pramod1
asked on
exchange 2010
i am sending one email to outside client but is getting rejected with error 4.7.1 error , just this email is getting rejected
all other email are working fine.it showed on my proof point gateway.
I checked the customer end, he says no emails are being rejected by their exchange server
all other email are working fine.it showed on my proof point gateway.
I checked the customer end, he says no emails are being rejected by their exchange server
Possibly a DNS issue. Check that your exchange server can resolve the domain name and MX records of your client.
A 4.7.1 implies that it's not leaving your organization. Is it possible that email you're sending to has been assigned to a contact or user in your AD?
OPen a command prompt on the server.
Type NSLOOKUP
when you get > type 'set type=mx'
(without quotes)
then type the name of the mail domain (ie if email chris@send.com type 'send.com')
Do you get a public IP address?
OPen a command prompt on the server.
Type NSLOOKUP
when you get > type 'set type=mx'
(without quotes)
then type the name of the mail domain (ie if email chris@send.com type 'send.com')
Do you get a public IP address?
Also, are you trying to send FROM as a different user?
Pramod1,
Could you provide some more information? Other than 4.7.1, is there verbiage with that reject notice? 4.7.1 can be a number of things depending on the provider that is sending back that error. Some examples are:
** 454 4.7.1 Relay access denied
** Client does not have permission to submit mail to this server. The server response was: 4.7.1 <alias@domain.com>: Relay access denied
** 421 4.7.1 : Sender address rejected: Account disabled
The common theme in these appears to be the sender account and its lack of permissions to send email.
However, there are others as well.
** 450 4.7.1 Client Host Rejected Cannot Find Your Hostname
------- This occurs when your receive connector is not setup correctly to issue HELO/EHLO to verify the server's identity.
** 451 4.7.1 Please try again later
** 451 4.7.1 Greylisting in action, come back in x minutes (where x is a number)
------- The two above can be researched here: https://support.google.com/postini/answer/1408989?hl=en
I hope that helps!
Could you provide some more information? Other than 4.7.1, is there verbiage with that reject notice? 4.7.1 can be a number of things depending on the provider that is sending back that error. Some examples are:
** 454 4.7.1 Relay access denied
** Client does not have permission to submit mail to this server. The server response was: 4.7.1 <alias@domain.com>: Relay access denied
** 421 4.7.1 : Sender address rejected: Account disabled
The common theme in these appears to be the sender account and its lack of permissions to send email.
However, there are others as well.
** 450 4.7.1 Client Host Rejected Cannot Find Your Hostname
------- This occurs when your receive connector is not setup correctly to issue HELO/EHLO to verify the server's identity.
** 451 4.7.1 Please try again later
** 451 4.7.1 Greylisting in action, come back in x minutes (where x is a number)
------- The two above can be researched here: https://support.google.com/postini/answer/1408989?hl=en
I hope that helps!
ASKER
I am getting below with particular email.
deferred: 403 4.7.0 TLS handshake failed
deferred: 403 4.7.0 TLS handshake failed
Your outbound TLS settings are too aggressive for the recipient.
ASKER
so how should I correct it, please let me know
serverfault.com/questions/ 667692/rea son-403-4- 7-0-tls-ha ndshake-fa iled
This guy talks about his outlook email client cert expiring
This guy talks about his outlook email client cert expiring
ASKER
I didn't get your answer, it states disable disable client-mode starttls?
ASKER
david I did below
C--Users-con-ccisat1pwk-Desktop-I-amgett
C--Users-con-ccisat1pwk-Desktop-I-amgett
PRAMOD, Are you sure you shouldn't be sending to zurich-airport.com instead of zurichairport.com? The one without the hyphen looks shady.
ASKER
how it looks shady, just concerned?
I'm about 100000% sure that zurichairport.com is a honey pot and does not serve email, have valid MX records, SPF records or would ever abide by a secure TLS policy.
Go to www.zurichairport.com and then go to www.zurich-airport.com
MX RECORDS:
ZURICH-AIRPORT.COM
Non-authoritative answer:
zurich-airport.com MX preference = 10, mail exchanger = smtp02.zurich-airport.com
zurich-airport.com MX preference = 10, mail exchanger = smtp01.zurich-airport.com
zurich-airport.com nameserver = ns2.zrh.aero
zurich-airport.com nameserver = ns2.init7.net
zurich-airport.com nameserver = ns1.zrh.aero
smtp02.zurich-airport.com internet address = 194.146.215.104
smtp01.zurich-airport.com internet address = 194.146.215.103
ns2.init7.net AAAA IPv6 address = 2001:8a8:21:4::2
ZURICHAIRPORT.COM
zurichairport.com
primary name server = buy.internettraffic.com
responsible mail addr = hostmaster.hostingnet.com
serial = 1437505385
refresh = 10800 (3 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
Go to www.zurichairport.com and then go to www.zurich-airport.com
MX RECORDS:
ZURICH-AIRPORT.COM
Non-authoritative answer:
zurich-airport.com MX preference = 10, mail exchanger = smtp02.zurich-airport.com
zurich-airport.com MX preference = 10, mail exchanger = smtp01.zurich-airport.com
zurich-airport.com nameserver = ns2.zrh.aero
zurich-airport.com nameserver = ns2.init7.net
zurich-airport.com nameserver = ns1.zrh.aero
smtp02.zurich-airport.com internet address = 194.146.215.104
smtp01.zurich-airport.com internet address = 194.146.215.103
ns2.init7.net AAAA IPv6 address = 2001:8a8:21:4::2
ZURICHAIRPORT.COM
zurichairport.com
primary name server = buy.internettraffic.com
responsible mail addr = hostmaster.hostingnet.com
serial = 1437505385
refresh = 10800 (3 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
ASKER
now when I send it says mail delayed , we will try again
ASKER
We are still getting the TLS error(attached)
C--Users-con-ccisat1pwk-Desktop-We-are-s
C--Users-con-ccisat1pwk-Desktop-We-are-s
ASKER
ASKER
on mxtool box , I checked smtp tls , it says server cannot do starttls
ASKER
receipent disabled tls and the email started working
and our exchange server has starttls enabled, so what does this all mean
and our exchange server has starttls enabled, so what does this all mean
You may have weaker versions of TLS disabled for security reasons. I'm noticing in your error messages that you might work for someone in the healthcare industry? It's mandated all outgoing email communication (for us and our carriers, at least) that all email transmission uses TLS 1.2 or higher.
A direct connection indicates they do use TLS, though:
220 ESMTP Server Zurich Airport
helo mydomain.com
250 SPCH1111.zrh.local
STARTTLS
220 2.0.0 Ready to start TLS
A direct connection indicates they do use TLS, though:
220 ESMTP Server Zurich Airport
helo mydomain.com
250 SPCH1111.zrh.local
STARTTLS
220 2.0.0 Ready to start TLS
Maybe your Cert used for TLS is expired?
ASKER
we were having problems sending email to Zurich-airport.com and our email were bouncing back with
4.7.1 tls handshake failed.
our certificate for tls has not expired.
the receipent Zurich-airport.com disabled tls and email started flowing.
so how our email will work when they have disabled tls
4.7.1 tls handshake failed.
our certificate for tls has not expired.
the receipent Zurich-airport.com disabled tls and email started flowing.
so how our email will work when they have disabled tls
TLS Mismatch?
I was able to issue a STARTTLS to both of your mail server.
Maybe you're not really set up correctly to use TLS. Is your exchange server hosting the session or do you have an appliance that sends mail?
I was able to issue a STARTTLS to both of your mail server.
Maybe you're not really set up correctly to use TLS. Is your exchange server hosting the session or do you have an appliance that sends mail?
ASKER
This is the feedback from receipent server (Zurich-airport.com)-IT
[000.734] Cert Hostname DOES NOT VERIFY (mxb-001b1801.gslb.pphoste d.com != *.pphosted.com)
[000.734] (see RFC-2818 section 3.1 paragraph 4 for info on wildcard ("*") matching)
[000.734] So email is encrypted but the host is not verified
They changed something on the parameters.
any inference you can draw
[000.734] Cert Hostname DOES NOT VERIFY (mxb-001b1801.gslb.pphoste
[000.734] (see RFC-2818 section 3.1 paragraph 4 for info on wildcard ("*") matching)
[000.734] So email is encrypted but the host is not verified
They changed something on the parameters.
any inference you can draw
ASKER
our email goes through proofpoint gateway
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.