supprteng
asked on
Exchange 2003 Relay errors
Running Exchange 2003 on Windows 2003; single instance of Exchange (does OWA, mailboxes, ActiveSync, etc).
When sending emails, we are getting
"smtp;553 5.3.0: relaying is NOT allowed here"
"#5.5.0 smtp;550 Invalid address"
"#5.5.0 smtp;550 #5.1.0 Address rejected"
from known good email addresses.
I saw a post to turn OFF anonymous access to SMTP, but then we won't recieve email. We have 1 SMTP Virtual Server with a name of our FQDN of the mail server.
Under Authentication on the SMTP Virtual Server I have enabled "Anonymous Access" and "Integrated Windows Authentication". Under Relay "Only the list below" which is empty , UNCHECKED is "Allow all computers which successfully authenticate to relay...." and under Users is empty.
In front of my Exchange server I have a firewall and a Trend Micro IGSA filtering SPAM and scanning for Viruses. I'm not an Exchange expert, looking for a way to get us able to send email again.
I ran a rest at www.test-smtp.com against my mail server at got this:
>>> RSET
<<< 250 2.0.0 OK
>>> MAIL FROM: <test@spam.com>
<<< 250 2.0.0 Resetting
>>> RCPT TO: <test@spam.com>
<<< 250 2.1.0 test@spam.com....Sender OK
When sending emails, we are getting
"smtp;553 5.3.0: relaying is NOT allowed here"
"#5.5.0 smtp;550 Invalid address"
"#5.5.0 smtp;550 #5.1.0 Address rejected"
from known good email addresses.
I saw a post to turn OFF anonymous access to SMTP, but then we won't recieve email. We have 1 SMTP Virtual Server with a name of our FQDN of the mail server.
Under Authentication on the SMTP Virtual Server I have enabled "Anonymous Access" and "Integrated Windows Authentication". Under Relay "Only the list below" which is empty , UNCHECKED is "Allow all computers which successfully authenticate to relay...." and under Users is empty.
In front of my Exchange server I have a firewall and a Trend Micro IGSA filtering SPAM and scanning for Viruses. I'm not an Exchange expert, looking for a way to get us able to send email again.
I ran a rest at www.test-smtp.com against my mail server at got this:
>>> RSET
<<< 250 2.0.0 OK
>>> MAIL FROM: <test@spam.com>
<<< 250 2.0.0 Resetting
>>> RCPT TO: <test@spam.com>
<<< 250 2.1.0 test@spam.com....Sender OK
Create a test account and run smtp email tests in Microsoft test site.
https://www.testexchangeconnectivity.com It will flag any issues.
https://www.testexchangeconnectivity.com It will flag any issues.
ASKER
Under www.testexchangeconnectivty.com -
Outbound SMTP Test all green.
Inbound SMTP Test I get all green:
Testing the MX mail.ehclifebuilders.org for open relay by trying to relay to user Admin@TestExchangeConnecti vity.com
Open Relay test passed. This mx is not an open relay
Additional Details
The open relay test message delivery failed (a good thing).
The exception detail is:
Exception Details:
Message: Mailbox unavailable. The server response was: 5.7.1 Unable to relay for Admin@TestExchangeConnecti vity.com
Type: System.Net.Mail.SmtpFailed RecipientE xception
Stack Trace:
at System.Net.Mail.SmtpTransp ort.SendMa il(MailAdd ress sender, MailAddressCollection recipients, String deliveryNotify, SmtpFailedRecipientExcepti on& exception)
at System.Net.Mail.SmtpClient .Send(Mail Message message)
at Microsoft.Exchange.Tools.E xRca.Tests .SmtpOpenR elayTest.P erformTest Really()
Outbound SMTP Test all green.
Inbound SMTP Test I get all green:
Testing the MX mail.ehclifebuilders.org for open relay by trying to relay to user Admin@TestExchangeConnecti
Open Relay test passed. This mx is not an open relay
Additional Details
The open relay test message delivery failed (a good thing).
The exception detail is:
Exception Details:
Message: Mailbox unavailable. The server response was: 5.7.1 Unable to relay for Admin@TestExchangeConnecti
Type: System.Net.Mail.SmtpFailed
Stack Trace:
at System.Net.Mail.SmtpTransp
at System.Net.Mail.SmtpClient
at Microsoft.Exchange.Tools.E
That's all good news.
Have you looked at my FAQ yet?
Have you looked at my FAQ yet?
ASKER
Results of the FAQ tests....
Reverse DNS on public IP address is the correct FQDN of the mail server.
We get a Red Circle stating "may be an open relay"
Reverse DNS matches SMTP Banner
Unable to relay for test@example.com
Negative for hits on blacklists
IP Reputation is Neutral for Email and Web
v=spf1 a mx a:internalservername.exter naldomainn ame a: FQDN ~all
Reverse DNS on public IP address is the correct FQDN of the mail server.
We get a Red Circle stating "may be an open relay"
Reverse DNS matches SMTP Banner
Unable to relay for test@example.com
Negative for hits on blacklists
IP Reputation is Neutral for Email and Web
v=spf1 a mx a:internalservername.exter
The "May be an open relay" is not encouraging ;-(
Can you test on this site please for Open Relay:
http://www.checkor.com/
Can you test on this site please for Open Relay:
http://www.checkor.com/
ASKER
ran the tests on checkor against my mail server IP, all came back unable to relay.
Good - that's a relief.
Please can you describe your outbound mail-flow route e.g., Exchange, Firewall, Smart-Host / DNS Routed Mail.
Also, please can you download and run the Exchange 2003 Best Practices Analyzer tool and see what that brings up:
http://www.microsoft.com/downloads/details.aspx?FamilyID=DBAB201F-4BEE-4943-AC22-E2DDBD258DF3&displaylang=en
Please can you describe your outbound mail-flow route e.g., Exchange, Firewall, Smart-Host / DNS Routed Mail.
Also, please can you download and run the Exchange 2003 Best Practices Analyzer tool and see what that brings up:
http://www.microsoft.com/downloads/details.aspx?FamilyID=DBAB201F-4BEE-4943-AC22-E2DDBD258DF3&displaylang=en
ASKER
Working on the Analyzer...
Email flow:
Internet - Internet Router - Firewall - Trend IGSA Spam/AV filter - Exchange
Email flow:
Internet - Internet Router - Firewall - Trend IGSA Spam/AV filter - Exchange
That all seems quite normal.
I take it that the Trend IGSA is a hardware device?
Has this been updated lately?
Have you rebooted it recently?
Are there any firmware / software updates for it?
I take it that the Trend IGSA is a hardware device?
Has this been updated lately?
Have you rebooted it recently?
Are there any firmware / software updates for it?
ASKER
IGSA is a hardware pass-through appliance. It does not do any NAT. I look at the email headers from my domain and they show the correct FQDN and public IP.
Just the generic updates for SPAM/AV definitions.
I'm turning off outbound SMTP scanning for fun. I can reboot it this weekend.
It has the latest and greated firmware/software.
One oddity to add to the mix. I can email my gmail account, no problem. I sent from my work account to gmail an email with an embedded picture and weblinks. It got denied (error below). I resent the email, no bounce back error.
<mail.mydomainname.org #5.5.0 smtp;550 relaying denied for <*******@gmail.com>>
Just the generic updates for SPAM/AV definitions.
I'm turning off outbound SMTP scanning for fun. I can reboot it this weekend.
It has the latest and greated firmware/software.
One oddity to add to the mix. I can email my gmail account, no problem. I sent from my work account to gmail an email with an embedded picture and weblinks. It got denied (error below). I resent the email, no bounce back error.
<mail.mydomainname.org #5.5.0 smtp;550 relaying denied for <*******@gmail.com>>
Do you want to send a test email to me at alan @ it-eye.co.uk?
Would be good to see if anything arrives.
Would be good to see if anything arrives.
ASKER
@Alan - 2 emails sent. 1 with just plain ol' text. 1 with the image in the body that bombed with Gmail but then upon being resent was accepted by GMail. Another example of similar activity was an email sent out with a PPT attachment that had the same experience with Gmail. I know the problem is not limited to Gmail, as it went to other email accounts outside of gmail....assuming gmail isn't hosting or filtering their email.
Both emails received happily.
ASKER
I changed my Exchange logging and was able to obtain this:
Event Type: Error
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7004
Date: 1/11/2010
Time: 1:50:52 PM
User: N/A
Computer: MAILSERVER
Description:
This is an SMTP protocol error log for virtual server ID 1, connection #127. The remote host "206.190.54.127", responded to the SMTP command "rcpt" with "550 relaying denied for <s********y@hotmail.com> ". The full command sent was "RCPT TO:<s********y@hotmail.com > ". This will probably cause the connection to fail.
This was a real email, was an email reply to the hotmail account, the email was sent to 4 people.
I logged into my home PC (thank you logmein) and tried to send a relay email via telnet, it was denied.
Ideas?
Event Type: Error
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7004
Date: 1/11/2010
Time: 1:50:52 PM
User: N/A
Computer: MAILSERVER
Description:
This is an SMTP protocol error log for virtual server ID 1, connection #127. The remote host "206.190.54.127", responded to the SMTP command "rcpt" with "550 relaying denied for <s********y@hotmail.com> ". The full command sent was "RCPT TO:<s********y@hotmail.com
This was a real email, was an email reply to the hotmail account, the email was sent to 4 people.
I logged into my home PC (thank you logmein) and tried to send a relay email via telnet, it was denied.
Ideas?
ASKER
SMTP Log:
I used www.dnstoolbox to confirm we are not a relay. It was not able to relay a message. I verified my FQDN matches my reverse DNS entry.
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 220+mta1028.mail.re4.yahoo .com+ESMTP +YSmtp+ser vice+ready 0 0 56 0 203 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER - 25 EHLO - mail.mydomain.org 0 0 4 0 203 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 250-mta1028.mail.re4.yahoo .com 0 0 30 0 297 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 250-8BITMIME 0 0 12 0 468 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER - 25 MAIL - FROM:<J*******y@mydomain.o rg>+SIZE=1 5964 0 0 4 0 468 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 250+sender+<j*******y@mydo main.org>+ ok 0 0 45 0 562 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER - 25 RCPT - TO:<s********y@hotmail.com > 0 0 4 0 562 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 550+relaying+denied+for+<s ********y@ hotmail.co m> 0 0 48 0 640 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER - 25 RSET - - 0 0 4 0 640 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVER - 25 - - 250+reset+ok 0 0 12 0 734 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER- 25 QUIT - - 0 0 4 0 812 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse SMTPSVC1 MAILSERVERR- 25 - - 221+mta1028.mail.re4.yahoo .com 0 0 30 0 890 SMTP - - - -
I used www.dnstoolbox to confirm we are not a relay. It was not able to relay a message. I verified my FQDN matches my reverse DNS entry.
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER - 25 EHLO - mail.mydomain.org 0 0 4 0 203 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER - 25 MAIL - FROM:<J*******y@mydomain.o
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER - 25 RCPT - TO:<s********y@hotmail.com
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER - 25 RSET - - 0 0 4 0 640 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionCommand SMTPSVC1 MAILSERVER- 25 QUIT - - 0 0 4 0 812 SMTP - - - -
2010-01-11 21:50:51 206.190.54.127 OutboundConnectionResponse
You seem to be trying to send mail to HOTMAIL.COM via YAHOO.COM mail servers.
Have you got a specific connector setup to send mail direct to YAHOO.COM with HOTMAIL.COM in the address space?
If I try the same - connecting to YAHOO.COM mail servers and try to email someone at HOTMAIL.COM, I get the same.
Your configuration on your connectors is probably to blame. Please check them and make sure you don't have anything described above. The same applies to any other domains you are trying to send directly via another server other than the specific one that handles mail for that domain.
Have you got a specific connector setup to send mail direct to YAHOO.COM with HOTMAIL.COM in the address space?
If I try the same - connecting to YAHOO.COM mail servers and try to email someone at HOTMAIL.COM, I get the same.
Your configuration on your connectors is probably to blame. Please check them and make sure you don't have anything described above. The same applies to any other domains you are trying to send directly via another server other than the specific one that handles mail for that domain.
ASKER
I have 2 connectors under Routing Groups\A150 Mail\Connectors
Calendar Connector and Internet Mail SMTP Connector
On the Internet SMTP Connector, my settings are:
-General Tab: Use DNS to route to each address Space and local bridgehead is MAILSERVER and mail.mydomain.org
-Content Restrictions Tab: All selected excluding Allowed Sizes
-Delivery Reports Tab: Connection time: Always run
-Advanced Tab: Do not send ETRM/TURN is only selected
-Address Space Tab: SMTP * 1, Entire Organization
-Connected Routing Groups: empty
-Delivery Restrictions tab: emails all accepted.
Calendar Connector and Internet Mail SMTP Connector
On the Internet SMTP Connector, my settings are:
-General Tab: Use DNS to route to each address Space and local bridgehead is MAILSERVER and mail.mydomain.org
-Content Restrictions Tab: All selected excluding Allowed Sizes
-Delivery Reports Tab: Connection time: Always run
-Advanced Tab: Do not send ETRM/TURN is only selected
-Address Space Tab: SMTP * 1, Entire Organization
-Connected Routing Groups: empty
-Delivery Restrictions tab: emails all accepted.
Okay - that looks correct!
What do you get if you do the following:
Start> Run> {type} CMD {press enter}
{type} nslookup {press enter}
{type} set q=mx {press enter}
{type} hotmail.com {press enter}
What do you get if you do the following:
Start> Run> {type} CMD {press enter}
{type} nslookup {press enter}
{type} set q=mx {press enter}
{type} hotmail.com {press enter}
ASKER
> set q=mx
> hotmail.com
Server: dc.domain.local
Address: 10.1.1.25
hotmail.com MX preference = 5, mail exchanger = mx2.hotmail.com
hotmail.com MX preference = 5, mail exchanger = mx3.hotmail.com
hotmail.com MX preference = 5, mail exchanger = mx4.hotmail.com
hotmail.com MX preference = 5, mail exchanger = mx1.hotmail.com
mx2.hotmail.com internet address = 65.55.92.152
mx2.hotmail.com internet address = 65.55.37.88
mx2.hotmail.com internet address = 65.55.37.120
mx2.hotmail.com internet address = 65.55.37.72
mx2.hotmail.com internet address = 65.55.37.104
mx2.hotmail.com internet address = 65.55.92.136
mx2.hotmail.com internet address = 65.55.92.168
mx2.hotmail.com internet address = 65.55.92.184
mx2.hotmail.com internet address = 65.54.188.94
mx2.hotmail.com internet address = 65.54.188.110
mx2.hotmail.com internet address = 65.54.188.126
mx2.hotmail.com internet address = 65.54.188.72
mx3.hotmail.com internet address = 65.55.37.120
mx3.hotmail.com internet address = 65.55.92.152
mx3.hotmail.com internet address = 65.55.37.88
mx3.hotmail.com internet address = 65.55.92.136
mx3.hotmail.com internet address = 65.55.92.184
mx3.hotmail.com internet address = 65.54.188.72
mx3.hotmail.com internet address = 65.54.188.94
mx3.hotmail.com internet address = 65.54.188.110
mx3.hotmail.com internet address = 65.54.188.126
mx3.hotmail.com internet address = 65.55.92.168
mx3.hotmail.com internet address = 65.55.37.72
mx3.hotmail.com internet address = 65.55.37.104
>
> hotmail.com
Server: dc.domain.local
Address: 10.1.1.25
hotmail.com MX preference = 5, mail exchanger = mx2.hotmail.com
hotmail.com MX preference = 5, mail exchanger = mx3.hotmail.com
hotmail.com MX preference = 5, mail exchanger = mx4.hotmail.com
hotmail.com MX preference = 5, mail exchanger = mx1.hotmail.com
mx2.hotmail.com internet address = 65.55.92.152
mx2.hotmail.com internet address = 65.55.37.88
mx2.hotmail.com internet address = 65.55.37.120
mx2.hotmail.com internet address = 65.55.37.72
mx2.hotmail.com internet address = 65.55.37.104
mx2.hotmail.com internet address = 65.55.92.136
mx2.hotmail.com internet address = 65.55.92.168
mx2.hotmail.com internet address = 65.55.92.184
mx2.hotmail.com internet address = 65.54.188.94
mx2.hotmail.com internet address = 65.54.188.110
mx2.hotmail.com internet address = 65.54.188.126
mx2.hotmail.com internet address = 65.54.188.72
mx3.hotmail.com internet address = 65.55.37.120
mx3.hotmail.com internet address = 65.55.92.152
mx3.hotmail.com internet address = 65.55.37.88
mx3.hotmail.com internet address = 65.55.92.136
mx3.hotmail.com internet address = 65.55.92.184
mx3.hotmail.com internet address = 65.54.188.72
mx3.hotmail.com internet address = 65.54.188.94
mx3.hotmail.com internet address = 65.54.188.110
mx3.hotmail.com internet address = 65.54.188.126
mx3.hotmail.com internet address = 65.55.92.168
mx3.hotmail.com internet address = 65.55.37.72
mx3.hotmail.com internet address = 65.55.37.104
>
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Recreated the SMTP connector....everything appears normal again. Same settings, same everything. Can't explain it but that seems to have done the trick.
Hi Supprteng,
Glad you are sorted and all is well - any particular reason for the Grade B?
Glad you are sorted and all is well - any particular reason for the Grade B?
Grade changed to A.
Please see here for grading guidelines - https://www.experts-exchange.com/help.jsp?hi=403
quomodo
Community Support Moderator
Please see here for grading guidelines - https://www.experts-exchange.com/help.jsp?hi=403
quomodo
Community Support Moderator
http://www.it-eye.co.uk/faqs/readQuestion.php?qid=2
Don't turn off anonymous authentication as you correctly day, you won't receive any mail.