Solved

Exchange incoming - A record being seen only ?

Posted on 2014-02-27
Last Modified: 2014-03-08
Working through something and hoping to get some feedback/different perspectives to look at.

Exchange 2010, one primary domain (@primarydomain.com) with a setting to allow incoming from @acceptmailfromotherdomaintoo.com.

External filter: MXLogic (inbound) only.

Suddenly, over the last several weeks (nothing has changed on the servers, Exchange or DNS), mail from some clients sent to username@acceptmailfromotherdomaintoo.com isn't making it through. Clients are getting "554 check SMTP settings"; their SMTP snippets are showing the A record for the domain rather than the MX, which is propagated and can be confirmed on external tools like mxtoolbox.com etc.

Two things:
1. There was a change from the external web person that assigned a new IP to @primarydomain.com due to blacklisting issues before.
2. I tested something: when I sent mail to user@acceptmailfromotherdomaintoo.com from Hotmail I got the 554 error, sporadically. I think when I unchecked
"automatically update based on email policy" on a test@primarydomain.com user that I added the test@acceptmailfromotherdomaintoo.com
alias to, the mail went through. ??? What could be the relationship/things to look at based on this insight?
3. Both domainprimary and acceptotherdomaintoo are A records with the same IP on the hosted site.

So, note that most users can accept email from any of the domains with one set as primary. So for now I have those users that have the issues having their clients use username@primarydomain.com.

Thanks, really hoping for some activity on this issue and feedback on things I can consider, but I'm not clear this isn't our issue and not the senders'.
Question by:dee30

Expert Comment

by:nifdrift
ID: 39891942
554 is actually a "Relay Denied" message. How have you configured the transport security for the CAS and transport role? Can you explain how your environment is set up? How many, and what servers have what roles etc.? Any anti-spam gateway?

Author Comment

by:dee30
ID: 39892483
1 server has all roles (Hub, CAS, and Mailbox)
2010 v14.01.0270.001
Server is part of one primary domain name with various accepted domains set up under Hub Transport. In this case one of those accepted domains is @acceptmailfromotherdomaintoo.com, which is authoritative. Email to user@acceptmailfromotherdomaintoo.com is having the issue.

The error actually is 550, my typo... "turn on SMTP Auth in your mail client" is what the sender gets. I have two clients that seem to be using the same external filtering company and one that has none. All three have this issue, but sometimes they don't get an NDR for a while or at all.

I honestly don't see how the internal Exchange server setup is the issue, b/c the mail never makes it to our external filters? We're using the external's MX records (MXLogic).

Thx

Author Comment

by:dee30
ID: 39892722
Also want to go over the config steps for DNS...

1. Mail server mail.domainname.com external IP is (per www.whatisyip.com) 12.205.200.1

2. Hosting site cPanel DNS manager for @primarydomain.com - A record for 12.205.200.1
3. Hosting site DIFFERENT cPanel DNS manager for @acceptedomaintoo.com - A record for 66.80.10.1 (IPs they assigned that shouldn't be blacklisted).

4. Hosting site cPanel DNS manager for @primarydomain.com - MX records pointing to our external filtering companies. Two different ones at 10 and 20 priority.
5. Hosting site DIFFERENT cPanel DNS manager for @acceptedomaintoo.com - MX records pointing to our external filtering companies. Two different ones at 10 and 20 priority.

6. Exchange 2010 SMTP connector FQN matches A record - mail.primarydomain.com

I'm not sure where / for which IP the rDNS should be registered, and also not sure if I'm missing something in the DNS setup above.
Expert Comment

by:skullnobrains
ID: 39892805
"their SMTP snippets are showing the A record for the domain rather than the MX, which is propagated and can be confirmed on external tools like mxtoolbox.com"

In SMTP, when there is no MX record, the A record is used instead.

It seems possible that your MX record is missing on one DNS server, so the mail gets sent to the A record, which hosts a server that rejects incoming mail (possibly the Exchange server, which is likely configured to reject any mail that does not come through your filtering service).

Author Comment

by:dee30
ID: 39893382
Skullnobrains, thanks, I get this, but as I said the MX records are verifying, and I posted the DNS/Exchange config setup hoping someone can point out where something was missed.
Bear in mind this has been working all along.

Thx

Author Comment

by:dee30
ID: 39893390
Again, to reiterate, this is my DNS config for my Exchange:

Exchange 2010, part of one domain trust and forest, set to also accept mail from the other domain.

1. Exchange server public IP 12.205.200.1
primarydomain.com hosting company cPanel DNS manager A record 12.205.200.1 for mail.primarydomain.com.
svracceptdomaintoo.com same hosting company, different cPanel DNS manager, A record 66.80.10.1

1a. Our internal DNS server for primarydomain.com has an A record for 66.80.10.1

2. MX records for both (via the same hosting co but separate/their own cPanel access) set to point to the external filtering company that has our public 12.205.200.1 for mail.primarydomain.com and MX records to use. Priority 10 and 20.

3. SPF under the cPanel DNS manager of @primarydomain.com is set up like "v=spf1 +a +mx include:primarydomain.com ip4:12.205.200.1 ptr:primarydomain.com -all"

Exchange 2010 SMTP connector FQN matches A record - mail.primarydomain.com

Not sure if something is missing, or if all is right, or if a reverse DNS entry (PTR record) is needed somewhere?

Accepted Solution

by:
skullnobrains earned 500 total points
ID: 39894206
Would you mind posting the domain name so we can run some basic tests? And the log snippets you were mentioning earlier?

Please don't rely on external tools, or at least post information regarding what they check. Most tools that check "DNS propagation" will check the caches of the main ISPs but not necessarily perform a recursive DNS lookup and check all the NS servers associated with your domain.

"Clients are getting 554 check SMTP settings, their SMTP snippets are showing the A record for the domain rather than the MX"

If the SMTP session is targeted at the A record instead of the MX (which I understand from the previous sentence), the MX is definitely not propagated properly. Maybe we are talking about internal clients from one domain trying to access the other? Then the checks should be performed internally rather than externally. As a general rule, run checks from the location of the machine that reports the failure.

If you're talking about MUAs of internal users such as Thunderbird, Outlook, ..., then the server which receives the connection is hard-coded in their config. Post the relevant information: this may not be DNS/MX-related at all.

---

As far as PTRs are concerned:
- your internal DNS server does not have one. This is unusual but not required.
- your external filtering company does not have one either for 12.... This is likely OK since I'd assume your outgoing mail flows through some different address which does have a PTR. The PTR is not necessary to receive incoming SMTP traffic.

But then I'm unsure you are posting the proper addresses. From my location, I can't connect to port 25 on 12....1, but this may also be because I'm at home and my address is probably on the CBL and various other dynamic IP pool lists.

---

There is a mistake in your SPF field: you should NOT include:domainX in the SPF record of domainX. You may, and probably should, include the SPF record of the primary in the SPF record of your secondary domain. Most SPF implementations will probably just ignore the include. Some will just ignore SPF altogether. It is unlikely, but some may decide to defer or reject the message.
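The two checks the accepted answer points at (an MX set that is missing on one authoritative name server, so some senders fall back to the A record; and an SPF record that includes its own domain), worked through as an added example. This is not code from the thread or from any of the products mentioned. The per-nameserver DNS answers are constructed sample data with placeholder hostnames (ns1.hosting.example, mx1.filter.example and so on); the SPF record is the one quoted in the thread with primarydomain.com substituted in. Nothing here talks to the network.

```python
"""Offline checks for MX-vs-A fallback and SPF self-include (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample answers: what each authoritative server for the domain
# returns when asked directly (e.g. `dig @ns1.hosting.example MX example.com`).
# Hostnames and addresses are placeholders, not the thread's real domains.
SAMPLE_ANSWERS: Dict[str, Dict[str, list]] = {
    "ns1.hosting.example": {
        "MX": [(10, "mx1.filter.example"), (20, "mx2.filter.example")],
        "A": ["66.80.10.1"],
    },
    "ns2.hosting.example": {
        "MX": [],                     # the MX set never reached this server
        "A": ["66.80.10.1"],
    },
}


def delivery_targets(answer: Dict[str, list]) -> Tuple[str, List[str]]:
    """Where an SMTP client would connect, given one server's answer.

    RFC 5321 section 5.1: use MX records in preference order; if the name has
    no MX records, treat its A/AAAA record as an implicit MX of preference 0.
    """
    mx = sorted(answer.get("MX", []))
    if mx:
        return "MX", [host for _pref, host in mx]
    return "A-fallback", list(answer.get("A", []))


def servers_falling_back_to_a(answers: Dict[str, Dict[str, list]]) -> List[str]:
    """Name servers whose answer sends senders to the A record, not the MX.

    A cache-based "propagation" tool can report the MX as fine while one
    authoritative server still lacks it; a sender whose resolver happens to
    ask that server connects straight to the web/Exchange host and is refused.
    """
    return [ns for ns, ans in answers.items()
            if delivery_targets(ans)[0] == "A-fallback"]


# One SPF term: optional qualifier, mechanism/modifier, optional argument,
# optional CIDR suffix (e.g. "+mx", "ip4:192.0.2.0/24", "include:x.example").
SPF_TERM = re.compile(
    r"^([+\-~?]?)(all|include|a|mx|ptr|ip4|ip6|exists|redirect)"
    r"(?:[:=]([^/]*))?(?:/\d{1,3})?$"
)
# Terms that cost a DNS query under the RFC 7208 section 4.6.4 limit of 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_problems(domain: str, record: str, lookup_limit: int = 10) -> List[str]:
    """Static checks on an SPF TXT record published for `domain`.

    Flags the mistake in the thread (include: of the record's own domain),
    the ptr mechanism (RFC 7208 section 5.5 says it SHOULD NOT be used) and
    the DNS-lookup limit. Returns an empty list for a clean record.
    """
    problems: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    lookups = 0
    for term in terms[1:]:
        if term.lower().startswith("exp="):
            continue                        # explanation modifier, no lookup
        m = SPF_TERM.match(term.lower())
        if not m:
            problems.append(f"unrecognised term: {term}")
            continue
        _qual, mech, arg = m.groups()
        if mech in LOOKUP_MECHANISMS:
            lookups += 1
        if mech in ("include", "redirect") and arg == domain.lower():
            # A self-referencing include recurses; unless an earlier mechanism
            # already matched, a compliant evaluator exhausts the lookup
            # budget and returns permerror.
            problems.append(f"{term} refers to the record's own domain")
        if mech == "ptr":
            problems.append(f"{term}: ptr is discouraged by RFC 7208 and "
                            "some receivers ignore it")
    if lookups > lookup_limit:
        problems.append(f"{lookups} DNS-querying terms exceed the limit "
                        f"of {lookup_limit}")
    return problems


if __name__ == "__main__":
    for ns in servers_falling_back_to_a(SAMPLE_ANSWERS):
        print(f"{ns}: no MX published, mail would go to the A record")
    for p in spf_problems("primarydomain.com",
                          "v=spf1 +a +mx include:primarydomain.com "
                          "ip4:12.205.200.1 ptr:primarydomain.com -all"):
        print("SPF:", p)
```

To feed it real data rather than the constructed table, collect the NS set with `dig +short NS primarydomain.com` and then ask each server directly with `dig @<ns> +short MX primarydomain.com`; that is the per-authoritative-server check the answer asks for, as opposed to a resolver cache or a "propagation" site.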

Author Closing Comment

by:dee30
ID: 39914698
Thanks, think good for now... will monitor next and post again if still need help. Thx