Email Rejected - Firewall Error - Exchange 2010 - Issue with Generating Server Name

I've got several users who receive email rejections on outbound email to external domains with the general error 500 "Firewall Error".

The problem I believe lies within the "Generating Server" being my internal local domain instead of our public domain.

Below is the actual email rejection error:
dc1prppa2.ga.adp.com gave this error:
Firewall Error 

A problem occurred during the delivery of this message to this e-mail address. Try sending this message again. If the problem continues, please contact your helpdesk.

Diagnostic information for administrators:

Generating server: Atlas.sos.local

[usernamehidden]@adp.com
dc1prppa2.ga.adp.com #500 Firewall Error ##

Original message headers:

Received: from Atlas.sos.local ([fe80::c04a:579f:6c19:1bec]) by
 Atlas.sos.local ([fe80::c04a:579f:6c19:1bec%11]) with mapi; Thu, 14 Apr 2011
 11:07:35 -0400



My server name is Atlas and the internal domain is sos.local, thus atlas.sos.local as the generating server.... Since that can't be found via reverse DNS, it's failing spam protection on target clients, I'm sure.

My problem is, I'm unable to determine where the heck the local servername and domain is being generated from.

The following is my configuration info:
Exchange 2010 SP1
Server 2008 R2
Send Connector Type Internet, FQDN mail.sosrad.com, address space is *, using (DNS) MX records to route mail, source server is sos.local/configuration/sites/default-first-site-name (which I suspect is configured incorrectly)

testexchangeconnectivity.com outbound smtp passes properly, so the MX records for sosrad.com are configured properly and complete reverse DNS just fine.
Asked by Brian_Huff

askurat1 commented:
Do you use a cisco router or firewall?
steinmto commented:
askurat1 are you thinking about smtp fixup?
I have seen that cause a lot of email issues.
askurat1 commented:
If you mean the ip inspect feature, then yes. This needs to be disabled or removed.
Robert Sutton Jr (Senior Network Manager) commented:
Was going to ask the same about fixup. But also, it seems to be a mapping issue between your DC and firewall. Check your settings on both to ensure proper traffic flow and types. Let us know.
Robert Sutton Jr (Senior Network Manager) commented:
In short, check the FW and/or interface settings for hostname "dc1prppa2.ga.adp.com" and ensure that the configs and settings are correct.
Brian_Huff (author) commented:
Yes, we use an old PIX 503 on this server, about to move to a new ASA 5510.

I'm not the expert in that area, so it might take me a bit to find the settings you're referring to.

However, I was under the impression that the error message was being generated on the target domain adp.com not ours?
Robert Sutton Jr (Senior Network Manager) commented:
I'm sorry... I misread your log. I thought that was your device.
steinmto commented:
Disable SMTP fixup on cisco.

http://www.eudora.com/techsupport/kb/2539hq.html 
Brian_Huff (author) commented:
I've disabled smtp fixup, however, the error is being generated at the remote domain (the domain we are trying to send to) not ours I'm pretty sure.
kdgoodknecht commented:
From what I'm reading, the receiving server is reporting the
dc1prppa2.ga.adp.com #500 Firewall Error ##
Is this your server?
It is up to your Exchange server to generate the error reported to it.
The DSN code format is all wrong for what Exchange reports.
Exchange reports its DSNs in this format:
 #< #5.2.3> #SMTP#
Exchange can only generate DSNs as reported to it.

On a side note, you need to contact your ISP and get a proper PTR created for your mail server IP and verify that when it connects out, it connects out on the correct IP address. Some SMTP servers use MX records only to authenticate whether it is authorized to send mail from your domain. Most SMTP servers now support SPF authorization, so you should probably get an SPF record created too. My policy when setting up a mail server is to make sure all MX and PTR names match and that SPF records are created for the domain.

Brian_Huff (author) commented:
dc1prppa2.ga.adp.com  is not my piece of equipment, no.

Our MX and PTR records are setup properly for mail.sosrad.com, however, the generating server is showing up as atlas.sos.local which is my internal domain and thus cannot be verified via DNS.

My problem is that I cannot find where that generating server address is which is atlas.sos.local instead of the proper mail.sosrad.com
kdgoodknecht commented:
The generating server name is taken from the FQDN of your Send connector; if you have not put a name in the "Specify the FQDN this connector will provide in response to HELO or EHLO" field, it will use the server's internal FQDN.
Brian_Huff (author) commented:
Check my original post

The following is my configuration info:
Exchange 2010 SP1
Server 2008 R2
Send Connector Type Internet, FQDN mail.sosrad.com, address space is *, using (DNS) MX records to route mail, source server is sos.local/configuration/sites/default-first-site-name (which I suspect is configured incorrectly)
kdgoodknecht commented:
Your PTR does not match the A record:
QUESTION SECTION:
220.14.172.24.in-addr.arpa.         IN      PTR    

ANSWER SECTION:
220.14.172.24.in-addr.arpa. 3600    IN      PTR     rrcs-24-172-14-220.midsouth.biz.rr.com.

It is very possible that the other server could be rejecting connections from your server with this PTR; I've seen it happen. Send an email to reverserequest@twccs.com and have them create the correct PTR; it usually only takes a day or two. I've known TW to have it done by the next day.

Check all your receive connectors; you should have at least two, possibly three. If there are other Exchange Servers in your organization, one receive connector should have the local computer FQDN, should be restricted to internal IPs on your network (that's the bottom pane on the Network tab), and should have Exchange Server Authentication enabled on the Authentication tab with Anonymous, Exchange Users, Exchange Servers, and Legacy Exchange Servers on the Permission Groups tab. This connector is not so important if you only have one Exchange Server.
You also need a Receive Connector for incoming email, allowing connection from 0.0.0.0-255.255.255.255, TLS enabled on the Authentication tab, and Anonymous Users on the Permission Groups.
You should have one connector for Client Access, on port 587, with TLS, Basic, and Integrated Windows Authentication enabled, with Exchange Users on the Permission Groups.
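As an added example (not code from this thread, from Exchange, or from any participant), here is a Python check that models what a receiving server does with the connecting IP's PTR: forward-confirmed reverse DNS (FCrDNS), followed by the stricter "MX, PTR and HELO names all match" policy kdgoodknecht describes in the side note above and in the PTR finding just above. The zone data is constructed from the records quoted in this thread (24.172.14.220, its generic rrcs-* PTR from the dig output, mail.sosrad.com) plus a hypothetical corrected PTR; the forward A record for the rrcs-* name is an assumption, and nothing here queries live DNS.

```python
import ipaddress


def _norm(name):
    """Canonical owner name: lowercase and absolute (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def reverse_name(ip):
    """in-addr.arpa / ip6.arpa owner for an address: 24.172.14.220 -> 220.14.172.24.in-addr.arpa."""
    return _norm(ipaddress.ip_address(ip).reverse_pointer)


class TableResolver:
    """Offline stand-in for DNS, keyed by (owner, rrtype).
    A and PTR rdata are strings; MX rdata are (preference, host) tuples."""

    def __init__(self, table):
        self._table = {(_norm(owner), rrtype): list(rdata)
                       for (owner, rrtype), rdata in table.items()}

    def query(self, name, rrtype):
        return list(self._table.get((_norm(name), rrtype), []))


# Constructed zone data modelled on the records quoted in the thread.
# The forward A record for the ISP's generic rrcs-* name is an assumption.
BROKEN_ZONE = {
    ("sosrad.com", "MX"): [(10, "mail.sosrad.com")],
    ("mail.sosrad.com", "A"): ["24.172.14.220"],
    ("220.14.172.24.in-addr.arpa", "PTR"): ["rrcs-24-172-14-220.midsouth.biz.rr.com"],
    ("rrcs-24-172-14-220.midsouth.biz.rr.com", "A"): ["24.172.14.220"],  # assumed
}

# The same zone after the ISP (hypothetically) repoints the PTR at the mail host.
FIXED_ZONE = dict(BROKEN_ZONE)
FIXED_ZONE[("220.14.172.24.in-addr.arpa", "PTR")] = ["mail.sosrad.com"]


def fcrdns(ip, resolver):
    """Forward-confirmed reverse DNS: PTR(ip) -> name, and A(name) must contain ip.
    Returns (confirmed, ptr_names, reason)."""
    ptr_names = [_norm(n) for n in resolver.query(reverse_name(ip), "PTR")]
    if not ptr_names:
        return False, [], "no PTR record for " + ip
    confirmed = [n for n in ptr_names if ip in resolver.query(n, "A")]
    if not confirmed:
        return False, ptr_names, "PTR name does not resolve back to " + ip
    return True, confirmed, "ok"


def check_sending_host(ip, helo_name, domain, resolver):
    """Checks a receiving server may apply to a connecting SMTP client:
      - FCrDNS on the connecting IP
      - the EHLO/HELO name resolves to that IP and equals the PTR name
      - the sender domain's MX hosts include that IP / that PTR name
    'accept' is the strict verdict: FCrDNS plus HELO/PTR agreement."""
    confirmed, ptr_names, reason = fcrdns(ip, resolver)
    helo = _norm(helo_name)
    mx_hosts = [_norm(host) for _pref, host in sorted(resolver.query(domain, "MX"))]
    mx_ips = {a for host in mx_hosts for a in resolver.query(host, "A")}
    findings = {
        "fcrdns": confirmed,
        "ptr_names": ptr_names,
        "reason": reason,
        "helo_resolves_to_ip": ip in resolver.query(helo, "A"),
        "helo_matches_ptr": helo in ptr_names,
        "ip_is_mx": ip in mx_ips,
        "ptr_matches_mx": any(n in mx_hosts for n in ptr_names),
    }
    findings["accept"] = (confirmed and findings["helo_resolves_to_ip"]
                          and findings["helo_matches_ptr"])
    return findings


if __name__ == "__main__":
    cases = [("ISP generic PTR", BROKEN_ZONE, "mail.sosrad.com"),
             ("corrected PTR", FIXED_ZONE, "mail.sosrad.com"),
             ("internal name in EHLO", FIXED_ZONE, "Atlas.sos.local")]
    for label, zone, helo in cases:
        result = check_sending_host("24.172.14.220", helo, "sosrad.com", TableResolver(zone))
        print("%-24s accept=%s %s" % (label, result["accept"], result))
```

With the thread's records, plain FCrDNS passes (ISP generic names normally resolve forward), but the PTR matches neither the send connector FQDN nor the MX host, which is exactly the mismatch called out above; a server enforcing the stricter policy will still reject. An EHLO of Atlas.sos.local fails outright because the internal name has no public A record. To run this against real DNS, replace TableResolver with a resolver backed by a DNS library such as dnspython, keeping the same query(name, rrtype) shape.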
kdgoodknecht commented:
BTW, if you're not using IPv6, you should probably disable it completely, in the registry at:

HKLM\System\CCS\Services\TCPIP6\Parameters
Add DWORD (32bit)
DisabledComponents
value: ffffffff
Brian_Huff (author) commented:
Thanks, that points me in the correct direction....

I didn't think I needed to set up a PTR with TWC since they are not the registrar of our domain.
kdgoodknecht commented:
TWC owns the Authority for the reverse lookups on any IP address you obtain from them, and they are responsible for all the PTR records.
Brian_Huff (author) commented:
Gotcha.

The email address reverserequest@twccs.com bounces back as an invalid address. I've sent the request up to our business fiber account rep and he's taking care of it. I'll be working through your other suggestions this morning and will report back all results shortly.

Thanks
Brian_Huff (author) commented:
TWC is working on the request and I've made a few changes to bring the receive connectors more in line with your suggestions... Will accept and award points as soon as TWC completes the PTR update and I can test.

Thanks much