• Status: Solved

#550 4.4.7 QUEUE.Expired; message expired ## for a particular domain.

We have Exchange 2007 on Windows 2003. All roles installed on 1 machine.

Some of our e-mails to specific domains are remaining in the queue for a long time and then expiring. I can telnet to the affected domain and I can send a test message. I confirmed with the recipient and he is receiving my message (sent through telnet).

Exchange is configured with a single send connector. Logging level is set to Verbose but no logs are generated specific to the affected domain.

Even those e-mails are not hitting the firewall, as if they are not leaving the Exchange server.

I tried using external DNS servers on send connector but no luck.

I followed the steps described in the similar posts on Expert-Exchange but no benefit.

Any ideas what else could cause the problem?
Asked by: imranrft

VBDotNetCoder Commented:
There may be an incompatibility between your server and the target server.
For example: the first command must be EHLO instead of HELO.
Can you ask the target site what mail server (with version number) they're using?

Also if the target server has an anti-spam software installed, it might have been blocking certain users (not you or the account you used while sending test message via telnet). Can you check that?

imranrft (Author) Commented:
First command was EHLO.

The target server is Exchange 2007. They are using McAfee AntiSpam. I'll check with them about the version.

None of our users (including my account) are able to send e-mail to them. I was able to telnet and send a message to their server from our server.



VBDotNetCoder Commented:
Is it possible that their AntiSpam software is blocking your domain? Can you ask this question to their system administrator?

Which MAIL FROM: address did you use while you were sending the telnet message to the target domain?
Was it your email address that has been rejected by the target domain?

In addition... Do you have anti-spam precautions taken on your DNS Server and Exchange server (like SPF record(s), reverse DNS record(s)...). Anti Spam software might have been blocking messages from you if these precautions are not implemented...

If the target domain is keeping the logs of the mail traffic, it may help you (if there is any rejection, any blocking, they'll know and tell you, checking the logs).

Alan Hardisty (Co-Owner) Commented:
What is your Reverse DNS setup as?
Is your Reverse DNS set properly (have you asked your ISP to setup Reverse DNS on your Fixed IP Address)?
Does your Send Connector FQDN (Fully Qualified Domain Name) match your Reverse DNS setting?
Does your FQDN on your send connector resolve in DNS to the IP Address that you are sending from?
All of these have to match and resolve to each other or you will have problems sending.
If you want to post your domain name (which I can obscure for you), I can check your settings and offer specific advice to try to resolve your problem, although one or more of the above suggestions is the usual culprit.
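
Added example (not part of the thread): a minimal sketch of the consistency check listed in the comment above, covering sending IP to PTR, PTR to connector FQDN, and FQDN back to the IP. The host names, the 192.0.2.25 address and the `PTR`/`A` lookup tables are constructed placeholders so the check runs offline.

```python
import ipaddress

# Constructed DNS data for illustration (RFC 5737 address, example names).
PTR = {"192.0.2.25": "mail.example.ae."}
A = {"mail.example.ae": ["192.0.2.25"], "exserver.example.ae": []}


def norm(name):
    """Lower-case a host name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def check_sender(ip, helo_fqdn, ptr=PTR, a=A):
    """Return mismatches between sending IP, its PTR and the HELO/EHLO name."""
    ip = str(ipaddress.ip_address(ip))          # ValueError on malformed input
    ptr_name = ptr.get(ip)
    if ptr_name is None:
        return ["no PTR record for %s" % ip]
    problems = []
    if norm(ptr_name) != norm(helo_fqdn):
        problems.append("PTR %s does not match connector FQDN %s"
                        % (norm(ptr_name), norm(helo_fqdn)))
    if ip not in a.get(norm(helo_fqdn), []):
        problems.append("connector FQDN %s does not resolve to %s"
                        % (norm(helo_fqdn), ip))
    if ip not in a.get(norm(ptr_name), []):
        problems.append("PTR name %s does not resolve back to %s"
                        % (norm(ptr_name), ip))
    return problems


if __name__ == "__main__":
    for fqdn in ("mail.example.ae", "exserver.example.ae"):
        print(fqdn, check_sender("192.0.2.25", fqdn) or "consistent")
```

For a live check, the two dictionaries can be filled from `socket.gethostbyaddr` and `socket.getaddrinfo` results for the real sending address.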

imranrft (Author) Commented:
During telnet session, in MAIL FROM address, I used the same domain e-mail account which is not able to send e-mail to the target domain.

Our Reverse DNS is setup properly. (I believe so, you can check).

Send connector FQDN is matching reverse DNS.

For your information, our domain is: mydomain.ae
If you can check and suggest something, it will be much appreciated.


Thanks guys.

Alan Hardisty (Co-Owner) Commented:
Do you send out mail via your Barracuda, or just receive it?
If you send via it, that will be your problem as people will see you sending as barracuda.yourdomain.ae, not mail.yourdomain.ae.

imranrft (Author) Commented:
We recently implemented Barracuda and currently it is for inbound e-mails only. But our plan is to use it also for outbound later once we solve these QUEUE issues.

Did you find it sending through Barracuda?

imranrft (Author) Commented:
I can turn off Barracuda to try.

Alan Hardisty (Co-Owner) Commented:
I did not find it sending via the Barracuda - only thinking that if you are then that would be an easy solution.
What is your sending IP address? (I will obscure it too).

Alan Hardisty (Co-Owner) Commented:
Okay - well that checks out in terms of Reverse DNS!
But - please visit www.mxtoolbox.com/blacklists.aspx and pop your sending IP Address in there. You are listed on UCEPROTECT Level 2 and 3, which means your ISP likes spammers and does very little to prevent them.
Essentially, you are probably being blocked because of your ISP and the fact that they have lots of spammers using their IP addresses, not because your IP address is blocked, but because you are surrounded by spammy IP Addresses from your ISP.
Either moan to your ISP, switch ISP or set up a new Send Connector for the domains you have trouble with, add the domains to the address space of the connector and add your ISP's mail server as a SmartHost; that way, most mail will be sent via DNS and the problem domains will be sent via your ISP.

imranrft (Author) Commented:
OK. I'll check with my ISP tomorrow and let you know the results.

Any other possible reason for our issue?


Thanks for your help.

Alan Hardisty (Co-Owner) Commented:
As you are telnetting happily, it could be an auto-signature that's causing it if you have a standard one or a company-wide one.
Try sending a simple "Test" message with Test as the Subject and Body and nothing else.  Does that message get delivered?
Can't think of anything else.

imranrft (Author) Commented:
I just tried it but it didn't go through.

Can you please check the target domain? It is: marsh.com


Thanks.

Alan Hardisty (Co-Owner) Commented:
Checking....
When you telnet, what are you telnetting to? A Fully Qualified Domain Name or an IP Address?

Alan Hardisty (Co-Owner) Commented:
Oh joy - they are using a cluster:
Your 8 MX records are:

10 mx11.marsh.com. [TTL=10800] IP=205.156.137.71 [TTL=10800] [US]
10 mx12.marsh.com. [TTL=10800] IP=205.156.137.72 [TTL=10800] [US]
10 mx13.marsh.com. [TTL=10800] IP=205.156.137.73 [TTL=10800] [US]
10 mx50.marsh.com. [TTL=10800] IP=168.168.42.23 [TTL=10800] [US]
10 mx51.marsh.com. [TTL=10800] IP=168.168.42.24 [TTL=10800] [US]
10 mx52.marsh.com. [TTL=10800] IP=168.168.42.40 [TTL=10800] [US]
10 mx53.marsh.com. [TTL=10800] IP=168.168.42.41 [TTL=10800] [US]
10 mx10.marsh.com. [TTL=10800] IP=205.156.137.70 [TTL=10800] [US]
You could be hitting one or more servers that are not configured properly.

imranrft (Author) Commented:
I did telnet to the FQDN: mx10.marsh.com

Alan Hardisty (Co-Owner) Commented:
Can you try each one in turn please.  See if one doesn't like you.
Thanks.

Alan Hardisty (Co-Owner) Commented:
If you create a new Send Connector and add mx10.marsh.com as the smarthost and marsh.com as the Address space and send a test message, does that go?

imranrft (Author) Commented:
OK.

Sent message successfully to each server using telnet.

Alan Hardisty (Co-Owner) Commented:
Do you use autosignatures or add a company-wide disclaimer to your outbound emails?
Do you want to send me a test message so that I can see what in general you are sending? If you do - I am reachable at alan @ it-eye.co.uk (minus the spaces).

imranrft (Author) Commented:
OK. Sent a test message to you.

Alan Hardisty (Co-Owner) Commented:
Thanks - duly received.
No disclaimer attached!
Is this the only domain you are having problems with?

imranrft (Author) Commented:
I created a new send connector "Marsh.com" and sent an e-mail again. The message is not there in the Queue. (Might be delivered!!!)

I found in Event Viewer:

"Send connector Marsh.com has initiated a new session to 205.156.137.70:25."

But how come it established a session without setting up smart host authentication?

Anyhow, I can't verify with the recipient at this time whether he received it or not.

Alan Hardisty (Co-Owner) Commented:
My Anti-Spam software did flag up the following:
SPF policy of domain "yourdomain.ae": The requested A/MX record was not found for "exserver.yourdomain.ae"
Does exserver.yourdomain.ae exist and is it sending out mail from your domain?
If not - you might want to remove it from your SPF record.

imranrft (Author) Commented:
There are a few other domains:

"sscomp.ae"
"magotteaux.com"
"haskoning.ae"
"laingorouke.ae"

Alan Hardisty (Co-Owner) Commented:
You won't need authentication enabled on the send connector as the domain / server has to receive anonymous emails. You are only helping Exchange to point the mail to the right place.
Do you have any IP Addresses listed in your hosts file for marsh.com?
c:\windows\system32\drivers\etc hosts and lmhosts.sam

Alan Hardisty (Co-Owner) Commented:
You may have to set up specific Send Connectors for those domains or set up one using your ISP as the Smarthost and those domains in the Address Space. This is not unusual.
I don't see any problems at your end - it could just be them not liking you for some reason or a possible DNS issue at your end, although this is unlikely.

imranrft (Author) Commented:
Oh I see. The SPF record should be "mail.mydomain.ae" instead of "exserver.mydomain.ae".

I have to check with ISP regarding.

Any issues if we remove SPF record? Or better to correct it?


imranrft (Author) Commented:
I added mx10.marsh.com with its IP to the HOSTS file just to rule out any DNS issue.

This entry is still there in HOSTS.

Alan Hardisty (Co-Owner) Commented:
Your SPF is currently as follows:
v=spf1 mx mx:yourdomain.ae ip4:83.xxx.xxx.109 mx:exserver.yourdomain.ae ~all
The wrong SPF can cause you problems - not having one is better than having the wrong one.
I also modified your last post to hide your domain name ; )
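
Added example (not part of the thread): a small offline lint for an SPF record shaped like the one quoted above, flagging `mx:`/`a:` terms whose target has no matching records. Under RFC 7208, `mx:<domain>` queries the MX records of that domain. The record, the `example.ae` names, the 192.0.2.109 address and the `MX`/`A` tables are constructed placeholders.

```python
import ipaddress

# Constructed zone data standing in for live DNS (assumption, not from the thread).
MX = {"example.ae": ["mail.example.ae"]}
A = {"mail.example.ae": ["192.0.2.109"]}
LOOKUP_MECHS = {"a", "mx", "include", "exists", "ptr"}

# Constructed record with the same shape as the one quoted in the thread.
BROKEN = "v=spf1 mx mx:example.ae ip4:192.0.2.109 mx:exserver.example.ae ~all"


def lint_spf(record, domain, mx=MX, a=A):
    """Return a list of findings for an SPF record published at `domain`."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings, lookups = [], 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if "=" in name:                       # modifier: redirect=, exp=
            lookups += name.startswith("redirect=")
            continue
        # A missing argument means "the domain the record is published at".
        target = (arg.split("/")[0] or domain).rstrip(".").lower()
        if name in LOOKUP_MECHS:
            lookups += 1
        if name == "mx" and not mx.get(target):
            findings.append("mx:%s has no MX records" % target)
        elif name == "a" and not a.get(target):
            findings.append("a:%s has no A records" % target)
        elif name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg, strict=False)
            except ValueError:
                findings.append("%s is not a valid address or network" % term)
        elif name == "all" and qualifier in "+?":
            findings.append("'%s' does not restrict any sender" % term)
    if lookups > 10:
        findings.append("more than 10 DNS-querying terms (RFC 7208 limit)")
    return findings


if __name__ == "__main__":
    print(lint_spf(BROKEN, "example.ae"))
```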

Alan Hardisty (Co-Owner) Commented:
When did you add the Hosts file entry?
If mx10.marsh.com is down - you are effectively stopping the server from sending to any other mail server.  I would remove the record from the hosts file and leave DNS to resolve it.
Do you have any other IP's in the hosts file or is it empty?

Alan Hardisty (Co-Owner) Commented:
Also - SPF is a DNS record change - not necessarily something you have to call your ISP about unless they manage your domain's DNS records.

Alan Hardisty (Co-Owner) Commented:
Just eating.

imranrft (Author) Commented:
OK. I removed the entry from HOSTS. No other entry there.

Our ISP manages our public domain's DNS record.

Thank you so much Alan.

I'll check with the recipients tomorrow to verify the messages and let you know.

Regards,

Alan Hardisty (Co-Owner) Commented:
No problems - I will be zapping a virus tomorrow that has gotten its teeth into a PC, but will be inches from my email on my laptop.

VBDotNetCoder Commented:
Why did you suffer so much? :)

VBDotNetCoder:

"In addition... Do you have anti-spam precautions taken on your DNS Server and Exchange server (like SPF record(s), reverse DNS record(s)...). Anti Spam software might have been blocking messages from you if these precautions are not implemented..."

imranrft (Author) Commented:
Issue resolved by creating new send connectors.

Alan! Thank you so much for your help.

Alan Hardisty (Co-Owner) Commented:
You are welcome - glad the issue is resolved and thanks for the points.

Alan
Question has a verified solution.
