#550 4.4.7 QUEUE.Expired; message expired ##

Victor Esselman
Like many others, I also have the problem #550 4.4.7 QUEUE.Expired; message expired ##
Exchange 2010 has worked fine for years; suddenly it refuses to send mail to some e-mail addresses.

I checked, MXtoolbox
reverse DNS (PTR) is set
in the Exchange send connector the FQDN is filled in and is the same as the PTR


Please advise,

Many thanks Victor

Hi,

It sounds like your domain doesn’t designate permitted sender hosts (anymore). I suggest that you check and see if you still have an SPF record for your domain.

Cheers
Arif Khan, System Administrator

Commented:
Yes, I used to get this kind of problem; gmail.com and some other domains were rejecting my mail. Verify and correct your PTR and SPF record.

Arif Khan, System Administrator

Commented:
I suggest you also check the blacklists for your domain and IP.
Hi,

Okay, then I don't think there is an issue with your domain, but it could well be a DNS issue.

4.4.7:

4.x.x = Persistent Transient Failure
x.4.x = Network and Routing Status
x.x.7 = Delivery time expired

On the Exchange server, drop to an admin command prompt and see if you can resolve the MX records for the particular domains:

nslookup

set q=mx

somedomain.com

If not, then you can try to clear the DNS cache by flushing with 'ipconfig /flushdns' and stopping and starting the DNS service.

Cheers
Okay so it appears it does have a DNS issue:

      SMTP Banner Check -- Reverse DNS does not match SMTP Banner

Furthermore, it accepts mail to domains for which it is not responsible and then passes it along to the proper server. So it is kind of acting like an open relay. Your server responded with a 200 accepted code to an RCPT TO command of a non-existing address/domain, so it could well be relaying loads and loads of e-mails as we speak.
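
The banner check reported above (reverse DNS not matching the SMTP banner) can be reproduced with a short script. This is an added example, not part of the original thread; the IP address and host names in it are constructed, and leaving the two lookup arguments at their defaults runs the same comparison against the live resolver.

```python
import re
import socket

def banner_host(banner_line):
    """Return the hostname announced in an SMTP 220 greeting, or None."""
    m = re.match(r"220[ -](\S+)", banner_line.strip())
    return m.group(1).lower().rstrip(".") if m else None

def live_ptr(ip):
    """Reverse lookup via the system resolver; [] when no PTR exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def live_a(host):
    """Forward lookup via the system resolver; [] when the name fails."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def check_sender_identity(ip, banner_line, ptr_lookup=live_ptr, a_lookup=live_a):
    """Compare banner name, PTR of the sending IP and the name's A records.

    Returns a list of findings; an empty list means all three agree.
    """
    host = banner_host(banner_line)
    if host is None:
        return ["no 220 greeting found"]
    findings = []
    ptr_names = [n.lower().rstrip(".") for n in ptr_lookup(ip)]
    if not ptr_names:
        findings.append(f"no PTR record for {ip}")
    elif host not in ptr_names:
        findings.append(f"PTR {ptr_names} does not match banner {host}")
    if ip not in a_lookup(host):
        findings.append(f"{host} does not resolve back to {ip}")
    return findings

if __name__ == "__main__":
    # Constructed sample data: documentation IP and made-up host names.
    banner = "220 mail.example.test Microsoft ESMTP MAIL Service ready"
    ptr = {"203.0.113.10": ["static-10.isp.example."]}
    a = {"mail.example.test": ["203.0.113.10"]}
    for finding in check_sender_identity(
            "203.0.113.10", banner,
            lambda ip: ptr.get(ip, []), lambda h: a.get(h, [])):
        print(finding)
```

The IP to pass in is the public address the send connector's traffic leaves from, which is the address the receiving side looks up.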

Author

Commented:
Hi, thanks for helping me investigate this,

See the results for both domains, patyna.nl and opella.nl:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.CSZ>nslookup
Default Server:  UnKnown
Address:  192.168.140.35

> set q=mx
> patyna.nl
Server:  UnKnown
Address:  192.168.140.35

Non-authoritative answer:
patyna.nl       MX preference = 10, mail exchanger = mail02.patyna.nl
patyna.nl       MX preference = 10, mail exchanger = mail01.patyna.nl

mail02.patyna.nl        internet address = 185.103.16.42
mail01.patyna.nl        internet address = 185.103.16.41
>
>
> opella.nl
Server:  UnKnown
Address:  192.168.140.35

Non-authoritative answer:
opella.nl       MX preference = 10, mail exchanger = mailrelay.acknowledge.nl
opella.nl       MX preference = 10, mail exchanger = mailrelay.acknowledge.services
opella.nl       MX preference = 30, mail exchanger = mailrelay002.acknowledge.services
opella.nl       MX preference = 20, mail exchanger = mailrelay001.acknowledge.services

mailrelay.acknowledge.nl        internet address = 185.99.205.234
mailrelay.acknowledge.nl        internet address = 185.99.205.233
mailrelay.acknowledge.services  internet address = 185.99.205.233
mailrelay.acknowledge.services  internet address = 185.99.205.234
mailrelay002.acknowledge.services       internet address = 185.99.205.234
mailrelay001.acknowledge.services       internet address = 185.99.205.233
>

About the open relay:
I accept incoming mail on port 25 only from an external cloud spam filter. They can't bypass the spam filter to drop it directly at mail.collegesanering.nl on port 25.
I send mail only through the send connector, FQDN = mail.collegesanering.nl
The mail queue is almost empty, no excessive network traffic at all.

I've been searching for weeks now and I'm out of options.......

Best regards,

Victor
Arif Khan, System Administrator

Commented:
Why is your DNS name not getting resolved? If you have enabled IPv6, then disable it from the registry and reboot the server.

Author

Commented:
Hi,

IPv6 was off, so I fixed the Server: Unknown issue.
I fixed the DNS; the reverse lookup zone was missing.



> set q=mx
> opella.nl
Server:  csz1.csz.ad
Address:  192.168.140.35

Non-authoritative answer:
opella.nl       MX preference = 10, mail exchanger = mailrelay.acknowledge.nl
opella.nl       MX preference = 10, mail exchanger = mailrelay.acknowledge.services
opella.nl       MX preference = 20, mail exchanger = mailrelay001.acknowledge.services
opella.nl       MX preference = 30, mail exchanger = mailrelay002.acknowledge.services

mailrelay.acknowledge.nl        internet address = 185.99.205.233
mailrelay.acknowledge.nl        internet address = 185.99.205.234
mailrelay.acknowledge.services  internet address = 185.99.205.234
mailrelay.acknowledge.services  internet address = 185.99.205.233
mailrelay001.acknowledge.services       internet address = 185.99.205.233
mailrelay002.acknowledge.services       internet address = 185.99.205.234
> patyna.nl
Server:  csz1.csz.ad
Address:  192.168.140.35

Non-authoritative answer:
patyna.nl       MX preference = 10, mail exchanger = mail01.patyna.nl
patyna.nl       MX preference = 10, mail exchanger = mail02.patyna.nl

mail01.patyna.nl        internet address = 185.103.16.41
mail02.patyna.nl        internet address = 185.103.16.42
>

I sent new test mails; I'll let you know.

Best regards.

Author

Commented:
Still the same problem:

This message hasn't been delivered yet. Delivery will continue to be attempted.
The server will keep trying to deliver this message for the next 1 days, 19 hours and 56 minutes. You'll be notified if the message can't be delivered by that time.

If I test via MXToolbox, it says SOA Expire Value out of recommended range?
I investigated this; nslookup tells me:
> collegesanering.nl

collegesanering.nl
        primary name server = ns1.reasonnet.com
        responsible mail addr = hostmaster.collegesanering.nl
        serial  = 2018020201
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)

The recommended TTL is between 2-4 hours; can that be the problem?

I'm lost, any help is welcome?

thanks in advance.

Author

Commented:
NSlookup

office365.com
        primary name server = sn2mgt0101dc120.prdmgt01.prod.exchangelabs.com
        responsible mail addr = msnhst.microsoft.com
        serial  = 2014389395
        refresh = 1800 (30 mins)
        retry   = 900 (15 mins)
        expire  = 2419200 (28 days)
        default TTL = 300 (5 mins)
> gmail.com
Server:  navigator.dns.local
Address:  192.168.160.2

Niet-bindend antwoord:
gmail.com
        primary name server = ns1.google.com
        responsible mail addr = dns-admin.google.com
        serial  = 190884454
        refresh = 900 (15 mins)
        retry   = 900 (15 mins)
        expire  = 1800 (30 mins)
        default TTL = 60 (1 min)
>
Patrick Bogers, Datacenter platform engineer Lindows

Commented:
Hi

The above has become ugly to read. From my understanding there is an issue with outgoing mail, right? (because all of a sudden we speak about incoming mail on port 25??)
If outgoing only, please check your Exchange 2010 outgoing connector to see what address outgoing mails are sent to.
With this info, start a telnet session like    c:\   telnet mail.server.nl 25
mail from: test@mydomain.com, where this is a real address that used to work; next TO:test@theirdomain.com, which should also be a working one (in the past), and enter.... What does the SMTP server tell you? All except OK is acceptable, if it errors or claim they break rules too they block you.

Cheers.
If emails are expiring, look in the Queue Viewer to see what the last error code is on mails that are failing to be sent.
noci, Software Engineer
Distinguished Expert 2018

Commented:
You mentioned opella.nl, patyna.nl .... Did you check SPF for opella.nl, patyna.nl? Are those valid...
What name does your server use in HELO/EHLO?
Is that name resolving to the IP address of that server? How is the reverse lookup resolving?

Author

Commented:
Hi all,

thanks for your time,

MXToolbox SPF reports no issues for opella.nl, patyna.nl.
It's only an outgoing mail problem.
If I look in the Queue Viewer, the last error says 451 4.4.0 DNS query failed

Next: I telnet to mail.collegesanering.nl and can't test it because a firewall rule says accept only incoming mail from the external spam filter.
So: I added my own IP to the firewall to test it; when I telnet I get 421 4.3.2 Service not available
Then: I tried the same on the Exchange server, telnet 127.0.0.1 25, and also get 421 4.3.2 Service not available

When I searched for 421 4.3.2 Service not available, I found a thread that says to run Get-ReceiveConnector connector |fl

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Users\administrator.CSZ> Get-ReceiveConnector csz
Get-ReceiveConnector : The operation couldn't be performed because object 'vmExchange01.csz.ad\csz' couldn't be found on 'csz1.csz.ad'.
At line:1 char:21
+ Get-ReceiveConnector <<<<  csz
    + CategoryInfo          : NotSpecified: (:) [Get-ReceiveConnector], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : ACD2056D,Microsoft.Exchange.Management.SystemConfigurationTasks.GetReceiveConnector


I checked, all the Exchange services are running.

I feel that we are coming closer to the problem.


Please advise.

regards Victor
noci, Software Engineer
Distinguished Expert 2018

Commented:
I do know about mail, but I have no relevant knowledge on the subject of "How to manage Exchange services" ...
I do know it can become a minefield very quickly. So I'll pass from now on.

Author

Commented:
I appreciate your honesty ;-)

Author

Commented:
Anyone else?

I can't telnet to 127.0.0.1 25; I get error 421 4.3.2 Service not available
But I can telnet to 127.0.0.1 587

HELO responds with

220 mail.collegesanering.nl Microsoft ESMTP MAIL Service ready at Fri, 6 Apr 2018 10:31:33 +0200
helo
250 mail.collegesanering.nl Hello [127.0.0.1]
noci, Software Engineer
Distinguished Expert 2018

Commented:
Did you enable port 25? You will need a listener on port 25 to receive mail.
Port 587 is the local submission protocol, not quite the same thing; there are other assumptions, like no sender verification on a submission port.
Port 587 should never be exposed to the internet.

Port 465 was formerly used for SMTP over SSL (now TLS on port 25 is used).

Author

Commented:
Mmm...

Port 25 inbound is firewalled to accept only mail from the external spam filter.
It's not a receive problem but a send problem to certain email domains, opella.nl and patyna.nl.
I think their server wants to check on port 25 whether I exist, etc.
noci, Software Engineer
Distinguished Expert 2018

Commented:
That is quite possible. (It is called sender verification, i.e. they ask your server if the sender exists on that server.)
Anybody can do that.
