Unable to send emails - error 421
I am Unable to send most emails to most domains. We are using Sophos XG as the sending relay.
All (almost all) emails are stuck in the queue with error:
421 service not available (connection refused, generic failure).
some emails that give these errors sometimes are getting delivered.
Problem started only yesterday!
All (almost all) emails are stuck in the queue with error:
421 service not available (connection refused, generic failure).
some emails that give these errors sometimes are getting delivered.
Problem started only yesterday!
Mail sending is far more complex than most people imagine.
https://www.experts-exchange.com/questions/29165628/Sending-Email-by-getting-email-address-from-database.html provides a bare minimum of setup steps required, to enable you to send email + actually have it delivered in a reliable manner.
If only one site drops connections with an occasional 421, then one site has a problem.
If many sites drop connections to your IP with a 421, likely you've missed some setup step out of the URL provided.
https://www.experts-exchange.com/questions/29165628/Sending-Email-by-getting-email-address-from-database.html provides a bare minimum of setup steps required, to enable you to send email + actually have it delivered in a reliable manner.
If only one site drops connections with an occasional 421, then one site has a problem.
If many sites drop connections to your IP with a 421, likely you've missed some setup step out of the URL provided.
Tip: For best assistance, provide your actual domain + also the sending IP (or IP range) having problems.
Or you can just go through the URL provided above + ensure all the items on this minimal list are setup correctly.
Or you can just go through the URL provided above + ensure all the items on this minimal list are setup correctly.
ASKER
email was working perfectly since 1 year, this only started few days ago. I ca categorize emails to 3 cats:
1- domains that never receive my emails (this include gmail.com)
2- domains that receive my emails after 5-12 hours (this include yahoo.com)
3- domain that receive my emails normally (this include outlook.com)
With Yahoo and others similar, when I connect using telnet mail.yahoo.com 25, most of the time I get the error, but after almost 10-20 attempts it is accepted.
I will go thru the provided link..
1- domains that never receive my emails (this include gmail.com)
2- domains that receive my emails after 5-12 hours (this include yahoo.com)
3- domain that receive my emails normally (this include outlook.com)
With Yahoo and others similar, when I connect using telnet mail.yahoo.com 25, most of the time I get the error, but after almost 10-20 attempts it is accepted.
I will go thru the provided link..
This might mean Verizon (owns Yahoo + AOL email) has updated to require TLS to connect to it's servers + a few are broken, still allowing port 25 connection. Unsure as Oath rarely states how their tech works.
Several things to note.
1) The lookup you're doing returns many IPs...
i
2) Best test each of these in turn.
Note: This IP list rotates every few minutes.
Note: When I telnet to port 25 of any of the above IPs, all IPs connect...
3) Likely best to configure your MTA to attempt an opportunistic TLS connection first, then fall back to non-TLS connection.
Looking at my Oath related logs, all connections occur via opportunistic TLS.
4) Just because email has worked before, does not mean it will every work again.
With email, you start over every day.
This is why many people use a relay service like https://MailGun.com as MailGun handles tracking + fixing delivery problems... which is expensive... dividing the cost across many clients.
Several things to note.
1) The lookup you're doing returns many IPs...
i
mac> dig +short yahoo.com mx
1 mta6.am0.yahoodns.net.
1 mta7.am0.yahoodns.net.
1 mta5.am0.yahoodns.net.2) Best test each of these in turn.
Note: This IP list rotates every few minutes.
Note: When I telnet to port 25 of any of the above IPs, all IPs connect...
3) Likely best to configure your MTA to attempt an opportunistic TLS connection first, then fall back to non-TLS connection.
Looking at my Oath related logs, all connections occur via opportunistic TLS.
4) Just because email has worked before, does not mean it will every work again.
With email, you start over every day.
This is why many people use a relay service like https://MailGun.com as MailGun handles tracking + fixing delivery problems... which is expensive... dividing the cost across many clients.
ASKER
The issue since yesterday is getting worse, now unable to send to almost any domain. Same error always:
421 service not available (connection refused, generic failure)
421 service not available (connection refused, generic failure)
By pass sophos and use exchange server public IP to send a test email using telnet and see if that gets delivered.
ASKER
Already did that - same error
I tried using telnet on port 25 and getting same error instantly.
I tried using telnet on port 25 and getting same error instantly.
Modified my comment above, as I'd done an A record lookup, rather than MX record lookup.
All Yahoo MX records pickup for me when I connect using telnet.
So the problem might be your ISP, as many ISPs block all outgoing port 25 mail submissions now because Windows machines are so easily hacked, then used in Bot Farms to send spam.
Could also be your sending IP or domain is blacklisted.
1) To test for ISP blocks, just pick any other random SMTP server + attempt a connection, like...
If this fails, then you'll have to ssh into some public machine to do your connections.
2) Check https://mxtoolbox.com/ -> Blacklist Check to see if your IP or domain is blacklisted anywhere.
If you're blacklisted, open a new question about how to clear this, as the process can be complex, depending on exactly where you're blacklisted + why.
All Yahoo MX records pickup for me when I connect using telnet.
So the problem might be your ISP, as many ISPs block all outgoing port 25 mail submissions now because Windows machines are so easily hacked, then used in Bot Farms to send spam.
Could also be your sending IP or domain is blacklisted.
1) To test for ISP blocks, just pick any other random SMTP server + attempt a connection, like...
telnet aspmx.l.google.com 25If this fails, then you'll have to ssh into some public machine to do your connections.
2) Check https://mxtoolbox.com/ -> Blacklist Check to see if your IP or domain is blacklisted anywhere.
If you're blacklisted, open a new question about how to clear this, as the process can be complex, depending on exactly where you're blacklisted + why.
ASKER
I think the problem is our sending IP - although is a fixed IP, it is on a dynamic space. Looks like there is a trend to block dynamic IPs by default.
I sent to outlook.com, Yahoo, gmail, and IBM requests to check why my emails are not going thru, and the reply from Microsoft is:
Our investigation has determined that the above IP(s) do not qualify for mitigation.
Connections from dynamic IP space may not be accepted.
No reply yet from IBM, Yahoo and Google.
Note: we are not listed on any RBL.
I sent to outlook.com, Yahoo, gmail, and IBM requests to check why my emails are not going thru, and the reply from Microsoft is:
Our investigation has determined that the above IP(s) do not qualify for mitigation.
Connections from dynamic IP space may not be accepted.
No reply yet from IBM, Yahoo and Google.
Note: we are not listed on any RBL.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You said, "our sending IP is on a dynamic space" which means each time your IP changes you must ensure all steps from the checklist are somehow automatically done for you.
Then each time you change IP, you'll have to go through a warm up period for the IP, which will run days to months, depending many factors.
For high email deliverability, you'll always use the same static IP, never IPs from a "dynamic space".
Then each time you change IP, you'll have to go through a warm up period for the IP, which will run days to months, depending many factors.
For high email deliverability, you'll always use the same static IP, never IPs from a "dynamic space".
ASKER
Can this be something related to the ISP?