OrenRozen

SBS2003 POP and SMTP won't work after MX and DNS changes

I got a customer with a system I didn't install that had a lot of problems, including listing in RBLs, performance problems, connector problems and more.
I already solved most of the problems, and my current one (and hopefully the last one) is the usage of POP and SMTP accounts using this server.
In the office I don't have any problems sending and receiving, as all clients are using Outlook connected to the Exchange.
The problem is with the external users using POP and SMTP.

Checking with nslookup from the server, a client in the office or an external client, I get the same results:
Non-authoritative answer:
sybilgroup.com
        primary name server = ns1.dnsexit.com
        responsible mail addr = admin.netdorm.com
        serial  = 2000060701
        refresh = 14400 (4 hours)
        retry   = 2400 (40 mins)
        expire  = 604800 (7 days)
        default TTL = 1200 (20 mins)
sybilgroup.com  nameserver = ns3.dnsexit.com
sybilgroup.com  nameserver = ns4.dnsexit.com
sybilgroup.com  nameserver = ns1.dnsexit.com
sybilgroup.com  nameserver = ns2.dnsexit.com
sybilgroup.com  MX preference = 5, mail exchanger = mail.sybilgroup.com
sybilgroup.com  MX preference = 5, mail exchanger = sybilgroup.com
sybilgroup.com  internet address = 62.90.151.119

I configured an Outlook account with POP and SMTP = sybilgroup.com.
"SMTP requires authentication" is checked.

POP3 is working and external users can get emails but not send.

When performing a test send I get a popup for username and password.

What am I missing? Something in the Exchange settings? Or maybe the DNS settings?

Thanks.

Justin Owens

When you say "external user", how are they connecting to and authenticating against the domain (VPN, dial up, etc)?  If they are not, then do you have your local firewall set up to forward SMTP requests to your Exchange box?
Justin
davorin
It is not a DNS settings problem. (You can check that using telnet to the server on port 25 - SMTP and 110 - POP3.)
Do you have the SMTP virtual server properly configured? (Accept mail from LAN and authenticated users.)

Do you really need to use SMTP and POP3 for outside users? Why don't you use RPC over HTTP?
You can also use www.mxtoolbox.com web site to check if SMTP is configured fine.
for your usernames, try domain\username
also, outbound port 25 might be blocked by the internet provider the external person is connected to.  att/sbc/yahoo (whatever their name is this week) routinely block this port and force people to use the ISP smtp server.

you can get around this by configuring your exchange smtp to also listen on an additional port, such as 2525, then tell the client mail programs to use outbound port 2525
(and forward 2525 in your firewall too)
your smtp server is answering up as:
220 server2003.sybil-h.local Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at  Mon, 12 Apr 2010 20:02:36 +0300

you might want to change your outbound settings to reflect mail.sybilgroup.com, so it is a valid HELO domain, else you might be rejected by certain receiving servers (no valid helo domain)
OrenRozen (ASKER)

---------------------------------------------------------------------------------------------------------------------------------------
this is the results from mxtoolbox:

May be an open relay.
 0 seconds - Good on Connection time
 1.014 seconds - Good on Transaction time
 OK - 62.90.151.119 resolves to
 Warning - Reverse DNS does not match SMTP Banner

Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 sybilgroup.com Hello [192.168.1.10] [359 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 supertool@mxtoolbox.com....Sender OK [265 ms]
RCPT TO: <test@example.com>
250 2.1.5 test@example.com [187 ms]
QUIT
221 2.0.0 sybilgroup.com Service closing transmission channel [203 ms]

---------------------------------------------------------------------------------------------------------------------------------------
using DOMAIN\USERNAME didn't solve the problem


---------------------------------------------------------------------------------------------------------------------------------------
changed FQDN in SMTP advanced delivery to  : sybilgroup.com


---------------------------------------------------------------------------------------------------------------------------------------
firewall is not blocking the ports

---------------------------------------------------------------------------------------------------------------------------------------
more from mxtoolbox. Can it be a ptr record problem?
Auth=N       Type=PTR       IP Address=62.90.151.119 Domain Name=62-90-151-119.barak.net.il      TTL=24 hrs



Problem still not solved.
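
The two things the mxtoolbox transcript above shows, checked mechanically (an added example, not part of any poster's message): a 250 reply to RCPT TO for an outside domain with no authentication, and a private address echoed in the HELO reply to an Internet-based tester. The function names, finding labels and the `local_domains` parameter are assumptions of this example.

```python
import ipaddress
import re

# Constructed from the mxtoolbox transcript quoted above (timings dropped).
TRANSCRIPT = """\
HELO please-read-policy.mxtoolbox.com
250 sybilgroup.com Hello [192.168.1.10]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 supertool@mxtoolbox.com....Sender OK
RCPT TO: <test@example.com>
250 2.1.5 test@example.com
QUIT
221 2.0.0 sybilgroup.com Service closing transmission channel
"""

def is_private(text):
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:
        return False

def analyze(transcript, local_domains):
    """Findings for one SMTP test session run from outside the network."""
    findings, authed, verb, arg = [], False, "", ""
    for line in filter(None, map(str.strip, transcript.splitlines())):
        if not re.match(r"\d{3}[ -]", line):
            # Client command: remember it so the next reply can be judged.
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            continue
        code = int(line[:3])
        if code == 235:
            authed = True  # 235 is only sent when AUTH succeeded
        elif verb in ("HELO", "EHLO"):
            # The server echoes the peer address it saw. A private address
            # for an Internet tester means the connection was source-NATed,
            # so a "relay for the local subnet" rule matches everyone.
            m = re.search(r"Hello \[([0-9a-fA-F.:]+)\]", line)
            if m and is_private(m.group(1)):
                findings.append("peer-seen-as-private:" + m.group(1))
        elif verb == "RCPT" and 200 <= code < 300 and not authed:
            m = re.search(r"<?([^<>@\s]+@([^<>\s]+))>?", arg)
            if m and m.group(2).lower() not in local_domains:
                findings.append("relay-accepted:" + m.group(1))
    return findings

if __name__ == "__main__":
    print(analyze(TRANSCRIPT, {"sybilgroup.com"}))
```

An accepted RCPT TO is the same signal mxtoolbox reports as "May be an open relay"; it does not by itself prove the message would be delivered.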
There is a difference between not blocking the ports and not forwarding the requests.  Your public MX record and IP addresses are different than your internal ones.  Your router or firewall need to know where to send that type of request when it is from external sources.
result for telnet sybilgroup.com 25 :
220 sybilgroup.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at  Mon, 12 Apr 2010 20:53:16 +0300

I guess that if the port was blocked I could not get this result?!
ASKER CERTIFIED SOLUTION
davorin
And as many ISPs are blocking port 25, why don't you try to configure RPC over HTTP?

Instructions:
http://www.msexchange.org/tutorials/outlookrpchttp.html
- Set to only one MX. mail.sybilgroup.com
- Changed FQDN in smtp to mail.sybilgroup.com
- There is no SMTP connector
- External users are using their notebooks and sometimes they are coming to the office, so I can't set their POP/SMTP to the internal server name.  BTW, I don't have a problem with setting the FQDN in other places.
- Only the ISP can change the PTR. I'll call them tomorrow morning. Domains Dep. is working only during working hrs :-(
your dns resolves fine, which is why we can telnet to it and get the smtp server, so:
1. it resolves fine
2. the ports are not blocked

also, i was just able to send a test message into your server (see code snippet), so you don't have a flow problem

the only other problem you could have at this point is the internet provider that your external machines are using.  that isp has to be blocking port 25.  

to TEST this, have one of your external machines do:
start > run > telnet mail.sybilgroup.com 25
see if they get the 220 line.  if so, that's not the problem.  if it errors out/closes, that is the problem.

to get around this:
exchange system manager > ... > your server > protocols > smtp
right-click the smtp virtual server, properties
advanced (button on general tab)
add...
all unassigned, tcp port 2525, ok
ok
- then go NAT your firewall/router such that port tcp 2525 flows to the exchange server (same place 25 already goes)
- then set up your outside machines to SEND out port 2525 (this is under account settings, advanced)
if they're in the building or in the outside world, port 2525 will still work


220 mail.sybilgroup.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at  Mon, 12 Apr 2010 22:08:36 +0300
helo whatever.com
250 mail.sybilgroup.com Hello [192.168.1.10]
mail from: joe@whatever.com
250 2.1.0 joe@whatever.com....Sender OK
rcpt to: administrator@sybilgroup.com
250 2.1.5 administrator@sybilgroup.com
data
354 Start mail input; end with <CRLF>.<CRLF>
subject: testing
testing from the experts-exchange thread
bryon44035v3
thanks
.
250 2.6.0 <SERVER2003WtIIZS2TR0000007a@mail.sybilgroup.com> Queued mail for delivery

here's how to fix your open relay - until this is done, any spammer can use YOUR server to send their spam (they are actively doing this right now)

http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm

And, to make matters worse, you just identified yourself publicly as such by being on this forum.  Fix this ASAP, as bryon44035v3 suggested.
- External users are using their notebooks and sometimes they are coming to the office, so I can't set their POP/SMTP to the internal server name.  BTW, I don't have a problem with setting the FQDN in other places.

If you configure one client in the internal LAN using the server's internal name for test purposes, you will be able to narrow your search for the cause of the problem to the server (if sending still does not work) or to the network (port forwarding, ISP blocking port 25, ...) if it is working.

If your PTR record is incorrect, only some mail servers will reject your mails. SMTP sending is not affected.

I would not change the SMTP port on your SMTP virtual server, as you will not be reachable by other mail servers. (Look at the warning - http://support.microsoft.com/kb/274842). (Anyway, it would be enough to redirect the port on the router from 2525 to 25, without changing anything on the server - but don't do it.)
Another (temporary) workaround could be using dial-up VPN.

@davorin:  i suggested he ADD port 2525 to his smtp virtual server, not replace the existing one.

thus, his server would listen on both 25 AND 2525
bryon44035v3: Sorry, I was not careful enough. Obviously, today is not my day.. ;)
Hi All,

- SMTP Relay is now accepting only local IP subnet and authenticated users
- SMTP and POP3 are working if testing from WITHIN the organization.

when testing from external connection:

1. if SMTP and POP3 configured to mail.sybilgroup.com and SMTP authentication is checked, mail is stuck in the outbox.
2. if SMTP and POP3 configured to mail.sybilgroup.com and SMTP authentication is NOT checked, i get the message:
    554 5.7.1 This message has been blocked because the HELO/EHLO domain is invalid
Sorry. checked again and:

1. if SMTP and POP3 configured to mail.sybilgroup.com and SMTP authentication is checked, I get a window for
    username password.

2. if SMTP and POP3 configured to mail.sybilgroup.com and SMTP authentication is NOT checked, i get the message:
    554 5.7.1 This message has been blocked because the HELO/EHLO domain is invalid
that's kind of ok...

leave it set up like #1 you said in your last comment

fill in the username/password in people's outlooks.  that's normal, because the spammers wont know your usernames and passwords (we hope)

in your comment #2 above, that's fine because spammers always fake the helo/ehlo domain

1. PTR record is now set to mail.sybilgroup.com
2. SMTP and POP3 configured to mail.sybilgroup.com and SMTP authentication is checked

Problem is still the popup window for username and password.
Is it just prompting over and over without letting you in, or is it prompting once and then allowing the connection?
prompting over and over without letting me in
Hi,
What FQDN entry do you have in Protocols -> default virtual SMTP server -> Properties -> Delivery -> Advanced Options -> Settings? Is it mail.sybilgroup.com?
yes
any ideas why this sbs2003 is not accepting smtp requests?
maybe something with dns?
try to enable smtp logging and check logs at the time you are trying to send messages from outside.
maybe you can try to enter username in form username@domain.local (whatever it is)
username@domain.local didn't work.

The results of the log:
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-04-13 18:55:19
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs-version cs-host cs(User-Agent) cs(Referer)
2010-04-13 18:55:19 205.188.190.2 OutboundConnectionResponse SMTPSVC1 SERVER2003 - 25 - - 554-+(RTR:SC)++http://postmaster.info.aol.com/errors/554rtrsc.html 0 0 SMTP - - -
2010-04-13 18:55:19 205.188.190.2 OutboundConnectionResponse SMTPSVC1 SERVER2003 - 25 - - 554++Connecting+IP:+62.90.151.119 0 0 SMTP - - -

2010-04-13 19:03:02 192.168.1.10 ORENRPC SMTPSVC1 SERVER2003 192.168.1.1 0 EHLO - +ORENRPC 250 0 SMTP - - -
2010-04-13 19:03:12 192.168.1.10 ORENRPC SMTPSVC1 SERVER2003 192.168.1.1 0 QUIT - ORENRPC 240 10312 SMTP - - -
2010-04-13 19:03:43 192.168.1.10 ORENRPC SMTPSVC1 SERVER2003 192.168.1.1 0 EHLO - +ORENRPC 250 0 SMTP - - -
Are you using some sort of antispam filter or appliance? Have you checked its configuration?

In the log you have an error about sending mail to AOL. Cause: RTR:SC - look at the link in the log.
Checked the antispam (Bitdefender for Exchange). Problem not there.
I've disabled it when I tried to send email. Same problem.
I've created a new account called test.

with SMTP authentication checked or unchecked email is sent out and I get auto-response of :
554 5.7.1 This message has been blocked because the HELO/EHLO domain is invalid

in the log:
2010-04-14 06:29:25 192.168.1.10 ORENRPC SMTPSVC1 SERVER2003 192.168.1.1 0 EHLO - +ORENRPC 250 0 SMTP - - -
2010-04-14 06:29:25 192.168.1.10 ORENRPC SMTPSVC1 SERVER2003 192.168.1.1 0 MAIL - +FROM:+<test@sybilgroup.com> 250 0 SMTP - - -
2010-04-14 06:29:25 192.168.1.10 ORENRPC SMTPSVC1 SERVER2003 192.168.1.1 0 QUIT - ORENRPC 240 109 SMTP - - -
2010-04-14 06:30:21 192.168.1.10 ORENRPC SMTPSVC1 SERVER2003 192.168.1.1 0 EHLO - +ORENRPC 250 0 SMTP - - -
2010-04-14 06:30:21 192.168.1.10 ORENRPC SMTPSVC1 SERVER2003 192.168.1.1 0 MAIL - +FROM:+<test@sybilgroup.com> 250 0 SMTP - - -
2010-04-14 06:30:21 192.168.1.10 ORENRPC SMTPSVC1 SERVER2003 192.168.1.1 0 QUIT - ORENRPC 240 218 SMTP - - -
I'm running slowly out of ideas.
QUIT result mode 240 means - Success with other or undefined network or routing status.
The other "strange" thing is the repeating cs-username OPENRPC (client username) - what is it?
What is at 192.168.1.1? Is some sort of mail filtering configured/installed there?
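
As an added example (not from any poster in this thread), a small parser for the SMTP service log format posted above, driven by its #Fields header. It lists the rejections remote servers returned for outbound mail and the inbound sessions that ended without reaching DATA; the function names are this example's own.

```python
# Constructed sample: header and lines copied from the SMTP log posted above.
LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs-version cs-host cs(User-Agent) cs(Referer)
2010-04-13 18:55:19 205.188.190.2 OutboundConnectionResponse SMTPSVC1 SERVER2003 - 25 - - 554++Connecting+IP:+62.90.151.119 0 0 SMTP - - -
2010-04-14 06:29:25 192.168.1.10 ORENRPC SMTPSVC1 SERVER2003 192.168.1.1 0 EHLO - +ORENRPC 250 0 SMTP - - -
2010-04-14 06:29:25 192.168.1.10 ORENRPC SMTPSVC1 SERVER2003 192.168.1.1 0 MAIL - +FROM:+<test@sybilgroup.com> 250 0 SMTP - - -
2010-04-14 06:29:25 192.168.1.10 ORENRPC SMTPSVC1 SERVER2003 192.168.1.1 0 QUIT - ORENRPC 240 109 SMTP - - -
"""

def parse(log):
    """Map each data line onto the names given by the #Fields directive."""
    fields, rows = [], []
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                # W3C extended logs write spaces inside a value as '+'.
                rows.append({k: v.replace("+", " ").strip()
                             for k, v in zip(fields, values)})
    return rows

def outbound_rejections(rows):
    """4xx/5xx replies that remote servers gave to this server's own mail."""
    return [(r["c-ip"], r["cs-uri-query"]) for r in rows
            if r["cs-username"] == "OutboundConnectionResponse"
            and r["cs-uri-query"][:1] in ("4", "5")]

def inbound_sessions(rows):
    """Group inbound commands per client address, closing a session at QUIT."""
    open_, done = {}, []
    for r in rows:
        if r["cs-method"] == "-":
            continue  # outbound entries carry no SMTP verb
        open_.setdefault(r["c-ip"], []).append(r["cs-method"])
        if r["cs-method"] == "QUIT":
            done.append((r["c-ip"], open_.pop(r["c-ip"])))
    return done + list(open_.items())

def abandoned(sessions):
    """Sessions that never got as far as DATA, i.e. no message was handed over."""
    return [s for s in sessions if "DATA" not in s[1]]

if __name__ == "__main__":
    rows = parse(LOG)
    print(outbound_rejections(rows))
    print(abandoned(inbound_sessions(rows)))
```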
something you changed to prevent being an open relay is causing this.

you probably set something like 'helo domain verification'.  that's usually ok, but if someone on comcast internet tries to send mail to your server claiming to be someone@yahoo.com, the helo domain won't match... so you might want to remove that setting.

while still making sure you're not an open relay

Problem solved :-)
OK, it took some time, but with your help, our digging and understanding the configuration of this server showed us the way to "salvation".

The problems:
1. this domain was recognized as a spammer and listed in rbl's.
2. problem with mx and ptr records.
3. problems with dns records.
4. exchange pop3 connector was not configured properly. in fact it was not in use.
5. instead of adding a second domain to the exchange recipient policies, it was added as a contact for the same user in active directory. I have no idea why it was configured that way
6. duplicates and triplets of x400 protocol for most of the accounts configured for users NOT with the same account name.
7. Wrong zones configuration at the ISP.
8. Wrong configuration settings on fortigate filtering.