Why are external emails being blocked?

CRL ltd
We have a client who uses Exchange 2010 on an SBS2011 box. They can't receive any external emails; internally it's fine, and they can send externally. They use Trend Worry Free Business for spam filtering, which sits on the SBS server. I have disabled Trend and still the same result. When I perform a message trace, it shows no external emails even hitting the server.

I have attached a bounce back for you to see.

Any help will be appreciated.
Undeliverable-RE-test.msg
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
This is near impossible to debug in theory.

Sounds like there's a DNS problem.

Post the recipient domain for testing, so for a user foo@voodoo.com, then voodoo.com is the recipient domain.

Also the attachment you posted is some sort of binary. If this is meant to be a full message, with all headers, then post it as pure text.
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Test your domain using mxtoolbox and post the result.
https://mxtoolbox.com/diagnostic.aspx
Check blacklist as well.
https://mxtoolbox.com/blacklists.aspx
Sam Simon Nasser, IT Support Professional

Commented:
Check whether your domain is blocked. This happens when a user is infected and sends a lot of spam messages; the domain becomes blocked.
https://mxtoolbox.com/blacklists.aspx
https://whatismyipaddress.com/blacklist-check
https://www.ultratools.com/tools/spamDBLookup
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
If you're going to debug this yourself, start by auditing your entire DNS setup.

This means stress testing that each NS record is actually returning the correct MX/SPF/DKIM records for every request.

Can't tell you how many mail problems I've tracked down to faulty DNS.

Always start with a DNS audit, then go through using other tools suggested above.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
it shows no external emails even hitting the server

I agree with the above points. There is a record you need (your ISP may need to put the record in) that tells outside senders you are a valid recipient (SPF record). Make sure this is in place and correct. Get assistance from your ISP.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Good to follow John's suggestion.

If you haven't already opened a ticket with your hosting company, this should be your first step.
Tom Cieslik, IT Engineer
Distinguished Expert 2017

Commented:
If you can, try to telnet to your server from outside.
Maybe this is a simple firewall issue.

Author

Commented:
MAS: this is the result from MXTOOLBOX

Connecting to 145.239.6.121

220 host.wearesupport.co.uk ESMTP [689 ms]
EHLO EC2AMAZ-CT1LM3F.mxtoolbox.com
250-host.wearesupport.co.uk
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME [673 ms]
MAIL FROM:<supertool@mxtoolbox.com>
250 ok [687 ms]
RCPT TO:<test@mxtoolboxsmtpdiag.com>
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1) [687 ms]

LookupServer 3769ms
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
This type of test is great, only after you audit your DNS.

If you'd like someone to audit your DNS for you, post the actual recipient domain you're using, per my comment above.

Commented:
Looks like you are using Google for your MX record, correct? How do they fit into the mail flow picture?

You may want to give them a call as well and see what's going on, as some of their IPs appear to be blacklisted.

https://mxtoolbox.com/domain/wearesupport.co.uk/
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
If wearesupport.co.uk is your actual recipient domain, meaning you're sending from foo@wearesupport.co.uk, then this property has some significant DNS + blacklisting problems.

Likely best if you publish the From: + To: address of your message, just so people are clear about what to test.

Tip: Debugging this sort of issue can take substantial time. If you're new to this sort of debugging, might be good for you to hire someone to assist you.

Author

Commented:
The domain is autowash.co.uk

We had an update from the client: BT have been doing some work on their line today in preparation for an upgrade, so we suspect this may have caused an issue.
Tom Cieslik, IT Engineer
Distinguished Expert 2017

Commented:
I'm sorry, but this is NOT a DNS issue.
Telnet has told you your server is not accepting messages.

Did you check if your domain is blacklisted?

Double check all your Receive connector settings.

I don't have Ex 2010, but check this as a reference from 2013.
Check Transport Hub and Frontend connector.

Capture.JPG

Author

Commented:
Thanks for that, still no luck, I'm afraid.

Author

Commented:
I can get OWA, still no external emails going through.

Author

Commented:
And nothing coming up on blacklisting sites for the domain or the client's IP.

Commented:
Getting into OWA is not the same as sending/receiving emails - one is client access (OWA) and the other is transport (mail flow). When you send emails from an external source, do you receive a bounceback email?
Is mail flow internally between your users working properly?
Can your users send emails out of the organization?
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
https://mxtoolbox.com/SuperTool.aspx?action=dns%3aautowash.co.uk&run=toolpage shows the first problem.

Look at the SOA differences.

This might or might not be a problem + should be fixed before proceeding.

Author

Commented:
Yes, internal is fine and sending externally is fine.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
DNS stress test shows identical MX + A record for MX are being returned consistently from all NS servers, so that's good.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Ah... I think I see the problem...

Port 25 submission is configured incorrectly.

When connecting to port 25 there's some bogus (er... non SMTP protocol compliant) prompt with a banner of Account:, then the SMTP conversation hangs waiting for input.

Whatever code implements this prompt will block all incoming SMTP conversations, as SMTP has no idea what an interactive prompt for Account: might be.

There's no port 587 listener, so port 25 is the only submission channel for this SMTP server.

Just change the config to be normal SMTP + likely all will be well.

Commented:
@David Favor, when I telnet to mail.autowash.co.uk I am getting the proper response from Exchange with no issues.
Tom Cieslik, IT Engineer
Distinguished Expert 2017

Commented:
Can you post a screenshot of your Transport Hub configuration?

Try to use telnet, but using a real account, not the toolbox test.
DrDave242, Principal Support Engineer

Commented:
I got inconsistent results when querying well-known public DNS servers for mail.autowash.co.uk. OpenDNS and 4.2.2.2 resolved it to a valid address (and I got the expected header when telnetting to that address on port 25), but 8.8.8.8 and 1.1.1.1 gave me a big fat Nope.

Also, SPF records don't come into play here. They're used for outbound mail only.
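
The comparison DrDave242 describes above, asking several public resolvers for the same name and comparing the rcode and A records each returns, as an added example that is not part of the thread. It uses only the Python standard library; mail.example.com and the two constructed replies are placeholders.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Encode a recursive A-record query for name."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!2H", 1, 1)

def skip_name(buf, off):  # offset just past a name that may end in a compression pointer
    while buf[off] and (buf[off] & 0xC0) != 0xC0:
        off += buf[off] + 1
    return off + (2 if buf[off] else 1)

def parse_response(buf):
    """Return (rcode, sorted A records) from a raw DNS reply."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!6H", buf[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4              # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        if rtype == 1 and rdlen == 4:              # A record
            addrs.append(socket.inet_ntoa(buf[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0x000F, sorted(addrs)

def ask(resolver, name, timeout=3.0):
    """Query one resolver over UDP; (None, []) means no usable reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (resolver, 53))
            return parse_response(sock.recvfrom(4096)[0])
        except (OSError, struct.error, IndexError):
            return None, []

def disagreements(results):
    """Group resolvers by answer; a non-empty result means they disagree."""
    groups = {}
    for resolver, (rcode, addrs) in results.items():
        groups.setdefault((rcode, tuple(addrs)), []).append(resolver)
    return groups if len(groups) > 1 else {}

# Constructed replies for a placeholder name: one with an A record, one NXDOMAIN.
QUESTION = build_query("mail.example.com")[12:]
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.25")
OK_REPLY = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER
NX_REPLY = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
```

Against live resolvers, call `disagreements({r: ask(r, "mail.example.com") for r in ("4.2.2.2", "8.8.8.8", "1.1.1.1")})`; an rcode of 3 is NXDOMAIN and None means the resolver did not reply.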
Sam Simon Nasser, IT Support Professional

Commented:
According to this error, 553 sorry, that domain isn't in my list of allowed rcpthosts, try the solution here: https://social.technet.microsoft.com/Forums/en-US/b33a4aad-463e-4078-b801-681d1f6e74f7/553-sorry-that-domain-isnt-in-my-list-of-allowed-rcpthosts-571-fix?forum=exchangesvrclientslegacy
As it turns out the problem was simply that she did not check the "Use same settings as my incoming mail server" under the "Outgoing Server" tab as required by our provider.
and many others simply mentioning the same thing
Outlook 2003 and up:
Open Outlook 2003 > Click Tools > E-Mail Accounts > View or change existing e-mail accounts
Select the email account > Click Change > Click 'More Settings' > Click the 'Outgoing Server' Tab
Check the checkbox "My outgoing server (SMTP) requires authentication"
Click OK > Next > Finish
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Telnet to mail.autowash.co.uk seems to be working for me now too.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Just checked what DrDave242 suggested + stress tested 8.8.8.8 and 1.1.1.1 returns.

Seems to be working for me too.

Since many people seem to be getting different results from your DNS, my guess is DNS is part of the problem.

Doing a SMTP test transaction, the conversation looks correct...

imac> swaks --to=test@foo.com --server=mail.autowash.co.uk
=== Trying mail.autowash.co.uk:25...
=== Connected to mail.autowash.co.uk.
<-  220 remote.autowash.co.uk Microsoft ESMTP MAIL Service ready at Thu, 3 Jan 2019 12:07:09 +0000
 -> EHLO davids-imac.local
<-  250-remote.autowash.co.uk Hello [136.62.164.224]
<-  250-SIZE 52183040
<-  250-PIPELINING
<-  250-DSN
<-  250-ENHANCEDSTATUSCODES
<-  250-STARTTLS
<-  250-AUTH
<-  250-8BITMIME
<-  250-BINARYMIME
<-  250 CHUNKING
 -> MAIL FROM:<david@davids-imac.local>
<-  250 2.1.0 Sender OK
 -> RCPT TO:<test@foo.com>
<** 550 5.7.1 Unable to relay
 -> QUIT
<-  221 2.0.0 Service closing transmission channel
=== Connection closed with remote host.

I'd suggest your next step is to use SWAKS to debug your SMTP conversations.

Start by running SWAKS inside your network, then ssh into some remote machine + run SWAKS from there.

If you watch the entire SMTP conversation in SWAKS, likely you'll quickly see the problem.

I use SWAKS many times each day. SWAKS is a tool I can't imagine living without.

Author

Commented:
Hi All, we found the issue: it was IP Block List Providers being enabled on the server. When we disabled that, mail started flowing again. In the list there was spamhaus, spamcop and dnsbl.njabl.org.
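
A way to check whether each configured block list provider still behaves as a blocklist, using the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must never be listed). This is an added example, not part of the thread and not Exchange's own logic; the zone names and the answers in SAMPLE are constructed, and 127.255.255.0/24 is the range Spamhaus documents for error replies.

```python
import ipaddress
import socket

ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error replies, not listings

def dnsbl_name(ip, zone):
    """Query name for an IPv4 DNSBL lookup: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_lookup(name):
    """A records via the OS resolver; [] for NXDOMAIN, OSError otherwise."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []
        raise
    return sorted({info[4][0] for info in infos})

def check_zone(zone, lookup=system_lookup):
    """Classify a DNSBL zone using the RFC 5782 test points."""
    try:
        must_list = lookup(dnsbl_name("127.0.0.2", zone))  # test entry, always listed
        must_not = lookup(dnsbl_name("127.0.0.1", zone))   # must never be listed
    except OSError:
        return "unreachable"          # timeouts here stall or fail every inbound check
    if any(ipaddress.ip_address(a) in ERROR_NET for a in must_list + must_not):
        return "query-refused"        # an error code that "match any answer" treats as a hit
    if must_not:
        return "lists-everything"     # wildcarded zone: every sender looks listed
    if not must_list:
        return "no-test-entry"        # emptied or retired zone
    return "healthy"

# Constructed answers for hypothetical zones, so the example runs offline.
SAMPLE = {
    "2.0.0.127.good.dnsbl.example": ["127.0.0.2"],
    "1.0.0.127.wild.dnsbl.example": ["127.0.0.2"],
    "2.0.0.127.refused.dnsbl.example": ["127.255.255.254"],
}

def sample_lookup(name):
    if name.endswith(".down.dnsbl.example"):
        raise TimeoutError("constructed resolver timeout")
    return SAMPLE.get(name, [])

def audit(zones, lookup=sample_lookup):
    return {zone: check_zone(zone, lookup) for zone in zones}
```

Run `audit(zones, lookup=system_lookup)` on the mail server itself, because the result depends on the resolver that server uses.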
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Glad you tracked down the problem!
