Solved

#0.0.0 smtp; 554 Denied (Mode: normal) Error with outbound mail

Posted on 2010-09-02
Last Modified: 2012-05-10
This past week we have had several users report problems they are having sending mail to some external recipients. The e-mails to these senders are always returned with the error: "Undeliverable: Delivery failure (recipient e-mail address)" in the subject line and this in the body: "The following recipient(s) cannot be reached:

      recipients e-mail address on 9/2/2010 8:36 AM
            The e-mail system was unable to deliver the message, but did not report a specific reason.  Check the address and try again.  If it still fails, contact your system administrator.
            < dnsnameofmymodusgateserver #0.0.0 smtp; 554 Denied (Mode: normal)>"

We are using Microsoft Exchange 2003 and we have a Vircom ModusGate server in front of that to provide mail filtering.  When I pore through my OPR logs on the ModusGate server, I see the following logs of the outgoing mail transaction:

Incoming SMTP call from 192.168.0.49 (internal IP of my exchange server) at 08:36:17.
Reverse DNS Lookup for 192.168.0.49 initiated at 08:36:17.
Reverse DNS Lookup for 192.168.0.49 completed at 08:36:17.
Address 192.168.0.49 resolves to myexchangeservername.
<<< 220 mymodusgateservername modusGate ESMTP Receiver Version 5.0.916.0 Ready
>>> EHLO myexchangeservername
<<< 250-mymodusgateservername
250-SIZE 31457280
250-ETRN
250-ENHANCEDSTATUSCODES
250-X-IMS 5 -1
250-DSN
250-VRFY
250-AUTH LOGIN
250-AUTH=LOGIN
250 8BITMIME
>>> MAIL FROM:<mye-mailaddress> SIZE=15273
SPF query for mye-mailaddress from myexchangeservername initiated at 08:36:17.
SPF query for mye-mailaddress completed at 08:36:17 with the following result none (mymodusgateservername: domain of mye-mailaddress does not designate any permitted senders).
<<< 250 2.0.0 mye-mailaddress OK
>>> RCPT TO:<recipientaddress1>
<<< 250 2.0.0 recipientaddress1 OK
>>> RCPT TO:<recipientaddress2>
<<< 250 2.0.0 recipientaddress2 OK
>>> DATA
<<< 354 Ready for data
The recipient <recipientaddress1> is auto-trusted for mailbox <mye-mailaddress>.
The recipient <recipientaddress2> is auto-trusted for mailbox <mye-mailaddress>.
<<< 250 2.0.0 Message received OK [id=B0019795511@mymodusgateservername]
Message B0019795511@mymodusgateservername received at 08:36:17 from myexchangeservername (myexchangeservername [192.168.0.49]).
Size: 15269 bytes
Return-path: mye-mailaddress
"Recipients: recipientaddress1, recipientaddress2, "
>>> QUIT
<<< 221 2.0.0 mymodusgateservername closing
Incoming SMTP call from myexchangeservername completed at 08:36:17.
---- MODUSCAN log entry made at 09/02/2010 08:36:17
The file C:\Program Files\Vircom\modusGate\spool\invirus\B00\1979\B0019795511.MSG has been detected.
---- MODUSCAN log entry made at 09/02/2010 08:36:17
The file C:\Program Files\Vircom\modusGate\spool\invirus\B00\1979\B0019795511.MSG is being scanned for attachments.
---- MODUSCAN log entry made at 09/02/2010 08:36:17
The file C:\Program Files\Vircom\modusGate\spool\invirus\B00\1979\B0019795511.MSG has been scanned and is clean.
---- MODUSCAN log entry made at 09/02/2010 08:36:17
The file C:\Program Files\Vircom\modusGate\spool\invirus\B00\1979\B0019795511.MSG is being virus scanned.
---- MODUSCAN log entry made at 09/02/2010 08:36:17
The file C:\Program Files\Vircom\modusGate\spool\invirus\B00\1979\B0019795511.MSG has been scanned and is clean.
---- MODUSCAN log entry made at 09/02/2010 08:36:17
The file C:\Program Files\Vircom\modusGate\spool\invirus\B00\1979\B0019795511.MSG has been scanned and whitelisted for recipient <ssymons>
---- MODUSCAN log entry made at 09/02/2010 08:36:17
The file C:\Program Files\Vircom\modusGate\spool\invirus\B00\1979\B0019795511.MSG has been scanned and whitelisted for recipient <cmiller>
---- MODUSCAN log entry made at 09/02/2010 08:36:17
The file C:\Program Files\Vircom\modusGate\spool\invirus\B00\1979\B0019795511.MSG was scanned for spam and no actions were taken.
---- MODUSCAN log entry made at 09/02/2010 08:36:17
The file C:\Program Files\Vircom\modusGate\spool\invirus\B00\1979\B0019795511.MSG is being scanned for policies.
---- MODUSCAN log entry made at 09/02/2010 08:36:17
The file C:\Program Files\Vircom\modusGate\spool\invirus\B00\1979\B0019795511.MSG was scanned for policy violations and no actions were taken.
---- MODUSCAN log entry made at 09/02/2010 08:36:17
The domain harkinsbuilders.com was not found on the SURBL server multi.surbl.org.
---- MODUSCAN log entry made at 09/02/2010 08:36:17
Message B0019795511.MSG has been moved and/or renamed to C:\Program Files\Vircom\modusGate\spool\incoming\B00\1979\B0019795511.MSG
---- MODUSCAN log entry made at 09/02/2010 08:36:17
Message B0019795511.ASY has been moved and/or renamed to C:\Program Files\Vircom\modusGate\spool\incoming\B00\1979\B0019795511.RCP
---- SMTPDS log entry made at 09/02/2010 08:36:17
Message C:\Program Files\Vircom\modusGate\spool\incoming\B00\1979\B0019795511.MSG has been moved to C:\Program Files\Vircom\modusGate\spool\holding\B00\1979\B0019795511.MSG.
---- MODUSCAN log entry made at 09/02/2010 08:36:19
SMTP client starting work on C:\PROGRAM FILES\VIRCOM\MODUSGATE\SPOOL\DOMAINS\HCGH.ORG\B0019795511.RCP
Connected to remotemailserverip:25
"Received ""220 remotemailservername ESMTP mxl_mta-6.7.0-1 [77928940.239720.00-2314]; Thu, 02 Sep 2010 06:36:21 -0600 (MDT); NO UCE, INBOUND\r\n"""
"Sending ""EHLO mymodusgateservername\r\n"""
"Received ""250-remotemailservername\r\n250-SIZE 0\r\n250-STARTTLS\r\n250-SUBMITTER\r\n250 PIPELINING\r\n"""
"Sending ""MAIL FROM:<mye-mailaddress> SIZE=15372\r\n"""
"Received ""250 Sender Ok\r\n"""
"Sending ""RCPT TO:<recipientaddress2>\r\n"""
"Received ""250 recipientaddress2 ok (RCPTMode: normal/deferred)\r\n"""
"Sending ""DATA\r\n"""
"Received ""354 Start mail input; end with <CRLF>.<CRLF>\r\n"""
"Final dot sent, read 15372 and sent 15372 bytes"
"Received ""554 Denied (Mode: normal)\r\n"""
"Sending ""QUIT\r\n"""

I am unable to tell exactly what is going on here or where else I should be looking to troubleshoot this.  Every day it seems like another user is reporting this same issue with a different recipient so I'd like to get it figured out before the users start revolting.  I have sent e-mails to these recipients from my GMail account and they go through fine.

I appreciate any help that can be provided.
Thanks
-Chris
0
Question by:HarkinsIT
6 Comments
 
LVL 32

Expert Comment

by:endital1097
you gave a lot of good information, thanks

looking at the inbound session you posted everything looks good until after the message was submitted

you won't see this if your system is on a blacklist or they are refusing connections from you
"Received ""220 remotemailservername ESMTP mxl_mta-6.7.0-1 [77928940.239720.00-2314]; Thu, 02 Sep 2010 06:36:21 -0600 (MDT); NO UCE, INBOUND\r\n"""

the recipient was valid
"Received ""250 recipientaddress2 ok (RCPTMode: normal/deferred)\r\n"""

the system is accepting your message
"Sending ""DATA\r\n"""
"Received ""354 Start mail input; end with <CRLF>.<CRLF>\r\n"""
"Final dot sent, read 15372 and sent 15372 bytes"

at this point the message must have failed some policy on the recipient's end like message size
"Received ""554 Denied (Mode: normal)\r\n"""


0
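The stage-by-stage reading in the comment above can be automated. The following is an added example, not part of the original thread and not ModusGate code: it walks the outbound client lines in the format logged on this page and reports the SMTP stage at which the first 4xx/5xx reply arrived. The names `first_rejection`, `LINE`, `HINTS` and `PAGE_LOG` are hypothetical, and the per-stage hints are an assumption based on general SMTP practice, not vendor documentation.

```python
import re

# Matches the outbound client lines as logged above: "Sending ""...""" / "Received ""..."""
LINE = re.compile(r'^"?(Sending|Received) "+(.*?)(?:\\r\\n)?"+$')
# Usual reading of a refusal at each stage (general SMTP practice, not ModusGate output).
HINTS = {
    "banner": "refused at connect: IP reputation or connection-level block",
    "EHLO": "greeting refused: HELO name or connection policy",
    "MAIL": "sender address or sender-domain policy",
    "RCPT": "recipient unknown, relay denied, or per-recipient policy",
    "DATA": "server unwilling to accept a message body",
    "end-of-data": "full message read, then refused: content or policy filter",
}

def first_rejection(log_text):
    """Return (stage, code, text, hint) for the first 4xx/5xx reply, else None."""
    stage = "banner"  # the first reply answers the TCP connect
    for raw in log_text.splitlines():
        if "Final dot sent" in raw:
            stage = "end-of-data"  # next reply is the verdict on the whole message
            continue
        m = LINE.match(raw.strip())
        if not m:
            continue
        direction, text = m.groups()
        if direction == "Sending":
            verb = (text.split() or ["?"])[0].upper()
            stage = "EHLO" if verb == "HELO" else verb
        elif text[:3].isdigit() and text[0] in "45":
            return stage, text[:3], text[3:].lstrip(" -"), HINTS.get(stage, "")
    return None

# Outbound session copied from the log on this page (placeholders as posted).
PAGE_LOG = r'''
"Received ""220 remotemailservername ESMTP mxl_mta-6.7.0-1 [77928940.239720.00-2314]; Thu, 02 Sep 2010 06:36:21 -0600 (MDT); NO UCE, INBOUND\r\n"""
"Sending ""EHLO mymodusgateservername\r\n"""
"Received ""250-remotemailservername\r\n250-SIZE 0\r\n250-STARTTLS\r\n250-SUBMITTER\r\n250 PIPELINING\r\n"""
"Sending ""MAIL FROM:<mye-mailaddress> SIZE=15372\r\n"""
"Received ""250 Sender Ok\r\n"""
"Sending ""RCPT TO:<recipientaddress2>\r\n"""
"Received ""250 recipientaddress2 ok (RCPTMode: normal/deferred)\r\n"""
"Sending ""DATA\r\n"""
"Received ""354 Start mail input; end with <CRLF>.<CRLF>\r\n"""
"Final dot sent, read 15372 and sent 15372 bytes"
"Received ""554 Denied (Mode: normal)\r\n"""
'''

if __name__ == "__main__":
    print(first_rejection(PAGE_LOG))
```

Run over a day of outbound sessions, grouping the results by stage and remote domain shows whether refusals cluster at connect time or only after the message body has been sent.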
 
LVL 12

Expert Comment

by:FDiskWizard
My best guess is that the receiving end is blocking the emails in some fashion or another.
Is it multiple external domains? Maybe you or your ISP got on a blacklist?

I've dealt with one company whose ISP kept getting blacklisted because one of their customers was sending SPAM.

Send an email to a Gmail account, and look at the headers to see if anything odd shows up.
Or better yet, email one of the domains that had an issue...
Try to get a server admin on the phone at one of the external domains... that would really expedite resolving your issues if they can confirm emails getting through or being blocked..

0
 

Author Comment

by:HarkinsIT
@endital1097 - So I guess it does indeed appear to be a problem on the recipient's end?  That would be nice but not sure my users would be happy with that.    :-)

@FDiskWizard - Yes, we are having this problem with a few different external domains/e-mail addresses.  I have heard that it can be tough to confirm that your e-mail address is on a blacklist or not since there are so many of them and some companies maintain their own blacklists.  That certainly makes it more difficult to troubleshoot.

I will see if I can get in touch with an Admin at one of the "problem" companies.  Thanks for the advice....

-Chris
0

 
LVL 12

Accepted Solution

by:
FDiskWizard earned 250 total points
Yes. Sometimes they do add to their block list; by country, etc... I've talked to a number of admins with other companies and got them straight ;-)
Just talking to one person might clue you in on WHY some are getting blocked. Have fun!
0
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 250 total points
i just think that the one instance you provided it is a policy on the recipient's system
your log showed the message was submitted successfully before it was rejected
0
 

Author Comment

by:HarkinsIT
Oddly enough, the problem seems to have cleared up on its own.  Very odd.  Oh well, hopefully it doesn't happen again.  Thanks to you both for your assistance.
0
