Relaying denied. IP name possibly forged.(xx.xx.xx.xx)> for some users when sending emails.



A couple of users are having problems sending e-mail to recipients they send to every day. The error is:

User@otherdomain.com on 11/26/2005 1:11 PM. You do not have permission to send to this recipient. For assistance, contact your system administrator. ... Relaying denied. IP name possibly forged.(xx.xx.xx.xx)>.

http://searchexchange.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid43_gci1155538,00.html

According to this post, it could be related to:

It sounds like the recipient's SMTP server is doing a reverse lookup on your domain and failing. You should double-check your public DNS record to make sure that the server's PTR (pointer) record has the servername mapped to the server's correct IP address.

This is our current Exchange setup:

1.) We run an active-passive cluster of Exchange 2003

2.) The MX records are being hosted in Postini (Google)

3.) We are running a load balancing solution for redundancy between 2 ISP providers. So the A and PTR records for mail.domain.com have an entry for each of the providers in the public DNS.

For example:

ISP1

mail.domain.com - 1.1.1.1

1.1.1.1 - mail.domain.com

ISP2

mail.domain.com - 2.2.2.2

2.2.2.2 - mail.domain.com

We are now using provider one, so if any emails are being sent, the headers of the email show 1.1.1.1 for mail.domain.com.

However, if I run a DNS query for A/PTR resolution for mail.domain.com, the 2.2.2.2 IP is the one that resolves.

So email is being sent from 1.1.1.1, but external DNS resolution of mail.domain.com replies with 2.2.2.2.

Like I said a couple of users are getting this type of message:

User@otherdomain.com on 11/26/2005 1:11 PM. You do not have permission to send to this recipient. For assistance, contact your system administrator. ... Relaying denied. IP name possibly forged.(xx.xx.xx.xx)>.

Could this setup be the problem since we are sending at 1.1.1.1 but the world resolves mail.domain.com at 2.2.2.2?

Also, the FQDN for the cluster is mail.domain.local. Does the entry need to be changed to mail.domain.com? If we have to change it, why should we make the change?

Thank you.
llarava asked:
Rick Hobbs (RETIRED) commented:
Definitely.  That is the definition of relaying.  Receiving on one address and forwarding on another address.  Either get the sites you are having problems with to allow it or change your configuration.
0
Raheem05 commented:
What is your mailserver announcing itself as? mail.domain.local?

Make sure it's announcing itself as domain.com, i.e. the domain of your emails, so whatever is after @.

You can verify this by going to:

Exchange System Manager - Server - Protocols - SMTP - Right-click on Default SMTP Virtual Server and go to Properties. Choose the last tab, Delivery, and then Advanced. What is the FQDN set as?

0
Alan Hardisty (Co-Owner) commented:
If you read the section in my article posted in your other question (http://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Problems-sending-mail-to-one-or-more-external-domains.html) that states:
"If you do send out mail from a different IP address to the advertised MX record IP Address, please check that the Reverse DNS entry for this IP Address is also configured properly and that it resolves correctly to the same IP address (we use www.dnsstuff.com to check this - but you will need a subscription!).  As an example, if you send mail out via IP 123.123.123.123 and the Reverse DNS entry setup on this IP address by your ISP is mail.yourcompany.com, mail.yourcompany.com should also resolve in DNS back to the same 123.123.123.123 IP Address."
Your configuration does not follow this setup as your rDNS pointer points to mail.yourdomain.com and mail.yourdomain.com resolves back to a different IP Address.
If you don't change this, or set up your DNS properly, you will continue to have problems.
So, either:
  1. Change your rDNS pointer on your sending IP address to something currently set up in DNS that points back to your sending IP address
  2. Add a DNS A record for your sending IP Address, add a CNAME record that points to your A record that you just set up and then change your sending IP rDNS record to match the CNAME you just created
  3. Change your MX records to point mail directly to your server using mail.yourdomain.com as the MX record and install some good anti-spam software such as Vamsoft ORF (www.vamsoft.com) for $239 per server to cope with the spam you will get.
One of the above options should solve your problem - you just need to pick the best / easiest option for your company.
0
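
The rule quoted in the answer above (sending IP -> rDNS name -> the same IP), as an added Python example that is not part of the original thread. The zone data is constructed from the addresses in the question, and `mail1.domain.com` is a hypothetical name standing in for option 1; calling `fcrdns()` with only an IP queries the system resolver instead.

```python
import socket

def live_ptr(ip):
    """PTR names for an IP from the system resolver ([] if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def live_a(name):
    """IPv4 addresses for a hostname from the system resolver ([] if none)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except OSError:
        return []

def fcrdns(sending_ip, ptr_lookup=live_ptr, a_lookup=live_a):
    """IP -> PTR name(s) -> A records; passes only if an A record is the IP."""
    names = [n.rstrip(".").lower() for n in ptr_lookup(sending_ip)]
    if not names:
        return {"ok": False, "reason": "no PTR record", "forward": {}}
    forward = {n: a_lookup(n) for n in names}
    ok = any(sending_ip in ips for ips in forward.values())
    reason = ("PTR name resolves back to sending IP" if ok
              else "PTR name does not resolve back to sending IP")
    return {"ok": ok, "reason": reason, "forward": forward}

def zone(ptr, a):
    """Build offline lookup functions from constructed zone data."""
    return (lambda ip: ptr.get(ip, [])), (lambda name: a.get(name, []))

# Constructed data: the state described in the question.
AS_REPORTED = zone(
    {"1.1.1.1": ["mail.domain.com"], "2.2.2.2": ["mail.domain.com"]},
    {"mail.domain.com": ["2.2.2.2"]})
# Constructed data: option 1, with the hypothetical name mail1.domain.com.
OPTION_1 = zone(
    {"1.1.1.1": ["mail1.domain.com"], "2.2.2.2": ["mail.domain.com"]},
    {"mail1.domain.com": ["1.1.1.1"], "mail.domain.com": ["2.2.2.2"]})

if __name__ == "__main__":
    for label, lookups in (("as reported", AS_REPORTED), ("option 1", OPTION_1)):
        result = fcrdns("1.1.1.1", *lookups)
        print(f"{label}: {result['reason']} {result['forward']}")
```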

llarava (Author) commented:
It was changed to be mail.domain.com. However, what do you think about the PTR/DNS resolution of mail.domain.com? Is that a problem? If it is, could you please explain or point me to an article that explains why?

Thanks.
0
Alan Hardisty (Co-Owner) commented:
Your question is answered by my comments above.
0
Raheem05 commented:
Sorry, I did not realise Expert AlanHardisty was already assisting. His answer is correct: your DNS records must match as per his post.

Good luck
0
Alan Hardisty (Co-Owner) commented:
: )
0
llarava (Author) commented:
alanhardisty,

Thanks for such a detailed answer. When you were answering my question I was replying to what Raheem05 posted. Your reply is what I was looking for.
0
llarava (Author) commented:
alanhardisty,

I will not be able to work on this today, but I have a couple of questions that I would like answered before I go ahead and close the question.
0
Alan Hardisty (Co-Owner) commented:
Ah - sorry - feel free to ask away.
Alan
0