download and run the Exchange 2003 Best Practices Analyzer tool and see what that brings up:
http://www.microsoft.com/downloads/details.aspx?FamilyID=DBAB201F-4BEE-4943-AC22-E2DDBD258DF3&displaylang=en 
0
 
supprteng (Author) Commented:
Working on the Analyzer...
Email flow:

Internet - Internet Router - Firewall - Trend IGSA Spam/AV filter - Exchange
0
 
Alan Hardisty Commented:
That all seems quite normal.

I take it that the Trend IGSA is a hardware device?

Has this been updated lately?

Have you rebooted it recently?

Are there any firmware / software updates for it?
0
 
supprteng (Author) Commented:
IGSA is a hardware pass-through appliance.  It does not do any NAT.  I look at the email headers from my domain and they show the correct FQDN and public IP.

Just the generic updates for SPAM/AV definitions.  

I'm turning off outbound SMTP scanning for fun.  I can reboot it this weekend.  

It has the latest and greatest firmware/software.

One oddity to add to the mix.  I can email my gmail account, no problem.  I sent from my work account to gmail an email with an embedded picture and weblinks.  It got denied (error below).  I resent the email, no bounce back error.    
<mail.mydomainname.org #5.5.0 smtp;550 relaying denied for <*******@gmail.com>>
0
 
Alan Hardisty Commented:
Do you want to send a test email to me at alan @ it-eye.co.uk?

Would be good to see if anything arrives.
0
 
supprteng (Author) Commented:
@Alan - 2 emails sent.  1 with just plain ol' text.  1 with the image in the body that bombed with Gmail but then upon being resent was accepted by GMail.  Another example of similar activity was an email sent out with a PPT attachment that had the same experience with Gmail.  I know the problem is not limited to Gmail, as it went to other email accounts outside of gmail....assuming gmail isn't hosting or filtering their email.
0
 
Alan Hardisty Commented:
Both emails received happily.
0
 
supprteng (Author) Commented:
I changed my Exchange logging and was able to obtain this:

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7004
Date:            1/11/2010
Time:            1:50:52 PM
User:            N/A
Computer:      MAILSERVER
Description:
This is an SMTP protocol error log for virtual server ID 1, connection #127. The remote host "206.190.54.127", responded to the SMTP command "rcpt" with "550 relaying denied for <s********y@hotmail.com>  ". The full command sent was "RCPT TO:<s********y@hotmail.com>  ".  This will probably cause the connection to fail.

This was a real email, was an email reply to the hotmail account, the email was sent to 4 people.

I logged into my home PC (thank you logmein) and tried to send a relay email via telnet, it was denied.

Ideas?
0
 
supprteng (Author) Commented:
SMTP Log:

I used www.dnstoolbox to confirm we are not a relay.  It was not able to relay a message.  I verified my FQDN matches my reverse DNS entry.

2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 220+mta1028.mail.re4.yahoo.com+ESMTP+YSmtp+service+ready 0 0 56 0 203 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER - 25 EHLO - mail.mydomain.org 0 0 4 0 203 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 250-mta1028.mail.re4.yahoo.com 0 0 30 0 297 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 250-8BITMIME 0 0 12 0 468 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER - 25 MAIL - FROM:<J*******y@mydomain.org>+SIZE=15964 0 0 4 0 468 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 250+sender+<j*******y@mydomain.org>+ok 0 0 45 0 562 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER - 25 RCPT - TO:<s********y@hotmail.com> 0 0 4 0 562 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 550+relaying+denied+for+<s********y@hotmail.com> 0 0 48 0 640 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER - 25 RSET - - 0 0 4 0 640 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 250+reset+ok 0 0 12 0 734 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER- 25 QUIT - - 0 0 4 0 812 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVERR- 25 - - 221+mta1028.mail.re4.yahoo.com 0 0 30 0 890 SMTP - - - -
0
 
Alan Hardisty Commented:
You seem to be trying to send mail to HOTMAIL.COM via YAHOO.COM mail servers.
Have you got a specific connector setup to send mail direct to YAHOO.COM with HOTMAIL.COM in the address space?
If I try the same - connecting to YAHOO.COM mail servers and try to email someone at HOTMAIL.COM, I get the same.
Your configuration on your connectors is probably to blame.  Please check them and make sure you don't have anything described above.  The same applies to any other domains you are trying to send directly via another server other than the specific one that handles mail for that domain.
0
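The comparison made in the reply above (which host answered versus which domain the recipient belongs to) can be run over a whole SMTPSVC log. This is an added example, not part of the original thread; the function name, the sample addresses and the second session are constructed, and the field positions assume the log layout shown in the post above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the SMTPSVC1 lines in this thread
# (addresses and the second session are placeholders).
SAMPLE_LOG = """\
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 220+mta1028.mail.re4.yahoo.com+ESMTP+YSmtp+service+ready 0 0 56 0 203 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER - 25 EHLO - mail.mydomain.org 0 0 4 0 203 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER - 25 RCPT - TO:<user@hotmail.com> 0 0 4 0 562 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 550+relaying+denied+for+<user@hotmail.com> 0 0 48 0 640 SMTP - - - -
2010-01-11 21:51:02 192.0.2.10 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 220+mx1.example.net+ESMTP 0 0 30 0 110 SMTP - - - -
2010-01-11 21:51:02 192.0.2.10 OutboundConnectionCommand SMTPSVC1 MAILSERVER - 25 RCPT - TO:<bob@example.net> 0 0 4 0 200 SMTP - - - -
2010-01-11 21:51:02 192.0.2.10 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 250+recipient+ok 0 0 16 0 260 SMTP - - - -
"""

def find_rejected_recipients(log_text):
    """Return one finding per RCPT TO that the remote host answered with 5xx."""
    sessions = defaultdict(lambda: {"banner": "", "rcpt": None})
    findings = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 11 or not f[3].startswith("OutboundConnection"):
            continue
        remote_ip, kind, verb = f[2], f[3], f[8]
        text = f[10].replace("+", " ")      # the log writes spaces as '+'
        s = sessions[remote_ip]             # assumes one connection per IP at a time
        if kind.endswith("Command"):
            m = re.search(r"@([^>\s]+)>", text) if verb == "RCPT" else None
            s["rcpt"] = m.group(1).lower() if m else None
        elif text.startswith("220"):        # greeting: remember who answered
            s["banner"] = (text[4:].split() or [""])[0].lower()
            s["rcpt"] = None
        elif re.match(r"5\d\d", text) and s["rcpt"]:
            banner, domain = s["banner"], s["rcpt"]
            findings.append({
                "remote_ip": remote_ip, "banner": banner,
                "rcpt_domain": domain, "response": text,
                # Heuristic: greeting host is not under the recipient's domain.
                "banner_mismatch": not (banner == domain
                                        or banner.endswith("." + domain)),
            })
    return findings

if __name__ == "__main__":
    for finding in find_rejected_recipients(SAMPLE_LOG):
        print(finding)
```

A mismatch is only a hint, because many domains legitimately publish MX hosts under another name; confirm it against an MX lookup for the recipient domain before changing connector or DNS settings.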
 
supprteng (Author) Commented:
I have 2 connectors under Routing Groups\A150 Mail\Connectors

Calendar Connector and Internet Mail SMTP Connector
On the Internet SMTP Connector, my settings are:
  - General Tab: Use DNS to route to each address space; local bridgehead is MAILSERVER and mail.mydomain.org
  - Content Restrictions Tab: All selected excluding Allowed Sizes
  - Delivery Reports Tab: Connection time: Always run
  - Advanced Tab: Only "Do not send ETRN/TURN" is selected
  - Address Space Tab: SMTP  *  1, Entire Organization
  - Connected Routing Groups: empty
  - Delivery Restrictions Tab: emails all accepted.
0
 
Alan Hardisty Commented:
Okay - that looks correct!
What do you get if you do the following:
Start> Run> {type} CMD {press enter}
{type} nslookup {press enter}
{type} set q=mx {press enter}
{type} hotmail.com {press enter}
0
 
supprteng (Author) Commented:
> set q=mx
> hotmail.com
Server:  dc.domain.local
Address:  10.1.1.25

hotmail.com     MX preference = 5, mail exchanger = mx2.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx3.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx4.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx1.hotmail.com
mx2.hotmail.com internet address = 65.55.92.152
mx2.hotmail.com internet address = 65.55.37.88
mx2.hotmail.com internet address = 65.55.37.120
mx2.hotmail.com internet address = 65.55.37.72
mx2.hotmail.com internet address = 65.55.37.104
mx2.hotmail.com internet address = 65.55.92.136
mx2.hotmail.com internet address = 65.55.92.168
mx2.hotmail.com internet address = 65.55.92.184
mx2.hotmail.com internet address = 65.54.188.94
mx2.hotmail.com internet address = 65.54.188.110
mx2.hotmail.com internet address = 65.54.188.126
mx2.hotmail.com internet address = 65.54.188.72
mx3.hotmail.com internet address = 65.55.37.120
mx3.hotmail.com internet address = 65.55.92.152
mx3.hotmail.com internet address = 65.55.37.88
mx3.hotmail.com internet address = 65.55.92.136
mx3.hotmail.com internet address = 65.55.92.184
mx3.hotmail.com internet address = 65.54.188.72
mx3.hotmail.com internet address = 65.54.188.94
mx3.hotmail.com internet address = 65.54.188.110
mx3.hotmail.com internet address = 65.54.188.126
mx3.hotmail.com internet address = 65.55.92.168
mx3.hotmail.com internet address = 65.55.37.72
mx3.hotmail.com internet address = 65.55.37.104
>
0
 
Alan Hardisty Commented:
Hmmmm.  That's what you should get!!!!
Can you please delete your SMTP connector and then re-create it using the same settings, then try sending a reply to a hotmail.co.uk email and check your SMTP logs again.
Just in case - http://www.msexchange.org/tutorials/Configuring-SMTP-Connector.html
0
 
supprteng (Author) Commented:
Recreated the SMTP connector....everything appears normal again.  Same settings, same everything.  Can't explain it but that seems to have done the trick.
0
 
Alan Hardisty Commented:
Hi Supprteng,
Glad you are sorted and all is well - any particular reason for the Grade B?
0
 
quomodo Commented:
Grade changed to A.

Please see here for grading guidelines - http://www.experts-exchange.com/help.jsp?hi=403

quomodo
Community Support Moderator
0
