4.4.1 AND 4.4.2 SMTP Send Errors

I am having a big problem with not being able to send email to some domains outside my network.  Some email goes but most does not.  This is a new install of Exchange 2007 SP1 on a Win 2003 virtual machine.  I have set up an RDNS/PTR record with my ISP as well as setting up the appropriate records for the domain using http://www.zoneedit.com for my managed external DNS.  According to http://www.mxtoolbox.com everything is set up properly.  The contents of my SMTP Send log are:
2010-08-24T17:14:47.339Z,SMTP,08CD1116152857BE,0,,,*,,attempting to connect
2010-08-24T17:14:47.495Z,SMTP,08CD1116152857BE,2,,,<,"220 Server10.rmisecurity.net Microsoft ESMTP MAIL Service ready at Tue, 24 Aug 2010 11:14:47 -0600",
2010-08-24T17:14:47.495Z,SMTP,08CD1116152857BE,3,,,>,EHLO tbc-exch.thouttbrosinc.com,
2010-08-24T17:14:47.573Z,SMTP,08CD1116152857BE,4,,,<,250-Server10.rmisecurity.net Hello [],
2010-08-24T17:14:47.573Z,SMTP,08CD1116152857BE,11,,,<,250-AUTH NTLM,
2010-08-24T17:14:47.573Z,SMTP,08CD1116152857BE,12,,,<,250-X-EXPS GSSAPI NTLM,
2010-08-24T17:14:47.573Z,SMTP,08CD1116152857BE,18,,,<,250 XSHADOW,
2010-08-24T17:14:47.651Z,SMTP,08CD1116152857BE,20,,,<,220 2.0.0 SMTP server ready,
2010-08-24T17:14:47.651Z,SMTP,08CD1116152857BE,21,,,*,,Sending certificate
2010-08-24T17:14:47.651Z,SMTP,08CD1116152857BE,22,,,*,CN=tbc-exch.thouttbrosinc.com,Certificate subject
2010-08-24T17:14:47.651Z,SMTP,08CD1116152857BE,23,,,*,CN=tbc-exch.thouttbrosinc.com,Certificate issuer name
2010-08-24T17:14:47.651Z,SMTP,08CD1116152857BE,24,,,*,C03DB4E2349C5CB34AD5CF50FA72DC45,Certificate serial number
2010-08-24T17:14:47.651Z,SMTP,08CD1116152857BE,25,,,*,D3A4AD300E5A09E532CEB9936781ED74CEA4368A,Certificate thumbprint
2010-08-24T17:14:47.651Z,SMTP,08CD1116152857BE,26,,,*,tbc-exch.thouttbrosinc.com;email.thouttbrosinc.com;autodiscover.thouttbrosinc.com;thouttbrosinc.com,Certificate alternate names
I don't see anything there to indicate a reason for the error.  I ran a dcdiag /test:dns /v /dns.txt and the results are:
TEST: Records registration (RReg)
                  Network Adapter

                  [00000017] Microsoft Virtual Network Switch Adapter:

                     Missing A record at DNS server
               Warning: Record Registrations not found in some network adapters

               TBC-DC-1                     PASS PASS PASS PASS PASS WARN n/a  
         ......................... thouttbrosinc.com passed test DNS
Again, I don't see anything that would indicate a major issue.  

If anybody has any ideas I would greatly appreciate them.  I have been working on this for days now and people are starting to get a bit agitated.  If more info is needed to help just let me know.  Thanks.
Dave_LaSalle Commented:
Could you turn TLS off for a brief test?
Jamie Gillespie (Senior IT Consultant) Commented:
When did you set things up?

Some record changes can take up to 24 hours to append
jb1023 (Author) Commented:
It has been about 10 days or so.
Jamie Gillespie (Senior IT Consultant) Commented:
Have you tried using a smarthost?
2010-08-4T17:14:47.573Z,SMTP,08CD1116152857BE,4,,,<,250-Server10.rmisecurity.net Hello [],

who is in this conversation?
Jamie Gillespie (Senior IT Consultant) Commented:
I think this is your ISP?
Jamie Gillespie (Senior IT Consultant) Commented:
Author's ISP, sorry
jb1023 (Author) Commented:
No.  I had this all working on a previous server till it died and my backups were of the db only, not the settings.  I suppose I could try that for a bit to see if it would work but ultimately I want to figure out why I am having this problem.  My host name is the same, tbc-exch.thouttbrosinc.com and my IP is the same, and thus I am lost.  I will contact Comcast to see what they say about me using them as a smarthost in the meantime though.
jb1023 (Author) Commented:
225 is the WAN port on my firewall.  Not sure why that would be inserting itself there.  I have one-to-one NAT set up and 227 is assigned to the Exchange services.
Is it the same IP as the old server or a new one?  If new you may need to adjust your firewall address transforms for the new IP (that would be for outbound connections from your Exchange server to show as .227).
Jamie Gillespie (Senior IT Consultant) Commented:
Comcast may be preventing you from sending
jb1023 (Author) Commented:
.95 was assigned to the old and now to the new server.  Same with .227 for the external, it was both the old and the new.

I called Comcast and "they said" they were not blocking any traffic.  Of course when setting up the RDNS it also took 4 calls over 2 days before they spelled my URL correctly.
Jamie Gillespie (Senior IT Consultant) Commented:
Really strange,

Are you getting any bouncebacks, or is it just delay messages?
jb1023 (Author) Commented:
We get a delay message after 4 hrs and then a queue expired notice after 2 days (#550 4.4.7 QUEUE.Expired; message expired ##).

I just can't figure out why my server would be responding with the IP of my WAN port rather than its own NAT assigned IP.
Jamie Gillespie (Senior IT Consultant) Commented:
Try just using DNS instead of Smarthost to troubleshoot
I think your emails are getting blocked by servers that enforce "HELO Restrictions"
That happens when there is no A, PTR, MX or FQDN record for the IP of a host that is connecting to it.
I could not find any records (obviously) for the wan port of your firewall

Was there some MAC address assoc. with the old server in your firewall config?
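To make the "HELO restrictions" point above concrete, here is an added Python example (not code from this thread or from any of the posters) that evaluates a connecting IP and its EHLO/HELO name the way a receiving MTA with such restrictions does: the HELO name must have an A record pointing at the IP, the IP must have a PTR, and the PTR name must resolve back to the IP (forward-confirmed reverse DNS). The DNS data and addresses are constructed: TEST-NET addresses stand in for the thread's real ones (which the page elides), with 192.0.2.227 playing the Exchange server's NAT address and 192.0.2.225 the firewall's WAN port. MX checks are not modelled.

```python
from collections import namedtuple

# Constructed DNS data standing in for live A/PTR lookups (hypothetical).
PTR_RECORDS = {
    "192.0.2.227": ["tbc-exch.thouttbrosinc.com"],   # NAT address of the Exchange server
    "192.0.2.50": ["mail.example.net"],               # PTR present, but forward lookup disagrees
    # 192.0.2.225 (the firewall WAN port) deliberately has no PTR at all
}
A_RECORDS = {
    "tbc-exch.thouttbrosinc.com": ["192.0.2.227"],
    "mail.example.net": ["203.0.113.9"],
}

HeloCheck = namedtuple("HeloCheck", "accept reasons")


def check_helo(ip, helo, ptr=PTR_RECORDS, a=A_RECORDS):
    """Evaluate a connecting IP against its EHLO/HELO name as a receiving MTA
    with HELO restrictions would. Returns accept=True only when the HELO name
    resolves to the IP, the IP has a PTR, and that PTR is forward-confirmed
    and matches the HELO name. Every failed check is listed in `reasons`."""
    reasons = []
    helo = helo.rstrip(".").lower()

    # 1. Does the HELO name resolve, and does it resolve to the connecting IP?
    helo_ips = a.get(helo, [])
    if not helo_ips:
        reasons.append(f"HELO name {helo} has no A record")
    elif ip not in helo_ips:
        reasons.append(f"HELO name {helo} does not resolve to {ip}")

    # 2. Does the IP have a PTR, and does the PTR name resolve back to the IP?
    ptr_names = [n.rstrip(".").lower() for n in ptr.get(ip, [])]
    if not ptr_names:
        reasons.append(f"no PTR record for {ip}")
    else:
        confirmed = [n for n in ptr_names if ip in a.get(n, [])]
        if not confirmed:
            reasons.append(f"PTR name(s) {ptr_names} do not resolve back to {ip}")
        elif helo not in confirmed:
            reasons.append(f"HELO name {helo} does not match forward-confirmed PTR {confirmed}")

    return HeloCheck(accept=not reasons, reasons=reasons)


if __name__ == "__main__":
    for ip in ("192.0.2.227", "192.0.2.225", "192.0.2.50"):
        result = check_helo(ip, "tbc-exch.thouttbrosinc.com")
        print(ip, "ACCEPT" if result.accept else "REJECT", result.reasons)
```

Run as-is it shows why the same EHLO name passes from the NAT address but fails from the WAN port: the WAN address neither matches the HELO name's A record nor has a PTR, which is exactly what a remote MTA enforcing HELO restrictions sees. Swapping the two dictionaries for real resolver calls (for example via `socket.gethostbyaddr` and `socket.gethostbyname_ex`) turns this into a live pre-flight check for a new mail server.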
Jamie Gillespie (Senior IT Consultant) Commented:
Take out the smarthost to test and chase up the people that sort your records out
jb1023 (Author) Commented:
I think I have my A, PTR, MX and FQDN all setup correctly.  When I run the tools at mxtoolbox.com everything comes back with the correct info.  I just checked my public DNS settings on zoneedit as well as verify that godaddy had the correct DNS servers listed and that is all correct.  I also added an SPF record to zoneedit, just because I've seen that pop up in a few threads but did not expect much as I've never had to have one before.

I definitely did not have any sort of MAC address associations in my firewall.
Jamie Gillespie (Senior IT Consultant) Commented:
Have you tried removing the smarthost?

When you do it you will need to restart SMTP
jb1023 (Author) Commented:
I don't have a smarthost.  Not sure what you mean by "chase up the people that sort your records out".  If you are talking about DNS settings, Comcast hosts our RDNS but for all other DNS records I have an account with Zoneedit and manage that myself.
jb1023 (Author) Commented:
Thanks Jamie and Dave, I appreciate both of you taking the time to help.  I'll be back in 90 minutes as I have to leave the office but will continue this when I get back.  Thanks again.
Jamie Gillespie (Senior IT Consultant) Commented:
Not to worry, will be interesting to find out what the issue is
Yes your records are correct for your SMTP server but if responding SMTP servers or MTAs are checking info on your WAN IP (because that is what is in the HELO response) what will they see... not much.

Also mxtoolbox diagnostics will only prove that they can send you mail, not the other way around.
I think at this point that your firewall sees something different about your new server for some reason... port, MAC, I don't know.  Was your old server multi-homed?
jb1023 (Author) Commented:
I'm not seeing anything in the firewall but obviously it is there somewhere so I will keep looking.  The only references to the .225 IP I can find are in reference to the WAN address.

The Exchange server is actually running on a virtual OS with only a single virtual adapter but it is hosted on a multi-homed server, if that matters.
jb1023 (Author) Commented:
So after making the change in the firewall, as per dpk_wal, this is what I get when I try to send an email.  Obviously they still don't go but I don't see the wrong IP anymore but now I don't see any IP at all.
2010-08-25T01:33:35.190Z,SMTP,08CD111615286874,2,,,<,"220 p02c12m074.mxlogic.net ESMTP mxl_mta-6.7.0-1 [74310940.4702780.00-2003]; Tue, 24 Aug 2010 19:33:35 -0600 (MDT); NO UCE, INBOUND",
2010-08-25T01:33:35.190Z,SMTP,08CD111615286874,3,,,>,EHLO tbc-exch.thouttbrosinc.com,
2010-08-25T01:33:35.237Z,SMTP,08CD111615286874,5,,,<,250-SIZE 0,
2010-08-25T01:33:35.237Z,SMTP,08CD111615286874,8,,,<,250 PIPELINING,
2010-08-25T01:33:35.237Z,SMTP,08CD111615286874,9,,,*,5323,sending message
2010-08-25T01:33:35.237Z,SMTP,08CD111615286874,10,,,>,MAIL FROM:<janice@thouttbrosinc.com> SIZE=48161,
2010-08-25T01:33:35.237Z,SMTP,08CD111615286874,11,,,>,RCPT TO:<dlawrenc@ball.com>,
2010-08-25T01:33:35.268Z,SMTP,08CD111615286874,12,,,<,250 Sender Ok,
I don't see a post from dpk_wal, what was changed?  What FW are you using if you care to say?
jb1023 (Author) Commented:
SonicWall 2040 Enhanced OS.  

Actually the post in my thread was from bryon44035v3 who referenced an earlier thread by dpk_wal, sorry for the confusion on that.

jb1023 (Author) Commented:
Here is a recent log entry from the SMTP Send Log:
2010-08-25T15:08:20.134Z,SMTP,08CD1116152874A6,0,,,*,,attempting to connect
2010-08-25T15:08:20.275Z,SMTP,08CD1116152874A6,2,,,<,"220 VA3EHSMHS022.bigfish.com Microsoft ESMTP MAIL Service ready at Wed, 25 Aug 2010 15:08:20 +0000",
2010-08-25T15:08:20.275Z,SMTP,08CD1116152874A6,3,,,>,EHLO tbc-exch.thouttbrosinc.com,
2010-08-25T15:08:20.337Z,SMTP,08CD1116152874A6,4,,,<,250-VA3EHSMHS022.bigfish.com Hello [],
2010-08-25T15:08:20.337Z,SMTP,08CD1116152874A6,5,,,<,250-SIZE 157286400,
2010-08-25T15:08:20.337Z,SMTP,08CD1116152874A6,12,,,<,250 CHUNKING,
2010-08-25T15:08:20.400Z,SMTP,08CD1116152874A6,14,,,<,220 2.0.0 SMTP server ready,
2010-08-25T15:08:20.400Z,SMTP,08CD1116152874A6,15,,,*,,Sending certificate
2010-08-25T15:08:20.400Z,SMTP,08CD1116152874A6,16,,,*,CN=tbc-exch.thouttbrosinc.com,Certificate subject
2010-08-25T15:08:20.400Z,SMTP,08CD1116152874A6,17,,,*,CN=tbc-exch.thouttbrosinc.com,Certificate issuer name
2010-08-25T15:08:20.400Z,SMTP,08CD1116152874A6,18,,,*,C03DB4E2349C5CB34AD5CF50FA72DC45,Certificate serial number
2010-08-25T15:08:20.400Z,SMTP,08CD1116152874A6,19,,,*,D3A4AD300E5A09E532CEB9936781ED74CEA4368A,Certificate thumbprint
2010-08-25T15:08:20.400Z,SMTP,08CD1116152874A6,20,,,*,tbc-exch.thouttbrosinc.com;email.thouttbrosinc.com;autodiscover.thouttbrosinc.com;thouttbrosinc.com,Certificate alternate names

As you can see the correct IP is now being issued and yet the email is still not flowing.  One thing I noticed is that the certificate gets issued, an acknowledgment of sorts and then nothing.  Could there be something with my certificate that is causing a problem?  Sorry, I'm grasping at this point.
Please check your postmaster mailbox.
jb1023 (Author) Commented:
I just setup a postmaster mailbox this morning but so far there is nothing in it.

In addition to the firewall not being setup right I also discovered that I was using the wrong SSL cert.  Both are now fixed and yet the problem continues.  Here is a section of the queue after fixing the SSL.  It says it is sending but the message just sits in the queue.

2010-08-26T00:43:30.069Z,SMTP,08CD111615288A8F,0,,,*,,attempting to connect
2010-08-26T00:43:30.194Z,SMTP,08CD111615288A8F,2,,,<,"220 bay0-mc1-f8.Bay0.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.msn.com/Anti-spam/. Violations will result in use of equipment located in California and other states. Wed, 25 Aug 2010 17:43:30 -0700 ",
2010-08-26T00:43:30.194Z,SMTP,08CD111615288A8F,3,,,>,EHLO tbc-exch.thouttbrosinc.com,
2010-08-26T00:43:30.256Z,SMTP,08CD111615288A8F,4,,,<,250-bay0-mc1-f8.Bay0.hotmail.com ( Hello [],
2010-08-26T00:43:30.256Z,SMTP,08CD111615288A8F,5,,,<,250-SIZE 29696000,
2010-08-26T00:43:30.256Z,SMTP,08CD111615288A8F,10,,,<,250-AUTH LOGIN,
2010-08-26T00:43:30.256Z,SMTP,08CD111615288A8F,12,,,<,250 OK,
2010-08-26T00:43:30.256Z,SMTP,08CD111615288A8F,13,,,*,6391,sending message
2010-08-26T00:43:30.256Z,SMTP,08CD111615288A8F,14,,,>,MAIL FROM:<jeff@thouttbrosinc.com> SIZE=2190,
2010-08-26T00:43:30.256Z,SMTP,08CD111615288A8F,15,,,>,RCPT TO:<jbulick@hotmail.com>,
2010-08-26T00:43:30.319Z,SMTP,08CD111615288A8F,16,,,<,250 jeff@thouttbrosinc.com....Sender OK,
Hmm, no bounce... something picked it up from yesterday.
Re-sent check now.
jb1023 (Author) Commented:
I was just able to obtain a receive log from one of the domains that we are not able to send email to.  I am including the pertinent part of each log so things can be matched up in the hopes that somebody might see something.  The one thing I do see is a time out on the receive log.  Could all of my emails really be timing out?  I have the default values on my Exchange server for timeouts so perhaps I need to bump them up some?

2010-08-26T13:23:28.963Z,SMTP,08CD111615288D13,0,,,*,,attempting to connect
2010-08-26T13:23:29.103Z,SMTP,08CD111615288D13,2,,,<,"220 Server10.rmisecurity.net Microsoft ESMTP MAIL Service ready at Thu, 26 Aug 2010 07:23:28 -0600",
2010-08-26T13:23:29.103Z,SMTP,08CD111615288D13,3,,,>,EHLO tbc-exch.thouttbrosinc.com,
2010-08-26T13:23:29.181Z,SMTP,08CD111615288D13,4,,,<,250-Server10.rmisecurity.net Hello [],
2010-08-26T13:23:29.181Z,SMTP,08CD111615288D13,11,,,<,250-AUTH NTLM,
2010-08-26T13:23:29.181Z,SMTP,08CD111615288D13,12,,,<,250-X-EXPS GSSAPI NTLM,
2010-08-26T13:23:29.181Z,SMTP,08CD111615288D13,18,,,<,250 XSHADOW,
2010-08-26T13:23:29.244Z,SMTP,08CD111615288D13,20,,,<,220 2.0.0 SMTP server ready,
2010-08-26T13:23:29.244Z,SMTP,08CD111615288D13,21,,,*,,Sending certificate
2010-08-26T13:23:29.244Z,SMTP,08CD111615288D13,22,,,*,"CN=thouttbrosinc.com, OU=Domain Control Validated, O=thouttbrosinc.com",Certificate subject
2010-08-26T13:23:29.244Z,SMTP,08CD111615288D13,23,,,*,"SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=""GoDaddy.com, Inc."", L=Scottsdale, S=Arizona, C=US",Certificate issuer name
2010-08-26T13:23:29.244Z,SMTP,08CD111615288D13,24,,,*,27A0B080E94416,Certificate serial number
2010-08-26T13:23:29.244Z,SMTP,08CD111615288D13,25,,,*,2DCAFCB00B11199E58BCBBFAEFC4760A27080D87,Certificate thumbprint
2010-08-26T13:23:29.244Z,SMTP,08CD111615288D13,26,,,*,thouttbrosinc.com;www.thouttbrosinc.com;tbc-exch.thouttbrosinc.com;autodiscover.thouttbrosinc.com;email.thouttbrosinc.com,Certificate alternate names


2010-08-26T00:04:14.442Z,SERVER10\Default SERVER10,08CD124BDD55BB66,27,,,-,,Local
2010-08-26T00:04:14.590Z,SERVER10\Default SERVER10,08CD124BDD55BB71,0,,,+,,
2010-08-26T00:04:14.590Z,SERVER10\Default SERVER10,08CD124BDD55BB71,1,,,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2010-08-26T00:04:14.591Z,SERVER10\Default SERVER10,08CD124BDD55BB71,2,,,>,"220 Server10.rmisecurity.net Microsoft ESMTP MAIL Service ready at Wed, 25 Aug 2010 18:04:14 -0600",
2010-08-26T00:04:14.661Z,SERVER10\Default SERVER10,08CD124BDD55BB71,3,,,<,EHLO tbc-exch.thouttbrosinc.com,
2010-08-26T00:04:14.661Z,SERVER10\Default SERVER10,08CD124BDD55BB71,4,,,>,250-Server10.rmisecurity.net Hello [],
2010-08-26T00:04:14.661Z,SERVER10\Default SERVER10,08CD124BDD55BB71,5,,,>,250-SIZE,
2010-08-26T00:04:14.661Z,SERVER10\Default SERVER10,08CD124BDD55BB71,6,,,>,250-PIPELINING,
2010-08-26T00:04:14.661Z,SERVER10\Default SERVER10,08CD124BDD55BB71,7,,,>,250-DSN,
2010-08-26T00:04:14.661Z,SERVER10\Default SERVER10,08CD124BDD55BB71,8,,,>,250-ENHANCEDSTATUSCODES,
2010-08-26T00:04:14.661Z,SERVER10\Default SERVER10,08CD124BDD55BB71,9,,,>,250-STARTTLS,
2010-08-26T00:04:14.661Z,SERVER10\Default SERVER10,08CD124BDD55BB71,10,,,>,250-X-ANONYMOUSTLS,
2010-08-26T00:04:14.661Z,SERVER10\Default SERVER10,08CD124BDD55BB71,11,,,>,250-AUTH NTLM,
2010-08-26T00:04:14.661Z,SERVER10\Default SERVER10,08CD124BDD55BB71,12,,,>,250-X-EXPS GSSAPI NTLM,
2010-08-26T00:04:14.661Z,SERVER10\Default SERVER10,08CD124BDD55BB71,13,,,>,250-8BITMIME,
2010-08-26T00:04:14.661Z,SERVER10\Default SERVER10,08CD124BDD55BB71,14,,,>,250-BINARYMIME,
2010-08-26T00:04:14.661Z,SERVER10\Default SERVER10,08CD124BDD55BB71,15,,,>,250-CHUNKING,
2010-08-26T00:04:14.661Z,SERVER10\Default SERVER10,08CD124BDD55BB71,16,,,>,250-XEXCH50,
2010-08-26T00:04:14.662Z,SERVER10\Default SERVER10,08CD124BDD55BB71,17,,,>,250-XRDST,
2010-08-26T00:04:14.662Z,SERVER10\Default SERVER10,08CD124BDD55BB71,18,,,>,250 XSHADOW,
2010-08-26T00:04:14.741Z,SERVER10\Default SERVER10,08CD124BDD55BB71,19,,,<,MAIL FROM:<jeff@thouttbrosinc.com> SIZE=3510,
2010-08-26T00:04:14.741Z,SERVER10\Default SERVER10,08CD124BDD55BB71,20,,,*,08CD124BDD55BB71;2010-08-26T00:04:14.590Z;1,receiving message
2010-08-26T00:04:14.741Z,SERVER10\Default SERVER10,08CD124BDD55BB71,21,,,>,250 2.1.0 Sender OK,
2010-08-26T00:09:15.615Z,SERVER10\Default SERVER10,08CD124BDD55BB71,22,,,>,451 4.7.0 Timeout waiting for client input,
2010-08-26T00:09:15.615Z,SERVER10\Default SERVER10,08CD124BDD55BB71,23,,,-,,Local
jb1023 (Author) Commented:
msg replied to but still in queue.
Similar here

Aug 26 10:01:26 mta postfix/smtpd[7192]: connect from tbc-exch.thouttbrosinc.com[]
Aug 26 10:06:26 mta postfix/smtpd[7192]: SSL_accept error from tbc-exch.thouttbrosinc.com[]: -1
Aug 26 10:06:26 mta postfix/smtpd[7192]: lost connection after STARTTLS from tbc-exch.thouttbrosinc.com[]
Aug 26 10:06:26 mta postfix/smtpd[7192]: disconnect from tbc-exch.thouttbrosinc.com[]
Aug 26 10:06:26 mta postfix/smtpd[7192]: connect from tbc-exch.thouttbrosinc.com[]
Aug 26 10:11:26 mta postfix/anvil[7194]: statistics: max connection rate 1/60s for (smtp: at Aug 26 10:01:26
Aug 26 10:11:26 mta postfix/anvil[7194]: statistics: max connection count 1 for (smtp: at Aug 26 10:01:26
Aug 26 10:11:26 mta postfix/anvil[7194]: statistics: max cache size 2 at Aug 26 10:01:34
Aug 26 10:11:27 mta postfix/smtpd[7192]: timeout after MAIL from tbc-exch.thouttbrosinc.com[]
Aug 26 10:11:27 mta postfix/smtpd[7192]: disconnect from tbc-exch.thouttbrosinc.com[]
Aug 26 10:12:27 mta postfix/smtpd[7192]: connect from tbc-exch.thouttbrosinc.com[]
Aug 26 10:17:27 mta postfix/smtpd[7192]: SSL_accept error from tbc-exch.thouttbrosinc.com[]: -1
Aug 26 10:17:27 mta postfix/smtpd[7192]: lost connection after STARTTLS from tbc-exch.thouttbrosinc.com[]
Aug 26 10:17:27 mta postfix/smtpd[7192]: disconnect from tbc-exch.thouttbrosinc.com[]
Aug 26 10:17:27 mta postfix/smtpd[7192]: connect from tbc-exch.thouttbrosinc.com[]
Looks like it still 'may' be a cert issue
Does anything here help: http://technet.microsoft.com/en-us/library/bb510129(EXCHG.80).aspx
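The two log excerpts above (jb1023's Exchange receive log ending in `451 4.7.0 Timeout waiting for client input`, and the Postfix `SSL_accept error` / `lost connection after STARTTLS` lines) both show the same failure shape: the TLS handshake begins and then nothing follows until the peer times out. Here is an added Python example, not code from this thread or from any poster, that turns that into a repeatable check. It parses the Exchange 2007 protocol-log CSV layout seen in the thread (date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context, with the `+ - > < *` event markers) and Postfix `smtpd` lines, and reports send sessions that stalled after "Sending certificate", receive sessions that ended in the 451 timeout, and Postfix peers with failed `SSL_accept`. All sample lines are constructed for the example: peers use example.net/example.org names and TEST-NET addresses, and the session ids are placeholders.

```python
import csv
import re
from collections import Counter, defaultdict
from io import StringIO

# Constructed Exchange send-log sample (hypothetical sessions, not from the thread).
# SESSION-A starts TLS and goes silent; SESSION-B never negotiates TLS and proceeds.
SEND_LOG = """\
2010-08-26T13:23:28.963Z,SMTP,SESSION-A,0,,,*,,attempting to connect
2010-08-26T13:23:29.103Z,SMTP,SESSION-A,2,,,<,"220 mx.example.net ESMTP ready",
2010-08-26T13:23:29.103Z,SMTP,SESSION-A,3,,,>,EHLO tbc-exch.thouttbrosinc.com,
2010-08-26T13:23:29.181Z,SMTP,SESSION-A,9,,,<,250-STARTTLS,
2010-08-26T13:23:29.244Z,SMTP,SESSION-A,20,,,<,220 2.0.0 SMTP server ready,
2010-08-26T13:23:29.244Z,SMTP,SESSION-A,21,,,*,,Sending certificate
2010-08-26T13:23:29.244Z,SMTP,SESSION-A,22,,,*,CN=tbc-exch.thouttbrosinc.com,Certificate subject
2010-08-26T13:23:30.000Z,SMTP,SESSION-B,0,,,*,,attempting to connect
2010-08-26T13:23:30.100Z,SMTP,SESSION-B,2,,,<,220 mail.example.org ESMTP,
2010-08-26T13:23:30.100Z,SMTP,SESSION-B,3,,,>,EHLO tbc-exch.thouttbrosinc.com,
2010-08-26T13:23:30.200Z,SMTP,SESSION-B,4,,,<,250 OK,
2010-08-26T13:23:30.200Z,SMTP,SESSION-B,5,,,>,MAIL FROM:<jeff@thouttbrosinc.com> SIZE=2190,
2010-08-26T13:23:30.300Z,SMTP,SESSION-B,6,,,<,250 2.1.0 Sender OK,
"""

# Constructed receive-log sample from the remote side of a stalled session.
RECEIVE_LOG = """\
2010-08-26T00:04:14.590Z,Default SERVER,SESSION-R,0,,,+,,
2010-08-26T00:04:14.661Z,Default SERVER,SESSION-R,3,,,<,EHLO tbc-exch.thouttbrosinc.com,
2010-08-26T00:04:14.661Z,Default SERVER,SESSION-R,9,,,>,250-STARTTLS,
2010-08-26T00:04:14.741Z,Default SERVER,SESSION-R,19,,,<,MAIL FROM:<jeff@thouttbrosinc.com> SIZE=3510,
2010-08-26T00:09:15.615Z,Default SERVER,SESSION-R,22,,,>,451 4.7.0 Timeout waiting for client input,
2010-08-26T00:09:15.615Z,Default SERVER,SESSION-R,23,,,-,,Local
"""

# Constructed Postfix smtpd sample (TEST-NET address in place of the real one).
POSTFIX_LOG = """\
Aug 26 10:01:26 mta postfix/smtpd[7192]: connect from tbc-exch.thouttbrosinc.com[192.0.2.227]
Aug 26 10:06:26 mta postfix/smtpd[7192]: SSL_accept error from tbc-exch.thouttbrosinc.com[192.0.2.227]: -1
Aug 26 10:06:26 mta postfix/smtpd[7192]: lost connection after STARTTLS from tbc-exch.thouttbrosinc.com[192.0.2.227]
Aug 26 10:12:27 mta postfix/smtpd[7192]: connect from tbc-exch.thouttbrosinc.com[192.0.2.227]
Aug 26 10:17:27 mta postfix/smtpd[7192]: SSL_accept error from tbc-exch.thouttbrosinc.com[192.0.2.227]: -1
Aug 26 10:17:27 mta postfix/smtpd[7192]: lost connection after STARTTLS from tbc-exch.thouttbrosinc.com[192.0.2.227]
Aug 26 10:20:00 mta postfix/smtpd[7192]: connect from good.example.com[198.51.100.5]
"""


def parse_exchange_log(text):
    """Group Exchange protocol-log rows by session id, keeping row order.
    Lines starting with '#' (the log's own header comments) are skipped."""
    sessions = defaultdict(list)
    for row in csv.reader(StringIO(text)):
        if len(row) < 9 or row[0].startswith("#"):
            continue
        _ts, _conn, sid, _seq, _local, _remote, event, data, context = row[:9]
        sessions[sid].append((event, data, context))
    return sessions


def exchange_send_tls_stalls(text):
    """Send-log sessions that reached 'Sending certificate' (TLS handshake
    started) but never sent another SMTP command ('>' event) afterwards."""
    stalled = []
    for sid, rows in parse_exchange_log(text).items():
        started = sent_after = False
        for event, _data, context in rows:
            if event == "*" and context == "Sending certificate":
                started = True
            elif started and event == ">":
                sent_after = True
        if started and not sent_after:
            stalled.append(sid)
    return stalled


def exchange_receive_timeouts(text):
    """Receive-log sessions the server closed with 451 4.7.0 Timeout."""
    return [sid for sid, rows in parse_exchange_log(text).items()
            if any(e == ">" and d.startswith("451 4.7.0 Timeout") for e, d, _ in rows)]


# Postfix logs the peer as hostname[ip]; capture the hostname before '['.
POSTFIX_TLS_FAIL = re.compile(r"postfix/smtpd\[\d+\]: SSL_accept error from ([^\s\[]+)\[")


def postfix_starttls_failures(text):
    """Count failed TLS accepts per connecting peer in Postfix smtpd lines."""
    counts = Counter()
    for line in text.splitlines():
        m = POSTFIX_TLS_FAIL.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("send sessions stalled after STARTTLS:", exchange_send_tls_stalls(SEND_LOG))
    print("receive sessions timed out:", exchange_receive_timeouts(RECEIVE_LOG))
    print("postfix SSL_accept failures by peer:", postfix_starttls_failures(POSTFIX_LOG))
```

Pointing `exchange_send_tls_stalls` at the contents of a real SmtpSend protocol log file lists every remote that accepted STARTTLS and then heard nothing more from the sender; a list made up of exactly the domains that are not receiving mail, while sessions without TLS complete normally, isolates the fault to the TLS handshake (certificate or TLS configuration on the send connector) rather than DNS, NAT or spam filtering.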
jb1023 (Author) Commented:
Unfortunately I don't see anything there that is the issue.  I have removed all my certs from the server, requested a new CSR from Exchange, re-keyed my cert in Godaddy and then went through the install, enable process in Exchange.  I compared the lookups as per that document and I don't see any differences in the fqdn.  I sent a new test email to hotmail and the msg is still in queue and the SMTP send log entry looks the same as before.
jb1023 (Author) Commented:
Not sure if this matters or if perhaps they are two different functions but I am able to log into OWA and FF and IE say the cert is valid.  Again, could be different so don't know if that matters or not.
jb1023 (Author) Commented:
Ok, so I turned it off on the send connector but not on the receive connectors and guess what...I got my test email.  I guess my next question would be why and what are the risks?
jb1023 (Author) Commented:
Looks like TLS is now set properly.  Thank you so much Dave, I really appreciate it.
jb1023 (Author) Commented:
Dave is supposed to be getting 100 pts for one of his answers and 400 for another, not sure why the Alert says 0 pts.
Jamie Gillespie (Senior IT Consultant) Commented:
Glad that's been sorted, well done Dave!
