Unable to send emails - error 421

Ehab Salem
Ehab Salem used Ask the Experts™
on
I am Unable to send most emails to most domains. We are using Sophos XG as the sending relay.
All (almost all) emails are stuck in the queue with error:
421 service not available (connection refused, generic failure).
some emails that give these errors sometimes are getting delivered.
Problem started only yesterday!
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Author

Commented:
When i telnet to the failed servers on port 25, most of the time it gives the error above, but sometimes connection succeeds!
Can this be something related to the ISP?
David FavorFractional CTO
Distinguished Expert 2018

Commented:
Mail sending is far more complex than most people imagine.

https://www.experts-exchange.com/questions/29165628/Sending-Email-by-getting-email-address-from-database.html provides a bare minimum of setup steps required, to enable you to send email + actually have it delivered in a reliable manner.

If only one site drops connections with an occasional 421, then one site has a problem.

If many sites drop connections to your IP with a 421, likely you've missed some setup step out of the URL provided.
David FavorFractional CTO
Distinguished Expert 2018

Commented:
Tip: For best assistance, provide your actual domain + also the sending IP (or IP range) having problems.

Or you can just go through the URL provided above + ensure all the items on this minimal list are setup correctly.

Author

Commented:
email was working perfectly since 1 year, this only started few days ago. I ca categorize emails to 3 cats:
1- domains that never receive my emails (this include gmail.com)
2- domains that receive my emails after 5-12 hours (this include yahoo.com)
3- domain that receive my emails normally (this include outlook.com)

With Yahoo and others similar, when I connect using telnet mail.yahoo.com 25, most of the time I get the error, but after almost 10-20 attempts it is accepted.

I will go thru the provided link..
David FavorFractional CTO
Distinguished Expert 2018

Commented:
This might mean Verizon (owns Yahoo + AOL email) has updated to require TLS to connect to it's servers + a few are broken, still allowing port 25 connection. Unsure as Oath rarely states how their tech works.

Several things to note.

1) The lookup you're doing returns many IPs...

i
mac> dig +short yahoo.com mx
1 mta6.am0.yahoodns.net.
1 mta7.am0.yahoodns.net.
1 mta5.am0.yahoodns.net.

Open in new window


2) Best test each of these in turn.

Note: This IP list rotates every few minutes.

Note: When I telnet to port 25 of any of the above IPs, all IPs connect...

3) Likely best to configure your MTA to attempt an opportunistic TLS connection first, then fall back to non-TLS connection.

Looking at my Oath related logs, all connections occur via opportunistic TLS.

4) Just because email has worked before, does not mean it will every work again.

With email, you start over every day.

This is why many people use a relay service like https://MailGun.com as MailGun handles tracking + fixing delivery problems... which is expensive... dividing the cost across many clients.

Author

Commented:
The issue since yesterday is getting worse, now unable to send to almost any domain. Same error always:
421 service not available (connection refused, generic failure)
Saif ShaikhServer engineer

Commented:
By pass sophos and use exchange server public IP to send a test email using telnet and see if that gets delivered.

Author

Commented:
Already did that - same error
I tried using telnet on port 25 and getting same error instantly.
David FavorFractional CTO
Distinguished Expert 2018

Commented:
Modified my comment above, as I'd done an A record lookup, rather than MX record lookup.

All Yahoo MX records pickup for me when I connect using telnet.

So the problem might be your ISP, as many ISPs block all outgoing port 25 mail submissions now because Windows machines are so easily hacked, then used in Bot Farms to send spam.

Could also be your sending IP or domain is blacklisted.

1) To test for ISP blocks, just pick any other random SMTP server + attempt a connection, like...

telnet aspmx.l.google.com 25

Open in new window


If this fails, then you'll have to ssh into some public machine to do your connections.

2) Check https://mxtoolbox.com/ -> Blacklist Check to see if your IP or domain is blacklisted anywhere.

If you're blacklisted, open a new question about how to clear this, as the process can be complex, depending on exactly where you're blacklisted + why.

Author

Commented:
I think the problem is our sending IP - although is a fixed IP, it is on a dynamic space. Looks like there is a trend to block dynamic IPs by default.

I sent to outlook.com, Yahoo, gmail, and IBM requests to check why my emails are not going thru, and the reply from Microsoft is:
Our investigation has determined that the above IP(s) do not qualify for mitigation.
Connections from dynamic IP space may not be accepted.

No reply yet from IBM, Yahoo and Google.

Note: we are not listed on any RBL.
Commented:
The issue is as I mentioned, our sending IP is on a dynamic space. We are now seeking alternatives, probably a smart host solution.
David FavorFractional CTO
Distinguished Expert 2018

Commented:
You said, "our sending IP is on a dynamic space" which means each time your IP changes you must ensure all steps from the checklist are somehow automatically done for you.

Then each time you change IP, you'll have to go through a warm up period for the IP, which will run days to months, depending many factors.

For high email deliverability, you'll always use the same static IP, never IPs from a "dynamic space".

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial