ingriT asked:

Exchange 2010 Requested #550 Requested action not taken: mailbox unavailable ##

We have our own Exchange Server (2010) installed on a Windows Small Business Server (2011).
This server used to be in our office, and everything worked fine. The server has been moved a few months ago to our datacenter and now we are having some problems.

When sending e-mail to a few domains we receive the error "Requested #550 Requested action not taken: mailbox unavailable ##".

It is not when sending to all domains, only a few that seem to be blocking our e-mails.

What can I do to troubleshoot this problem? I have sent an e-mail to verifier-feedback@port25.com, this came back with the following results:

==========================================================
Summary of Results
==========================================================
SPF check:          fail
DomainKeys check:   neutral
DKIM check:         neutral
Sender-ID check:    fail
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  mail.ourhostname.nl
Source IP:      82.94.167.182
mail-from:      test@ourhostname.nl

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         fail (not permitted)
ID(s) verified: smtp.mailfrom=test@ourhostname.nl
DNS record(s):
    ourhostname.nl. SPF (no records)
    ourhostname.nl. 86400 IN TXT "v=spf1 a mx -all"
    ourhostname.nl. 86400 IN A 82.94.xxx.x
    ourhostname.nl. 86400 IN MX 10 mail.ourhostname.nl.
    ourhostname.nl. 86400 IN MX 20 bsmtp.leaseweb.com.
    mail.ourhostname.nl. 86400 IN A 82.94.xxx.x
    bsmtp.leaseweb.com. 3600 IN A 85.17.150.54

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: header.From=test@ourhostname.nl
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified:

NOTE: DKIM checking has been performed based on the latest DKIM specs (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for older versions.  If you are using Port25's PowerMTA, you need to use version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result:         fail (not permitted)
ID(s) verified: header.From=test@ourhostname.nl
DNS record(s):
    ourhostname.nl. SPF (no records)
    ourhostname.nl. 86400 IN TXT "v=spf1 a mx -all"
    ourhostname.nl. 86400 IN A 82.94.xxx.xxx
    ourhostname.nl. 86400 IN MX 10 mail.ourhostname.nl.
    ourhostname.nl. 86400 IN MX 20 bsmtp.leaseweb.com.
    mail.ourhostname.nl. 86400 IN A 82.94.xxx.xxx
    bsmtp.leaseweb.com. 3600 IN A 85.17.150.54

----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.3.1 (2010-03-16)

Result:         ham  (-1.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                            domain
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 HTML_MESSAGE           BODY: HTML included in message


It seems like I have to set an SPF record, but we already have this record:
ourhostname.nl. 86400 IN TXT "v=spf1 a mx -all"

Any help is very much appreciated!
ASKER CERTIFIED SOLUTION
Papertrip

This solution is only available to members.

ingriT (ASKER):

Thank you very much for your response!

If I have two IPs that may send the e-mail, should the record be like this then?

"v=spf1 ip4:82.94.167.182 ip4:82.94.205.9 -all"

bsmtp.leaseweb.com doesn't send our mail, we use this to retrieve our mail when our own mailserver was unavailable for some reason.

Woops I usually put a 2 IP example, but yes you are correct!

ingriT (ASKER):

OK, and I'm sorry for all the n00b questions, but why don't I need the mx and the a parameter anymore?

Whoops I didn't see the "a" mechanism at first (wasn't awake long), but it is also extraneous. The "a" mechanism says that whatever your sending server's hostname resolves to is a valid sender, and the "mx" mechanism says that all MX records for the sending domain are valid senders. In the end all these end up doing is requiring additional DNS lookups for each mechanism that is not an IP. Most senders can get away with having a simple SPF record (like you have with 2 ip4 mechanisms), and that is the simplest and best approach.

If for example you could control the SPF record of your domain, but not the A or MX records for it, then you would use the "a" and "mx" mechanisms since the IPs could change for those A records (out of your control) without you knowing it and therefore making your record invalid.

http://www.ietf.org/rfc/rfc4408.txt

5.3.  "a"

   This mechanism matches if <ip> is one of the <target-name>'s IP
   addresses.

   A                = "a"      [ ":" domain-spec ] [ dual-cidr-length ]

   An address lookup is done on the <target-name>.  The <ip> is compared
   to the returned address(es).  If any address matches, the mechanism
   matches.

5.4.  "mx"

   This mechanism matches if <ip> is one of the MX hosts for a domain
   name.

   MX               = "mx"     [ ":" domain-spec ] [ dual-cidr-length ]

   check_host() first performs an MX lookup on the <target-name>.  Then
   it performs an address lookup on each MX name returned.  The <ip> is
   compared to each returned IP address.  To prevent Denial of Service
   (DoS) attacks, more than 10 MX names MUST NOT be looked up during the
   evaluation of an "mx" mechanism (see Section 10).  If any address
   matches, the mechanism matches.
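
An added example (not part of the thread or of RFC 4408): a Python evaluator for the `ip4`, `a`, `mx` and `all` mechanisms discussed above, run against both records from this page and counting the DNS queries each one costs. The zone table is constructed from the report; `192.0.2.10` is a placeholder for the masked `82.94.xxx.x` A records, and CIDR suffixes, `include` and other mechanisms are not handled.

```python
import ipaddress

# Constructed DNS zone mirroring the report above. The page masks the domain's
# A records (82.94.xxx.x), so 192.0.2.10 is a placeholder for that address.
ZONE = {
    ("ourhostname.nl", "A"): ["192.0.2.10"],
    ("ourhostname.nl", "MX"): ["mail.ourhostname.nl", "bsmtp.leaseweb.com"],
    ("mail.ourhostname.nl", "A"): ["192.0.2.10"],
    ("bsmtp.leaseweb.com", "A"): ["85.17.150.54"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
OLD_RECORD = "v=spf1 a mx -all"  # record shown in the report
NEW_RECORD = "v=spf1 ip4:82.94.167.182 ip4:82.94.205.9 -all"  # asker's proposal

def check_spf(record, domain, client_ip, zone=ZONE):
    """Evaluate ip4/a/mx/all terms left to right; return (result, dns_queries)."""
    ip = ipaddress.ip_address(client_ip)
    queries = 0
    def lookup(name, rtype):
        nonlocal queries
        queries += 1
        return zone.get((name, rtype), [])

    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none", queries
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = client_ip in lookup(arg or domain, "A")
        elif name == "mx":
            hosts = lookup(arg or domain, "MX")[:10]  # RFC 4408 cap on MX names
            matched = any(client_ip in lookup(h, "A") for h in hosts)
        else:
            raise ValueError(f"mechanism not handled in this example: {term}")
        if matched:
            return QUALIFIERS[qualifier], queries
    return "neutral", queries  # no mechanism matched (RFC 4408 default)

if __name__ == "__main__":
    for rec in (OLD_RECORD, NEW_RECORD):
        print(rec, "->", check_spf(rec, "ourhostname.nl", "82.94.167.182"))
```

With the constructed zone, the old record fails 82.94.167.182 after four DNS queries while passing 85.17.150.54 (the backup MX that the asker says never sends mail); the ip4-only record passes both sending IPs with no queries.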

ingriT (ASKER):

Thanks!