Solved

451 4.1.8 Possibly forged hostname

Posted on 2014-11-03
Last Modified: 2014-11-03
We have a problem with only one domain: when senders send emails to this domain, we receive this error

Last Error: 451 4.1.8 Possibly forged hostname for 207.253.1.70

What should I do?

On http://mxtoolbox.com/ everything is ok (green)

Connecting to 207.253.1.67

220 mail.ville.blainville.qc.ca Microsoft ESMTP MAIL Service ready at Mon, 3 Nov 2014 11:41:53 -0500 [624 ms]
EHLO MXTB-PWS3.mxtoolbox.com
250-mail.ville.blainville.qc.ca Hello [64.20.227.133]
250-SIZE 36700160
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING [671 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 Sender OK [671 ms]
RCPT TO: <test@example.com>
550 5.7.1 Unable to relay [5678 ms]

MXTB-PWS3v2 8268ms

I don't know why it's listing 207.253.1.70 because my exchange server mail.ville.blainville.qc.ca is for 207.253.1.67

Thanks for helping me
Question by:jfguenet

Expert Comment

by:Seth Simmons
ID: 40419857
is .70 your gateway or some anti-spam appliance?

Author Comment

by:jfguenet
ID: 40419885
It's my checkpoint firewall with antispam on it

Expert Comment

by:Seth Simmons
ID: 40419939
if the mail is going through the firewall (as if exchange is using the firewall as smarthost) then the message would appear as if it was coming from the firewall on .70

if you send a message from there to a gmail address and look at the headers, I'm guessing it shows .70 as received from?

Author Comment

by:jfguenet
ID: 40419973
yes

Received: from mail.ville.blainville.qc.ca ([207.253.1.70])

Expert Comment

by:ReneD100
ID: 40419977
It's a little strange setup then though, because incoming mail would go to .67, (that's where the mx points to). So if your exchange smarthost is pointing to .70 that means you're scanning all outgoing messages for spam, but not the incoming ones...
.70 shows vpn?
vpn.ville.blainville.qc.ca [207.253.1.70]

Author Comment

by:jfguenet
ID: 40419993
It's a checkpoint fw with antispam on it

We are scanning incoming mails arriving to it (check screenshot)

207.253.1.67 is a NAT for our exchange server in our network

207.253.1.70 is our main ip address for the checkpoint firewall

Accepted Solution

by:ReneD100
ID: 40420058
If the .70 would point to the DMZ (thus on an internal IP address) I should be able to connect on port 25 on the .70 address and that does not work - only .67. I am personally not familiar with the CheckPoint Firewall, but maybe it has multiple IP addresses defined and .67 is linking to your Exchange?

Assisted Solution

by:Seth Simmons
ID: 40420081
are you required to scan outgoing messages?  any reason why exchange doesn't connect directly?

the remote system is receiving from .70 though the PTR points to .67 which would cause issues like this; PTR should match the sending address

also noticed no SPF record for your domain; something else you want to consider as some remote systems will drop if missing

http://www.openspf.org/SPF_Record_Syntax

Author Closing Comment

by:jfguenet
ID: 40420773
Thanks, I had two objects in my checkpoint fw

One object with a static nat of 207.253.1.67 and one object with no nat.

I deleted the second one and now everything is fine and no more error message.  If I check the headers now I see 207.253.1.67 instead of 207.253.1.70

Thank you guys

Seth: Do you have a good link to configure SPF record for my exchange 2013 on my domain Windows 2012?

Thanks!
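Added example (not part of the original thread): a small Python check for the mismatch discussed above, where mail leaves from an address whose reverse DNS or HELO name does not line up with it. It goes slightly beyond the thread by also reporting a missing or unconfirmed PTR; the addresses and host names in the demo are constructed (documentation range, hypothetical names), and the default resolvers use the system DNS.

```python
import socket

def _ptr(ip):
    """Live PTR lookup; returns [] when the address has no reverse record."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def _addrs(name):
    """Live forward lookup (A/AAAA); returns an empty set on failure."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def check_sender(client_ip, helo_name, ptr=_ptr, addrs=_addrs):
    """Classify the identity an outbound relay presents to a receiving MTA."""
    names = ptr(client_ip)
    if not names:
        return "no-ptr"
    # Forward-confirm: at least one PTR name must resolve back to the client IP.
    if not any(client_ip in addrs(n) for n in names):
        return "ptr-not-forward-confirmed"
    # The HELO/EHLO name should also resolve to the connecting address.
    if client_ip not in addrs(helo_name):
        return "helo-mismatch"
    return "ok"

# Constructed DNS data for the demo (hypothetical names, documentation addresses).
PTR = {"192.0.2.70": ["fw.example.org"], "192.0.2.67": ["mail.example.org"],
       "192.0.2.71": ["ghost.example.org"]}
A = {"mail.example.org": {"192.0.2.67"}, "fw.example.org": {"192.0.2.70"}}

def demo(ip, helo):
    """Run check_sender against the constructed tables instead of live DNS."""
    return check_sender(ip, helo, ptr=lambda i: PTR.get(i, []),
                        addrs=lambda n: A.get(n, set()))

if __name__ == "__main__":
    # Mail leaving from the firewall's own address while announcing the mail host.
    print(demo("192.0.2.70", "mail.example.org"))
    # Mail leaving from the static NAT address of the mail server.
    print(demo("192.0.2.67", "mail.example.org"))
```

Calling `check_sender(ip, helo)` without the `ptr` and `addrs` arguments runs the same checks against live DNS for the address seen in a remote `Received:` header.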