Exchange 2010 periodically rejecting Asana.com email alerts

Our company has been using the 3rd party service Asana.com for the past year.  Last week their system alerts stopped being delivered and Asana was receiving error 550 5.7.1 Access denied from our Exchange 2010 system.   To me this usually meant a configuration issue within their DNS record that our system didn't like.

Then everything became sporadic.  We would get some of the alerts, some users received more and some users received zero.

I have been in contact with Asana support.  The only thing I could find was running a DNS report on Asana.com I would get the following error: Malformed greeting or no A records found matching banner text for following servers, and banner is not an address literal.  

Asana.com does have an SPF record.  They use Google Apps for email and a couple of 3rd party mail list programs.

We have gone through a few troubleshooting steps and I have added Asana.com to our Exchange 2010 white list.  Anything else that I can try or have them modify on their end I would appreciate it.  

I had to explain to them why I would not modify my system to be an open relay.  

We do not have any issues receiving alerts from any other system and Asana reps say the same thing.  Unfortunately all troubleshooting will have to start from my end, they won't assist proactively without my prompting.   I am just running out of ideas of what I can do on my side.
jbmos2333 Asked:
datadrew Commented:
A quick nslookup shows this:
Default Server:  router.asus.com
Address:  10.3.7.1

> set q=mx
> asana.com
Server:  router.asus.com
Address:  10.3.7.1

Non-authoritative answer:
asana.com       MX preference = 10, mail exchanger = aspmx.l.google.com
asana.com       MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
asana.com       MX preference = 30, mail exchanger = alt2.aspmx.l.google.com
asana.com       MX preference = 40, mail exchanger = aspmx2.googlemail.com
asana.com       MX preference = 50, mail exchanger = aspmx3.googlemail.com
> set q=txt
> asana.com
Server:  router.asus.com
Address:  10.3.7.1

Non-authoritative answer:
asana.com       text =

        "google-site-verification=ELz_Zq8mezZ-jMGFhX6bz95lUtBDnE5U7reJR-5qVkM"
asana.com       text =

        "google-site-verification=PsdrQY64fgMD4yY4BzT63Mh9XiPxa_LoRJO2UGfgnmQ"
asana.com       text =

        "v=spf1 include:sendgrid.net include:_spf.google.com include:spf.mtasv.net include:spf.recurly.com a:phab.asana.com/32 -all"
>

What we've learned here is they are using Google Apps for their corp email, not specifically their "alert" email.  You will need to pull the headers from their rejected emails and take a look. Check the originating IP against the IPs listed in the MX records.

Pref  Hostname                 IP Address              TTL
10    aspmx.l.google.com       64.233.160.27           7 days
10    aspmx.l.google.com       2607:f8b0:4003:c0d::1a  7 days
20    alt1.aspmx.l.google.com  64.233.185.27           7 days
20    alt1.aspmx.l.google.com  2607:f8b0:4002:c09::1b  7 days
30    alt2.aspmx.l.google.com  173.194.205.27          7 days
30    alt2.aspmx.l.google.com  2607:f8b0:400d:c02::1a  7 days
40    aspmx2.googlemail.com    173.194.219.27          7 days
40    aspmx2.googlemail.com    2607:f8b0:4002:c09::1b  7 days
50    aspmx3.googlemail.com    173.194.205.27          7 days
50    aspmx3.googlemail.com    2607:f8b0:400d:c02::1b  7 days

If your rejected emails are coming from an IP outside this range, this is the reason for the rejections.

In the SPF query, there is something that says: phab.asana.com/32, this may be a block of webservers kicking the alerts out.  

Like most things, you will have to really do the investigation to get them to fix whatever the problem is.  Assuming your Exchange server is configured correctly, and it sounds as though it is, you'll probably find they added a new alert/web server that is outside of their SPF record.  Add it to your whitelist, and then you are off to the races.  Next step, after you finish that, and get things working, inform Asana, and get a discount, or bill them for your time.
0
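
The check suggested in the answer above (take the originating IP from a rejected message's headers and compare it with the sender's SPF record), as an added example that is not part of the original thread. The SPF string is the one from the nslookup output; the `TXT` and `A` tables, the two header samples and the function names `check_spf` and `verdict` are constructed for illustration, and the sending domain is assumed to be asana.com.

```python
import ipaddress
import re
from email import message_from_string

# SPF record exactly as shown in the nslookup output above.
ASANA_SPF = ("v=spf1 include:sendgrid.net include:_spf.google.com "
             "include:spf.mtasv.net include:spf.recurly.com "
             "a:phab.asana.com/32 -all")
# Constructed stand-in for DNS (RFC 5737 addresses, not real zone data).
TXT = {"asana.com": ASANA_SPF,
       "sendgrid.net": "v=spf1 ip4:192.0.2.0/25 ~all",
       "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
       "spf.mtasv.net": "v=spf1 ip4:203.0.113.0/26 ~all",
       "spf.recurly.com": "v=spf1 ip4:203.0.113.128/26 ~all"}
A = {"phab.asana.com": ["192.0.2.200"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Constructed headers: one sender inside the record, one outside it.
LISTED = "Received: from o1.example ([192.0.2.10])\n by exch01.example\n\n"
UNLISTED = "Received: from web9.example ([203.0.113.250])\n by exch01.example\n\n"

def check_spf(ip, domain, depth=0):
    """Subset of RFC 7208: ip4, a:host/len, include and all mechanisms only."""
    record = TXT.get(domain)
    if record is None or depth > 10:
        return "permerror" if depth else "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = QUALIFIERS.get(term[0], "pass")
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "ip4":
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host, _, plen = arg.partition("/")
            hit = any(addr in ipaddress.ip_network(f"{a}/{plen or 32}", strict=False)
                      for a in A.get(host or domain, []))
        elif name == "include":
            # An include matches only when the nested record returns "pass".
            hit = check_spf(ip, arg, depth + 1) == "pass"
        else:
            hit = name == "all"
        if hit:
            return qual
    return "neutral"

def verdict(raw_headers, domain="asana.com"):
    """SPF result for the IP in the topmost Received header (added by your server)."""
    top = message_from_string(raw_headers).get_all("Received")[0]
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top).group(1)
    return check_spf(ip, domain)
```

With the constructed data, `verdict(LISTED)` returns "pass" and `verdict(UNLISTED)` returns "fail", the result a sender that falls through to `-all` gets.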
jbmos2333 Author Commented:
Thanks for the info.  We didn't make any changes on our end and all of a sudden the alerts started working.   I agree that the web servers they use must have changed or something for this to just stop working.  No problems for a year.  

I usually encounter these types of issues with other smaller companies and it's easier to work through and I can help them test.  This was more difficult.

I got nervous when they told me that I needed to make my system an open relay.   I knew I was in some trouble working with their tech team and their grasp of email protocols.  Then I literally got a message that said please tell us what else we can test on our end or how to make configuration changes.

Good times.
0
jbmos2333 Author Commented:
The feedback validated info that I was looking for in helping a 3rd party troubleshoot email delivery issues.
0
datadrew Commented:
Glad this was helpful. I have had the same problems before, and generally, if you can firewall off the IPs of the webservers you are OK, until they change the IPs or retire the servers.  

Lazy coders!
0

Question has a verified solution.
