Hi,

This sounds to me like a problem in pure hosts mx config, have you contacted them?

Cheers

Liquid

A few issues regarding you domain....

- starting at the beginning, you seem to have name servers problems... at the registrar, you have you name server listed as:

ns1.windowsww.com. [38.113.1.38] [TTL=172800] [US]
ns2.windowsww.com. [38.113.1.39] [TTL=172800] [US]

but in you DNS, you have:

ns1.yourhostingaccount.com.
ns2.yourhostingaccount.com.

That can create all sorts of issues... you need to make sure the nameservers listed at the registrar are the nameservers that are actually in you DNS as NS records...

- you do have the issue with not sending the hostname in your greeting - that can be a problem and should be corrected... so you hav any SPAM or mail gateway in front of you primary email server?

- lastly, you should set up an SPF record for your domain...

Again, though, start at the beginning and get your name servers correct either by changing at the registrar, or correcting the DNS NS records... then test everything again and see what happens...

@BWaring How should those first records you mentioned look for my domain (registrar & DNS)?

Well... at the registrar (which may also be where your DNS servers are) there is two basic pieces of information - your top level domain (TLD) that you registered, and the primary, secondary, and (maybe) tertiary name servers that are going to handle name resolution for that TLD. This basic info is replicated out to specific 'root' servers that maintain copies of that info... So worst case, no caching, etc... someone needs to talk to a host at your TLD, they contact a root server, find out what your DNS servers are, then ask them for the info... the NS records that are stored on the DNS servers for your TLD should match those same ns records that were listed at the registrar....

So if, in your example, greenwayeng.com is using ns1/ns2.yourhostingaccount.com as it's DNS servers, then those two servers should also be listed at the registrar so your hosts can be found. On the other hand, if you are using ns1/ns2.windowsww.com as your DNS servers, then the NS records on those servers needs to be changed from yourhostingaccount.com to windowsww.com....

This sometimes happens when you change DNS providers or registrars and the info doesn't get correctly updated. There can be instances (rare) where odd configurations can be valid, but you would have already said "their supposed to be that way".... (you can still say that if you have some complication DNS set up)....

What is also odd, is that if I do an NSLOOKUP on your domain at the windowsww.com server, I get an 'authoritative' answer - which means they have the records for your domain and are not looking them up elsewhere.... but when I do that same lookup at yourhostingaccount.com, I get the same 'authoritative' answer... and all the records do look the same, including the NS records at BOTH pointing to yourhostingaccount.com....

Maybe those nameservers are at the same hsoting company (they do have different IP addresses), but in any event, there should be a match between registrar and DNS, so figure out which are the correct nameservers, and change them either at the registrar or on the DNS servers...

This alone, however, does not explain the issue with your mail, as you said, the  mail IS coming in - you have a capture of the SMTP - so as I asked, do you have any SPAM, or other gateway in front of the Exchange server... when I try to manuall telnet in on port 25 to your mail server (mail.greenwayeng.com), I cannot even connect, so I'm being blocked even before that server....

If you follow this link: http://www.dnsstuff.com/tools/dnsreport?domain=greenwayeng.com&format=raw&loadresults=true&token=232187ceed194630237526152a55b012 it a check on your domain from www.dnsstuff.com and you can see some of what I am saying....

Yes I do have a Watchguard firewall, I just wanted to start at the top like you said (before we delve into that can of worms LOL).

Right now I have Telnet blocked, but I can open it up so you can come in.

Try it now.

telnet mail.greenwayeng.com 25 ... timeout....

but this is good info... the WatchGuard is probably where things are getting messed up... is the WatchGuard acting as a gateway for email? Whose IP address actually is at mail.greenwayeng.com? Is that NAT to the Exchange server, or is the WatchGuard running SMTP, checking the mail (even just the header), then forwarding to Exchange? I you telnet to the internal IP address of your Exchange server on port 25, do you get the 'correct' SMTP response?

Well I messed something up myself yesterday trying to fix these issues. Apparently in my Purehost account settings I need to have mail.greenwayeng.com point to 64.181.96.242 as a subdomain as well as the MX record. When I took out the subdomain my dns report matched as you stated above, however all mail stopped flowing in and the MX got changed to 38.113.20.15 (which is my website IP). So now I am setting here waiting for that to update. So when you where using telnet it wasnt to the right IP if you tried mail.greenwayeng.com

The IP address 64.181.96.242 is my public IP address and is NAT'd by the Firebox to my exchange server. The firebox is running the SMTP proxy and Spamscreen.

If I telnet to the servers internal IP on port 25 the server answers with ready and I can do the regular commands.

Not to get off on a tangent, but having the domain name of greenwayeng.com at Purehost and our local domain and exchange server as greenwayeng.com has always caused me headaches.

I'm not sure what you mean when you say "when I took out the subdomain"... I hadn't mentioned anything about the MX record....

From what I know so far, it seems like you should have entries such as:

greenwayeng.com    A    38.113.20.15    -> most people want their TLD to go to their website, even if you don't type www.
greenwayeng.com    NS    ns1.<whatever your correct name servers are>
greenwayeng.com    NS    ns2.<whatever your correct name servers are>
greenwayeng.com    MX    10    mail.greenwayeng.com    -> send mail to 'mail.greenwayeng.com'
mail.greenwayeng.com    A    64.181.96.242    -> NAT of Exchange (on Firebox)
www.greenwayeng.com    A    38.113.20.15    -> IP address of web site

I am now able to telnet to mail.greenwayeng.com on port 25, and I do see the generic mail greeting. If you see the correct Exchange greeting when you connect internally, then I am missing some information. What version/model is the firebox?

Does this look familiar: http://www.watchguard.com/help/docs/fireware/10/en-us/content/en-us/proxies/smtp/proxy_smtp_gen_settings_f.html ? If so, look at the section under "Hide Email Server" and check "Server Replied" and "Rewrite Banner Domain", and put 'mail.greenwayeng.com' in there. Also check "Rewrite HELO Domain" and put 'mail.greenwayeng.com' in there...

From the inside I see:

220 mail.greenwayeng.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  Fri, 15 Apr 2011 14:46:23 -0400

I am using an older Firebox III 1000, the menus look quite a bit different than the link. I do see the "SMTP Service Ready" as the welcome message under the SMTP Proxy. I dont see any options to change it though. I am using Policy Manager 7.5.0-B2561

I wonder why all the sudden my firebox is answering with that generic smtp greeting instead of exchange? I didn't change anything.

Ok I was able to get rid of the generic message "SMTP Service Ready" and just typed in mail.greenwayeng.com which gave me a green light on mxtoolbox.com under the "OK - Reverse DNS matches SMTP Banner" but still it is my firebox answering and not the exchange server...

OK... just tested telnet and that looks good...

"but still it is my firebox answering and not the exchange server..." - I'm not familiar with that exact model, but the firebox acts as an SMTP... somewhere do you have a configuration for "Incoming SMTP Proxy"? That's the configuration for the Firebox to intercept the SMTP message, examine it for whatever, then forward to the Exchange server... so the mail goes:

Internet->Firebox->Exchange

What version of software is running on the Firebox? The Firebox may also be doing some sort of user verification to Exchange and it may be failing...

You originally said "I can't see his email in the exchange logs but if I use wireshark on the exchange server I can see it come in"... you have WireShark running on the Exchange server and you see it come in where? on the local IP of the Exchange server? What version of Exchange is this? Is that capture from Internet->Firebox or Firebox->Exchange?

On the capture, I see "gw8.greenwayeng.com" - what is "gw8"?

Firebox software version Policy Manager 7.5.0-B2561

Wireshark was capturing anything coming into the NIC, local IP on port 25

It is Exchange 2003. The capture was after the firebox.

GW8 is the servers name.

OK so you have this: http://www.watchguard.com/help/docs/wfs/75/v75wfsconfigurationguide_standalone.pdf

Is the accountant getting the 5.1.1 on all emails sent to you, or just certain email addresses?

Do you have a full header from the NDR response he get's back?

Enable ALL logging on the Firebox in the Incoming SMTP Proxy and send a test message - then check the log file...

It seems that the problem right now is between the Firebox and Exchange. The thing is that "User unknown in virtual alias table" isn't a message from Exchange, so it may be the Firebox rejecting the mail... turn on all the logging on the Firebox, resend a test message, post the header and the log...

The accountant cant email anyone at greenwayeng.com

I dont have the full header of the bounce he is getting.

Something new developed over the weekend, now our sister office cannot email us and they are getting the same message. This is the bounce they got on their end:





Delivery has failed to these recipients or distribution lists:
 
msmith@greenwayeng.com
The recipient's e-mail address was not found in the recipient's e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your system administrator.
 
The following organization rejected your message: mailrtr12.ntelos.net.
 
  _____  
Sent by Microsoft Exchange Server 2007





 
Diagnostic information for administrators:
 
Generating server: slsserver3.slssurveys.com
 
msmith@greenwayeng.com
mailrtr12.ntelos.net #550 5.1.1 <msmith@greenwayeng.com>: Recipient address rejected: User unknown in virtual alias table ##
 
Original message headers:
 
Received: from slsserver3.slssurveys.com ([192.168.1.8]) by
 slsserver3.slssurveys.com ([192.168.1.8]) with mapi; Mon, 18 Apr 2011
 08:17:29 -0400
From: Deanna Beron <dberon@slssurveys.com>
To: "msmith@greenwayeng.com" <msmith@greenwayeng.com>
Date: Mon, 18 Apr 2011 08:17:27 -0400
Subject: FW: BROWNSTREET
Thread-Topic: BROWNSTREET
Thread-Index: Acv7tqWkkFswID6ITM+i02f9nae1mACCIa0gAADYOwA=
Message-ID: <423935B2EE5BE14E854152D747E3A8E501356616E6C1@slsserver3.slssurveys.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/mixed;
        boundary="_002_423935B2EE5BE14E854152D747E3A8E501356616E6C1slsserver3s_"
MIME-Version: 1.0

Here is the smtp proxy log from the firebox: (for the accountant kilmercpa.com)

               DO_NOT_EDIT_THIS_FILE!_version_2.00      11
5019368  04/18/11  09:07:21 n allow  out  eth1:0  48        tcp     20        128       10.10.10.10      67.211.153.135   27498     25        syn (SMTP)                                                
5019398  04/18/11  09:07:21 y smtp-proxy[24612] [10.10.10.10:27498 67.211.153.135:25] removing ESMTP keyword "TURN"                                                                                      
5019408  04/18/11  09:07:21 y smtp-proxy[24612] [10.10.10.10:27498 67.211.153.135:25] removing ESMTP keyword "PIPELINING"                                                                                
5019418  04/18/11  09:07:21 y smtp-proxy[24612] [10.10.10.10:27498 67.211.153.135:25] removing ESMTP keyword "DSN"                                                                                      
5019428  04/18/11  09:07:21 y smtp-proxy[24612] [10.10.10.10:27498 67.211.153.135:25] removing ESMTP keyword "ENHANCEDSTATUSCODES"                                                                      
5019438  04/18/11  09:07:21 y smtp-proxy[24612] [10.10.10.10:27498 67.211.153.135:25] removing ESMTP keyword "VRFY"                                                                                      
5019448  04/18/11  09:07:21 y smtp-proxy[24612] [10.10.10.10:27498 67.211.153.135:25] removing ESMTP keyword "X-EXPS"                                                                                    
5019458  04/18/11  09:07:21 y smtp-proxy[24612] [10.10.10.10:27498 67.211.153.135:25] removing ESMTP keyword "X-EXPS=LOGIN"                                                                              
5019468  04/18/11  09:07:21 y smtp-proxy[24612] [10.10.10.10:27498 67.211.153.135:25] removing ESMTP keyword "X-LINK2STATE"                                                                              
5019478  04/18/11  09:07:21 y smtp-proxy[24612] [10.10.10.10:27498 67.211.153.135:25] removing ESMTP keyword "XEXCH50"                                                                                  
5019488  04/18/11  09:07:21 y smtp-proxy[24612] [10.10.10.10:27498 67.211.153.135:25] removing ESMTP keyword "OK"                                                                                        

FYI - a lot of the words it is removing I have allowed under "Allow AUTH" in the ESMTP properties...

According to exchange logs the email is not hitting exchange.

The only thing that doesn't seem to make sense is that WireShark capture...

Still thinking that it is the Firebox.... can you turn off the SMTP Proxy to test? Then email should directly hit the Exchange server... if that works, then we know it's the Firebox... those keyword removals in the log do not seem right, as you said....

Yeah I got the sister office straightened out. I took something out of the allowed ESTMP that I should not have. Still having same issue with accountant.

I cant turn off the SMTP proxy but I can remove it, save config as another name then save it to the firebox.

I'm sure that will require a reboot of the firebox so I will have to let all my VPN users know. I'm also pretty certain the mail will come in once I remove the proxy...

That would at least confirm that it is the firebox...

Man this firebox is such a pain! Removing the SMTP proxy results in zero mail flow. I guess I'd need to make an ANY service right to the exchange server. Without the SMTP service it denies the mail in:

04/18/11 13:08  firewalld[139]:  deny in eth0 48 tcp 20 107 178.34.39.1 64.181.96.242 54700 25 syn (default)

Unfortunately, I don't have a lot of familiarity with the specifics of the Firebox...

But yes, if the SMTP proxy was accepting the mail on behalf of Exchange, then there would be no port open through to the Exchange server, so you would need to add an exception for at least port 25 (if it lets you - maybe it forces it to go through the proxy?)...

An 'ANY' exception, if it works, should obviously only be left in place for the duration of the test....

I have not removed the SMTP proxy yet, but I did get a chance to test from the accountants office. When I telnet into my server from their network and try to send mail it gives me the "mailbox name not allowed or chunk to large" error. I've googled it and seen where others have had problems with the Watchguard SMTP proxy.

Ok I turned off all ESMTP in the SMTP proxy. I was able to successfully send mail via telnet:

220 mail.greenwayeng.com

ehlo kilmercpa.com250-Requested mail action okay, completed

250-SIZE

250 8bitmime

mail from: mkilmer@kilmercpa.com250 Requested mail action okay, completed

rcpt to: smiller@greenwayeng.com250 Requested mail action okay, completed

data354 Please start mail input.

subject: greenway.250 Mail queued for delivery.

quit221 Closing connection. Good bye.

Connection to host lost.


YET when I try to send email from the accountants network to mine I still get:

The following recipient(s) could not be reached:

      smiller@greenwayeng.com on 4/15/2011 4:08 PM

            The e-mail account does not exist at the organization this message was sent to.  Check the e-mail address, or contact the recipient directly to find out the correct address.

            <mail.kilmercpa.com #5.1.1 smtp;550 5.1.1 <smiller@greenwayeng.com>: Recipient address rejected: User unknown in virtual alias table>

Here is the headers from the email message that came through from telnet, looks like SEM (Symantec Endpoint Protection) might have something to do with it?:

Microsoft Mail Internet Headers Version 2.0
thread-index: AcwAKDbag/o4ShDpQJSQlC056quTzw==
X-SEM-SMTP: 1
Received: from kilmercpa.com ([67.211.153.135]) by mail.greenwayeng.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 21 Apr 2011 09:30:00 -0400
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2826
Subject: test greenway
From: <mkilmer@kilmercpa.com>
Bcc:
Return-Path: <mkilmer@kilmercpa.com>
Message-ID: <GW8rLCCtgx8VUkRacUt0000043f@mail.greenwayeng.com>
X-OriginalArrivalTime: 21 Apr 2011 13:30:00.0527 (UTC) FILETIME=[36D125F0:01CC0028]
Date: 21 Apr 2011 09:30:00 -0400
X-SEM-FILTER-STATUS: SfCf::adBlock::4e3e5411-9a5d-4280-84da-4a6a0cd3ba92
X-SEM-COMMUNITY-SCORE: 45
X-SEM-BLOCKED: 1

Correction. Looks like it might be my Spamfighter Exchange Module...

That sounds about right - you've got more things running that we didn't know about!

These lines:

X-SEM-FILTER-STATUS: SfCf::adBlock::4e3e5411-9a5d-4280-84da-4a6a0cd3ba92
X-SEM-COMMUNITY-SCORE: 45
X-SEM-BLOCKED: 1

show it being blocked. Why does it have a score of 45? The "user does not exist" may be a fake message to throw off spammers. Now you need to check your accountants domain and make sure they are not on any lists, if your spam filter is actively denying the email. And check the logs on SEM.

Question is still active.

Not sure what you mean by that....

were you able to look at the logs to see why SEM is blocking the message? At this point, it seems like your side is actively blocking those emails, and you need to figure out why that is.... or whitelist the email addresses...

I posted that because the admins are already sending me emails about this question being inactive....

The community filter is what is blocking it I believe. That means someone in our office somewhere along the line tagged it as spam. I've white listed both his email address and his domain and that did not help. Right now I am trying to find out how to reset the community filter.

The headers I posted above was from the message I sent via telnet that DID make it through. Here is the headers of the bounce message the accountant is receiving:

Microsoft Mail Internet Headers Version 2.0

From: postmaster@kilmercpa.com

To: ckilmer@kilmercpa.com

Date: Mon, 25 Apr 2011 12:34:50 -0400

MIME-Version: 1.0

Content-Type: multipart/report; report-type=delivery-status;

            boundary="9B095B5ADSN=_01CBFE8A13E8500800000479mail.kilmercpa.c"

X-DSNContext: 7ce717b1 - 1194 - 00000002 - 00000000

Message-ID: <WtIIZS2TR00000034@mail.kilmercpa.com>

Subject: Delivery Status Notification (Failure)

 

--9B095B5ADSN=_01CBFE8A13E8500800000479mail.kilmercpa.c

Content-Type: text/plain; charset=unicode-1-1-utf-7

 

--9B095B5ADSN=_01CBFE8A13E8500800000479mail.kilmercpa.c

Content-Type: message/delivery-status

 

--9B095B5ADSN=_01CBFE8A13E8500800000479mail.kilmercpa.c

Content-Type: message/rfc822

 

Return-Receipt-To: "Cathie Kilmer" <ckilmer@kilmercpa.com>

MIME-Version: 1.0

Content-Type: multipart/alternative;

            boundary="----_=_NextPart_001_01CC0366.B237F67C"

Disposition-Notification-To: "Cathie Kilmer" <ckilmer@kilmercpa.com>

Content-class: urn:content-classes:message

X-MimeOLE: Produced By Microsoft Exchange V6.5

Subject: test

Date: Mon, 25 Apr 2011 12:34:49 -0400

Message-ID: <4E6508400506FF4EBE56EE597B1E530C39557A@DC2.rmkcpa.us>

X-MS-Has-Attach:

X-MS-TNEF-Correlator:

Thread-Topic: test

thread-index: AcwDZrJe/TfbXw60TlOfazKzc8LMnA==

From: "Cathie Kilmer" <ckilmer@kilmercpa.com>

To: <atvmxracer@gmail.com>,

            <smiller@greenwayeng.com>

 

------_=_NextPart_001_01CC0366.B237F67C

Content-Type: text/plain;

            charset="us-ascii"

Content-Transfer-Encoding: quoted-printable

 

------_=_NextPart_001_01CC0366.B237F67C

Content-Type: text/html;

            charset="us-ascii"

Content-Transfer-Encoding: quoted-printable

 

 

------_=_NextPart_001_01CC0366.B237F67C--

 

--9B095B5ADSN=_01CBFE8A13E8500800000479mail.kilmercpa.c--

Ok here is the latest. I have taken drastic measures and uninstalled my Spamfighter Exchange Module. I have also remove the SMTP proxy on my Watchguard Firewall. I switched to "Filtered-SMTP" which has no spam filtering or anything (I dont even know why they call it filtered). Still there is no joy between the accountant and us. I can send them mail, but they cannot email us.

I was testing while on the phone with them and they get a bounce instantly, as soon as they hit send it is there.

Here is the newest bounce from the accountant:

            The e-mail account does not exist at the organization this message was sent to.  Check the e-mail address, or contact the recipient directly to find out the correct address.

            <mail.sosos.com #5.1.1 smtp;550 5.1.1 <apifer@greeneng.com>: Recipient address rejected: User unknown in virtual alias table>

What is "mail.sosos.com"?

Sorry:

            The e-mail account does not exist at the organization this message was sent to.  Check the e-mail address, or contact the recipient directly to find out the correct address.

            <mail.kilmercpa.com #5.1.1 smtp;550 5.1.1 <apifer@greenwayeng.com>: Recipient address rejected: User unknown in virtual alias table>

I just did a test from MXTOOLBOX and got the mormal greeting now:

220 mail.greenwayeng.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 28 Apr 2011 13:03:26 -0400

Not the "220 SMTP Service Ready" or "mail.greenwayeng.com" that the firewall gives (with the smtp proxy on).

When I telnet in to mail.greenwayeng.com on port 25, I am just getting "220 mail.greenwayeng.com"...

Yes I added the SMTP-Proxy back in the firewall since removing it did not help. I saved the configuration file with just the "Filtered-SMTP" in case I need it for future testing though.

What I dont understand is why all of the sudden is my firewall answering the SMTP call when exchange used to? I never changed anything.

As far as I know, that message "Recipient address rejected: User unknown in virtual alias table" is not coming from Exchange. That is a standard 'postfix' mail program message, not an Exchange message... with the relay back down, you need to manually (telnet) test inbound from several locations (including theirs) to see if there is any difference is message received....

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.