acmesupport

Exchange Server Error 4.4.7

Hello: One of my clients started getting these messages. As an example: they send me an email one day and it works, and the next they start a new email to me and it spits out this message:

SBS 2003, and I have run the config wizard on it several times.

This seemed to start after their Qwest DSL modem died and it was replaced by another.  I made sure the server is DMZ'd.

>From: System Administrator
>Sent: Thursday, September 09, 2010 4:38 PM
>To: XXXXXXX
>Subject: Undeliverable:Email Warning for all Pittock Employees
>
>Your message did not reach some or all of the intended recipients.
>
>      Subject:      Email Warning for all Pittock Employees
>      Sent:      9/9/2010 2:24 PM
>
>The following recipient(s) cannot be reached:
>
>      Josh Woods on 9/9/2010 4:38 PM
>            Could not deliver the message in the time limit specified.
>Please retry or contact your administrator.
>            <pittockmansion.org #4.4.7>
>
>     
Josh Woods
Alan Hardisty

Your problem may be related to the fact that the pittockmansion.org mail server is sending out its name as pittockmansion.org and not mansion1.pittockmansion.org. Here is an extract from a domain report on www.dnstuff.com:
WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record.

mansion1.pittockmansion.org claims to be host pittockmansion.org [but that host is at 216.251.43.98 (may be cached), not 63.229.140.153]
You can change this on the SMTP Virtual Server, Delivery Tab, Advanced Button.
Extract from http://support.microsoft.com/kb/284204
Numeric Code: 4.4.7

Possible Cause: The message in the queue has expired. The sending server tried to relay or deliver the message, but the action was not completed before the message expiration time occurred. This NDR may also indicate that a message header limit has been reached on a remote server or that some other protocol timeout occurred during communication with the remote server.
Troubleshooting: This code typically indicates an issue on the receiving server. Verify the validity of the recipient address, and verify that the receiving server is configured to receive messages correctly. You may have to reduce the number of recipients in the header of the message for the host that you are receiving this NDR from. If you resend the message, it is placed in the queue again. If the receiving server is on line, the message is delivered.
 
ASKER

That seems logical.  Under that setting it is "pittockmansion.org".  But when I run the stupid email config wizard it is set to mansion1.pittmansion.org but if I change that to pittockmansion.org the intranet goes down.

J
What I meant was the "web cert" is set to mansion1.PMS.local.

Set it manually. It should be mansion1.pittockmansion.org. This matches your MX record and Reverse DNS setting and it is essential that all 3 of these are matching.
The cert can say what it likes - it is not used for email transmission, although a certificate ending in .local will mean you have other issues you need to address, such as Activesync not being able to work or RPC over HTTPs.
Got it. Made the change. I'll update when I know more.
Please also resolve your issue with Backscatter - where you are sending out NDR messages to spammers:
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a63.229.140.153
Make sure you enable Recipient Filtering on your server too, otherwise you won't get off the blacklist:
http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html 
Today there are more delayed messages.

XXXXXXXXX@usbakery.com on 9/20/2010 12:14 PM

            Could not deliver the message in the time limit specified.  Please retry or contact your administrator.

            <mansion1.pittockmansion.org #4.4.7>
Recipient Filtering is on also.  What is the server doing to get on that black list?
Backscatter reports:


This IP IS CURRENTLY LISTED in our Database.
Please note that this listing does not mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.
If you don't know what BACKSCATTER or Sender Callouts are, click the links above to get clue how to stop that kind of abuse.


To track down what happened investigate your smtplogs near 06.09.2010 19:34 CEST +/-1 minute.

You will either find that your system tried to send bounces or autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time.

So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM and which got rejected at remote systems.

Read the rejection texts carefully and it shouldn't be a big deal to figure out what caused or renewed your listing.


History:
19.04.2009 02:34 CEST      listed      
18.09.2009 08:25 CEST      expired      
11.02.2010 02:56 CET      listed      
11.03.2010 03:25 CET      expired      
11.07.2010 18:11 CEST      listed      

A total of 12 Impacts were detected during this listing. Last was 06.09.2010 19:34 CEST +/- 1 minute.
Earliest date this IP can expire is 04.10.2010 19:34 CEST.


huh?
The good news is that your last listing date / time was on the 6th September - 2 weeks ago.
If you have Recipient Filtering enabled, then you should come off the blacklist on the 4th October automatically.  Until this time, you may have problems sending out mail.
When did you enable Recipient Filtering on your server?
It has always been enabled.  Why would we be listed?  I find no errors in the logs as it suggests to have me look.
Well - the usual reason for being listed is that a spammer is sending emails to your server claiming to come from an email address that they have made up.  When your server receives the message and can't deliver it because the address is not valid, your server rejects it and sends a Non Delivery Report back to the email address it came from, which was made up.  Some of the made up addresses are genuine addresses that are set as traps to catch spam (they have never been advertised) and when an email hits the trap - the IP Address gets flagged as a spammer.
Do you have any Anti-Spam software on your server?
No Anti-Spam software.  We have never sent emails out from fake email addresses and such.  Would an Anti-Spam software have prevented this?  Why?
I am not saying that you have sent out fake emails, only that your server received fake emails and that you didn't have Recipient Filtering enabled (or it was enabled and not working), and then your server sent out NDR messages to Spam Traps.
Anti-Spam software would most probably have helped you and I would recommend you install something on your server.
A very good and exceptionally priced piece of software (which I use personally) is Vamsoft ORF - www.vamsoft.com
You can trial it for 30-days to see how it works for you.  If you decide to trial it and need help setting it up - I am more than happy to help you.
Thanks I will try that.  I am concerned that we will not be taken off that list as we have been on there since July.  What else is there to check?
With Recipient Filtering enabled and something like Vamsoft ORF installed, you should not suffer the same problem.
Don't forget it has been 2 weeks since you were last listed.
If you like - drop me an email to alan @ it-eye.co.uk and I will see what Vamsoft ORF makes of your server / IP Address etc and this may highlight something else amiss.
OK, I installed Vamsoft.  I'll see how it goes.
Don't forget - if you need any help with Vamsoft - feel free to ask.
It is eliminating 93% of mail happily for a customer I visited today and no complaints : )
Will do!  How long should I wait to see if it resolves the delay issue?  The 2 weeks left on the blacklisting?
Ideally - yes. If you want to drop me an email to the address above, I can see what my Vamsoft makes of your IP / Server / Environment configuration and see if there is anything obvious that I can see that is not already covered above.
Just sent you an email.
I received this response:


<alan@it-eye.co.uk>:
87.194.160.198 does not like recipient.
Remote host said: 550 5.2.1 Mailbox unavailable. Your IP address 67.18.21.3 is blacklisted using UCEPROTECT-1. Details: IP 67.18.21.3 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=67.18.21.3.
Giving up on 87.194.160.198.
Okay - you are listed on 3 blacklists:
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a67.18.21.3
SORBS report:
Address: 67.18.21.3
Record Created: Fri Feb 26 15:49:49 2010 GMT
Record Updated: Fri Aug 27 11:09:36 2010 GMT
Additional Information: [ Updated via: Report 'o Matic ] Received: from gateway05.websitewelcome.com (gateway05.websitewelcome.com [67.18.21.3]) by banshee.isux.com (Postfix) with SMTP id 7462B108A00 for <[email]>; Fri, 27 Aug 2010 11:12:04 +0000 (UTC)
Currently active and flagged to be published in DNS
If you wish to request a delisting please do so through the Support System.
Eligible for self delisting as only one spam occurance is recorded
UCEPROTECT report:
IP-Information
Your IP 67.18.21.3 is part of AS 21844 THEPLANET-AS - ThePlanet.com Internet Services, Inc.
and the Networks 67.18.0.0/15

Reverse DNS (PTR) exists and claimes to be: gateway05.websitewelcome.com

Forward DNS for gateway05.websitewelcome.com is: 69.56.148.14

WARNING: Forward-DNS does NOT match Reverse-DNS.
DNS is INCONSISTENT.
Please request your Admin or Provider to fix this.

Reverse DNS Report:
Reverse DNS for 67.18.21.3
Location: United States [City: Dallas, Texas]

Preparation:
The reverse DNS entry for an IP is found by reversing the IP, adding it to "in-addr.arpa", and looking up the PTR record.
So, the reverse DNS entry for 67.18.21.3 is found by looking up the PTR record for
3.21.18.67.in-addr.arpa.
All DNS requests start by asking the root servers, and they let us know what to do next.
See How Reverse DNS Lookups Work for more information.

How I am searching:
Asking e.root-servers.net for 3.21.18.67.in-addr.arpa PTR record:  
       e.root-servers.net says to go to y.arin.net. (zone: 67.in-addr.arpa.)
Asking y.arin.net. for 3.21.18.67.in-addr.arpa PTR record:  
       y.arin.net [192.42.93.32] says to go to NS1.THEPLANET.COM. (zone: 18.67.in-addr.arpa.)
Asking NS1.THEPLANET.COM. for 3.21.18.67.in-addr.arpa PTR record:  Reports gateway05.websitewelcome.com. [from 207.218.247.135]

Answer:
67.18.21.3 PTR record: gateway05.websitewelcome.com. [TTL 86400s] [A=67.18.21.3, 67.18.22.93, 67.18.39.14, 67.18.44.15, 67.18.52.6, 67.18.55.14, 67.18.59.3, 67.18.103.7, 67.18.124.3, 67.18.125.8, 67.18.144.2, 69.56.148.14, 69.56.195.29, 69.93.35.13, 69.93.154.37, 69.93.164.10, 69.93.179.12, 69.93.243.11, 64.5.38.5, 64.5.50.2, 64.5.52.8, 67.18.1.3, 67.18.10.9, 67.18.14.14, 67.18.15.4, 67.18.16.77]
Are you sending mail out via a Smart Host (3rd party)?
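
Added example, not part of the original thread: a Python sketch of the alignment check the replies describe, where the HELO name, the PTR record and the A record all have to point at the same host. The lookup tables are constructed from values quoted in the thread instead of live DNS, and the PTR entry for 63.229.140.153 is an assumption based on the reply saying mansion1.pittockmansion.org matches the reverse DNS setting.

```python
import ipaddress

# Constructed lookup tables holding only values quoted in the thread; a live
# check would query DNS. The PTR for 63.229.140.153 is assumed from the reply
# stating that mansion1.pittockmansion.org matches the reverse DNS setting.
PTR = {
    "153.140.229.63.in-addr.arpa": "mansion1.pittockmansion.org",
    "3.21.18.67.in-addr.arpa": "gateway05.websitewelcome.com",
}
A = {
    "mansion1.pittockmansion.org": ["63.229.140.153"],
    "pittockmansion.org": ["216.251.43.98"],
    # Round-robin name: three of the addresses from the PTR report above.
    "gateway05.websitewelcome.com": ["69.56.148.14", "67.18.21.3", "67.18.22.93"],
}

def forward_confirmed(ip, name, first_only=False):
    """True if `name` resolves back to `ip` (forward-confirmed reverse DNS)."""
    addrs = A.get(name.rstrip(".").lower(), [])
    return ip in (addrs[:1] if first_only else addrs)

def check_sender(ip, helo):
    """Return the alignment problems for one sending IP and its HELO name."""
    problems = []
    helo = helo.rstrip(".").lower()
    # reverse_pointer builds the in-addr.arpa name by reversing the octets.
    ptr_name = PTR.get(ipaddress.ip_address(ip).reverse_pointer)
    if ptr_name is None:
        problems.append("no PTR record")
    else:
        if not forward_confirmed(ip, ptr_name):
            problems.append("PTR name does not resolve back to IP")
        if ptr_name != helo:
            problems.append("HELO differs from PTR name")
    if not forward_confirmed(ip, helo):
        problems.append("HELO name does not resolve to IP")
    return problems

if __name__ == "__main__":
    for helo in ("pittockmansion.org", "mansion1.pittockmansion.org"):
        print(helo, "->", check_sender("63.229.140.153", helo) or "aligned")
    name = "gateway05.websitewelcome.com"
    print("full A set:", forward_confirmed("67.18.21.3", name))
    print("first A only:", forward_confirmed("67.18.21.3", name, first_only=True))
```

The last two lines show why the forward lookup has to consider every A record: the round-robin name gateway05.websitewelcome.com passes against the full set but fails when only the first address is compared.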
Is this from the email I sent you?  I sent that from josh@acmesupport.com not the pittockmansion.org
Yes - from the email you sent me - based on the last post you made.
Can you please try to send to me from your pittockmansion.org server - then I can see what the problem from your server might be.
Thanks
Alan
Ok, I'll send a message from myname@mydomain.org
Thanks - looking out for it.
Alan
Don't see anything yet - please let me know when it is on the way.
Alan
Here is what happened.


From: Administrator
Sent: Thursday, September 23, 2010 3:50 PM
To: Bill Norris
Subject: Delivery Status Notification (Delay)

This is an automatically generated Delivery Status Notification.

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipients has been delayed.

       alan+AEA-it-eye.co.uk
Weird!  I saw your email hit my anti-spam software and then nothing arrived in my inbox.
So - your server may be stopping the flow of email before the flow is complete.
What Service Pack is Exchange currently on and have you installed KB950757? :
http://support.microsoft.com/kb/950757/ 
Version 6.5 (Build 7226.6 SP1)

So should I upgrade to SP2?
ASKER CERTIFIED SOLUTION
Alan Hardisty
Good I will. Can you tell me, do I use the normal exchange server sp2 upgrade or is there a special one?
Sorry - I missed the email notification.
Yes - just download and install the usual SP2 download from:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=535bef85-3096-45f8-aa43-60f1f58b3c40&displaylang=en 
Downloaded the SP2, installed and it is fixed!!!! Thank you so much!!!
Excellent - great news.
Thanks for the points
Alan