451 4.1.8 Possibly forged hostname

We have a problem with only one domain: when a sender sends email to this domain, we receive this error

Last Error: 451 4.1.8 Possibly forged hostname for 207.253.1.70

What should I do?

On http://mxtoolbox.com/ everything is ok (green)

Connecting to 207.253.1.67

220 mail.ville.blainville.qc.ca Microsoft ESMTP MAIL Service ready at Mon, 3 Nov 2014 11:41:53 -0500 [624 ms]
EHLO MXTB-PWS3.mxtoolbox.com
250-mail.ville.blainville.qc.ca Hello [64.20.227.133]
250-SIZE 36700160
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING [671 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 Sender OK [671 ms]
RCPT TO: <test@example.com>
550 5.7.1 Unable to relay [5678 ms]

MXTB-PWS3v2 8268ms

I don't know why it's listing 207.253.1.70, because my Exchange server mail.ville.blainville.qc.ca is for 207.253.1.67

Thanks for helping me
Jean-François Guénet, Network Administrator, Asked:
Seth Simmons, Sr. Systems Administrator, Commented:
is .70 your gateway or some anti-spam appliance?
0
Jean-François Guénet, Network Administrator, Author Commented:
It's my Checkpoint firewall with antispam on it
0
Seth Simmons, Sr. Systems Administrator, Commented:
if the mail is going through the firewall (as if exchange is using the firewall as smarthost) then the message would appear as if it was coming from the firewall on .70

if you send a message from there to a gmail address and look at the headers, i'm guessing it shows .70 as received from?
0
Jean-François Guénet, Network Administrator, Author Commented:
yes

Received: from mail.ville.blainville.qc.ca ([207.253.1.70])
0
ReneD100 Commented:
It's a little strange setup then though, because incoming mail would go to .67, (that's where the mx points to). So if your exchange smarthost is pointing to .70 that means you're scanning all outgoing messages for spam, but not the incoming ones...
.70 shows vpn?
vpn.ville.blainville.qc.ca [207.253.1.70]
0
Jean-François Guénet, Network Administrator, Author Commented:
It's a checkpoint fw with antispam on it

We are scanning incoming mails arriving to it (check screenshot)

207.253.1.67 is a NAT for our exchange server in our network

207.253.1.70 is our main ip address for the checkpoint firewall
0
ReneD100 Commented:
If the .70 would point to the DMZ (thus on an internal IP address) I should be able to connect on port 25 on the .70 address and that does not work - only .67. I am personally not familiar with the CheckPoint Firewall, but maybe it has multiple IP addresses defined and .67 is linking to your Exchange?
0
Seth Simmons, Sr. Systems Administrator, Commented:
are you required to scan outgoing messages?  any reason why exchange doesn't connect directly?

the remote system is receiving from .70 though the PTR points to .67 which would cause issues like this; PTR should match the sending address

also noticed no SPF record for your domain; something else you want to consider as some remote systems will drop if missing

http://www.openspf.org/SPF_Record_Syntax
0
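
The PTR mismatch described in the answer above can be checked with a forward-confirmed reverse DNS lookup. The following is an added example, not code from the thread: the `fcrdns` and `check` helpers are hypothetical names, and the PTR/A tables are constructed sample records modelled on the addresses in this thread, not live DNS data.

```python
import socket

def system_ptr(ip):
    """PTR lookup via the system resolver; returns a list of names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_a(name):
    """Forward lookup via the system resolver; returns IPv4 addresses."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def fcrdns(ip, ptr=system_ptr, a=system_a):
    """Classify a sending IP by forward-confirmed reverse DNS.

    Returns (verdict, names):
      'no-ptr'  the IP has no PTR record at all
      'forged'  a PTR exists, but none of its names resolves back to the IP
      'ok'      at least one PTR name resolves back to the IP
    """
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    if not names:
        return "no-ptr", []
    confirmed = [n for n in names if ip in a(n)]
    return ("ok" if confirmed else "forged"), (confirmed or names)

# Constructed records (assumption): both addresses carry a PTR to the mail
# host, but the host's A record lists only the static-NAT address.
PTR = {"207.253.1.67": ["mail.ville.blainville.qc.ca."],
       "207.253.1.70": ["mail.ville.blainville.qc.ca."]}
A = {"mail.ville.blainville.qc.ca": ["207.253.1.67"]}

def check(ip):
    """Run fcrdns against the constructed tables instead of live DNS."""
    return fcrdns(ip, ptr=lambda i: PTR.get(i, []), a=lambda n: A.get(n, []))

if __name__ == "__main__":
    for ip in ("207.253.1.67", "207.253.1.70", "192.0.2.10"):
        print(ip, *check(ip))
```

Calling `fcrdns(ip)` without the table arguments runs the same check against the system resolver, which is how to confirm the address seen in a `Received:` header after a NAT change.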
Jean-François Guénet, Network Administrator, Author Commented:
Thanks, I had two objects in my Checkpoint fw

One object with a static NAT of 207.253.1.67 and one object with no NAT.

I deleted the second one and now everything is fine and no more error message.  If I check the headers now I see 207.253.1.67 instead of 207.253.1.70

Thank you guys

Seth: Do you have a good link to configure an SPF record for my Exchange 2013 on my domain Windows 2012?

Thanks !
0