exchange 2010

I am sending an email to an outside client, but it is getting rejected with a 4.7.1 error; just this one email is getting rejected.

All other email is working, as shown on my Proofpoint gateway.

I checked with the customer; he says no emails are being rejected by their Exchange server.

David AtkinTechnical DirectorCommented:
Possibly a DNS issue.  Check that your exchange server can resolve the domain name and MX records of your client.
Chris HInfrastructure ManagerCommented:
A 4.7.1 implies that it's not leaving your organization.  Is it possible that the email address you're sending to has been assigned to a contact or user in your AD?

Open a command prompt on the server.

When you get the > prompt, type 'set type=mx' (without quotes).

Then type the name of the mail domain (i.e. if the email is , type '').

Do you get a public IP address?
Chris HInfrastructure ManagerCommented:
Also, are you trying to send FROM as a different user?

Could you provide some more information? Other than 4.7.1, is there verbiage with that reject notice? 4.7.1 can be a number of things depending on the provider that is sending back that error. Some examples are:

** 454 4.7.1 Relay access denied
** Client does not have permission to submit mail to this server. The server response was: 4.7.1 <>: Relay access denied
** 421 4.7.1 : Sender address rejected: Account disabled

The common theme in these appears to be the sender account and its lack of permissions to send email.

However, there are others as well.

** 450 4.7.1 Client Host Rejected Cannot Find Your Hostname
------- This occurs when your receive connector is not set up correctly to issue HELO/EHLO to verify the server's identity.
** 451 4.7.1 Please try again later
** 451 4.7.1 Greylisting in action, come back in x minutes (where x is a number)
------- The two above can be researched here: 

I hope that helps!
pramod1Author Commented:
I am getting the below with this particular email:
deferred: 403 4.7.0 TLS handshake failed
Chris HInfrastructure ManagerCommented:
Your outbound TLS settings are too aggressive for the recipient.
pramod1Author Commented:
So how should I correct it? Please let me know.
Chris HInfrastructure ManagerCommented:

This guy talks about his outlook email client cert expiring
pramod1Author Commented:
I didn't get your answer. It states "disable client-mode STARTTLS"?
Chris HInfrastructure ManagerCommented:
PRAMOD, are you sure you shouldn't be sending to  instead of ?  The one without the hyphen looks shady.
pramod1Author Commented:
How does it look shady? Just concerned.
Chris HInfrastructure ManagerCommented:
I'm about 100000% sure that is a honey pot and does not serve email, have valid MX records, SPF records or would ever abide by a secure TLS policy.

Go to   and then go to


Non-authoritative answer:
        MX preference = 10, mail exchanger =
        MX preference = 10, mail exchanger =
        nameserver =
        nameserver =
        nameserver =
        internet address =
        internet address =
        AAAA IPv6 address = 2001:8a8:21:4::2

        primary name server =
        responsible mail addr =
        serial  = 1437505385
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)
pramod1Author Commented:
Now when I send, it says "mail delayed, we will try again".
pramod1Author Commented:
We are still getting the TLS error (attached).
pramod1Author Commented:
Please find the error (attached).
pramod1Author Commented:
On MXToolbox, I checked SMTP TLS; it says the server cannot do STARTTLS.
pramod1Author Commented:
The recipient disabled TLS and the email started working.

And our Exchange server has STARTTLS enabled, so what does this all mean?
Chris HInfrastructure ManagerCommented:
You may have weaker versions of TLS disabled for security reasons.  I'm noticing in your error messages that you might work for someone in the healthcare industry?  It's mandated (for us and our carriers, at least) that all outgoing email transmission uses TLS 1.2 or higher.

A direct connection indicates they do use TLS, though:
220 ESMTP Server Zurich Airport
250 SPCH1111.zrh.local
220 2.0.0 Ready to start TLS
Chris HInfrastructure ManagerCommented:
Maybe your Cert used for TLS is expired?
pramod1Author Commented:
We were having problems sending email to  and our emails were bouncing back with:
4.7.1 TLS handshake failed.

Our certificate for TLS has not expired.

The recipient disabled TLS and email started flowing.

So how will our email work when they have disabled TLS?
Chris HInfrastructure ManagerCommented:
TLS Mismatch?  

I was able to issue a STARTTLS to both of your mail servers.

Maybe you're not really set up correctly to use TLS.  Is your exchange server hosting the session or do you have an appliance that sends mail?
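The checks discussed above (MXToolbox's "server cannot do STARTTLS", the manual EHLO/STARTTLS transcript, and the "TLS handshake failed" deferral) can be reproduced from one script. This is an added example, not code from the thread or from Exchange/Proofpoint; the host names, ports and EHLO reply are constructed, and probe_starttls() needs network access to a real MX host. It separates the three failure modes a 4.7.x TLS deferral can hide: STARTTLS not advertised, the handshake itself failing (protocol/cipher mismatch), and the handshake succeeding but the certificate not verifying for the host name.

```python
"""Probe an SMTP host for STARTTLS and classify what fails.
Added example; not from the original thread. Host names and the sample
EHLO reply are constructed."""
import smtplib
import socket
import ssl


def parse_ehlo(ehlo_reply) -> dict:
    """Parse the EHLO reply as smtplib.SMTP.ehlo() returns it (status code
    already stripped, one line per extension, first line is the server's
    name) into {EXTENSION: parameters}."""
    if isinstance(ehlo_reply, bytes):
        ehlo_reply = ehlo_reply.decode("ascii", "replace")
    features = {}
    for line in ehlo_reply.splitlines()[1:]:   # skip the server-name line
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        features[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return features


def tls_context(verify_hostname: bool = True,
                min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Default context (CA verification on) with a TLS floor; optionally
    keep CA verification but skip host-name matching, which is the
    'encrypted but host not verified' state the recipient reported."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    if not verify_hostname:
        ctx.check_hostname = False     # verify_mode stays CERT_REQUIRED
    return ctx


def probe_starttls(host: str, port: int = 25, helo_name: str = "probe.example.net",
                   timeout: float = 10.0, verify_hostname: bool = True) -> dict:
    """Connect, EHLO, STARTTLS, and report each stage. 'error' is None
    only when the handshake completed and the certificate verified."""
    result = {"host": host, "starttls_offered": False, "tls_version": None,
              "cert_subject": None, "error": None}
    ctx = tls_context(verify_hostname)
    try:
        with smtplib.SMTP(host, port, local_hostname=helo_name, timeout=timeout) as smtp:
            _code, reply = smtp.ehlo()
            result["starttls_offered"] = "STARTTLS" in parse_ehlo(reply)
            if not result["starttls_offered"]:
                result["error"] = "server does not advertise STARTTLS"
                return result
            smtp.starttls(context=ctx)          # raises on handshake failure
            result["tls_version"] = smtp.sock.version()
            result["cert_subject"] = smtp.sock.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as e:
        # Hostname mismatch and untrusted/expired chain both land here
        result["error"] = f"certificate verification failed: {e.verify_message}"
    except ssl.SSLError as e:
        # Protocol/cipher mismatch, e.g. peer only speaks TLS 1.0 below our floor
        result["error"] = f"TLS handshake failed: {e}"
    except (smtplib.SMTPException, OSError) as e:
        result["error"] = f"SMTP/network error: {e}"
    return result


if __name__ == "__main__":
    # Constructed EHLO reply shaped like the transcript in the thread
    sample = b"SPCH1111.zrh.local\nSIZE 10240000\nSTARTTLS\n8BITMIME"
    print("STARTTLS offered:", "STARTTLS" in parse_ehlo(sample))
    # Live probe (assumed host name; requires network access)
    print(probe_starttls("mx.example.com"))
```

Run it twice against the recipient's MX, once with verify_hostname=True and once with False: if the first returns a "certificate verification failed" error and the second succeeds, the session encrypts fine and the problem is the name on their certificate, not TLS support.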
pramod1Author Commented:
This is the feedback from the recipient server (

[000.734]            Cert Hostname DOES NOT VERIFY ( != *
[000.734]            (see RFC-2818 section 3.1 paragraph 4 for info on wildcard ("*") matching)
[000.734]            So email is encrypted but the host is not verified

They changed something on the parameters.

any inference you can draw
pramod1Author Commented:
our email goes through proofpoint gateway
Chris HInfrastructure ManagerCommented:

Matching is performed using the matching rules specified by
[RFC2459].  If more than one identity of a given type is present in
the certificate (e.g., more than one dNSName name, a match in any one
of the set is considered acceptable.) Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., * matches but
not f*.com matches but not

In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.

Your issue is DNS.

You need two wildcards *.* in your TLS cert from your host provider.
Cert Hostname DOES NOT VERIFY ( != *
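The "Cert Hostname DOES NOT VERIFY ( != *" message above is the host-name matching step of RFC 2818 section 3.1 failing, so it helps to see that rule as code. The following is an added example, not part of the thread and not Proofpoint's or OpenSSL's verifier; the certificate names and host names are constructed. It implements the quoted rule (one "*" matches one label or a fragment of one label) plus the restrictions common verifiers such as OpenSSL and Python's ssl module add (wildcard only in the leftmost label, at most one wildcard), and shows why a name like *.example.com does not cover a host two labels deep.

```python
"""Certificate host-name matching per RFC 2818 s3.1, with the leftmost-
label/single-wildcard restrictions common verifiers add.
Added example; not from the original thread. All names are constructed."""
import re
from typing import Iterable, List, Tuple


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Compare one DNS label. '*' or a fragment like 'f*' matches within
    the label only; it can never span a dot because labels are compared
    one at a time."""
    if "*" not in pattern_label:
        return pattern_label == host_label
    if not host_label:
        return False
    rx = "^" + ".*".join(re.escape(p) for p in pattern_label.split("*")) + "$"
    return re.match(rx, host_label) is not None


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a dNSName pattern from the certificate covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False   # '*' covers exactly one label: *.example.com != a.b.example.com
    wild = [i for i, lbl in enumerate(p_labels) if "*" in lbl]
    if len(wild) > 1 or (wild and wild[0] != 0):
        return False   # '*.*.example.com' and 'mail.*.com' are rejected outright
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def names_from_peercert(peercert: dict) -> List[str]:
    """Identities a verifier compares against, from the dict layout
    ssl.SSLSocket.getpeercert() returns. SAN entries win; the subject CN
    is only a fallback when the certificate has no DNS SANs."""
    sans = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def verify_hostname(cert_names: Iterable[str], hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason) in the style of the message quoted in the thread."""
    names = list(cert_names)
    for name in names:
        if hostname_matches(name, hostname):
            return True, f"{hostname} matched {name}"
    return False, f"Cert Hostname DOES NOT VERIFY ({hostname} != {' | '.join(names)})"


if __name__ == "__main__":
    # Constructed peer certificate: wildcard one level under example.com
    cert = {
        "subject": ((("commonName", "mail.example.com"),),),
        "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    }
    names = names_from_peercert(cert)
    for host in ("mail.example.com", "smtp.mail.example.com", "example.com"):
        print(verify_hostname(names, host))
    # A '*.*.example.com' name is not a fix: verifiers reject it
    print(hostname_matches("*.*.example.com", "smtp.mail.example.com"))
```

The practical consequence for the thread: if the MX host the sender connects to sits more than one label below the wildcard (smtp.mail.example.com under *.example.com), the fix is a certificate whose SAN lists that exact host name, or an MX record pointing at a name the existing certificate already covers; a second wildcard does not help because verifiers refuse it.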
