Delivery has failed.. because of security policies.. rejected your message (smtp 5.7.1 550)
One of our users is having trouble emailing a user on a certain domain.. they get a bounce back from our Exchange 2007 server:
Delivery has failed to these recipients.. Message wasn't delivered because of security policies..
Generating server name: spam.domain.com (our SonicWall anti-spam email security device)
remotedomain.edu 5.7.1 smtp; 550 5.7.1 client host rejected: cannot find your hostname [10.1.10.1]
Any thoughts on what could be causing this bounce back.. to me it sounds like an issue on their end, not ours..
Our DNS is set through Network Solutions and looks fine to me.
Thanks
September 3rd, 2008 7:11pm
This sure looks like a problem on the remote end. Can you set yourself up a GMail account (or some other external account) and then try to send to that user from another mail system? Do you get the same error?
There is one possibility, though, that could be on your side. In the error generated by the Sonicwall:
cannot find your hostname [10.1.10.1]
Did you change the 10.1.10.1 IP address in your posting? Was this originally YOUR public IP address? If so, the problem *might* be that the Sonicwall is doing a reverse lookup on your public IP address and trying to see if it has a PTR record associated with it.
September 3rd, 2008 8:50pm
Hi,
It seems like you're sending your internal IP address when sending e-mail. This looks like a NAT issue. Because the DNS server of the receiving server can't find a valid record for your internal IP address, you receive this error. Please check your NAT settings on your firewall/router.
Regards,
Johan
visit my site: www.johanveldhuis.nl
September 3rd, 2008 8:51pm
Johan Veldhuis wrote:
Hi,
It seems like you're sending your internal IP address when sending e-mail. This looks like a NAT issue. Because the DNS server of the receiving server can't find a valid record for your internal IP address, you receive this error. Please check your NAT settings on your firewall/router.
Regards,
Johan
visit my site: www.johanveldhuis.nl
Nah.. I just took out our public IP that was listed in the error.. i.e. 10.1.x.x is really 70.x.x.x (a public IP address).
I checked my Exchange 2007 settings.. I do have exchange02.domain.local for the relay address in the receive connectors.. and I have the SonicWall pointing to the IP address of exchange02.. which I believe is correct..
I guess this is on their end, though I haven't tried a test email from a Hotmail account yet..
September 3rd, 2008 9:04pm
Exchange 2007 doesn't behave like Exchange 2000 or 2003 in the case of email relaying.
I had encountered these issues a couple of months back, the same error. The situation I had was that there are various applications configured in my organization to relay emails both internally and externally. Internally it works fine since there is the "default connector" in the hub servers, used for relaying.
Solution implemented:
1) Register your domain using the shell command. If your domain is "contoso.com" then, in the shell screen, enter the below cmd. This will register to all the receive connectors currently present
September 4th, 2008 9:08am
Another check to do here is the "Default Receive Connector" in your Exchange console - is "Anonymous" check marked? The easiest way to address this is to add the "Anonymous users" on the Default Receive Connector.
http://msexchangeteam.com/archive/2006/11/17/431555.aspx
Let me know if this works.
September 4th, 2008 9:36am
claw_Scorp wrote:
Another check to do here is the "Default Receive Connector" in your Exchange console - is "Anonymous" check marked? The easiest way to address this is to add the "Anonymous users" on the Default Receive Connector.
http://msexchangeteam.com/archive/2006/11/17/431555.aspx
Let me know if this works.
Wouldn't this be a security loophole, enabling for anonymous users, that is.. making your site an open relay?
September 4th, 2008 6:00pm
Query: is there an application which is trying to relay an email? Internally it works but externally the email fails? If yes, then create a new custom receive connector for that application IP alone, with:
permissions tab = TLS and External check mark
authentication tab = Exchange Servers check mark

Stage 1: create a new custom receive connector to allow only this IP alone, using the GUI (Exchange 2007 SP1 will allow it). Bet you might know this already. Once created, run the shell cmd to check its properties.
[PS] >>> Get-ReceiveConnector -Identity "new receive connector 1" | fl
AuthMechanism : Tls, ExternalAuthoritative
Banner :
BinaryMimeEnabled : True
Bindings : {0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
note: it shows blank here for default domain now

Step 2: register your domain now.
Set-ReceiveConnector -Identity "new receive connector 1" -DefaultDomain contoso.com

Stage 3: now the default domain shows as "contoso.com". Final result:
[PS] >>> Get-ReceiveConnector -Identity "new receive connector 1" | fl
AuthMechanism : Tls, ExternalAuthoritative
Banner :
BinaryMimeEnabled : True
Bindings : {0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain : contoso.com
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : <<<hub transport server fqdn here>>>
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : ExchangeServers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {ip address of application }
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
Server : hub server1
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : new receive connector 1
DistinguishedName : CN=new receive connector 11,CN=SMTP Receive Connectors,CN=Protocols,CN=hub server1,CN=Servers,CN=Exchange Administrative Group (CN=Administrative Groups,CN=Energy,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
Identity : hub1\contoso.com
Guid : 69c23ba9-ef08-4a2f-8963-9fed5bb3bd69
ObjectCategory : contoso.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 7/10/2008 5:10:40 PM
WhenCreated : 7/10/2008 4:36:47 PM
OriginatingServer : dc name
IsValid : True

Let me know your comments
September 4th, 2008 6:24pm
In addition to my above post, I wanted to add this final note too.
3rd Party Application or Mail Server May Fail to Send To or Relay Mail Through Exchange Server 2007
http://support.microsoft.com/kb/944302
That's the official MSKB article I had followed. Worked for me. Take a peek at it. Should lend some credibility to this scenario.
September 4th, 2008 6:39pm
claw_Scorp wrote:
In addition to my above post, I wanted to add this final note too.
3rd Party Application or Mail Server May Fail to Send To or Relay Mail Through Exchange Server 2007
http://support.microsoft.com/kb/944302
That's the official MSKB article I had followed. Worked for me. Take a peek at it. Should lend some credibility to this scenario.
Yeah I bet this is it.. ours is blank (default domain)..
Again, we have Client, Default and a custom one called "relay1" for receive connectors..
I think Client is just local Outlook.. while Default is the world and relay1 is so local IPs can use Exchange 2007 as a relay without authentication..
So I would set the default domain on the Default one to our domain name like:
"domain.com", or should it match the MX record address(es), i.e. "wan1.domain.com" and "wan2.domain.com".. I'm guessing it should just be domain.com?
September 4th, 2008 7:26pm
markm75 wrote:
claw_Scorp wrote:
In addition to my above post, I wanted to add this final note too.
3rd Party Application or Mail Server May Fail to Send To or Relay Mail Through Exchange Server 2007
http://support.microsoft.com/kb/944302
That's the official MSKB article I had followed. Worked for me. Take a peek at it. Should lend some credibility to this scenario.
Yeah I bet this is it.. ours is blank (default domain)..
Again, we have Client, Default and a custom one called "relay1" for receive connectors..
I think Client is just local Outlook.. while Default is the world and relay1 is so local IPs can use Exchange 2007 as a relay without authentication..
So I would set the default domain on the Default one to our domain name like:
"domain.com", or should it match the MX record address(es), i.e. "wan1.domain.com" and "wan2.domain.com".. I'm guessing it should just be domain.com?
I did the domain.com as default domain, had the user retry.. they still received the error message.. any other thoughts?
Perhaps it is on the other end, not ours?
September 5th, 2008 10:30pm
Running this shell command will register the root domain on all the receive connectors in the hub server:
>>> Get-ReceiveConnector | Set-ReceiveConnector -DefaultDomain "contoso.com"
Just a thought, and a basic query.....
1) What happens when composing a new email sent from, say, Yahoo or AOL or MSN (and not your messaging system)? Does it deliver successfully or fail? Is the recipient email ID a valid one?
September 8th, 2008 7:19am
claw_Scorp wrote:
Running this shell command will register the root domain on all the receive connectors in the hub server:
>>> Get-ReceiveConnector | Set-ReceiveConnector -DefaultDomain "contoso.com"
Just a thought, and a basic query.....
1) What happens when composing a new email sent from, say, Yahoo or AOL or MSN (and not your messaging system)? Does it deliver successfully or fail? Is the recipient email ID a valid one?
It seems to work, at least, I don't get a bounce back with an externally based email system.
September 8th, 2008 4:35pm
claw_Scorp wrote:
Running this shell command will register the root domain on all the receive connectors in the hub server:
>>> Get-ReceiveConnector | Set-ReceiveConnector -DefaultDomain "contoso.com"
Just a thought, and a basic query.....
1) What happens when composing a new email sent from, say, Yahoo or AOL or MSN (and not your messaging system)? Does it deliver successfully or fail? Is the recipient email ID a valid one?
I should add.. if you do an nslookup on the IP in the error message (our wan1 Comcast IP address).. it comes back with something other than the MX record that is in our Network Solutions DNS settings (it should be wan1.domain.com).. it's more like.. businessname-ip addres...comcastbusiness.net
If you do the same nslookup on the other WAN address (Verizon) at our location.. it has the secondary MX record and looks correct..
A long while ago, before we could get a "true" static IP from Comcast, we had this issue; we had to bind our router's incoming port 25 to the Verizon connection..
It would appear this may still be the case.. I'm not sure how to fix this one.. it sounds like a reverse DNS issue with Network Solutions and/or Comcast?
September 8th, 2008 7:46pm
markm75c wrote:
claw_Scorp wrote:
Running this shell command will register the root domain on all the receive connectors in the hub server:
>>> Get-ReceiveConnector | Set-ReceiveConnector -DefaultDomain "contoso.com"
Just a thought, and a basic query.....
1) What happens when composing a new email sent from, say, Yahoo or AOL or MSN (and not your messaging system)? Does it deliver successfully or fail? Is the recipient email ID a valid one?
I should add.. if you do an nslookup on the IP in the error message (our wan1 Comcast IP address).. it comes back with something other than the MX record that is in our Network Solutions DNS settings (it should be wan1.domain.com).. it's more like.. businessname-ip addres...comcastbusiness.net
If you do the same nslookup on the other WAN address (Verizon) at our location.. it has the secondary MX record and looks correct..
A long while ago, before we could get a "true" static IP from Comcast, we had this issue; we had to bind our router's incoming port 25 to the Verizon connection..
It would appear this may still be the case.. I'm not sure how to fix this one.. it sounds like a reverse DNS issue with Network Solutions and/or Comcast?
I simply called Comcast, had them update our PTR record to point to our correct MX record.. now everything is working fine!
Thanks for everyone's help in getting to this point.
Short version: check nslookup ipaddress.. if it mismatches, then fix DNS (call Comcast in our case)...
I now understand this one.
Cheers
September 8th, 2008 8:59pm
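The check Mark describes above (nslookup on the sending IP, compare against the advertised MX name), as an added Python example that is not from the thread: it reproduces the forward-confirmed reverse DNS test that the receiving server applied before rejecting with "cannot find your hostname", plus the stricter "does rDNS match my MX/HELO name" comparison. The IP addresses, hostnames and DNS records are constructed placeholders; `live_ptr`/`live_a` use the OS resolver for a real check.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample DNS data modelled on the thread (documentation ranges,
# placeholder names): wan1 (Comcast) has a generic ISP PTR that does not resolve
# back to the IP, wan2 (Verizon) is correct, and the third IP has no PTR at all.
SAMPLE_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["businessname-192-0-2-10.isp.example"],
    "192.0.2.20": ["wan2.domain.example"],
}
SAMPLE_A: Dict[str, List[str]] = {
    "wan1.domain.example": ["192.0.2.10"],
    "wan2.domain.example": ["192.0.2.20"],
}

def sample_ptr(ip: str) -> List[str]:
    return SAMPLE_PTR.get(ip, [])

def sample_a(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])

def check_client(ip: str, ptr_lookup: Callable[[str], List[str]],
                 a_lookup: Callable[[str], List[str]],
                 expected_name: str = "") -> Tuple[str, str]:
    """Return (verdict, detail); verdict is 'reject', 'warn' or 'accept'."""
    names = ptr_lookup(ip)
    if not names:
        return "reject", "no PTR record: cannot find your hostname"
    # Forward-confirm: some PTR name must have an A record pointing back at ip.
    confirmed = [n for n in names if ip in a_lookup(n)]
    if not confirmed:
        return "reject", f"PTR {names[0]} does not resolve back to {ip}"
    # Stricter check Mark did by hand: does rDNS match the MX/HELO name?
    if expected_name and expected_name.lower() not in (c.lower() for c in confirmed):
        return "warn", f"rDNS is {confirmed[0]}, expected {expected_name}"
    return "accept", confirmed[0]

def live_ptr(ip: str) -> List[str]:
    """PTR lookup through the OS resolver (needs network access)."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []

def live_a(name: str) -> List[str]:
    """A-record lookup through the OS resolver (needs network access)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []
```

For a real server, call `check_client("<your WAN IP>", live_ptr, live_a, "<your MX host>")`; a `reject` is exactly the condition the remote site bounced on, and the fix is at whoever owns the reverse zone for that address (the ISP in this thread).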
Thanks for sharing the solution. Great work Mark!
September 9th, 2008 5:15am