• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2344

Exchange Server Emails Bounced Back Suddenly

Some of the outbound emails were bounced back suddenly starting yesterday.

There are three types of undeliverable errors:
1. #552 5.2.0 IB212 msg rejected as spam ##, from secureserver.net
2. #554 5.7.1 [P4] Message blocked due to spam content in the message. ##, from embarq.synacor.com
3. #554 Denied (Mode: normal) ##, from mxlogic.net

I ran a test on mxtoolbox.com, and didn't find any error for our domain. It isn't on any blacklist. 4 warnings found:

smtp: mail.domain, SMTP Transaction Time, 8.284 seconds - Not good! on Transaction Time
smtp: mail.domain, SMTP TLS, Warning - Does not support TLS.
dns:  domain, DNS SOA Expire Value, SOA Expire Value out of recommended range
dns: domain, DNS SOA Serial Number Format, SOA Serial Number Format is Invalid

What's causing the problem? Can anyone help please?
1 Solution
Hypercat (Deb)Commented:
If you're not on any blacklists, you should check two other things. First of all, you should have an SPF record for your domain.  Many large ISPs, including for example secureserver.net (I think this is GoDaddy, IIRC), will reject email from domains without an SPF record.  Also, take a look at the TLS issue - some domains may reject email if opportunistic TLS is not enabled.  I can't remember if it's enabled by default on Exchange 2007, although I'm pretty sure it is on Exchange 2010.
Hypercat (Deb)Commented:
Also, a third thing I just remembered, is to make sure you have a PTR (rDNS) record for your mail server, if you're hosting your own email.  The absence of a PTR record can also be a common reason for email being rejected as spam.
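The three things Hypercat lists (SPF record, opportunistic TLS, PTR record) can be checked mechanically. The script below is an added example, not code from the thread: it evaluates a simplified SPF record for a sending IP and forward-confirms the PTR of that IP against an in-memory "zone" so it runs offline. The zone, domain names and addresses are constructed and hypothetical; swap the `lookup` function for real DNS queries to run it against your own domain.

```python
"""Offline SPF / PTR sanity checks for an outbound mail server (added example).

Evaluates a teaching subset of SPF (RFC 7208) and forward-confirmed reverse DNS
against a constructed in-memory zone; all names and addresses are hypothetical.
"""
import ipaddress

# Constructed DNS data standing in for real lookups (all names/IPs hypothetical).
ZONE = {
    ("example.com", "TXT"): ["v=spf1 mx a:mail.example.com include:_spf.example.net -all"],
    ("_spf.example.net", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("25.100.51.198.in-addr.arpa", "PTR"): ["mail.example.com"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, zone=ZONE):
    """Case-insensitive lookup in the constructed zone; [] when the name is absent."""
    return zone.get((name.lower().rstrip("."), rtype), [])


def spf_record(domain, zone=ZONE):
    """The domain's single v=spf1 TXT record, or None if it is missing or duplicated."""
    records = [t for t in lookup(domain, "TXT", zone) if t.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def _host_has_ip(host, addr, zone):
    return any(ipaddress.ip_address(a) == addr for a in lookup(host, "A", zone))


def spf_check(ip, domain, zone=ZONE, depth=0):
    """Evaluate SPF for sender IP `ip` and envelope-from domain `domain`.

    Handles all/ip4/ip6/a/mx/include with the four qualifiers. Modifiers such as
    redirect= and exp= are skipped and CIDR suffixes on a/mx are not parsed:
    a teaching subset, not a full RFC 7208 evaluator.
    """
    if depth > 10:
        return "permerror"  # include loop or too many lookups
    record = spf_record(domain, zone)
    if record is None:
        return "none"  # no SPF at all; many receivers treat this as a spam signal
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifier, not a mechanism
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # an address of the other IP version is never inside the network
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = _host_has_ip(arg or domain, addr, zone)
        elif mech == "mx":
            matched = any(_host_has_ip(mx, addr, zone) for mx in lookup(arg or domain, "MX", zone))
        elif mech == "include":
            matched = spf_check(ip, arg, zone, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not modelled here (exists, ptr)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end of the record without a match


def ptr_check(ip, helo_name, zone=ZONE):
    """Forward-confirmed reverse DNS: a PTR exists, resolves back to ip, and matches the HELO name."""
    names = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR", zone)
    if not names:
        return "no-ptr"
    confirmed = [n.lower().rstrip(".") for n in names if ip in lookup(n, "A", zone)]
    if not confirmed:
        return "ptr-not-forward-confirmed"
    return "ok" if helo_name.lower().rstrip(".") in confirmed else "ptr-helo-mismatch"


if __name__ == "__main__":
    for ip in ("198.51.100.25", "203.0.113.7", "192.0.2.1"):
        print(ip, "spf:", spf_check(ip, "example.com"), "ptr:", ptr_check(ip, "mail.example.com"))
```

The interesting cases are the ones that look fine from the server's own side: a record that is present but does not list the IP the mail actually leaves from ("fail"), or a PTR that exists but points at a name that does not resolve back to the sending IP, which large receivers treat much like no PTR at all.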
You should definitely follow hypercat's advice. It may be the issue.

You can sometimes get more information on reasons for failures by trying to send email using telnet. I have frequently found the reason why email has been denied from places, including GoDaddy (secureserver.net), by doing so.

Instructions on how to email using telnet: http://www.wikihow.com/Send-Email-Using-Telnet

Run that from your Exchange server. If telnet isn't installed go to windows features in the server manager and install the telnet client feature. Run the telnet on port 25 against the first MX record their domain has listed.

stillsyraAuthor Commented:
I just created an SPF record, and there's a PTR record.

When I use telnet on the Exchange server, with the EHLO command, 250-starttls isn't shown, but 250-x-anonymoustls is shown. So it looks like the opportunistic TLS isn't enabled.

How do I enable the opportunistic TLS on my Exchange 2007 server?
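The manual telnet session described earlier in the thread, and the EHLO reply the asker reads from it, can be scripted. The code below is an added example, not from the thread or from Exchange: it parses a multi-line 250 reply into the advertised extensions and reports whether STARTTLS is offered (X-ANONYMOUSTLS is an Exchange-specific extension used between Exchange servers of the same organization, not a STARTTLS advertisement), and it includes a live probe that walks a remote MX through EHLO, MAIL FROM and RCPT TO and returns the reply codes without sending a message. The sample replies, host names and addresses are constructed.

```python
"""Read an EHLO reply the way you would when testing by hand over telnet (added example).

parse_ehlo / assess_tls work offline on a captured reply; probe_mx talks to a real
MX on port 25 and records the reply codes up to RCPT TO, then resets and quits,
so nothing is delivered. All hosts and addresses below are hypothetical.
"""
import re
import smtplib

# Constructed reply matching what the asker saw: X-ANONYMOUSTLS present, STARTTLS absent.
EHLO_REPLY_NO_STARTTLS = """\
250-mail.example.com Hello [203.0.113.5]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-X-ANONYMOUSTLS
250-AUTH NTLM LOGIN
250-8BITMIME
250 CHUNKING"""

# Constructed reply from a server that does offer opportunistic TLS.
EHLO_REPLY_WITH_STARTTLS = EHLO_REPLY_NO_STARTTLS.replace(
    "250-X-ANONYMOUSTLS", "250-STARTTLS\n250-X-ANONYMOUSTLS")

# "250-KEYWORD params" (continuation) or "250 KEYWORD params" (last line)
_LINE = re.compile(r"^250([ -])(\S+)\s*(.*)$")


def parse_ehlo(reply):
    """Map extension keyword (upper-cased) -> its parameters; the greeting line is dropped."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    exts = {}
    for ln in lines[1:]:
        m = _LINE.match(ln)
        if m:
            exts[m.group(2).upper()] = m.group(3)
    return exts


def assess_tls(exts):
    """'starttls' when the standard extension is advertised, 'anonymoustls-only' when only
    Exchange's intra-org X-ANONYMOUSTLS is present, else 'none'."""
    if "STARTTLS" in exts:
        return "starttls"
    if "X-ANONYMOUSTLS" in exts:
        return "anonymoustls-only"
    return "none"


def probe_mx(mx_host, helo_name, mail_from, rcpt_to, timeout=15):
    """Live diagnostic against a remote MX (hypothetical arguments): returns the reply
    codes for EHLO, MAIL FROM and RCPT TO. A 5xx at RCPT TO usually carries the
    remote filter's rejection text, which is what you want to read."""
    result = {}
    with smtplib.SMTP(mx_host, 25, local_hostname=helo_name, timeout=timeout) as s:
        result["ehlo"] = s.ehlo(helo_name)[0]
        result["tls"] = assess_tls({k.upper(): v for k, v in s.esmtp_features.items()})
        if s.has_extn("starttls"):
            s.starttls()                       # upgrade, then re-EHLO as the RFC requires
            result["ehlo_after_tls"] = s.ehlo(helo_name)[0]
        result["mail_from"] = s.mail(mail_from)
        result["rcpt_to"] = s.rcpt(rcpt_to)
        s.rset()                               # abandon the transaction; no DATA is ever sent
    return result


if __name__ == "__main__":
    for label, reply in (("asker", EHLO_REPLY_NO_STARTTLS), ("tls host", EHLO_REPLY_WITH_STARTTLS)):
        print(label, assess_tls(parse_ehlo(reply)))
```

Run `probe_mx` from the Exchange server itself (as the earlier reply suggests) so the remote side sees the same source IP, HELO name and PTR that real mail does; run from a workstation the answer tells you nothing about the server's reputation.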
Did you proceed to try to send the email using telnet and see if you get any errors? I would go through the whole process as you may get a more specific reason why your email is blocked, which I have seen before with GoDaddy.

I'm not familiar with Opportunistic TLS, hopefully hypercat can help you with that if it is the issue.
Hypercat (Deb)Commented:
I just double-checked the documentation and opportunistic TLS IS enabled by default in Exchange 2007. So, if you have an SSL certificate properly installed on your Exchange server, and if Exchange 2007 is configured to use this SSL certificate for SMTP communications, then it will automatically use that certificate if the external server it is sending to is configured to request or require TLS.  

Do you have an SSL certificate configured for SMTP on your Exchange server?
Hypercat (Deb)Commented:
stillsyra - if you don't know the answer to my previous question, then you can check by opening the Exchange Management Shell and typing:

get-exchangecertificate | fl

This will produce a list showing you what, if any, certificates are enabled on your server for Exchange and what services (i.e., SMTP, IIS, etc.) the certificate is used for. It will also tell you if the certificates are valid or expired, which would be important to know.
stillsyraAuthor Commented:
Here's the result of get-exchangecertificate | fl. It doesn't look like the opportunistic TLS is enabled. If so, how do I enable it?

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyA
CertificateDomains : {mail.domain, www.mail.domain, autodiscover.domain}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 8/19/2015 2:24:16 PM
NotBefore          : 8/14/2013 11:38:27 AM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 04968AD1BAE896
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.domain, OU=Domain Control Validated
Thumbprint         : 571C1E094518B6CCA126DC744D7564F7E53E0670
Hypercat (Deb)Commented:
<<Services           : IMAP, POP, IIS, SMTP>>

This shows that the certificate, which is a GoDaddy SSL certificate, is enabled for SMTP, so you're all set with opportunistic TLS.  If you want to confirm that, make sure that your send and receive connectors are set to verbose mode, so that the communications are logged.  Then you can check the SMTP protocol logs (they are in the Exchange folder under [Drive]\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog).  You'll see two folders there, SMTP Receive and SMTP Send.  Look in the SMTP Send folder and open the log in a text reader like Notepad.

What you're looking for is communication like this:

External SMTP Connector,08D0890102A648EF,14,,,>,STARTTLS,
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,15,,,<,220 2.0.0 SMTP server ready,
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,16,,,*,,Sending certificate
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,17,,,*,"CN=[Your SMTP server name], OU=Domain Control Validated",Certificate subject
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,18,,,*,"SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=""GoDaddy.com, Inc."", L=Scottsdale, S=Arizona, C=US",Certificate issuer name
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,19,,,*,4F00CF17A03742,Certificate serial number
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,20,,,*,F037F80DBA3CE48D32CF8BB6368E916B67FC0FBD,Certificate thumbprint
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,21,,,*,[Your certificate valid server names],Certificate alternate names
2013-09-27T00:54:51.331Z,External SMTP Connector,08D0890102A648EF,22,,,*,,Received certificate
2013-09-27T00:54:51.331Z,External SMTP Connector,08D0890102A648EF,23,,,*,D4AC9CAA518865B1EF4BF3050B8AFFDF7074D02E,Certificate thumbprint
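Reading the SMTP Send protocol log by eye works for one session; for a day's worth of log it is easier to script. The code below is an added example, not from the thread or from Exchange: it groups log rows by session, records whether STARTTLS was sent and accepted, pulls out the thumbprints of the certificate sent and the certificate received, and compares the sent thumbprint with the one Get-ExchangeCertificate reports. The sample log is constructed after the excerpt above (same layout, timestamps added to the first line, a second hypothetical session with no STARTTLS); because that excerpt came from Hypercat's server, its sending thumbprint differs from the asker's, so the audit flags it, which is exactly the mismatch the check exists to catch.

```python
"""Audit Exchange SMTP Send protocol logs for STARTTLS and the certificate presented (added example).

The #Fields header is the one Exchange writes at the top of each protocol log;
the rows below it are constructed for this example.
"""
import csv
from collections import defaultdict

SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,14,,,>,STARTTLS,
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,15,,,<,220 2.0.0 SMTP server ready,
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,16,,,*,,Sending certificate
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,17,,,*,"CN=mail.example.com, OU=Domain Control Validated",Certificate subject
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,18,,,*,"SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, O=""GoDaddy.com, Inc."", C=US",Certificate issuer name
2013-09-27T00:54:42.034Z,External SMTP Connector,08D0890102A648EF,20,,,*,F037F80DBA3CE48D32CF8BB6368E916B67FC0FBD,Certificate thumbprint
2013-09-27T00:54:51.331Z,External SMTP Connector,08D0890102A648EF,22,,,*,,Received certificate
2013-09-27T00:54:51.331Z,External SMTP Connector,08D0890102A648EF,23,,,*,D4AC9CAA518865B1EF4BF3050B8AFFDF7074D02E,Certificate thumbprint
2013-09-27T01:02:10.110Z,External SMTP Connector,08D0890102A648F0,3,,,>,EHLO mail.example.com,
2013-09-27T01:02:10.210Z,External SMTP Connector,08D0890102A648F0,4,,,<,250-mx.example.net Hello,
2013-09-27T01:02:10.210Z,External SMTP Connector,08D0890102A648F0,5,,,<,250 SIZE 20971520,
2013-09-27T01:02:10.300Z,External SMTP Connector,08D0890102A648F0,6,,,>,MAIL FROM:<user@example.com>,
"""

# Thumbprint from the asker's Get-ExchangeCertificate output earlier in the thread.
ASKER_THUMBPRINT = "571C1E094518B6CCA126DC744D7564F7E53E0670"


def parse_sessions(log_text):
    """Group rows by session-id and keep the TLS-relevant events of each session."""
    sessions = defaultdict(lambda: {
        "connector": None, "starttls_sent": False, "starttls_accepted": False,
        "sent_thumbprint": None, "received_thumbprint": None,
    })
    phase = {}  # session-id -> which certificate the next "Certificate thumbprint" row belongs to
    rows = csv.reader(ln for ln in log_text.splitlines() if ln and not ln.startswith("#"))
    for row in rows:
        if len(row) < 9:
            continue  # not a data row
        _ts, connector, sid, _seq, _local, _remote, event, data, context = row[:9]
        s = sessions[sid]
        s["connector"] = connector
        if event == ">" and data.strip().upper() == "STARTTLS":
            s["starttls_sent"] = True
        elif event == "<" and s["starttls_sent"] and data.startswith("220"):
            s["starttls_accepted"] = True  # "220 ... ready" answering our STARTTLS
        elif event == "*":
            if context == "Sending certificate":
                phase[sid] = "sent"
            elif context == "Received certificate":
                phase[sid] = "received"
            elif context == "Certificate thumbprint" and sid in phase:
                s[phase[sid] + "_thumbprint"] = data.strip().upper()
    return dict(sessions)


def verdict(session, expected_thumbprint):
    """One word per session, from the most basic failure to a fully negotiated session."""
    if not session["starttls_sent"]:
        return "no-starttls"          # remote did not advertise it, or our connector never tried
    if not session["starttls_accepted"]:
        return "starttls-refused"
    if session["sent_thumbprint"] != expected_thumbprint.upper():
        return "unexpected-certificate"  # SMTP is bound to a different certificate than you think
    if not session["received_thumbprint"]:
        return "tls-no-peer-cert"
    return "tls-ok"


def audit(log_text, expected_thumbprint):
    return {sid: verdict(s, expected_thumbprint) for sid, s in parse_sessions(log_text).items()}


if __name__ == "__main__":
    for sid, v in audit(SAMPLE_LOG, ASKER_THUMBPRINT).items():
        print(sid, v)
```

Point `audit` at the concatenated contents of the SMTP Send folder (the ProtocolLog path given above) and the thumbprint from your own Get-ExchangeCertificate output; sessions that come back "no-starttls" tell you which remote domains never offered TLS, and "unexpected-certificate" means the connector is presenting a certificate other than the one you believe is enabled for SMTP.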
stillsyraAuthor Commented:
It's been a few days and looks like the problem is solved. Thanks everyone.