Solved

Exchange 2010 send/receive troubles with just a few domains, others working fine

Posted on 2014-04-11
462 Views
Last Modified: 2014-04-14
About five weeks ago we started getting email rejection notices for only certain domains we send to. We also started getting phone calls that we could not receive email sent to us from just a few domains. 90% of the in/out email is working without trouble but a few select domains started having trouble either sending or receiving with our domain. No updates or changes to the environment that I can think of.

When our email is rejected, we receive a delay notice or two and finally a rejection with '#550 4.4.7'

The rejection notice going back to those whom we cannot receive from is '451 Timeout Trying to Verify RCPT'

VMware VM Server 2008 R2 with Exchange 2010 running Forefront, domain name is domain.com and using iPage hosting and mail traffic via mail.domain.com

Troubleshooting so far:
- Scanned entire network with AV and Malwarebytes...everything shows clean at servers and workstations
- Checked blacklists, nothing listed for our domain or the domains we have trouble with
- MXToolbox shows no Reverse DNS PTR record found and time out delay warning but not a failure
- Messages in Exchange queue are all valid from good senders to good addresses with code 451 4.4.0
- Put in a work ticket with ISP for a PTR record to be established, not complete yet
- No SPF record in DNS, I need help creating and installing one if anyone thinks it would help, I'm a noob with this
- Our domain has been using the server's own self authored security certificate for years without trouble but I'm thinking of purchasing an authority authored one and installing it if you guys think it would help?
- I've added domains to whitelist in ForeFront and via the exchange powershell for domains that we could not receive email from, no help
0
Question by:Ryan Gates
28 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39995068
Hi Ryan,

Okay - can you ping a test email to testmail @ sohomail.co.uk and I'll see if you are configured properly for sending and report back on anything odd that I find.

What Router / Firewall do you have and is it up-to-date with Firmware?

An SSL certificate won't help with mail-flow, but IMHO, you should buy one and add one if you want to have Mobile Phones and Outlook Anywhere working (shout if this is all greek to you).

Alan
0
 

Author Comment

by:Ryan Gates
ID: 39995120
That all makes sense to me...I'll send a test email to that address. Our office hasn't been using OWA and the mobile phones have been working with the accept all certificates setting so the SSL hasn't been an issue....but it's always bugged me...so I think I'm going to get it anyway so everything is proper. I think my biggest trouble now is not having a PTR setup with our ISP and the reverse DNS not working correctly because of it.

However, our email exchange has been working this way for years...why all the sudden is it a problem with only a few select domains?

Standby for test email ping....thanks again!
0
 

Author Comment

by:Ryan Gates
ID: 39995133
Alan, I'm doing something wrong...could you walk me through the steps to send an email test to you? I apologize for being a noob! lol

You are talking about using Telnet...aren't you?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39995163
No - just write me an email and send it to the address above - add a subject e.g. Test and hit send.  If you get past my defences, great, if not, then you should get an informative bounce and we can progress from there.
0
 

Author Comment

by:Ryan Gates
ID: 39995190
Test message sent and no bounce back so far... no sign of it in my exchange queue either...any luck getting it on your end?

To answer your question about my router, it's a Cisco Linksys E4200
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 39995202
Okay - email received.

Few problems to correct.

1. The FQDN on your SEND Connector should be mail.domain.com (not posting your actual domain name here - I'll tidy up the question later to remove it from the actual question).
2. Your Reverse DNS is currently set to www.domain.com and needs to be changed to mail.domain.com - whilst what you have is correct as www.domain.com resolves to your IP Address and looking up the IP Address returns www.domain.com, you don't put www.domain.com as the FQDN on your SEND connector (well - you don't usually).

Your SPF record doesn't include your current IP Address and should be set differently, but I'll tackle that in your other question.

Alan
0
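The three points in the accepted solution (send connector FQDN, forward/reverse DNS agreement, SPF coverage of the sending IP) can be checked from the Exchange server itself. The script below is an added example, not code from the thread or from Alan; it assumes the Exchange Management Shell on Exchange 2010, and `$PublicIp`, `$ExpectedFqdn` and `$Domain` are placeholders to replace with your own values.

```powershell
# Added example, not code from the thread: checks the three items from the
# accepted solution (send connector FQDN, forward/reverse DNS agreement, SPF)
# from the Exchange server itself. Assumed: run in the Exchange Management
# Shell on Exchange 2010; $PublicIp, $ExpectedFqdn and $Domain are placeholders.
$PublicIp     = '203.0.113.10'      # placeholder: the fixed public IP the ISP assigned
$ExpectedFqdn = 'mail.domain.com'   # placeholder: the name on the connector and the PTR
$Domain       = 'domain.com'        # placeholder: the email domain

# 1. FQDN announced in HELO/EHLO by each send connector. When it is blank,
#    Exchange announces the transport server's own name (the .local name Alan saw).
foreach ($conn in Get-SendConnector) {
    $fqdn = [string]$conn.Fqdn
    if ($fqdn -eq '') {
        Write-Warning ("Send connector '{0}' has no FQDN set" -f $conn.Name)
    } elseif ($fqdn -ne $ExpectedFqdn) {
        Write-Warning ("Send connector '{0}' announces '{1}', expected '{2}'" -f $conn.Name, $fqdn, $ExpectedFqdn)
    } else {
        Write-Host ("Send connector '{0}' FQDN OK: {1}" -f $conn.Name, $fqdn)
    }
}

# 2. Forward-confirmed reverse DNS: name -> IP and IP -> name must agree,
#    which is what the two nslookup calls Alan describes verify by hand.
try   { $forward = @([System.Net.Dns]::GetHostAddresses($ExpectedFqdn) | ForEach-Object { $_.IPAddressToString }) }
catch { $forward = @() }
if ($forward -contains $PublicIp) {
    Write-Host "A record OK: $ExpectedFqdn -> $PublicIp"
} else {
    Write-Warning "A record for $ExpectedFqdn is '$forward', not $PublicIp"
}
try   { $ptr = [System.Net.Dns]::GetHostEntry($PublicIp).HostName }
catch { $ptr = $null }
if ($ptr -eq $ExpectedFqdn) {
    Write-Host "PTR OK: $PublicIp -> $ptr"
} else {
    Write-Warning "PTR for $PublicIp is '$ptr', expected $ExpectedFqdn (only the ISP can change it)"
}

# 3. SPF: the domain's TXT record should cover the IP the server sends from.
#    nslookup is used because Server 2008 R2 has no Resolve-DnsName.
$spf = @(nslookup -type=TXT $Domain 2>$null | Where-Object { $_ -match 'v=spf1' })
if ($spf.Count -eq 0) {
    Write-Warning "No SPF record found for $Domain"
} elseif ($spf -match [regex]::Escape("ip4:$PublicIp")) {
    Write-Host "SPF lists the sending IP: $spf"
} else {
    Write-Warning "SPF record does not list $PublicIp (check include:/a: mechanisms by hand): $spf"
}
```

All three lookups go through the DNS servers the Exchange box itself uses, so if they fail outright while the same names resolve from another machine, the problem is local name resolution rather than the records.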
 

Author Comment

by:Ryan Gates
ID: 39995249
Thank you, Alan...

1. I understand needing to change the FQDN on my send connector - I'm rusty but sure I can google the 'how to' and remind myself how to navigate exchange to change that

2. Is there something I can do locally on my server to get the Reverse DNS to resolve properly or do I need to file a trouble ticket with my ISP to have them update my PTR? If I do need to make the change with my ISP do I request that they ADD mail.mydomain.com in addition to www.mydomain.com or do I have that replaced so that mail.mydomain.com is the only reference in the record?

I'll work on changing my send connector's FQDN until I hear back from you. Thanks for all the help!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39995260
For 1 - open up the Exchange Management Console and drill down to Organisation Config> Hub Transport> Send Connector> Your Send Connector and then select your SEND Connector and choose Properties.  Then modify the FQDN and click OK.

Restart the Microsoft Exchange Transport Service service afterwards (always good practise when you change something like the SEND or RECEIVE connector).

For 2 - you need to ask your ISP to make the change on your fixed IP Address.

Alan
0
 

Author Comment

by:Ryan Gates
ID: 39995276
Okay, just to be sure and remove all my doubt in myself...I'm going to contact my ISP and ask them to change my reverse DNS in my PTR record for the SIP I'm using, from www.mydomain.com to mail.mydomain.com, correct?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39995287
100% correct.
0
 

Author Comment

by:Ryan Gates
ID: 39995298
Okay, I'm filing my trouble ticket with my ISP right now...then I'll finish changing my FQDN on my send connector...then is it a waiting game to see if I can send/receive with those few problematic domains or is there something else I can do in the meantime? Would it be appropriate to send another test email to you after these changes are made...I know my ISP won't have the PTR record changed that soon, but would it help test everything else?
0
 

Author Comment

by:Ryan Gates
ID: 39995344
I've attached an SMTP report run with MXToolbox...I understand the warning on my reverse DNS...you addressed that here and I've requested the change with my ISP...is there anything you can do to help me with the second warning on TRANSACTION TIME ? Should I be concerned? Think that will resolve when I get my FQDN on my send connector right and my ISP updates the DNS record?
smtp-report-4.11.14.docx
0
 

Author Comment

by:Ryan Gates
ID: 39995358
Alan, I realize I've posted several questions without waiting for your answers above this post. I thank you again for all your attention.

I changed my FQDN on my send connector...guess what I found when I got there? It was blank! I added in mail.mydomain.com and am restarting the service. I'm curious about a setting I saw there...

Do I set the "protocol logging level:" to 'Verbose' or leave it at 'None'?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39995359
I wouldn't worry about it personally.  My transaction time to my 2010 server is slower than yours and I'm on Fibre!!  I've never had any problems now nor did I when I was on regular broadband.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39995364
Wait until you have made all the changes and your ISP has changed your Reverse DNS record before trying the problem domains again.  If they still reject you then fire another test email across, but I would expect my server to accept your message.

You may have to contact the remote domain and ask them why they are not letting your messages through - they may be blacklisting you for some reason that isn't readily apparent.

Protocol logging is useful if you are troubleshooting mail-flow issues.  Set to None normally, but change to Verbose if you want to start examining the logs, which you will need to configure / enable so that you can examine and interpret the logs to help solve issues.
0
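The same changes can be made from the Exchange Management Shell instead of the console: the FQDN step Alan walked through above, the transport restart, and the protocol logging level he mentions, followed by reading the log that Verbose produces. This is an added example, not code from the thread; it assumes Exchange 2010, and the connector name and FQDN are placeholders.

```powershell
# Added example, not code from the thread: the Exchange Management Shell
# equivalent of the EMC steps Alan gave for the send connector FQDN, with the
# protocol logging he mentions turned on and its log read back. Assumed:
# Exchange 2010; the connector name and FQDN are placeholders.
$ConnectorName = 'Internet Send Connector'  # placeholder: list yours with Get-SendConnector
$Fqdn          = 'mail.domain.com'          # placeholder, as used in the thread

# 1. Set the FQDN used in HELO/EHLO and switch the connector's logging to Verbose
Set-SendConnector -Identity $ConnectorName -Fqdn $Fqdn -ProtocolLoggingLevel Verbose
Get-SendConnector -Identity $ConnectorName | Format-List Name, Fqdn, ProtocolLoggingLevel

# 2. Restart transport so the change is picked up (Alan's advice)
Restart-Service MSExchangeTransport

# 3. Send a test message, wait for the retry, then read the send protocol log.
#    Its lines are CSV under '#Fields:' header lines; events marked '<' are
#    the remote server's replies, so a 4xx/5xx there is the other side's verdict.
$logDir = [string](Get-TransportServer -Identity $env:COMPUTERNAME).SendProtocolLogPath
$fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'
$rows = Get-ChildItem $logDir -Filter '*.log' |
    ForEach-Object { Get-Content $_.FullName | Where-Object { $_ -notmatch '^#' } } |
    ConvertFrom-Csv -Header $fields

$rows | Where-Object { $_.event -eq '<' -and $_.data -match '^[45]\d\d' } |
    Select-Object 'date-time', 'remote-endpoint', 'data' |
    Format-Table -AutoSize

# 4. Back to None once you have what you need, as Alan recommends
# Set-SendConnector -Identity $ConnectorName -ProtocolLoggingLevel None
```

The filtered table shows, per remote endpoint, the exact SMTP reply the other side gave, which is the quickest way to tell a DNS failure on your side (no connection logged at all) from a rejection by the remote server.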
 

Author Comment

by:Ryan Gates
ID: 39995397
Okay, thank you...I've done all that you've suggested and I'm only waiting on my ISP to report the reverse DNS record is updated. I'll try the remote domains again after that and report back here.

I'm still very, very curious...why, for years now, has my domain worked sending/receiving emails with these problematic remote domains and all the sudden at once I have trouble with about 6 of them? All at once and at the same time my filter started allowing more spam/junk mail through. Yet, the majority of the other remote domains we send/receive with have gone on as normal and continued to work fine?

My reverse DNS problem showed in tests but never stopped email in the past years and I've never installed an SPF record of my own...I just used the default one from our host service...also, same server and send connector with a blank FQDN all this time. I wonder what the trigger was with these domains?

Have you ever heard of something like this?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39995410
It is difficult to know for sure, but they could have updated something their side of the equation and now they have more strict anti-spam checks going on.

Technically your Reverse DNS is configured correctly - it's not wrong - but your FQDN wasn't set correctly and as you had a .local domain name in it and as .local domains are being phased out by the world (as of Nov 2015 as far as SSL certificate names are concerned), they may have decided they don't like you all of a sudden.

You may never get to the bottom of the reasons why - all you can do is make sure your side is configured as best as possible and that you are RFC compliant and if you are, then if you get rejected, you know it's not for any reason you have control over.

IT is always a constantly changeable beast.  Updates come out, newer firmware for hardware etc and sometimes updates break more than they fix!  As it is so fluid, it can work happily for years and then a small, insignificant change can make a dramatic difference.
0
 

Author Comment

by:Ryan Gates
ID: 39995418
I'm curious what tool you used to check all my DNS and mail flow? I've been using MXToolbox. I've used the MS Exchange test tool in the past too when troubleshooting MX with our mobile devices....is that what you used? How would I test this myself to see similar results?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39995429
I use www.dnsstuff.com - I have a subscription for the tools that aren't free and it's a very useful site.  That tells me info about your Domain (well - the domain report does at least).

With the mail-flow it is a case of looking at the Vamsoft Logs on my Exchange 2010 server and tools like nslookup (from a command prompt).

nslookup IP_Address returns the Reverse DNS record (if assigned) and nslookup mail.domain.com returns the IP Address - to work properly, they should all match each other.

The MS test site is great for lots of troubleshooting and is a massively useful tool.

I used to use MXTOOLBOX but hardly ever use it now.

I also use www.blacklistalert.org and dnsstuff for details of any sites an IP Address may be listed on and www.senderbase.org for IP Address reputation.
0
 

Author Comment

by:Ryan Gates
ID: 39995465
Great...thanks for the tips! I guess I'm just waiting on the ISP to update my reverse DNS and then I can test mail flow with those remote domains again. I'll report back then.

I'm brand new to the community here...I'm wondering if there is a way to "friend" other members to stay in touch or to send private messages or a chat room setting? Or do I have to just remember your name so I can send a shout for help in the future?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39995496
Yep - it should all come good in a short amount of time (with any luck).

EE doesn't have a way to contact other members on-site (yet), but plans are in the making for that to happen.

Some Experts (me included) do have their email addresses posted in their EE Profiles, so you can make direct contact if you want to.

If you post a question on EE and don't get any responses then you can use the Request Attention button to call the Moderators, who can be busy (and are all volunteers) and they should respond to your Request as soon as they can.

Alan
0
 

Author Comment

by:Ryan Gates
ID: 39996176
Alan, I got an email from my ISP stating the changes had been made with a copy of the record. I sent it to your email for your review before I confirmed it was correct with them. I got a delayed delivery with your domain now too... I'm sure it will reject soon.

Message:
Delivery is delayed to these recipients or groups:

alan@alxxxxxxxsty.com (alan@alxxxxxxxsty.com)

Subject: FW: CI001099642 ptr record updated

This message hasn't been delivered yet. Delivery will continue to be attempted.

The server will keep trying to deliver this message for the next 1 days, 19 hours and 55 minutes. You'll be notified if the message can't be delivered by that time.
0
 

Author Comment

by:Ryan Gates
ID: 39996190
Please see previous post... I'll email that PTR info with my personal email account so it will go through.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39996202
Please don't send the test to that account - use the testmail @ sohomail.co.uk.

That's my personal Microsoft Account, but it still begs the question why you can't send to MS, but that may be a case of having to request de-listing from them.

alan
0
 

Author Comment

by:Ryan Gates
ID: 39996438
Alan, or anyone else reading this, I'm still having the same problem with the same remote domains accepting my email. I haven't confirmed, and won't be able to until the work week, but I assume the same remote domains that I could not receive from are having the same problem as well...even though I've made these changes and whitelisted them in FF and MXPS.

Alan, I've sent another test email to you from my problematic domain...do you see any clues there?

My Reverse DNS PTR record has been changed and with my ISP and reports fine now, as far as I can tell, and I've added an SPF record to my DNS profile with my host service, and I've changed my FQDN on my send connector as directed here.

I still have messages in my exchange queue with a '451 4.4.0 dns query failed' error. I've manually sent them to 'retry' a couple of times.

Is there maybe a wait time with these remote domains I'm having trouble with? Do they query my DNS as soon as I send or am I going to have to wait for them to propagate the changes I've made on my local server and with my services? One of the domains is an MS domain and another is a .gov domain; substantially prominent domains that I would expect not to have a problem with at this point.

Could my FF filter/settings be causing trouble with sending or would that only be with the receiving? I suppose I could turn it completely off and try the domains again to test it?

I'm starting to think I have something else going on besides just the dns errors....despite changing those to a correct standard recently....all mail traffic has been working fine for years with these remote domains until just a few weeks back, and they all rejected me at once, I'm so puzzled. HELP???
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 39997945
The other possibility is that the domains can't be resolved properly in DNS.  Are you using DNS forwarders to lookup external Domain Names?

Have you tried telnet to test out the connection to the problem remote servers?  If you can telnet to the FQDN of the remote server happily, then DNS isn't an issue.  If you can't but you can to the IP Address, then DNS is an issue.

Try that and if you can't resolve the names, add forwarders to your DNS servers and try it again.

Alan
0
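Alan's by-name versus by-IP test can be scripted so it runs against every problem domain at once, with the MX lookup done both through the server's own DNS and through an independent resolver, which is what separates "the remote rejects us" from "our server cannot resolve them". This is an added example, not code from the thread; it assumes PowerShell 2.0 on the Exchange 2010 / Server 2008 R2 box (no Resolve-DnsName), and the domain list and resolver address are placeholders.

```powershell
# Added example, not code from the thread: Alan's telnet-by-name versus
# telnet-by-IP test, scripted for the problem domains, with MX lookups done
# both through this server's DNS and through an independent resolver.
# Assumed: PowerShell 2.0 on the Exchange 2010 / Server 2008 R2 box (no
# Resolve-DnsName); the domain list and resolver address are placeholders.
$ProblemDomains      = @('remote1.example', 'remote2.example')  # placeholders
$IndependentResolver = '8.8.8.8'                                # placeholder resolver reachable from the server

function Get-MxHosts([string]$domain, [string]$server) {
    # Parse the 'mail exchanger = host' lines nslookup prints; $server is optional
    $nsArgs = @('-type=MX', $domain)
    if ($server) { $nsArgs += $server }
    & nslookup $nsArgs 2>$null | ForEach-Object {
        if ($_ -match 'mail exchanger = (\S+)') { $matches[1].TrimEnd('.') }
    }
}

function Get-AddressesViaResolver([string]$name, [string]$server) {
    # The first Address line is the resolver itself; the rest are the answer
    $lines = @(& nslookup $name $server 2>$null | ForEach-Object {
        if ($_ -match '^Address(es)?:\s+(\S+)') { $matches[2] }
    })
    if ($lines.Count -gt 1) { $lines[1..($lines.Count - 1)] }
}

function Test-SmtpBanner([string]$target) {
    # Connect to port 25 and return the 220 banner, or the reason it failed
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($target, 25, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne(5000)) { return 'connect timeout' }
        $client.EndConnect($ar)
        $stream = $client.GetStream(); $stream.ReadTimeout = 5000
        $reader = New-Object System.IO.StreamReader($stream)
        $banner = $reader.ReadLine()
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.WriteLine('QUIT'); $writer.Flush()
        return $banner
    } catch {
        return "failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

foreach ($domain in $ProblemDomains) {
    $mxLocal  = @(Get-MxHosts $domain)
    $mxPublic = @(Get-MxHosts $domain $IndependentResolver)
    if ($mxLocal.Count -eq 0 -and $mxPublic.Count -gt 0) {
        Write-Warning "$domain - MX resolves via $IndependentResolver but not via this server's DNS: check forwarders"
    }
    foreach ($mx in ($mxPublic | Select-Object -Unique)) {
        Write-Host "$mx by name: $(Test-SmtpBanner $mx)"
        foreach ($ip in @(Get-AddressesViaResolver $mx $IndependentResolver)) {
            Write-Host "$mx by IP $ip : $(Test-SmtpBanner $ip)"
        }
    }
}

# Reading the result the way Alan describes: banner by name and by IP means
# DNS is fine; banner by IP only means this server cannot resolve the remote
# names. On Server 2008 R2 the DNS role's forwarders are set with dnscmd, e.g.
#   dnscmd /ResetForwarders 203.0.113.53 203.0.113.54     (placeholder ISP resolvers)
# and Exchange transport can be pointed at resolvers directly with
#   Set-TransportServer -Identity $env:COMPUTERNAME -ExternalDNSAdapterEnabled $false -ExternalDNSServers 203.0.113.53
```

The banner is read and a QUIT sent straight away, so nothing is delivered; the point is only to see whether the remote answers when reached by name and when reached by address.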
 

Author Closing Comment

by:Ryan Gates
ID: 39999257
Yep, that's it...had local DNS issues too and no forwarders...It's all working well now, thanks so much for the help, the tips, and the links. I appreciate all your time!
0
