Solved

Your message wasn't delivered because of security policies 5.7.0 TLS encryption required Exchange 2007

Posted on 2014-01-23
Last Modified: 2016-02-25
Dear all,

I have the following issue with one of our clients:

The issue happens with one external domain only, "network-health.org". When users try to send emails to this domain, they receive the following NDR:

Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.
 
The following organization rejected your message: mxa-000e3401.gslb.pphosted.com.
 
Diagnostic information for administrators:
 
Generating server: mailx.centerlw.org
 
Jennifer.Cascio@network-health.org
mxa-000e3401.gslb.pphosted.com #<mxa-000e3401.gslb.pphosted.com #5.7.0 smtp; 503 5.7.0 TLS encryption required> #SMTP#
 
Original message headers:
 
Return-Path: <cenriquez@CenterLW.org>
Received: from mailx.centerlw.org (localhost.localdomain [127.0.0.1])
        by localhost (Email Security Appliance) with SMTP id 116364386BC_2E02084B
        for <Jennifer.Cascio@network-health.org>; Wed, 22 Jan 2014 19:48:20 +0000 (GMT)
Received: from mail.centerlw.org (clw-mail.centerlw.org [192.168.254.7])
        by mailx.centerlw.org (Sophos Email Appliance) with ESMTP id E49B94385FC_2E02082F
        for <Jennifer.Cascio@network-health.org>; Wed, 22 Jan 2014 19:48:18 +0000 (GMT)
Received: from CLW-MAIL.centerlw.org ([::1]) by CLW-MAIL.centerlw.org ([::1])
 with mapi; Wed, 22 Jan 2014 14:45:42 -0500
From: Carlos Enriquez <cenriquez@CenterLW.org>
To: "Cascio, Jennifer" <Jennifer.Cascio@network-health.org>
Date: Wed, 22 Jan 2014 14:45:40 -0500
Subject: RE: Member getting PCA services
Thread-Topic: Member getting PCA services
Thread-Index: Ac8XpsffH9a/YO7HTXygaN/wleZ+SgAA4sOA
Message-ID: <23FF1E7E9A04A84FB5CE4563808DD9E41FE5A81B6E@CLW-MAIL.centerlw.org>
References: <4FF21B15361C864DBAF26D82CD4ABE640523323168@exchange01.nwhsc.org>
In-Reply-To: <4FF21B15361C864DBAF26D82CD4ABE640523323168@exchange01.nwhsc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain
MIME-Version: 1.0

SMTPDiag results:

C:\SmtpDiag>smtpdiag cmotyka@Centerlw.org jennifer.cascio@network-health.org /V

Searching for Exchange external DNS settings.
Computer name is CLW-MAIL.
VSI 1 has the following external DNS servers:
There are no external DNS servers configured.

Checking SOA for network-health.org.
Checking external DNS servers.
Checking internal DNS servers.

Checking TCP/UDP SOA serial number using DNS server [192.168.254.7].
TCP test succeeded.
UDP test succeeded.
Serial number: 72

Checking TCP/UDP SOA serial number using DNS server [192.168.254.11].
TCP test succeeded.
UDP test succeeded.
Serial number: 72

Checking TCP/UDP SOA serial number using DNS server [127.0.0.1].
TCP test succeeded.
UDP test succeeded.
Serial number: 72
SOA serial number match: Passed.

Checking local domain records.
Starting TCP and UDP DNS queries for the local domain. This test will try to
validate that DNS is set up correctly for inbound mail. This test can fail for
3 reasons.
    1) Local domain is not set up in DNS. Inbound mail cannot be routed to
local mailboxes.
    2) Firewall blocks TCP/UDP DNS queries. This will not affect inbound mail,
but will affect outbound mail.
    3) Internal DNS is unaware of external DNS settings. This is a valid
configuration for certain topologies.
Checking MX records using TCP: Centerlw.org.
  A:     Centerlw.org [192.168.254.2]
  A:     Centerlw.org [192.168.254.11]
  A:     Centerlw.org [192.168.254.7]
  A:     Centerlw.org [192.168.254.3]
Checking MX records using UDP: Centerlw.org.
  A:     Centerlw.org [192.168.254.7]
  A:     Centerlw.org [192.168.254.11]
  A:     Centerlw.org [192.168.254.3]
  A:     Centerlw.org [192.168.254.2]
Both TCP and UDP queries succeeded. Local DNS test passed.

Checking remote domain records.
Starting TCP and UDP DNS queries for the remote domain. This test will try to
validate that DNS is set up correctly for outbound mail. This test can fail for
3 reasons.
    1) Firewall blocks TCP/UDP queries which will block outbound mail. Windows
2000/NT Server requires TCP DNS queries. Windows Server 2003 will use UDP
queries first, then fall back to TCP queries.
    2) Internal DNS does not know how to query external domains. You must
either use an external DNS server or configure DNS server to query external
domains.
    3) Remote domain does not exist. Failure is expected.
Checking MX records using TCP: network-health.org.
  MX:    mailgw01.network-health.org (10)
  MX:    mxa-000e3401.gslb.pphosted.com (2)
  MX:    mxb-000e3401.gslb.pphosted.com (4)
  A:     mailgw01.network-health.org [131.239.33.10]
Checking MX records using UDP: network-health.org.
  MX:    mxa-000e3401.gslb.pphosted.com (2)
  MX:    mxb-000e3401.gslb.pphosted.com (4)
  MX:    mailgw01.network-health.org (10)
Both TCP and UDP queries succeeded. Remote DNS test passed.
  A:     mxa-000e3401.gslb.pphosted.com [67.231.152.23]
  A:     mxb-000e3401.gslb.pphosted.com [67.231.144.68]

Checking MX servers listed for jennifer.cascio@network-health.org.
Connecting to mxa-000e3401.gslb.pphosted.com [67.231.152.23] on port 25.
Received:
220 mx0b-000e3401.pphosted.com ESMTP mfa-m0000605

Sent:
ehlo Centerlw.org

Received:
250-mx0b-000e3401.pphosted.com Hello static-216-214-245-147.isp.broadviewnet.net
 [216.214.245.147] (may be forged), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250 STARTTLS


Sent:
mail from: <cmotyka@Centerlw.org>

Received:
250 2.1.0 Sender ok

Sent:
rcpt to: <jennifer.cascio@network-health.org>

Received:
250 2.1.5 Recipient ok

Sent:
quit

Received:
221 2.0.0 mx0b-000e3401.pphosted.com Closing connection

Successfully connected to mxa-000e3401.gslb.pphosted.com.
Connecting to mxb-000e3401.gslb.pphosted.com [67.231.144.68] on port 25.
Received:
220 mx0a-000e3401.pphosted.com ESMTP mfa-m0000522

Sent:
ehlo Centerlw.org

Received:
250-mx0a-000e3401.pphosted.com Hello static-216-214-245-147.isp.broadviewnet.net
 [216.214.245.147] (may be forged), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250 STARTTLS


Sent:
mail from: <cmotyka@Centerlw.org>

Received:
250 2.1.0 Sender ok

Sent:
rcpt to: <jennifer.cascio@network-health.org>

Received:
250 2.1.5 Recipient ok

Sent:
quit

Received:
221 2.0.0 mx0a-000e3401.pphosted.com Closing connection

Successfully connected to mxb-000e3401.gslb.pphosted.com.
Connecting to mailgw01.network-health.org [131.239.33.10] on port 25.
Connecting to the server failed. Error: 10060
Failed to submit mail to mailgw01.network-health.org.

What's more, I can't establish a Telnet connection with mailgw01.network-health.org.

Please note that our client is using Postini as a spam filter for incoming emails.

Please help.
0
Question by: Kinan Al-Haffar
 

Author Comment

by:Kinan Al-Haffar
ID: 39803331
I also checked the PTR record and it's fine.
0
 
LVL 9

Expert Comment

by:Ahmed786
ID: 39803491
So whenever an external user sends an email to Jennifer.Cascio@network-health.org, they get an NDR, right?

Is only sending mail from a specific domain to @network-health.org causing the problem, or from all domains?

So is the problem only when sending mail to Jennifer.Cascio@network-health.org, or when sending to any user in the domain @network-health.org?

Is internal mail working fine for the domain @network-health.org?

Sometimes an issue with a specific user is because of the settings below.

Under "Message Delivery Restrictions", uncheck "Require that all senders are authenticated".
0
 

Accepted Solution

by:
Kinan Al-Haffar earned 0 total points
ID: 39803545
The issue was solved by creating a new send connector to that specific domain to bypass the Sophos appliance.
0
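One way to build the kind of connector the accepted solution describes, as an added example that is not the poster's actual configuration. The connector name is hypothetical, CLW-MAIL is taken from the SMTPDiag output above and assumed to be the Hub Transport server, and MX-based routing, RequireTLS and verbose protocol logging are assumptions.

```powershell
# Added example (Exchange 2007 Management Shell). Not the poster's real settings.
# Assumptions: connector name, CLW-MAIL as source Hub Transport server,
# DNS (MX) routing, and enforcing TLS on this route.

$domain = 'network-health.org'
$hub    = 'CLW-MAIL'                          # computer name shown by SMTPDiag
$name   = 'Direct TLS to network-health.org'  # hypothetical connector name

# 1. See how outbound mail is routed today. A connector that lists the
#    appliance under SmartHosts is the path that produced the NDR.
Get-SendConnector |
    Format-Table Name, AddressSpaces, SmartHosts, DNSRoutingEnabled, RequireTLS -AutoSize

# 2. Create a connector scoped to the one recipient domain. It delivers
#    straight to the domain's MX hosts instead of relaying via a smart host.
New-SendConnector -Name $name `
    -Usage Custom `
    -AddressSpaces "SMTP:$domain;1" `
    -DNSRoutingEnabled $true `
    -SourceTransportServers $hub `
    -RequireTLS $true `
    -ProtocolLoggingLevel Verbose

# 3. Confirm the result. IgnoreSTARTTLS must be False, otherwise Exchange
#    skips the STARTTLS offer that both pphosted.com hosts advertised.
Get-SendConnector $name |
    Format-List Name, Enabled, AddressSpaces, DNSRoutingEnabled, SmartHosts,
                RequireTLS, IgnoreSTARTTLS, ProtocolLoggingLevel

# 4. After a test message, check the queue for this domain. With RequireTLS
#    set, a failed TLS negotiation leaves mail queued with a LastError
#    instead of sending it in clear text.
Get-Queue | Where-Object { $_.NextHopDomain -like "*$domain*" } |
    Format-List Identity, Status, MessageCount, LastError
```

Exchange routes on the most specific matching address space, so only mail for this domain takes the new path, and that mail no longer passes through the appliance's outbound scanning. With verbose logging enabled, the send protocol log on the Hub Transport server should show STARTTLS issued before MAIL FROM for these sessions.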
 

Author Closing Comment

by:Kinan Al-Haffar
ID: 39814542
It solved the issue
0
