We help IT Professionals succeed at work.

NDR from Exchange

Steven Carnahan
Steven Carnahan asked
First a description of our email flow:

We have Outlook (2003 on desktop or 2007 on TS)
email server is Exchange 2003 w/Trend Micro ScanMail
From Exchange it goes to an ISA server 2006 w/Trend Micro IMSS
It then goes to a Barracuda that is set for incoming so it doesn't do any checking on outgoing.

Now the issue

We have an attorney that we email with several times a day. Most email goes through both ways without a problem. However every once in awhile an email being sent TO the attorney goes into the Exchange Internet Queue and sits there retrying until it times out and returns an NDR.

I can track all messages through the entire system except the ones that sit in the Exchange queue. They never seem to leave the Exchange server.

The NDR is:

Could not deliver the message in the time limit specified.  Please retry or contact your administrator.
            <our.domain.LOCAL #4.4.7>

  The message in the application event log is:

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      Connection Manager
Event ID:      4006
Date:            6/10/2010
Time:            7:43:57 AM
User:            N/A
Computer:      <our exchange server>
Message delivery to the host 'x.x.x.x' failed while delivering to the remote domain  '[x.x.x.x]' for the following reason: The connection was dropped by the remote host.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0000: d3 02 04 c0               Ó..À    

The IP address is the ISA server. All other email is going through. There appears to be no consistancy to the emails that are blocked. Some have attachments and some don't. None of them are very big. The one today was on 166K.

Watch Question

some receiving mail servers do a reverse lookup.Check if your DNS had your email server setup as one ip and the firewall as another ip (and the firewall is the one ip the reverse lookups were looking at). If so then just change  firewall ip to the same ip as the email server and forwarded the port to internal email server ip.

Hope this helps
From the NDR, check that that address is actually in the MX record list for the remote domain.  I have seen an issue where outbound mail randomly fails to certain domains and have found that the Exchange server is attempting to deliver to the ip address of the domain root DNS record.  Typically that address is a webserver.
Steven CarnahanAssistant Vice President\Network Manager


Thank you for the comments. I have checked our MX record and it appears to be correct. Since it is never getting from the Exchange to the ISA I am guessing that the problem exists inside my network.

Some more information that may be relevant.

I checked all the logs on the Exchange server, the ISA and the Barracuda after the failed email yesterday.
1. The email entered the queue of the Exchange server
2. The Trend ScanMail on the Exchange server does not show any email blocked or quarantined
3. No record of the email arriving at the ISA server (I even checked the Trend IMSS and there is no record of it there.
4. No record of the email on the Barracuda
5. The sender stipped the attachment (this one had a scanned document in .pdf format) and resent the email and I could follow it's entire path through the Barracuda and the recipient did receive it.
6. The entire size, including attachment, of the email was only 166K so it was not stopped for being to big.
7. I am not blocking any .pdf's from going through at the Exchange, ISA or Barracuda.
8. The NDR is saying it timed out waiting for the ISA which is on a different subnet than the Exchange server  (Exchange = 10.2.3.x / ISA = 10.2.201.x)
9. Everything has to go through a Tipping Point in and out of the 10.2.3.x subnet.

I will look at the Tipping Point log today to see if maybe it is the culprit. I had forgot that little piece until describing this scenario.
Steven CarnahanAssistant Vice President\Network Manager


While neither response was the correct one they did turn on a light bulb in my head and I appreciate the comments. I have another email location that may benefit from the answers given here. It turns out the Tipping Point was the culprit. There was filter for .pdf files containing the JBIG2 format that was enabled. Tipping Point recommends disableing it which I did and the email is able to get through now with the attachment.

Again, thank you for your assistance and I will split the points between you.