Context: Exchange 2007 SP2 running on Windows 2008 SP2. Outlook 2007 SP2 and OWA (IE7) clients ----------------------------- To our knowledge we can deliver mail to all our correspondents... except the person in question. This person could receive mail from us until about a month ago. Since we only send them a message every week or so, it was not noticed immediately. So, YES, this did work at one time. Non-delivery has been occurring only for the last month. This person says he can receive email from everyone else. And once again, no one else has NOT been able to receive our messages. This is the message that the sender receives, notifying them the message could not be delivered. That's all we have for a clue: Delivery is delayed to these recipients or distribution lists: This message has not yet been delivered. Microsoft Exchange will continue to try delivering the message on your behalf. Delivery of this message will be attempted until 10/29/2010 4:35:30 PM (GMT-05:00) Eastern Time (US & Canada). Microsoft Exchange will notify you if the message can't be delivered by that time. We do not filter outbound mail (only inbound via Postini). We have not configured any Transport rules concerning this person ( I just checked and see only ONE Transport rule which has nothing to do with him). I am going to see if the "Mail Flow Troubleshooter" offers any other clues. What else could I do?

Mail Flow Troubleshooter was useless. After entering the sender email address and the address of the recipient, and pressing NEXT, the MFT informed me that: - IPv6 Protocol not supported. - Network Adapter IVv6 address not supported. Is this because I never bothered to assign a static IPv6 to the mail server? Note: I chose the option - Messages destined to some recipients are delayed or not recieved by some recipients.

The original NDR that you have posted is a delay message. Close to useless for diagnostics. If you look in the queue viewer it may well give you an error code. This may well turn in to finger pointing. Both sides say they can receive email from everyone else, therefore it must be your (the other side) problem. You need to verify that you are getting MX records for the recipients domain, using nslookup from the Exchange server itself. Then attempt to connect to them on port 25 using telnet. If that fails, do a tracert. It could be a routing issue. It could be that the remote side has blocked messages from your IP address for some reason. Simon.Simon Butler, Exchange MVP Blog | Exchange Resources

Protocol logs will be more useful than message tracking logs. If you don't have it enabled, enable verbose protocol logging on the send connector and see what that tells you.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

The original NDR that you have posted is a delay message. Close to useless for diagnostics. Yet, this is the only error message we obtain. If you look in the queue viewer it may well give you an error code. 4514.4.0 DNS query failed You need to verify that you are getting MX records for the recipients domain, using nslookup from the Exchange server itself. > YES > set type=MX > xxxxxxarchitects.com Server: dnsServer1.ourdomain.loc Address: 10.x.x.x Non-authoritative answer: xxxxxxarchitects.com MX preference = 10, mail exchanger = inbound.xxxxxxarchitects.com.namesecuremail.net inbound.xxxxxxarchitects.com.namesecuremail.net internet address = 205.178.x.x Then attempt to connect to them on port 25 using telnet. If that fails, do a tracert. I do not have a Telnet client installed, but, of course, I can install one. I did go ahead and run a tracert. Once by IP, once by domain name. The 1st is successfull and the second fails. I will post that shortly - have to go somewhere now!

You should get a fatal failure message, unless you have something on the network that is preventing those being seen by the users. The Telnet Client can be installed from Windows Features, it is very useful to have as a diagnostics tool. Have you configured external DNS on the Send Connector? If so, remove them, as that can cause problems. If the tracert fails by domain name, then that would tend to point to DNS being the issue. However that should also mean the nslookup would fail. Try changing the DNS server you are using in nslookup to something public like the OpenDNS servers (server resolver1.opendns.com) and then test again. Ensure that you get the same results. Simon.Simon Butler, Exchange MVP Blog | Exchange Resources

http://technet.microsoft.com/en-us/library/bb851512(EXCHG.80).aspx .. Would be helpful

http://technet.microsoft.com/en-us/library/bb851512(EXCHG.80).aspx .. Would be helpful http://support.microsoft.com/kb/976108

First, since I said I would post tracert results "shortly", I'm going to be good to my word on that: C:\>tracert 205.178.149.7 Tracing route to mail.networksolutionsemail.com [205.178.149.7] over a maximum of 30 hops: [...] 5 17 ms 15 ms 16 ms ae-0-11.bar2.boston1.level3.net [4.69.140.90] 6 20 ms 18 ms 18 ms ae-8-8.ebr1.newyork1.level3.net [4.69.140.98] 7 21 ms 21 ms 20 ms ae-4-4.ebr1.newyork2.level3.net [4.69.141.18] 8 19 ms 70 ms 21 ms ae-1-51.edge1.newyork2.level3.net [4.69.138.194] 9 22 ms 26 ms 34 ms er1-tengig-8-3.NewYork.savvis.net [208.174.224.133] 10 83 ms 71 ms 71 ms cr2-tengig-0-15-4-0.NewYork.savvis.net [204.70.198.17] 11 28 ms 26 ms 27 ms cr1-pos-0-0-0-0.Washington.savvis.net [204.70.192.1] 12 28 ms 25 ms 27 ms hr1-tengig-2-0-0.sterling2dc2.savvis.net [204.70.197.74] 13 25 ms 25 ms 25 ms 64.58.94.114 14 27 ms 27 ms 25 ms edg-r-01-vlan11.net.dc2.netsol.com [205.178.191.10] 15 27 ms 26 ms 24 ms 205.178.182.9 16 25 ms 26 ms 28 ms mail.networksolutionsemail.com [205.178.149.7] Trace complete. So, that works fine (Trace complete). C:\>tracert xxxxxxarchitects.com Tracing route to xxxxxxarchitects.com [205.178.190.x] over a maximum of 30 hops: (NOTE: YES, IP IS DIFFERENT HERE, SEE ABOVE - trying to be as discreet as possible - while providing useful info) [...] 5 14 ms 15 ms 16 ms ae-0-11.bar2.boston1.level3.net [4.69.140.90] 6 22 ms 49 ms 36 ms ae-8-8.ebr1.newyork1.level3.net [4.69.140.98] 7 27 ms 24 ms 24 ms ae-4-4.ebr1.newyork2.level3.net [4.69.141.18] 8 20 ms 18 ms 25 ms ae-1-51.edge1.newyork2.level3.net [4.69.138.194] 9 31 ms 31 ms 22 ms er1-tengig-8-3.NewYork.savvis.net [208.174.224.133] 10 90 ms 25 ms 65 ms cr1-tengig-0-8-3-0.NewYork.savvis.net [204.70.198.13] 11 28 ms 28 ms 29 ms cr1-tengig-0-15-0-0.Washington.savvis.net [204.70.196.101] 12 27 ms 28 ms 28 ms hr1-tengig-2-0-0.sterling2dc2.savvis.net [204.70.197.74] 13 31 ms 29 ms 28 ms 64.58.94.114 14 141 ms 55 ms 195 ms edg-r-01-vlan10.net.dc2.netsol.com [205.178.191.2] 15 * * * Request timed out. 16 * * * Request timed out. 17 * * * Request timed out. 18 * * * Request timed out. 19 * * * Request timed out. [...] 30 * * * Request timed out. So tracert stops at 14. Looks like that could be an Edge server (EDG-R-01) ??? So there's my tracert info.

You should get a fatal failure message, unless you have something on the network that is preventing those being seen by the users. Nothing I configured intentionally to this effect. All Inbound SMTP traffic is filtered by Postini. All inbound ports on perimeter firewall closed, except 25 (Postini IP addresse range only) and 443 (for OWA, OUtlook Anywhere, etc.). Have you configured external DNS on the Send Connector? If so, remove them, as that can cause problems. If you mean "Use external DNS lookup settings on the transport server", then no. We do use DNS rather than "Smart Hosts" because our ISP does not support them (or so they said - they specifically told us to use DNS instead of Smart Hosts, that's all I can tell you). Try changing the DNS server you are using in nslookup to something public like the OpenDNS servers (server resolver1.opendns.com) and then test again. Not sure how to do this. I see one of my domain controllers / DNS servers comes up by default, but I don't know how to change the resolving DNS server to something else. I can google though.

You should get a fatal failure message, unless you have something on the network that is preventing those being seen by the users. Nothing I configured intentionally to this effect. All Inbound SMTP traffic is filtered by Postini. All inbound ports on perimeter firewall closed, except 25 (Postini IP addresse range only) and 443 (for OWA, OUtlook Anywhere, etc.). Have you configured external DNS on the Send Connector? If so, remove them, as that can cause problems. If you mean "Use external DNS lookup settings on the transport server", then no. We do use DNS rather than "Smart Hosts" because our ISP does not support them (or so they said - they specifically told us to use DNS instead of Smart Hosts, that's all I can tell you). Try changing the DNS server you are using in nslookup to something public like the OpenDNS servers (server resolver1.opendns.com) and then test again. OK - I had a second to re-read this and now see how you change the server. This is what I obtained using OpenDNS: C:\>nslookup Default Server: xxx.xxx.xxx Address: x.x.x.x > server resolver1.opendns.com Default Server: resolver1.opendns.com Address: 208.67.222.222 > set type=MX > xxxxxxarchitects.com Server: resolver1.opendns.com Address: 208.67.222.222 Non-authoritative answer: xxxxxxarchitects.com MX preference = 10, mail exchanger = inbound.xxxxxxarchitects.com.namesecuremail.net ------------------------------------------- So my DNS server gives me the last part with the internet address at the end. Otherwise they are the same: Non-authoritative answer: xxxxxxarchitects.com MX preference = 10, mail exchanger = inbound.xxxxxxarchitects.com.namesecuremail.net inbound.xxxxxxarchitects.com.namesecuremail.net internet address = 205.178.x.x

Khoj Sahiwala, Thank you for the links. However, we do not use an Edge server.

MJOLINOR, Thank you for the suggestion. Could you send me a link on how to do this? I'll look myself but off the top of my head, I must admit I'm not familiar with this type of logging.

http://technet.microsoft.com/en-us/library/aa997624(EXCHG.80).aspx Hope this helps you get it resolved.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

I want to follow up on Sembee's (Simon's) suggestion to attempt to connect to their mail server using TELNET now that I have installed the client. Here are my results. First, I tried with the IP address of their mail server but with no port specified (TELNET defaults to 23): C:\>telnet 205.178.149.7 Connecting To 205.178.149.7...Could not open connection to the host, on port 23: Connect failed Well, they probably have TELNET blocked... So let's try with the right port... C:\>telnet 205.178.149.7 25 220 cm-mr3 ESMTP ecelerity 2.2.2.41 r(31179/31189) Sat, 30 Oct 2010 11:17:29 -0400 421 4.4.2 service timed out. Now let's try with the FQDN of the mailserver (as displayed in TRACERT): C:\>telnet mail.networksolutionsemail.com 25 220 cm-mr3 ESMTP ecelerity 2.2.2.41 r(31179/31189) Sat, 30 Oct 2010 11:17:29 -0400 220 displays as above but telnet never seems to connect (nothing happens). There is no: 421 4.4.2 service timed out. It's been a good minute. And finally: Connection to host lost. Let's try with the IP for the recipients email address (as displayed in tracert): C:\>telnet 205.178.x.x 25 Connecting To 205.178.x.x...Could not open connection to the host, on port 25: Connect failed And now with the FQDN: C:\telnet xxxxxxarchitects.com 25 Connecting to xxxxxxarchitects.com... Could not open connection to the host, on port 25: Connect failed.

SIMON, As you see, I have posted my Telnet results in the post above and also determined that nslookup results are just about the same using my DNS server as a starting point, or using an OpenDNS server (details in my post on Friday, October 29, 2010, 1:01). Any ideas at this point? And once again: We do not filter outbound mail (only inbound via Postini). We have not configured any Transport rules concerning this person ( I just checked and see only ONE Transport rule which has nothing to do with him).

On Sat, 30 Oct 2010 15:34:06 +0000, Le Pivert wrote: > > >I want to follow up on Sembee's (Simon's) suggestion to attempt to connect to their mail server using TELNET now that I have installed the client. > >Here are my results. > >First, I tried with the IP address of their mail server but with no port specified (TELNET defaults to 23): > >C:\>telnet 205.178.149.7 Connecting To 205.178.149.7...Could not open connection to the host, on port 23: Connect failed > >Well, they probably have TELNET blocked... So let's try with the right port... > >C:\>telnet 205.178.149.7 25 > >220 cm-mr3 ESMTP ecelerity 2.2.2.41 r(31179/31189) Sat, 30 Oct 2010 11:17:29 -0400 421 4.4.2 service timed out. That's not unexpected. The IP address may not be the one that's associated with the "A" record returned from a recent DNS query. For example, when I ask for the A record for the name mail.networksolutionsemail.com I get IP address 205.178.146.50. >Now let's try with the FQDN of the mailserver (as displayed in TRACERT): > >C:\>telnet mail.networksolutionsemail.com 25 > >220 cm-mr3 ESMTP ecelerity 2.2.2.41 r(31179/31189) Sat, 30 Oct 2010 11:17:29 -0400 > >220 displays as above but telnet never seems to connect (nothing happens). Well, no, the next thing that's expected is for your client to say either "HELO yourservername.domain.com" or "EHLO yourservername.domain.com". IOW, they said "Hi", now the ball's in your court. >There is no: 421 4.4.2 service timed out. > >It's been a good minute. > >And finally: > >Connection to host lost. Since you're not going to speak (it's your turn) they drop the connection. That's entirely reasonable. >Let's try with the IP for the recipients email address (as displayed in tracert): > >C:\>telnet 205.178.x.x 25 Connecting To 205.178.x.x...Could not open connection to the host, on port 25: Connect failed > >And now with the FQDN: > >C:\telnet xxxxxxarchitects.com 25 > >Connecting to xxxxxxarchitects.com... Could not open connection to the host, on port 25: Connect failed. Is "xxxxxxarchitects.com" the name of the domain or the name of the server that accepts e-mail for the domain? IOW, did you find their MX record and get the name (or the IP address) of their mail server? --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

Is "xxxxxxarchitects.com" the name of the domain or the name of the server that accepts e-mail for the domain? IOW, did you find their MX record and get the name (or the IP address) of their mail server? The name of the domain. "mail.networksolutionsemail.com" would be the name of the server that accepts email for the domain I imagine. IOW, did you find their MX record and get the name (or the IP address) of their mail server? I think so. This would be in my previous posts where I run nslookup and tracert. That's where I obtained the information I use for the attempt to connect with Telnet. Well, no, the next thing that's expected is for your client to say either "HELO yourservername.domain.com" or "EHLO yourservername.domain.com". IOW, they said "Hi", now the ball's in your court. OK, have to try that then. Now, if they respond to my HELO, what would that prove with respect to the original problem?

When I click submit, why does it remove my spacing!!! The situation is frustrating enough as it is!

On Sun, 31 Oct 2010 22:10:02 +0000, Le Pivert wrote: >>Is "xxxxxxarchitects.com" the name of the domain or the name of the server that accepts e-mail for the domain? IOW, did you find their MX record and get the name (or the IP address) of their mail server? >The name of the domain. "mail.networksolutionsemail.com" would be the name of the server that accepts email for the domain I imagine. Well, you'd have to more certain than "I imagine". >>IOW, did you find their MX record and get the name (or the IP address) of their mail server? >I think so. This would be in my previous posts where I run nslookup and tracert. The only nslookup I saw was this: set type=MX > xxxxxxarchitects.com Server: dnsServer1.ourdomain.loc Address: 10.x.x.x Non-authoritative answer: xxxxxxarchitects.com MX preference = 10, mail exchanger = inbound.xxxxxxarchitects.com.namesecuremail.net inbound.xxxxxxarchitects.com.namesecuremail.net internet address = 205.178.x.x You've obliterated the useful information. If you want to obfuscate the domain name, try being creative, not destructive. Try something like this: d o m a i n < d o t > t l d or r e m o v e b l a n k s . d o m a i n t l d >That's where I obtained the information I use for the attempt to connect with Telnet. >>Well, no, the next thing that's expected is for your client to say either "HELO yourservername.domain.com" or "EHLO yourservername.domain.com". IOW, they said "Hi", now the ball's in your court. >OK, have to try that then. Now, if they respond to my HELO, what would that prove with respect to the original problem? So far, nothing. All you've done is connect to some intermediate host. You haven't sent any e-mail. A complete conversation would look like this: telnet <ip-address> 25 helo <your-server-name> mail from:<your@email.address> rcpt to:<their.user@theirdomain.tls> data From: your@email.address To: their.user@theirdomain.tld Subject: say something brilliant here Some something eve more brilliant here And maybe more here .. rset quit Note that you should NOT receive any status codes in the 4xx or 5xx range. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

On Sun, 31 Oct 2010 22:11:52 +0000, Le Pivert wrote: >When I click submit, why does it remove my spacing!!! The situation is frustrating enough as it is! HTML sux. Why MS chose to use web-based forums instead of reliable NNTP is their choice. It had something to do with people not being able to figure out how to use a NNTP newsreader, although I'm pretty sure it had mre to do with them wantong to get rid of public folders and not use something like *nix and real news server software. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

Hello Rich, Thanks for the advice. Well, you'd have to more certain than "I imagine". OK, let's start all over then. I'm going to run NSLOOKUP against the domain of the recipient in question (the recipient, not what I imagine his mailserver might be). ----------------------------------------------------------- nslookup [...] > set type=MX > architects.com Server: DC1.myDomain.loc Address: 10.0.0.10 Non-authoritative answer: architects.com MX preference = 10, mail exchanger = inbound.architects.com.namesecuremail.net ----------------------------------------------------------- That's right. That's all. I don't even get an IP address. Strange... Because when I tried several days ago, I obtained this: architects.com MX preference = 10, mail exchanger = inbound.architects.com.namesecuremail.net inbound.architects.com.namesecuremail.net internet address = 205.178.x.x What is underlined is now missing. And since my first post, I did not change ANYTHING on my server - other than installing and running the Telnet client as Simon suggested earlier. No MS updates, and no more outbound filtering than before (none), and no customized Transport Rules concerning this address (ever). So I have no IP to enter here: telnet <ip-address> 25 Otherwise, in the meantime, I am going to try to connect via TELNET using the FQDN above and see what happens.

OK, this is what happened (and here I typed as fast as I could but session timed out before I could continue the "conversation"). --------------------------------------------------------------------------- 220 cm-mr3 ESMTP ecelerity 2.2.2.41 r(31179/31189) Mon, 01 Nov 2010 16:06:30 -0400 HELO mail.mydomain.tld 250 cm-mr3 says HELO to 24.90.10.10:5260 421 4.4.2 service timed out. Connection to host lost. ------------------------------------------------------------------------- That took no more than 5 seconds. I only modified MY IP address and my domain name. EVERYTHING ELSE is simply copy and past from the cmd shell. ------------------------------------------------------------------------- Note that you should NOT receive any status codes in the 4xx or 5xx range. Well, as you can see, I did. First, am I proceeding correctly this time? If not, I'll make whatever corrections I need to so my posts are informative enough to resolve the issue. Second, any ideas?

Now I am going to attempt NSLOOKUP from outside our network - since the recepient claims that he does not have trouble receiving email from anyone anywhere else. That's right. A physically distinct line where my laptop will obtain an IP address from a dymanic range, distinct, here too, from the static range assigned to us by our ISP. Yes, the ISP is the same though in both cases. Note: we do not have trouble sending to anyone else. The person is a member of a committee and everyone else on the committee DOES receive the emails, attachments and all. Be back in a second!

Now I am going to attempt NSLOOKUP from outside our network - since the recepient claims that he does not have trouble receiving email from anyone anywhere else. That's right. A physically distinct line where my laptop will obtain an IP address from a dymanic range, distinct, here too, from the static range assigned to us by our ISP. Yes, the ISP is the same though in both cases. Note: we do not have trouble sending to anyone else. The person is a member of a committee and everyone else on the committee DOES receive the emails, attachments and all. Be back in a second! Just thought of something I want to clarify before moving to the other location: ALL the tests above have been performed from the mail server itself (albeit via Remote Desktop from my laptop).

Different location. Different IP. Same I-S-P (ISP). Same results. ------------------------------------------------------------------------ C:\>nslookup Default Server: dns-comm-cac-lb-01.nyroc.rr.com Address: 24.92.226.11 > set type=MX > architects.com Server: dns-comm-cac-lb-01.nyroc.rr.com Address: 24.92.226.11 Non-authoritative answer: architects.com MX preference = 10, mail exchanger = inbound.architects.com.namesecuremail.net

On Mon, 1 Nov 2010 20:02:58 +0000, Le Pivert wrote: >Hello Rich, Thanks for the advice. >>Well, you'd have to more certain than "I imagine". >OK, let's start all over then. I'm going to run NSLOOKUP against the domain of the recipient in question (the recipient, not what I imagine his mailserver might be). >----------------------------------------------------------- >nslookup [...] > set type=MX > architects.com >Server: DC1.myDomain.loc >Address: 10.0.0.10 >Non-authoritative answer: >architects.com MX preference = 10, mail exchanger = inbound.architects.com.namesecuremail.net >----------------------------------------------------------- >That's right. That's all. I don't even get an IP address. Strange... Because when I tried several days ago, I obtained this: >architects.com MX preference = 10, mail exchanger = inbound.architects.com.namesecuremail.net So "architects.com" is the real domain? If it is, I can see why they can't receive any e-mail --- from anyone! Non-authoritative answer: architects.com MX preference = 100, mail exchanger = mx1.architects.com mx1.architects.com internet address = 10.42.23.11 The 10.0.0.0/8 network isn't routable on the Internet. Here's the results of "dig", using bitsy.mit.edu as the DNS server: 11/01/10 22:01:17 dig architects.com @ bitsy.mit.edu Dig architects.com@b.ns.anything.com (66.114.124.148) ... failed, couldn't connect to nameserver Dig architects.com@a.ns.anything.com (66.114.124.147) ... failed, couldn't connect to nameserver Dig architects.com@bitsy.mit.edu (18.72.0.3) ... Non-authoritative answer Recursive queries supported by this server Query for architects.com type=255 class=1 architects.com A (Address) 66.114.124.140 architects.com MX (Mail Exchanger) Priority: 100 mx1.architects.com architects.com TXT (Text Field) Powered by http://cr.yp.to/djbdns.html architects.com SOA (Zone of Authority) Primary NS: a.ns.anything.com Responsible person: hostmaster@architects.com serial:1279842250 refresh:16384s (40 hours) retry:2048s (340 minutes) expire:1048576s (120 days) minimum-ttl:2560s (420 minutes) architects.com NS (Nameserver) a.ns.anything.com architects.com NS (Nameserver) b.ns.anything.com architects.com NS (Nameserver) a.ns.anything.com architects.com NS (Nameserver) b.ns.anything.com mx1.architects.com A (Address) 10.42.23.11 Again -- the "A" record for the mail exchanger in on the 10.0.0.0/8 networks. >inbound.architects.com.namesecuremail.net internet address = 205.178.x.x > >What is underlined is now missing. And since my first post, I did not change ANYTHING on my server - other than installing and running the Telnet client as Simon suggested earlier. No MS updates, and no more outbound filtering than before (none), and no customized Transport Rules concerning this address (ever). > >So I have no IP to enter here: telnet <ip-address> 25 > >Otherwise, in the meantime, I am going to try to connect via TELNET using the FQDN above and see what happens. The problem isn't yours to solve. They need to fix their DNS before doing anything else. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

On Mon, 1 Nov 2010 20:58:29 +0000, Le Pivert wrote: >Different location. Different IP. Same I-S-P (ISP). Same results. > >------------------------------------------------------------------------ > >C:\>nslookup Default Server: dns-comm-cac-lb-01.nyroc.rr.com Address: 24.92.226.11 > >> set type=MX > architects.com Server: dns-comm-cac-lb-01.nyroc.rr.com Address: 24.92.226.11 > >Non-authoritative answer: architects.com MX preference = 10, mail exchanger = inbound.architects.com.namesecuremail.net I don't know where the DNS server 24.92.226.11 got its information. Here's what I see, using the primary NS for the architects.com domain. First, get the name server records for the domain: > set q=ns > architects.com. Server: srvr005 Address: 192.168.1.25 Non-authoritative answer: architects.com nameserver = a.ns.anything.com architects.com nameserver = b.ns.anything.com a.ns.anything.com internet address = 66.114.124.147 b.ns.anything.com internet address = 66.114.124.148 Next, tell nslookup to use their DNS to do the lookups (they are, after all, authoritative for their own DNS zone -- notice that none of the answers below are "Non-authoritative", they come right from the source): > server 66.114.124.147 Default Server: [66.114.124.147] Address: 66.114.124.147 Verify the SOA agrees with the NS record for the primary DNS: > set q=soa > architects.com. Server: [66.114.124.147] Address: 66.114.124.147 architects.com primary name server = a.ns.anything.com responsible mail addr = hostmaster.architects.com serial = 1279842250 refresh = 16384 (4 hours 33 mins 4 secs) retry = 2048 (34 mins 8 secs) expire = 1048576 (12 days 3 hours 16 mins 16 secs) default TTL = 2560 (42 mins 40 secs) architects.com nameserver = a.ns.anything.com architects.com nameserver = b.ns.anything.com a.ns.anything.com internet address = 66.114.124.147 a.ns.anything.com internet address = 66.114.124.147 b.ns.anything.com internet address = 66.114.124.148 b.ns.anything.com internet address = 66.114.124.148 And now ask for their MX record: > set q=mx > architects.com. Server: [66.114.124.147] Address: 66.114.124.147 architects.com MX preference = 100, mail exchanger = mx1.architects.com architects.com nameserver = a.ns.anything.com architects.com nameserver = b.ns.anything.com mx1.architects.com internet address = 10.42.23.11 a.ns.anything.com internet address = 66.114.124.147 a.ns.anything.com internet address = 66.114.124.147 b.ns.anything.com internet address = 66.114.124.148 b.ns.anything.com internet address = 66.114.124.148 So, it's still 10.42.23.11. You're not going to send them any e-mail using that IP address unless you have a means to route to that private network (and they have a route back to your LAN). This isn't a problem you can fix. They (architects.com) need to get their DNS squared away. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

So "architects.com" is the real domain? If it is, I can see why they can't receive any e-mail --- from anyone! No. I was trying to be discrete with respect to the recipient and not posting their exact domain and IP address on a public forum. So much for my good intentions. You know where those get us. I had originally posted xxxxxxarchitects to mask the domain name, then simply shortened it to "architects". I had NO idea that you would try all kinds of tests on your end and now I'm just floored. I HATE to waste other people's time. Purely and simply horrified - You went to all that trouble... I don't see a PM option on this forum, so if I have to, I'll post the real domain.

I don't know where the DNS server 24.92.226.11 got its information. Here's what I see, using the primary NS for the architects.com domain. [...] Please see my post above...

If you are going to post munged information then you need to make it very clear that it is munged information. Otherwise people will presume it is the real domain. The most common cause of these kinds of issues are DNS related, and that means the information is public. Personally, given it is Network Solutions involved, and the recipient claims they can get email from everyone else, I think they are blocking you. That will be out of the control of the original recipient because they don't manage their own mail servers. It is a poor show from Network Solutions not to send back a decent NDR, but it doesn't surprise me based on previous experience with that company. Setup a second Send Connector for that domain and send it through your ISPs SMTP server as a smart host. Single domain issues are rarely worth spending much time on. Simon.Simon Butler, Exchange MVP Blog | Exchange Resources

The most common cause of these kinds of issues are DNS related, and that means the information is public. OK, the real domain is: hoffmanrileyarchitects.com Anyone want to try now? (said I somewhat sheepishly). Setup a second Send Connector for that domain and send it through your ISPs SMTP server as a smart host. We used Smart Hosts from the very beginning, until one day, several months ago, our outgoing email would... not go out. Our ISP told us to use simple DNS (first option on the pertinent tab - "Network" of the Send Connector properties) because they would not support the Smart Host option. Not sure if that makes sense, technically or otherwise, but that's what we were told. And when we changed the setting to DNS, the mail started flowing again. Those are the facts. So I doubt the Smart Hosts option would work for one domain if it had stopped working for any domain at one point in time. Now, if I could indicate another Smart Host than my ISP, that might work - but I doubt someone else it going to let me use them as a Smart Host just like that (???).

I see nothing wrong with that domain, so my previous comment about them blocking you is probably the case. It is unfortuante that the ISP has washed their hands of providing what I consider to be a basic service. There are third parties who offer the same service, but I notice above that you said that you are using Postini - any reason why you aren't routing email OUT through them as well? Simon.Simon Butler, Exchange MVP Blog | Exchange Resources

[...] but I notice above that you said that you are using Postini - any reason why you aren't routing email OUT through them as well? There was an additional cost for filtering outbound email and our budget was very tight (even back then, before more recent economic turmoil). Unless... as a Postini customer, we could simply route our outbound email through them as well (without the filtering option)? We have a very basic plan with them so I do not have a rep I could call. I think the best we could do is ask on a Google forum. Unless someone knows for a fact that this is an option?

On Wed, 3 Nov 2010 20:01:17 +0000, Le Pivert wrote: > > >The most common cause of these kinds of issues are DNS related, and that means the information is public. > >OK, the real domain is: > >hoffmanrileyarchitects.com > >Anyone want to try now? (said I somewhat sheepishly). Well, let's just say that the MTA for that domain is probably not waiting long enough for the EHLO\HELO command before it sends the 421 status. Check your outbound SMTP protcol log and see what's going on and how long it is between the connection and the HELO\EHLO being sent. If you can't figure that out, use a network monitor (WireShark is good) and you can alter the time display and filter on the connection to see the chronology of the connection. I don't think I've ever seen a 421 status sent that quickly after the 220 banner is sent. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

Rich, I believe SMTP Send Protocol logging (the one I'd be interested in) is disabled by default. Poster MJOLINOR (above) sent me a link on how to configure it. My idea: enable logging and attempt to send a message to the recipient in question. That should capture the communication between the two parties. But how long afterwards should I let it run? 1 hour should do, right? I do see it uses circular logging, so if I use the default size settings I should not have a disk space problem. Otherwise, I have used Wireshark a bit, so I could try that too/instead. Thank you once again for your expert assistance!

On Thu, 4 Nov 2010 20:25:08 +0000, Le Pivert wrote: >I believe SMTP Send Protocol logging (the one I'd be interested in) is disabled by default. It is. It's not enabled on the receive connectors, either. >Poster MJOLINOR (above) sent me a link on how to configure it. > >My idea: enable logging and attempt to send a message to the recipient in question. Okay. >That should capture the communication between the two parties. Yes, it will. >But how long afterwards should I let it run? 1 hour should do, right? The answer is "forever". Why not capture the information all the time you'll need to find problems? >I do see it uses circular logging, so if I use the default size settings I should not have a disk space problem. You can adjust the log file size and the directory size and the retention period for the log files. See the "set-transportserver" cmdlet. >Otherwise, I have used Wireshark a bit, so I could try that too/instead. If you're down to needing to see the time between data packets you'll need a tool to capture packets. Wireshark is free and pretty easy to use. >Thank you once again for your expert assistance! --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

This is the response from name secure to our inquiry. We have failed to get email to this guy using a GMAIL account - namesecure just responds (truthfully or not) that they have no problem. And what is the nonsense about configuring our server to communicate properly with theirs. They won't tell us what ot do because it's a secret. I am sorry to hear that you were experiencing issues with sending to Name Secure mailbox from exchange server. 1. The traceroute and other tests failed to the domain hoffmanrileyarchitects.com because that is the website and not email. You would need to traceroute mail.hoffmanrileyarchitects.com 2. I am able to send to address from Gmail without issue. 3. Our server have a security feature that the sending server is not responding appropriately to. The sender needs to contact server manufacturer to further troubleshoot how to configure their server to respond to a secure server. Due to security restrictions we are not able to disclose how this feature works. It is the responsibility of the server administrator to configure the sending server accordingly. This issue only occurs when sending from an Exchange server using the default configurations.