Mail Flow issue

I have a really urgent issue that I've wasted days going in the wrong direction trying to troubleshoot and now need some help please experts!

Many messages sent through my exchange server are sitting in the outbound queue with the error

451 4.4.0 Primary target IP address responded with "421 please try again later" attempted to failover to alternate host but that did not succeed.

I have googled this error, but the resulting posts are too complicated for me to follow without risking breaking my server completely.

Would some kind soul please talk me through fixing this issue.
dangermouse1977 Asked:
Korbus Commented:
I would start with a sanity check: use telnet to simulate an SMTP connection to the domain that is sending you this response (http://exchangeguy.blogspot.com/2007/06/using-telnet-to-simulate-server.html). This will help determine if the issue is related to your Exchange server, or something else. If you get a similar response using the telnet session, that would eliminate your Exchange server.

Does this issue occur with only certain recipient domains, or is it totally random?  Any patterns you can spot might be helpful.
0
dangermouse1977 (Author) Commented:
It seems likely that this is caused by the fact that my forward and reverse DNS entries do not match.... there is one digit different in the IP address.

Which one is correct, the IP address for the forward DNS or the IP address for the rDNS and where do I go to change them?
0
dangermouse1977 (Author) Commented:
I've tried to follow those instructions, however every domain I try to telnet to immediately responds with 421 please try again later, connection to host lost.

My e-mail sending error only applies to certain domains (including some fairly large ones like gmail and hotmail) and it applies to all messages sent to any of those domains by anyone in my company.
0
pcmghouse Commented:
Dear DangerMouse,

I do not suspect your exchange server as you are saying it is able to send emails to certain domains.
It's not clear about your DNS concerns. If you are concerned about your MX records, PTR records and SPF records, please go to http://mxtoolbox.com and check your records.
If you suspect something is wrong there you need to contact your ISP to make changes there.
0
dangermouse1977 (Author) Commented:
Hi

I apologise, I probably haven't explained myself too well... let me give you the exact details, then maybe my issue (and the fix) will be clearer.

When I use MXToolbox to check for blacklisting, it reports that my IP address 94.200.114.244 is listed on UCEProtect... UCEProtect says that it's listed because...

94.200.114.244:
Reverse DNS (PTR) exists and claimes to be: mail.adc-international.com

Forward DNS for mail.adc-international.com is: 94.200.114.245


WARNING: Forward-DNS does NOT match Reverse-DNS.
DNS is INCONSISTENT.

However, I'm confused, because when I run an MX record check on mail.adc-international.com it links to 94.200.114.245.
When I run a reverse lookup on 94.200.114.245 it links to mail.adc-international.com.

So that to me says that all is OK...

However... when I run a reverse lookup on 94.200.114.244 it also links to mail.adc-international

Could this be the cause of the confusion?
0
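The forward-confirmed reverse DNS test that the UCEProtect output above reports on, as an added example that is not part of the original thread. The lookup tables are constructed from the records quoted in the posts; the .246 address is a hypothetical address with no PTR record, added to show the third outcome.

```python
import socket


def system_reverse(ip):
    """PTR names for ip from the OS resolver (empty list if there are none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except (socket.herror, socket.gaierror):
        return []


def system_forward(name):
    """IPv4 A records for name from the OS resolver (empty list on failure)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def fcrdns(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS (IPv4): a PTR name of ip must resolve back to ip."""
    names = [n.rstrip(".").lower() for n in reverse(ip)]
    if not names:
        return {"ip": ip, "status": "NO_PTR", "ptr": [], "forward": {}}
    fwd = {n: sorted(forward(n)) for n in names}
    ok = any(ip in addrs for addrs in fwd.values())
    status = "CONSISTENT" if ok else "MISMATCH"
    return {"ip": ip, "status": status, "ptr": names, "forward": fwd}


# Constructed lookup tables mirroring the records quoted in the thread.
PTR = {"94.200.114.244": ["mail.adc-international.com"],
       "94.200.114.245": ["mail.adc-international.com."]}
A = {"mail.adc-international.com": ["94.200.114.245"]}


def demo():
    """Run the check offline against the constructed tables."""
    rev = lambda ip: PTR.get(ip, [])
    fwd = lambda name: A.get(name, [])
    ips = ("94.200.114.244", "94.200.114.245", "94.200.114.246")
    return [fcrdns(ip, rev, fwd) for ip in ips]


if __name__ == "__main__":
    for r in demo():
        print(r["ip"], r["status"], r["forward"])
```

Calling `fcrdns(ip)` without the two resolver arguments runs the same check against live DNS for whichever address the mail actually leaves from.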
Alan Hardisty (Co-Owner) Commented:
You can check your Reverse DNS on www.blacklistalert.org - MXToolbox won't report correctly, so ignore those results please.

According to that site, you have Reverse DNS configured properly.

I don't see any Blacklistings that I would be concerned about either, so have you cleared any recently?

You also have a neutral reputation on www.senderbase.org.

So - as has been suggested, run a telnet test to a problem recipient and see what they respond with when trying to send them an email.

If you have reverse DNS set up on the .244 address, I would remove it and also any DNS records pointing mail.yourdomain.com to the .244 address and see if that changes anything.

Alan
0
Dave Baldwin (Fixer of Problems) Commented:
Are a lot of those email addresses Yahoo email addresses?  It doesn't take much for Yahoo to decide they don't like your domain and "421 please try again later" is the error they usually give although... trying later probably won't help.
0
pcmghouse Commented:
I do not find any MX records for your domain. There are DNS records only.
MX-Records.png
0
Alan Hardisty (Co-Owner) Commented:
This is what I get not using MXToolbox!

preference = 25 sgmail.adc-international.com. [203.126.89.195]
preference = 100 mailbackup.active-ns.com. [93.89.85.137]
preference = 21 mail.adc-international.com. [94.200.114.245]
0
pcmghouse Commented:
Alan is right: http://www.dnsqueries.com/en/mx-lookup.php is reporting your MX records.
But I am not sure why your records are not seen by MXtoolbox.com.

Your records are not a problem.
0
dangermouse1977 (Author) Commented:
Alan

That looks right to me, highest priority is our exchange box in head office, next is the linked exchange box at our office in Singapore and finally the mailbackup at the ISP where the domain is registered.

You'll see from the attachment what I get from blacklistalerts when I run the query.

DNS result
Finally, I tried to do the telnet thing to a domain with mail stuck in the queue.

telnet olivegroup.com 25

I get an immediate response of 421 please try again later
connection to host lost
0
Alan Hardisty (Co-Owner) Commented:
Are you sending from the .244 address?
0
dangermouse1977 (Author) Commented:
This is probably the crux of the matter, this server was not set up by me so I don't actually know what we're sending from.... If you tell me how to check I will post back asap
0
Alan Hardisty (Co-Owner) Commented:
Visit www.whatismyip.com from the Exchange server or send me a test email to testmail@sohomail.co.uk and I'll tell you.

Alan
0
Korbus Commented:
After you go to whatismyip.com as Alan suggested, you will need to confirm that the IP address you got matches your DNS records. (Note: this IP address SHOULD match the WAN IP address on your internet router/firewall.)

To do this you will need to log on to your DNS host's webpage (usually your domain name registrar), and configure the entries there to match your IP address.

You will first need to configure an "A record" to point at your IP address.. something like mail.mydomain.com  

Then create an MX record, which will reference your A record.  When done, this should be your only MX record listed (unless you have a backup "store-and-forward" service available from a third party, in which case, you would add that service's address as a secondary MX record.)

The PTR record is a bit more difficult to setup, and you will actually need to ask your ISP to set this up for you.  (Only they can make this record change, since they "own" the IP address you are given)
0
dangermouse1977 (Author) Commented:
OK.... it gets more curious

whatsmyip shows 94.200.114.244
The WAN IP address on my router is 94.200.114.244

All of my DNS searches though reveal 94.200.114.245
Our 1st MX record is set to 94.200.114.245
the Host A record is also .245

I should also possibly point out that we've been working fine with this config for 3 years now, I haven't changed anything!

I'm getting really confused now!
0
Korbus Commented:
It's POSSIBLE that is in fact a valid IP address for your mail!
Some firewalls have the ability to use multiple WAN IP addresses.  Some admins choose to use this to make normal web traffic flow on one WAN IP address, and email traffic flow on a second IP.  You will need to dig into your firewall config to see about this.   If this IS the case in your situation, looking at the firewall & NAT rules would show this .245 address. (Also, note that in this scenario, whatismyipadress.com web traffic would NOT show the IP address your system uses for email- it would only show the IP address used for normal web traffic!)

Before making any DNS changes, better figure out exactly what's happening on the firewall. You can also check with your ISP to confirm that .245 address is indeed yours.

I cannot test your exchange server at that .245 address at the moment, but perhaps another expert can.

Possible cause of issue suddenly cropping up after three years: perhaps you WERE using the .245 address, and your ISP messed up and gave it to someone else!   This is a total shot in the dark, of course.  We'll get to something solid, may just take a bit more digging.
0

Alan Hardisty (Co-Owner) Commented:
Send me a test email to the address above and I will confirm what your IP is when you send out and if that is the .244, then you need to change Reverse DNS and configure a new DNS record and change the FQDN on the server or point mail to a different DNS record e.g., inbound.domain.com or something equally creative ;)

Alan
0
dangermouse1977 (Author) Commented:
Now that might make sense... .244 and .245 are definitely part of the range of addresses that we have from our ISP and I do vaguely remember being told that the system was set up with an amount of bandwidth reserved for Exchange traffic with another amount used for standard web traffic.

I have sent the mail to the address above.
0
Alan Hardisty (Co-Owner) Commented:
Okay - I received that from the .245 address not the .244 address.

As that is all setup correctly, you will need to contact the domains that don't like you and ask them to stop blocking you or tell you what the problem is (not that I can see any) and then you might be able to resolve the problem.

Alan
0
dangermouse1977 (Author) Commented:
If it's OK with both, I'm going to split the points between Korbus and Alan.... my issue isn't solved yet but you've both helped hugely and given me a much more defined area to look at.
0
Alan Hardisty (Co-Owner) Commented:
They are your points and whatever you decide to do with them is fine by me.  If you need any additional help, please just post again here.

Thanks for the points and good luck getting the last leg sorted.

Alan
0
Korbus Commented:
I agree with Alan.  (what a surprise, lol)

Looks like you are indeed going to need to give them a call.  Might be a good idea to start with a smaller domain,  admins tend to be more available/approachable at smaller places than say, gmail.  
Happy to help further, if possible, and if you figure it out yourself, please post back the resolution.
0