dangermouse1977
asked on
Mail Flow issue
I have a really urgent issue that I've wasted days going in the wrong direction trying to troubleshoot and now need some help please experts!
Many messages sent through my exchange server are sitting in the outbound queue with the error
451 4.4.0 Primary target IP address responded with "421 please try again later" attempted to failover to alternate host but that did not succeed.
I have googled this error, but the resulting posts are too complicated for me to follow without risking breaking my server completely.
Would some kind soul please talk me through fixing this issue.
Many messages sent through my exchange server are sitting in the outbound queue with the error
451 4.4.0 Primary target IP address responded with "421 please try again later" attempted to failover to alternate host but that did not succeed.
I have googled this error, but the resulting posts are too complicated for me to follow without risking breaking my server completely.
Would some kind soul please talk me through fixing this issue.
ASKER
It seems likely that this is caused by the fact that my forward and reverse DNS entries do not match.... there is one digit different in the IP address.
Which one is correct, the IP address for the forward DNS or the IP address for the rDNS and where do I go to change them?
Which one is correct, the IP address for the forward DNS or the IP address for the rDNS and where do I go to change them?
ASKER
I've tried to follow those instructions, however every domain i try to telnet to immediately responds with 421 please try again later, connection to host lost
My e-mail sending error only applies to certain domains (including some fairly large ones like gmail and hotmail) and it applies to all messages sent to any of those domains by anyone in my company.
My e-mail sending error only applies to certain domains (including some fairly large ones like gmail and hotmail) and it applies to all messages sent to any of those domains by anyone in my company.
Dear DangerMouse,
I do not suspect your exchange server as you are saying it is able to send emails to certain domains.
It's not clear about your DNS concerns. If you are concerned about your MX records, PTR records and SPF records, please go to http://mxtoolbox.com and check your records.
If you suspect something is wrong there you need to contact your ISP to make changes there.
I do not suspect your exchange server as you are saying it is able to send emails to certain domains.
It's not clear about your DNS concerns. If you are concerned about your MX records, PTR records and SPF records, please go to http://mxtoolbox.com and check your records.
If you suspect something is wrong there you need to contact your ISP to make changes there.
ASKER
Hi
I apoligise, I probably haven't explained myself too well...let me give you the exact details then maybe my issue (and the fix) will be clearer.
when I use MXToolbox to check for blacklisting, it reports that my IP address 94.200.114.244 is listed on UCEProtect...... UCEProtect says that it's listed because...
94.200.114.244:
Reverse DNS (PTR) exists and claimes to be: mail.adc-international.com
Forward DNS for mail.adc-international.com
WARNING: Forward-DNS does NOT match Reverse-DNS.
DNS is INCONSISTENT.
however, i'm confused because when I run an MX record check on mail.adc-international.com
when I run a reverse lookup on 94.200.114.245 it links to mail.adc-international.com
so that to me says that all is OK...
however.... when i run a reverse lookup to 94.200.114.244 it also links to mail.adc-international
Could this be the cause of the confusion?
I apoligise, I probably haven't explained myself too well...let me give you the exact details then maybe my issue (and the fix) will be clearer.
when I use MXToolbox to check for blacklisting, it reports that my IP address 94.200.114.244 is listed on UCEProtect...... UCEProtect says that it's listed because...
94.200.114.244:
Reverse DNS (PTR) exists and claimes to be: mail.adc-international.com
Forward DNS for mail.adc-international.com
WARNING: Forward-DNS does NOT match Reverse-DNS.
DNS is INCONSISTENT.
however, i'm confused because when I run an MX record check on mail.adc-international.com
when I run a reverse lookup on 94.200.114.245 it links to mail.adc-international.com
so that to me says that all is OK...
however.... when i run a reverse lookup to 94.200.114.244 it also links to mail.adc-international
Could this be the cause of the confusion?
You can check your Reverse DNS on www.blacklistalert.org - MXToolbox won't report correctly, so ignore those results please.
According to that site, you have Reverse DNS configured properly.
I don't see any Blacklistings that I would be concerned about either, so have you cleared any recently?
You also have a neutral reputation on www.senderbase.org.
So - as has been suggested, run a telnet test to a problem recipient and see what they respond with when trying to send them an email.
If you have reverse DNS setup on the .244 address, I would remove it and also and DNS records pointing mail.yourdomain.com to the .244 address and see if that changes anything.
Alan
According to that site, you have Reverse DNS configured properly.
I don't see any Blacklistings that I would be concerned about either, so have you cleared any recently?
You also have a neutral reputation on www.senderbase.org.
So - as has been suggested, run a telnet test to a problem recipient and see what they respond with when trying to send them an email.
If you have reverse DNS setup on the .244 address, I would remove it and also and DNS records pointing mail.yourdomain.com to the .244 address and see if that changes anything.
Alan
Are a lot of those email addresses Yahoo email addresses? It doesn't take much for Yahoo to decide they don't like your domain and "421 please try again later" is the error they usually give although... trying later probably won't help.
I do not find any MX records for your domain. There are DNS records only.
MX-Records.png
MX-Records.png
This is what I get not using MXToolbox!
preference = 25 sgmail.adc-international.c
preference = 100 mailbackup.active-ns.com. [93.89.85.137]
preference = 21 mail.adc-international.com
preference = 25 sgmail.adc-international.c
preference = 100 mailbackup.active-ns.com. [93.89.85.137]
preference = 21 mail.adc-international.com
Alan is true http://www.dnsqueries.com/en/mx-lookup.php is reporting your MX records.
But I am not sure why your records are not seen by MXtoolbox.com
Your records are not a problem.
But I am not sure why your records are not seen by MXtoolbox.com
Your records are not a problem.
ASKER
Alan
That looks right to me, highest priority is our exchange box in head office, next is the linked exchange box at our office in Singapore and finally the mailbackup at the ISP where the domain is registered.
You'll see from the attachment what I get from blacklistalerts when I run the query.
Finally, I tried to do the telnet thing to a domain with mail stuck in the queue.
telnet olivegroup.com 25
i get an immediate response of 421please try again later
connection to host lost
That looks right to me, highest priority is our exchange box in head office, next is the linked exchange box at our office in Singapore and finally the mailbackup at the ISP where the domain is registered.
You'll see from the attachment what I get from blacklistalerts when I run the query.
Finally, I tried to do the telnet thing to a domain with mail stuck in the queue.
telnet olivegroup.com 25
i get an immediate response of 421please try again later
connection to host lost
Are you sending from the .244 address?
ASKER
This is probably the crux of the matter, this server was not set up by me so I don't actually know what we're sending from.... If you tell me how to check I will post back asap
Visit www.whatismyip.com from the Exchange server or send me a test email to testmail@sohomail.co.uk and I'll tell you.
Alan
Alan
After you go to whatismyip.com as Alan suggested, you will need to confirm your IP address you got matches your DNS records. (note: this IP address SHOULD match the WAN IP address on your internet router/firewall)
To do this you will need to go logon your DNS host's webpage(usually your domain name registrar), and configure the entries there to match your IP address.
You will first need to configure an "A record" to point at your IP address.. something like mail.mydomain.com
Then create an MX record, which will reference your A record. When done, this should be your only MX record listed (unless you have a backup "store-and-forward" service available from a third party, in which case, you would add that service's address as a secondary MX record.)
The PTR record is a bit more difficult to setup, and you will actually need to ask your ISP to set this up for you. (Only they can make this record change, since they "own" the IP address you are given)
To do this you will need to go logon your DNS host's webpage(usually your domain name registrar), and configure the entries there to match your IP address.
You will first need to configure an "A record" to point at your IP address.. something like mail.mydomain.com
Then create an MX record, which will reference your A record. When done, this should be your only MX record listed (unless you have a backup "store-and-forward" service available from a third party, in which case, you would add that service's address as a secondary MX record.)
The PTR record is a bit more difficult to setup, and you will actually need to ask your ISP to set this up for you. (Only they can make this record change, since they "own" the IP address you are given)
ASKER
OK.... it gets more curious
whatsmyip shows 94.200.114.244
The WAN IP address on my router is 94.200.114.244
All of my DNS searches though reveal 94.200.114.245
Our 1st MX record is set to 94.200.114.245
the Host A record is also .245
I should also possibly point out that we've been working fine with this config for 3 years now, I haven't changed anything!
I'm getting really confused now!
whatsmyip shows 94.200.114.244
The WAN IP address on my router is 94.200.114.244
All of my DNS searches though reveal 94.200.114.245
Our 1st MX record is set to 94.200.114.245
the Host A record is also .245
I should also possibly point out that we've been working fine with this config for 3 years now, I haven't changed anything!
I'm getting really confused now!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Now that might make sense... .244 and .245 are definately part of the range of addresses that we have from our ISP and I do vaguely remember being told that the system was set up with an amount of bandwidth reserved for exchange traffic with another amount used for standard web traffic.
I have sent the mail to the address above.
I have sent the mail to the address above.
Okay - I received that from the .245 address not the .244 address.
As that is all setup correctly, you will need to contact the domains that don't like you and ask them to stop blocking you or tell you what the problem is (not that I can see any) and then you might be able to resolve the problem.
Alan
As that is all setup correctly, you will need to contact the domains that don't like you and ask them to stop blocking you or tell you what the problem is (not that I can see any) and then you might be able to resolve the problem.
Alan
ASKER
If it's OK with both, I'm going to split the points between Korbus and Alan.... my issue isn't solved yet but you've both helped hugely and given me a much more defined area to look at.
They are your points and whatever you decide to do with them is fine by me. If you need any additional help, please just post again here.
Thanks for the points and good luck getting the last leg sorted.
Alan
Thanks for the points and good luck getting the last leg sorted.
Alan
I agree with Alan. (what a surprise, lol)
Looks like you are indeed going to need to give them a call. Might be a good idea to start with a smaller domain, admins tend to be more available/approachable at smaller places than say, gmail.
Happy to help further, if possible, and if you figure it out yourself, please post back the resolution.
Looks like you are indeed going to need to give them a call. Might be a good idea to start with a smaller domain, admins tend to be more available/approachable at smaller places than say, gmail.
Happy to help further, if possible, and if you figure it out yourself, please post back the resolution.
Does this issue occur with only certain recipient domains, or is it totally random? Any patterns you can spot might be helpful.