nateam


Exchange Server 2007 (Primary Target IP address Responded with "421.4.4.2")

I am having a problem with my exchange server not sending mail to certain domains "GMAIL, Microsoft".  It will however send to Yahoo and/or Hotmail.  I get the error 451.4.4.0 Primary Target IP address responded with "421.4.4.2 Connection Dropped".  When I try to telnet to gmail or Microsoft it connects briefly and then disconnects.  I also notice mail will send when I reboot the server.  I have been on the phone with Microsoft for 5 hours and they state it's a firewall issue.  This doesn't make sense as some email passes through and some doesn't.  DNS appears to be working as it should.  In the SMTP logs it shows connecting to host and then drops connection immediately.  Any help with this would be appreciated.
Alan Hardisty

You may have configuration issues.

Your SEND Connector FQDN needs to resolve back in DNS to the IP Address that you are sending mail from and must also have a Reverse DNS record on your Fixed IP Address (something only your ISP can do), which should also resolve back in DNS to your Fixed IP Address and usually should match the FQDN of your SEND connector.

If they don't match - you may well get rejected.

If you want to send me a test message to alan @ it-eye.co.uk - I will be able to tell you if your house is in order.

Please also check on www.mxtoolbox.com/blacklists.aspx and check you are not blacklisted anywhere.
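A way to script the forward/reverse DNS consistency check described above, added here as an example and not part of the thread; the sample records, the names mail.example.com / mail.example.local and the 203.0.113.x addresses are constructed, and the function names are my own:

```python
import ipaddress
import socket

# Constructed sample DNS data (not from the thread) for an offline run: A records by name, PTR by IP.
SAMPLE_A = {
    "mail.example.com": ["203.0.113.10"],
    "mail.example.local": [],  # internal-only name with no public A record
}
SAMPLE_PTR = {
    "203.0.113.10": "mail.example.com",
    "203.0.113.20": "static-203-0-113-20.isp.example.net",  # generic ISP PTR
}

def check_send_connector_identity(fqdn, sending_ip, resolve_a, resolve_ptr):
    """Return the problems found with a Send Connector FQDN / sending IP pair.
    Mirrors the forward-confirmed reverse DNS check a receiving MTA applies to
    the EHLO name: FQDN -> sending IP, and PTR of sending IP -> same FQDN."""
    findings = []
    fqdn = fqdn.rstrip(".").lower()
    ipaddress.ip_address(sending_ip)  # rejects a malformed address early
    if fqdn.endswith(".local") or "." not in fqdn:
        findings.append("FQDN is not a publicly resolvable name")
    if sending_ip not in resolve_a(fqdn):
        findings.append("FQDN does not resolve to the sending IP")
    ptr = resolve_ptr(sending_ip)
    if ptr is None:
        findings.append("sending IP has no PTR record")
    elif ptr.rstrip(".").lower() != fqdn:
        findings.append("PTR record does not match the FQDN")
    return findings

# Resolvers over the constructed sample data (run offline).
def sample_resolve_a(name):
    return SAMPLE_A.get(name, [])

def sample_resolve_ptr(ip):
    return SAMPLE_PTR.get(ip)

def live_resolve_a(name):  # queries real DNS through the standard library
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def live_resolve_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None
```

Pass `live_resolve_a` / `live_resolve_ptr` instead of the sample resolvers to check a real connector; an empty list means forward, reverse and FQDN agree.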
Hi,

Is this running on a Windows 2008 server? If so, the issue may lie with the IPv6 protocol and DNS resolution. Sounds crazy but there is a bug (MS acknowledged) w/ Exchange 2007 on Win2008 that causes this error. MS has yet to address / fix the problem. Disabling the IPv6 protocol won't fix it.

Quick test:

Add the following to your hosts file on the server:

gmail-smtp-in.l.google.com      74.125.67.27

Try sending an e-mail to a gmail account. If it goes through, you know that you have the issue.

There are basically 2 workarounds:

1 - Create an entry for the failed domains in the hosts file on the Exchange 2007 server. In a command prompt, run 'nslookup -type=MX domain' (example: nslookup -type=MX gmail.com) and make note of the resolved name / IP address. Then add that to the hosts file on the server (c:\Windows\system32\drivers\etc\hosts). Easy fix if you only have a few domains with the issue.

2 - Create an SMTP connector on a Windows 2003 server via the IIS Admin and point the Exchange server to that as the smarthost. Set the SMTP connector to allow relays only from the Exchange 2007 server. Set up the smarthost on the Exchange 2007 server in Exchange Management Console - Organization Configuration - Send Connectors. Double-click the default connector for your domain and then choose the Networks tab. Choose 'Route mail through the following smarthosts' and add the IP address of the Windows 2003 box. Best solution if you are having the issue with lots of domains.

HTH,

-W

nateam

ASKER

Changing the hosts file did not resolve the issue with GMAIL.  I am able to find that telnet now works this morning but mail still won't pass through unless I set up a Smart host to another SMTP outside of the network.  If mail is passing to a Public IP outside of the firewall then this can't be a firewall issue, right?  If you have any other ideas please let me know.  I will try them ASAP :)  If I find anything I will post.

Your thoughts are very much appreciated!!
Any feedback to my comments?
You are correct. Passing the mail to the outside smarthost proves that the traffic is passing the firewall. If your IP is blacklisted somewhere that could explain it, but I would expect the telnet session would fail if that were the case.

I mistyped the resolved IP for the gmail.com mx record. It should be 74.125.93.27. There are also 4 other records:

alt1.gmail-smtp-in.l.google.com
alt2.gmail-smtp-in.l.google.com
alt3.gmail-smtp-in.l.google.com
alt4.gmail-smtp-in.l.google.com

Do an nslookup from your Exchange server:

nslookup -type=MX gmail.com

The 1st should be gmail-smtp-in.l.google.com. Ping that address from the server to confirm the correct IP. Make that the IP in the hosts file and re-try sending a test message.

HTH,

-W


nateam

ASKER

Alan,

DNS "from my viewpoint" seems to be set up correctly.  I have confirmed with my ISP that the RDNS is set up correctly.  I was unable to send you a test message using the DNS send connector.  However it did send once I changed over to a Smart Host.

Wparrott, when I ping gmail "without modified hosts file" I resolve IP 74.125.65.27.  I can successfully look up the MX records for gmail and they are just as you stated.  I did modify the hosts file but was still unable to send a test message using GMAIL.

As of now I am running a packet sniffer to possibly rule out any connection issues.  I will report my findings.  I appreciate everyone's help with this.
If you tried to send me a test message directly and it failed, then you won't be configured correctly as my Anti-Spam software is very strict.

When did you try to send me a message directly?
nateam

ASKER

Alan the message went out successfully but it may have been caught by your Spam filter.  

As of today we are still having this problem, however it is not as bad.  It takes about 30 minutes for gmail messages to leave the queue.  There are still a few domains that I get the 451.4.4.0 error message on but not near as bad as last week.  We haven't really changed anything.

This is one of the most frustrating Exchange / Network issues I have ever seen.  Nothing is consistent with this issue.  
Do you know the rough date / time it was sent?  I don't see anything hitting my Spam Logs, so Forefront may have stopped it before it made it part-way through my systems, which suggests a possible IP Address Blacklist or config issues.
nateam

ASKER

I will send another now
Thanks.  If you get an NDR - please post it (I can hide any tell-tale signs like IP Addresses / domain names etc).
Okay - got that one.
nateam

ASKER

It took a few minutes for it to clear the Queue. It also gave the same error code.  GMAIL has similar behavior.  There are a few messages that have been queued for hours with the same error.
You seem to use Postini on your outbound mail.

What is the FQDN on your SEND connector?  Does it end .local?
nateam

ASKER

No we use DNS.
SOLUTION
Alan Hardisty

ASKER CERTIFIED SOLUTION
Nothing even getting remotely close to me yet.
Did you restart your Transport Services Service?
nateam

ASKER

I have not. I will do that now.  
No problems - please try to send another test message once you have done that.   Still not seen the last test message get even vaguely close.
SOLUTION
Oh boy - you have got to love users!

Well done on sorting this one and thanks for the points.

That's the weirdest mail-flow solution I have seen for a long time : )
nateam

ASKER

FQDN was indeed wrong and has been corrected. Issue resided in the network (rogue network device attached with DHCP turned on). Removed rogue wireless router; email now flows normally.