Email are not delivred

Hi Friends,

I have a exchange server 2k7, which is responsible for 2 domains ...xyz.com & abc.com

some user of abc.com domain complaining that there clients are getting NDRs...& emails are not delivered to us......

when I have check my acb.com domain in MXtoolbox it gives me the output attached here with

Kindly advice where is the issue in my domain...

some prompt & curable advice would be highly appreciated....

thanks in advance...
MX-Lookup-Tool---Check-your-DNS-.htm
dxbdxb2009Asked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Zephyr ICTConnect With a Mentor Cloud ArchitectCommented:
Hi...

I think we need to recap the entire conversation here ... Can you remind me again, did you migrate these servers from a previous Exchange version? You are still using 2007? or was it 2010?

As regarding to the setting, no it will not open up to SPAM as you are using the Symantec protection gateway if I remember correctly.

You should let some exchange admin connect remotely to your server to let him take a look at it, maybe he will find the problem? You can find many freelancers willing to do this for little money.

Also check event logs on the exchange servers, as well as other logs to see if you find something interesting that can help.
0
 
Zephyr ICTCloud ArchitectCommented:
Hi, the file you have linked in your post doesn't show up for me ... Could you maybe also post an excerpt of one of the NDR's your clients are getting?
0
 
dxbdxb2009Author Commented:
spravtek : thanks for your reply,

find the attached file here with...

Pls advice..
Email.jpg
0
Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

 
Zephyr ICTCloud ArchitectCommented:
Is there some anti-spam solution between the Internet and your server? Or your firewall acting as anti-spam? What is the exact message your users are getting when sending mails?

Did you test DNS (forward/reverse)?
0
 
dxbdxb2009Author Commented:
we did not have any spam solution,

DNS forward is okay..i am suspecting reverse dns lookup...

can you check & advice if revers dns lookup for my abc.com domain is correct or not...?

thanks ....
0
 
Zephyr ICTCloud ArchitectCommented:
You do have a problem with reverse DNS, you have that part right!

You can use this tool to check for yourself:

http://centralops.net/co/
0
 
Zephyr ICTCloud ArchitectCommented:
I think it depends on where you're looking from, some tools don't report a problem, did you recently change your DNS?
0
 
Zephyr ICTCloud ArchitectCommented:
The connection with your mail server seems ok, so it might also be DNS resolution?

[Contacting mail.alqasba.ae [213.42.203.13]...]
[Connected]
220 ********************************************
EHLO hexillion.com
250-smtp.qda.ae says EHLO to 70.84.211.98:4654
250-SIZE 15728640
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 PIPELINING
MAIL FROM:<HexValidEmail@hexillion.com>
250 MAIL FROM accepted
RCPT TO:<admin@alqasba.ae>
250 RCPT TO accepted
RSET
250 RSET OK
QUIT
221 smtp.qda.ae closing connection
[Connection closed]
0
 
dxbdxb2009Author Commented:
thanks spravtek for your valuable reply & help...

as per my test with the tool/link you suggested here : http://centralops.net/co/

13.203.42.213.in-addr.arpa      IN      PTR      mail.alqasba.ae      21600s      (06:00:00)

Here it must be second domain name.... mail.almon*******.ae = am I correct?

kindly advice any solution to work around with 2 domain hosting on one exchange server with correct PTR pointed as they really required..

thanks once again for your interest in this question..
0
 
Zephyr ICTCloud ArchitectCommented:
Yes, there seems to be only 1 domain being resolved for that IP-address, so in order for the other address being resolved to the same IP-address it should be configured in the same manner as the one that translates at the moment.

both DNS names need to resolve to the same IP

mail.abc.com - 213.42.203.13
mail.xyz.com - 213.42.203.13
0
 
dxbdxb2009Author Commented:
both DNS names need to resolve to the same IP..... How & where I can configure to resolve both name with same IP....

Kindly advice...

Thanks...
0
 
Zephyr ICTCloud ArchitectCommented:
Well, you need to make sure you have the mx records in place for starters

mx 10 mail.abc.com
mx 10 mail.xyz.com

Then make sure you have the correct ptr records for each mx record.
so if you make a reverse dns for mail.xyz.com it resolves like this:

13.203.42.213.in-addr.arpa      IN      PTR      mail.xxxxxxx.ae

You'll need to configure it on each domain...

It seems to be working for the one domain, so it should be set up the same for the other domain.
0
 
dxbdxb2009Author Commented:
Okay...what I understood:

1. mx records = will set it up on cPanel of my ISP/DNS provider here it is Etisalat = Correct?

2. ptr records = again will ask my ISP to set the 2 PTR as below:
13.203.42.213.in-addr.arpa      IN      PTR      mail.xyz.ae
13.203.42.213.in-addr.arpa      IN      PTR      mail.abc.ae

I am confused here=? kindly correct if I am wrong here :(

pls help...
0
 
Zephyr ICTCloud ArchitectCommented:
No ... I need to correct myself here ... Don't create two PTR records, that will not work...

You need to create the MX records for both domains as well as make sure that the A-record points to the correct IP-address

mx 10 mail.abc.com
mx 10 mail.xyz.com

A mail.abc.com 1.1.1.1
A mail.xyz.com 1.1.1.1

then make sure there's only 1 PTR record, it doesn't matter what domain this PTR record points to, as long as the IP results are the same. What matters is that the reverse DNS points to that IP-address, that is what is being checked.
0
 
dxbdxb2009Author Commented:
Thanks for clarification...
Just leaving for the day... Shell resume tomorrow... Kindly bear with me... Thanks once again
0
 
dxbdxb2009Author Commented:
sorry ...spravtek for delay reply....

So I will not create 2 PTR records...
"You need to create the MX records for both domains...." I thing MX records are already configured for both...will double check ..if not created will create for both... as advised above...

also will create the A record as well...

One question = where i will create these records?
where the DNS name is registered like ...if it is with GoDaddy.com i will create it there or if it is with my ISP...

pls advice me to solve the issue & close this question ....

many thanks once again...
0
 
Zephyr ICTCloud ArchitectCommented:
Hello ...

I don't know the other domain name, so I can't check the MX record of it, but since there's only 1 MX record that shows when doing a reverse DNS on the IP-address, I'm thinking it might not exist or point to another IP?

When doing another check of your domain alqasba.ae, following things don't add up:

PTR record points to: 14.203.42.213.in-addr.arpa      IN      PTR      mailqaq.ae

While you do a DNS check of mail.alqasba.ae the PTR points to: 13.203.42.213.in-addr.arpa      IN      PTR      mail.alqasba.ae

Which is correct, I don't know what the other PTR is needed for, but it could cause problems.

The DNS record for 213.42.203.13 looks to be ok at the moment.

These records need to be created at the provider that has the authoritative Name Servers for you domain, in most cases this is the provider where you acquired your domain name.

If you acquired your name at GoDaddy for example, they will most likely carry your DNS records yes...

If acquired your domain name through your ISP, then they probably take care of the DNS, this is I think the case for you, the NS records point to www.etisalat.ae, so I'm guessing you can change the settings there, or ask them to change it for you, if you explain your situation they most likely will know what to do.
0
 
dxbdxb2009Author Commented:
thanks once again for being with me...

"I don't know the other domain name...." = attaching here with,

" I'm thinking it might not exist or point to another IP?....." = no it is pointing to the same IP address,

"Which is correct, I don't know what the other PTR is needed for, but it could cause problems....." = . I could not understand your statement...kindly explain..

So what i understood...
* each domain name must have its own MX records + A records poinging to same IP (if both email services hosted on same server/IP) = am I correct?
* any one domain name (out of two can be configured for PTR records as now i can see it is
 13.203.42.213 .in - addr . arpa -      IN      - PTR      -  mail.alqasba.ae / which is correct....now I dont need to create any other PTR for my domain domain name ... just to create the MX & A records pointing to the same IP will solve my issue....= am i correct?

pls advice....accordingly ....
Domain-name.txt
0
 
Zephyr ICTCloud ArchitectCommented:
"I don't know the other domain name...." = attaching here with,

Thank you...

I checked the configuration of DNS, that seems to be ok.

"Which is correct, I don't know what the other PTR is needed for, but it could cause problems....." = . I could not understand your statement...kindly explain..

Open in new window


When you do a DNS lookup of your domain alqasba DOT ae (withouth "mail" in front of it) you get another PTR record (14.203.42.213.in-addr.arpa      IN      PTR      mailqaq.ae)

This can be causing problems for mail delivery... I don't know if that domain is from you or from the provider, so I just mentioned it.

So what i understood...
* each domain name must have its own MX records + A records poinging to same IP (if both email services hosted on same server/IP) = am I correct?
* any one domain name (out of two can be configured for PTR records as now i can see it is
 13.203.42.213 .in - addr . arpa -      IN      - PTR      -  mail.alqasba.ae / which is correct....now I dont need to create any other PTR for my domain domain name ... just to create the MX & A records pointing to the same IP will solve my issue....= am i correct?

* Yes
* yes, when you perform a PTR lookup of the IP-address, there is a valid response, in normal circumstances the domain name isn't looked at in PTR records.

As it stands now, your mails should arrive and go out ...

This is the reply you get when performing an nslookup with option PTR:

> 213.42.203.13
Server:            192.168.1.2
Address:      192.168.1.2#53

Non-authoritative answer:
13.203.42.213.in-addr.arpa      name = mail.alqasba.ae.

If you still have problems now, we need to dig deeper.
0
 
dxbdxb2009Author Commented:
thanks once again...

"As it stands now, your mails should arrive and go out ... ........" as i stated in my question that mails are going & coming but only from few domains we have the issue...& as I have read that some mail server strictly check the reverse DNS lookup if mismatched those servers will reject such mails which results NDRs,

So I belive once I have MX + A records setup properly, the issue should get resolved = am I correct?

What I can see using the tool you adviced (http://centralops.net/co/)
DNS Records: (for mail.alm****h.ae)
mail.alm****h.ae        IN       A       213.42.203.13 ( pls comments = is it correct?)
PTR:
13.203.42.213.in-addr.arpa      IN      PTR      mail.alqasba.ae ( pls comments  = is it sufficient for both domain & configured correctly ?)

If all above is okay...we have to look here  for :

14.203.42.213.in-addr.arpa      IN      PTR      mailqaq.ae

kindly advice .....this must be again mail.alqasba.ae (if we dont have any mail services with this) = i am correct?

Much appreciate you great help...

thanks in advance...
0
 
Zephyr ICTCloud ArchitectCommented:
So I belive once I have MX + A records setup properly, the issue should get resolved = am I correct?

Yes, but as they are now configured they should be ok...

DNS Records: (for mail.alm****h.ae)
mail.alm****h.ae        IN       A       213.42.203.13 ( pls comments = is it correct?)
PTR:
13.203.42.213.in-addr.arpa      IN      PTR      mail.alqasba.ae ( pls comments  = is it sufficient for both domain & configured correctly ?)

Yep, looks ok ...

If all above is okay...we have to look here  for :

14.203.42.213.in-addr.arpa      IN      PTR      mailqaq.ae

Yes, this one is strange, I don't think you need this one for anything.

So to sum-up:

- for each mail.yourdomain.ae you need an A record point to 213.42.203.13
- for each mail.yourdomain.ae you need an MX record
- Only 1 PTR record needed for both

Multiple PTR records can break things, if the remote mail server does a reverse DNS on the IP address it should just have 1 PTR record.

If all this is configured correctly, make sure you start configuring your spf-records as well, check following for more info:
http://technet.microsoft.com/en-us/library/ff714972.aspx and https://en.wikipedia.org/wiki/Sender_Policy_Framework
0
 
dxbdxb2009Author Commented:
thanks  spravtek ....

can this NDR report help us to find the issue...

attached here with the NDR i received...

kindly have a look & advice...
NDR.txt
0
 
dxbdxb2009Author Commented:
One more NDR report attaching here with for your ready reference...

requesting you to have a look & advice...

many thanks in advance...
mail.txt
0
 
Zephyr ICTCloud ArchitectCommented:
Hi... Sorry for the late reply, got hung up on my own problems :)

Ok, lets see ... Error 550 hmmm...

Let me take a look, I'll report back
0
 
dxbdxb2009Author Commented:
thanks for your reply..

would be waiting for your valuable reply..
0
 
Zephyr ICTCloud ArchitectCommented:
Hi,

Are you sure there isn't some anti-spam service running somewhere?

I get to see this in the header when I send a mail:

smtp.qda.ae (Symantec Messaging Gateway)

Open in new window


Maybe the domain isn't configured on this SMG, hence gets rejected?
0
 
dxbdxb2009Author Commented:
yes..i SMG is there....& second domain is configured well...

well where else ..could be the issue...

pls advice..
0
 
Zephyr ICTCloud ArchitectCommented:
Without knowing more about your environment or being able to take a look at it, it will be difficult to troubleshoot, DNS seems ok so far... We can connect to your mail server just fine, it's after the connection the issues start.

Does this happen to all users of that second domain? Or only some users?

As far as I can tell it's either SMG that refuses the emails from that domain, or Exchange can't find the users and rejects the mail.
0
 
dxbdxb2009Author Commented:
thanks again...
just leaving for the day...
will update you tomorrow...
thanks..
0
 
dxbdxb2009Author Commented:
Hi spravtek...i am back..

I have double check with SMG & compare with other hosted domain & double check with my ISP, all records seems to be updated & correct,

kindly advice...what all information I might provide you to dig more & troubleshoot at your end..
much appreciate if you can help me to get this issue solved ...

thanks for your understanding in advance..
0
 
dxbdxb2009Author Commented:
@ spravtek : In your free time..kindly advice/reply what all other network info you need to troubleshoot more...

thanks....
0
 
Zephyr ICTCloud ArchitectCommented:
Hi...

Sorry for the late reply,  I got called out to solve a problem with a customer ..

I'll take a look at your case again tomorrow afternoon to see if I can help out more.
0
 
dxbdxb2009Author Commented:
thanks spravtek...for your reply...

would be waiting for your kind advice...

many thanks...
0
 
Zephyr ICTCloud ArchitectCommented:
Hi,

Just a quick mail for some information I can later use to troubleshoot.

Do you have a mail address that exists on this domain and that I can use to send testmails?
0
 
dxbdxb2009Author Commented:
okay...do as per your wish....

i am enclosing the email id in the attachments & requesting you keep ur name & identity hidden/anonymous...

hope you understand & support,

many thanks..
mail.txt
0
 
Zephyr ICTCloud ArchitectCommented:
Hi,

Thanks for the email address...

Some things:

- There seems to be an issue with DNS again, at least 1 Name Server claims he is non-authoritative for your domains, according to this:

MXTB-PWS3v2 1380ms
  0  ns2.aedns.ae  79.98.121.73  NON-AUTH  251 ms  Received 4 Referrals , rcode=    NS: dxbans1.ecompany.ae,NS: auhans2.ecompany.ae,NS: auhans1.ecompany.ae,NS: dxbans2.ecompany.ae,  

  1  dxbans1.ecompany.ae  194.170.1.6  AUTH  258 ms  Received 1 Referrals , rcode=    SOA: mname=dxbans2.ecompany.ae/rname=send.mail.2.dns.at.ies.etisalat.ae/serial=2011012300,  

  1  auhans1.ecompany.ae  194.170.1.99  AUTH  350 ms  Received 1 Referrals , rcode=    SOA: mname=dxbans2.ecompany.ae/rname=send.mail.2.dns.at.ies.etisalat.ae/serial=2011012300,  

  1  auhans2.ecompany.ae  195.229.237.52  AUTH  264 ms  Received 1 Referrals , rcode=    SOA: mname=dxbans2.ecompany.ae/rname=send.mail.2.dns.at.ies.etisalat.ae/serial=2011012300,  

  1  dxbans2.ecompany.ae  194.170.1.7  AUTH  256 ms  Received 1 Referrals , rcode=    SOA: mname=dxbans2.ecompany.ae/rname=send.mail.2.dns.at.ies.etisalat.ae/serial=2011012300,  

Open in new window


See the first entry? it replies with non-authoritative ( ns2.aedns.ae  79.98.121.73 ).

Do you know where this comes from? Especially aedns.ae, did you have another provider before?

Maybe your ISP can help you with that one.

- Second, the NDR's people are getting, are they sent to Distribution Lists or singular email-addresses?
0
 
dxbdxb2009Author Commented:
First : I am still checking with ISP with regards to non-authoritative reply, (which might take some time...)
Pls explain : how this "non-authoritative" can effect the email routing/delivery?

Second : NDR people are sending to single email address not to Distribution list,

kindly advice & suggest,

thanks,
0
 
Zephyr ICTCloud ArchitectCommented:
non-authoritative DNS servers answer most of the time from the cache they have from a previous lookup, this means the DNS answers can be unreliable, if the cache of this DNS server is old or has old DNS configuration of your DNS setup it can cause some issues.

You could lower the TTL on the existing DNS records, maybe that triggers the emptying of this non-authoritative DNS server's cache.

Ok ... That's something, sometimes there's an issue when people send to distribution lists.

So, do all people have issues when sending mail to your users, or is it only certain people that have this issue? And is the issue still as bad as it was in the beginning? How is the situation at the moment?

Thanks.
0
 
Zephyr ICTCloud ArchitectCommented:
Maybe you can ask the ISP to lower the TTL on your DNS records, currently this is set to 6 hours ... Lower it to 1 hour...
0
 
dxbdxb2009Author Commented:
thanks spravtek for your continues supports/comments..
finally we requested isp to update the dns entries & they have to say it is done...
i could not understand what they have done but i can see the results as attached...
email issue seems to be resolved...
but i really need to understand that what ISP have done to update the DNS entries...

kindly advice / suggest...
afterr.jpg
beforee.jpg
0
 
dxbdxb2009Author Commented:
any advice... pls...
so i can close the question by assigning points..
thanks in advance..
0
 
Zephyr ICTCloud ArchitectCommented:
Hi, sorry I missed your previous post ...

I will have a look and report back.
0
 
Zephyr ICTCloud ArchitectCommented:
It's difficult to say what your ISP has done, it looks okay indeed ... Did they report of what they have done exactly?

There are still some inconsistencies when you do a lookup of the domain name though ... But they might not have influence on the mailflow.
0
 
dxbdxb2009Author Commented:
as in the image i can see there are some changes in the "Parent"...
i am still waiting for reply from concern person who made the changes...
will keep you posted...
thanks...
0
 
Zephyr ICTCloud ArchitectCommented:
Besides some smaller inconsistencies the DNS actually looks ok now, here you can see a better overview of all the tests: http://www.dnsinspect.com/ecompany.ae

There are some stealth DNS servers not listed at the parent servers for instance.
0
 
dxbdxb2009Author Commented:
Sorry spravtek for delay reply..
I again listen that issue is still not get resolved...
kindly find the attached NDRs from user & advice..
many thanks for your support & looking for the same ...
thanks...
NDRs.txt
0
 
Zephyr ICTCloud ArchitectCommented:
Is this a mail that is sent to the user or does the user send this email to someone?

Are you sure that the user or alias exists on the mail server?

Also, don't forget to configure spf records, this will help prevent your mail servers to be regarded as spam servers, a typical spf looks like this:  

v=spf1 a mx ~all

Open in new window

0
 
dxbdxb2009Author Commented:
Thanks once again...
Sender is from Outside of Company with XYZ_Domain & outside user receive this NDR (attached here with again)
Yes...all users are exists on the mail server (as they are able to receive emails from other domains; only from some domains outside sender are getting NDRs; as described in my question)
Kindly advice how to check either SPF are configured or not with existing email servers..
thanks in advance...
NDRs1.jpg
0
 
Zephyr ICTCloud ArchitectCommented:
Hi,

I don't think this is a DNS issue, the sending party can find your mail server, can connect with your mail server, but then gets an error that either the user or their alias is not present on the server, so it can be an Exchange issue...

Error 550 5.1.1 - The same error message is received if the recipient has a mail loop. That is, if the recipient has set a forward to another email address and that email address is forwarded back to the original one. In this case, you need to remove the loop in order to receive the emails.

or If there is a forward set for an account, and an email is sent to that account, if for some reason the forwarded email is not sent, the original sender may get the above error.
For example, abc@domain.com if forwarded to abc@dom.com, if a third user xyz@dom2.com emails to abc@domain.com, he may get the above error if the forwarded email is bounced.

or it might be the Symantec mailgateway, but I remember you checked that right?

SPF is not configured at the moment, it's part of the DNS setup and it should show up when doing a DNS lookup of mail.yourdomain.com, it doesn't show up at the moment... This doesn't influence current mail flow, but it is considered best practice to have an SPF record. More info on SPF here: https://en.wikipedia.org/wiki/Sender_Policy_Framework
0
 
dxbdxb2009Author Commented:
hi...thanks once again for your suggestion...

just double checking with Symantec mailgateway...will update you soon...

thanks....
0
 
Zephyr ICTCloud ArchitectCommented:
Ok, no problem... Thanks for the update.
0
 
dxbdxb2009Author Commented:
Sorry spravtek for the long delay,

Again get the same error from one of the user:

Reason:  554 5.5.0 No recipients have been specified. (554)

Is there any way to troubleshoot & diagnose the issue..

thanks in advance..
0
 
Zephyr ICTCloud ArchitectCommented:
Do you have the NDR from the mail by any chance? To which domain or email-address was it sent ...
0
 
dxbdxb2009Author Commented:
just told the customer to send one test email from which they get NDR ...waiting for that...
will post you soon...thanks for being with me...
0
 
dxbdxb2009Author Commented:
sorry spravtek for delay reply...
just get the NDR from the customer .... enclosing here with the NDR...for your ready reference..
would really appreciate if you can have a look on it & suggest some curable talk to perform...
thanks in advance...
Email-error.pdf
0
 
Zephyr ICTCloud ArchitectCommented:
Hi, wish I could help you with this, but it's an error from the mail server (or any application in between), either the the user doesn't exist or it's written differently/wrong, or there's a problem with the account ... This has nothing to do anymore with DNS or PTR.
0
 
dxbdxb2009Author Commented:
@ spravtek : thanks for your prompt reply & support,

"either the the user doesn't exist...." =  if user does not exist then how this user is receiving emails from other domains....issue is NOT RECEIVED EMAILS FROM SOME DOMAINS"

"there's a problem with the account ... "  = Kindly advice what all could be the problems to troubleshoot...

"This has nothing to do anymore with DNS or PTR. "..... = I don't know, why i suspect on DNS/PTR...as we have issue to receive emails from some domains....

I will really appreciate if you can spare some of your important time to look into this matter...

many thanks in advance...
0
 
Zephyr ICTCloud ArchitectCommented:
Did you check this setting?

http://www.expta.com/2011/04/how-to-fix-550-511-user-unknown-error.html

Kindly advice what all could be the problems to troubleshoot...

Check the spelling of the name, make sure there's no wrong email-address in the cache of the mail client...

I don't know, why i suspect on DNS/PTR...as we have issue to receive emails from some domains....

But if these errors are 550 5.1.1 it has nothing to do with DNS or PTR ... If there are DNS issues for sending email to your domain you have other error codes.
0
 
dxbdxb2009Author Commented:
thanks for your prompt reply...
i am going to try this now...but as its for 'New Distribution Group'  as this links says....do you think it can help......? is for everyone who sends email from internet?  just confused..!

Also clearing this checkbox for 'Require that all senders are authenticated' am I going to open a window for spams .... pls advice...

many thanks once again...
0
 
dxbdxb2009Author Commented:
thanks for being with me & for your interest:
"did you migrate these servers from a previous Exchange version?..." = Yes you are correct before it was 2007 & now it is 2010,

" using the Symantec protection gateway..." = Yes, using SYM Gateway

" event logs .." = really can not see any abnormal activities in logs,

any work around or suggestion would be appreciated,
0
 
Zephyr ICTCloud ArchitectCommented:
As I mentioned earlier, try the setting mentioned in this article:

http://www.expta.com/2011/04/how-to-fix-550-511-user-unknown-error.html
0
 
dxbdxb2009Author Commented:
Hi,
Still working on it..
will update you soon..
thanks..
0
All Courses

From novice to tech pro — start learning today.