Bounce Messages
I am seeing some odd bounce messages to email sent from an Exchange 2007 server. If a user sends a message to
john.doe@abc.com, an error comes back stating:
john.doe@abc.com
def.com #550 5.1.1 <john.doe@abc.com> User unknown; rejecting ##
Where does the def.com come from? I checked the MX record for abc.com and everything looks fine (preference 10 points to mail.abc.com and preference 50 points to another server that isn't def.com). The recipient does exist on the abc.com domain
so I don't understand the rejection. Any suggestions? I have no idea what kind of server is at abc.com but it looks like the email is not getting there anyway.
Bert
August 16th, 2011 3:42am
def.com is the server that reported the error. The message was never accepted by abc.com.
August 16th, 2011 4:47am
Why would def.com report the error, though? If abc.com is the receiving server and it rejects the message, shouldn't the error message come from abc.com?
Bert
August 16th, 2011 4:54am
Hi Penney,
Do you have the same issue when you send email to other domains?
If the issue just happens when the users send emails to this domain, please post some information about the delivery, such as smtp log.
It may also be caused by the recipient side blocking your server/IP through some gateway or third-party gateway.
Regards!
gavin
TechNet Subscriber Support
in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if
a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 16th, 2011 11:22am
> Why would def.com report the error, though? If abc.com is the receiving server and it rejects the message, shouldn't the error message come from abc.com?
> Bert
Because abc.com is doing recipient filtering and rejected the message before it was accepted.
The message is going through def.com and def.com connects to abc.com and says:
"Hey I have a message for john.doe@abc.com"
Abc.com replies: "I don't have anyone named john.doe@abc.com"
Def.com then bounces back the message to you "Sorry, no one there named john.doe@abc.com"
August 16th, 2011 1:55pm
Gavin - Yes, this happens with other domains. I will find the smtp log and upload it later.
Andy - The problem is that this seems to be intermittent. Sometimes, the email goes through. How can you tell if the initial connection to abc.com is actually through def.com? I checked the MX records and both domains have entries which are different. If both domains had the same ip address, then it would be obvious that one of them is filtered by the other but that is not the case. Also, the email from other domains - such as gmail or hotmail - does get through.
Bert
August 16th, 2011 2:31pm
Here's the complete SMTP log (doctored). I hope I didn't delete anything important....
Delivery has failed to these recipients or distribution lists:
John Doe
The recipient's e-mail address was not found in the recipient's e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your
system administrator.
Joe Doe
The recipient's e-mail address was not found in the recipient's e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your
system administrator.
Mark Doe
The recipient's e-mail address was not found in the recipient's e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your
system administrator.
The following organization rejected your message: def.com.
________________________________________
Sent by Microsoft Exchange Server 2007
Diagnostic information for administrators:
Generating server: ServerEX1.domaina.mydomain.com
john.doe@abc.com
def.com #550 5.1.1 <john.doe@abc.com> User unknown; rejecting ##
joe.doe@abc.com
def.com #550 5.1.1 <joe.doe@abc.com> User unknown; rejecting ##
mark.doe@abc.com
def.com #550 5.1.1 <mark.doe@abc.com> User unknown; rejecting ##
Original message headers:
Received: from ServerEX1.domaina.mydomain.com ([fe80::6891:9027:711c:eaa1])
by ServerEX1.domaina.abc.com ([fe80::6891:9027:711c:eaa1%10]) with
mapi; Mon, 15 Aug 2011 08:42:12 -0600
From: "User, Local" <local.user@mydomain.com>
To: John Doe <john.doe@abc.com>
CC: Joe Doe <joe.doe@abc.com>, "Mark
Doe" <mark.doe@abc.com>, "User, Local2"
<local2.user@mydomain.com>
Return-Receipt-To: <local.user@mydomain.com>
Date: Mon, 15 Aug 2011 08:42:10 -0600
Subject: RE: glycol parts
Thread-Topic: glycol parts
Thread-Index: AcxH78qEizFyYHAqRla7BEMKcIA0QwC5msJwA2wiVKAAtJd6gA==
Message-ID: <FC81ED7A4AC96044A4B7EA5289A7EB050428B71C2D04@ServerEX1.domaina.mydomain.com>
References: <111AF9FA390D9446B4A66373CF42E9196158A9734C@WESTSD-SVR-101.abc.local>
<FC81ED7A4AC96044A4B7EA5289A7EB050428B709E3F3@ServerEX1.domaina.mydomain.com>
<111AF9FA390D9446B4A66373CF42E919774CC20477@WESTSD-SVR-101.abc.local>
In-Reply-To: <111AF9FA390D9446B4A66373CF42E919774CC20477@WESTSD-SVR-101.abc.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-tm-as-product-ver: SMEX-10.0.0.1459-6.800.1017-18324.007
x-tm-as-result: No--50.356800-5.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/related;
boundary="_004_FC81ED7A4AC96044A4B7EA5289A7EB050428B71C2D04ServerEX1al_";
type="multipart/alternative"
MIME-Version: 1.0
August 16th, 2011 2:59pm
> Gavin - Yes, this happens with other domains. I will find the smtp log and upload it later.
> Andy - The problem is that this seems to be intermittent. Sometimes, the email goes through. How can you tell if the initial connection to abc.com is actually through def.com? I checked the MX records and both domains have entries which are different. If both domains had the same ip address, then it would be obvious that one of them is filtered by the other but that is not the case. Also, the email from other domains - such as gmail or hotmail - does get through.
> Bert
You would have to check the SMTP protocol log.
By the way, what is def.com? A server you control? A smarthost? ISP server?
August 16th, 2011 4:14pm
> Here's the complete SMTP log (doctored). I hope I didn't delete anything important....
That is the header from the message, I believe Gavin is referring to the actual SMTP protocol log.
August 16th, 2011 4:15pm
> You would have to check the SMTP protocol log.
> By the way, what is def.com? A server you control? A smarthost? ISP server?
I have no idea what def.com is. No, I don't control that domain, either.
Bert
August 16th, 2011 4:55pm
> That is the header from the message, I believe Gavin is referring to the actual SMTP protocol log.
My mistake. Sorry. I will see if I can get the protocol log, then.
Bert
August 16th, 2011 4:57pm
It appears that logging was not turned on at the time of the message in this thread. It is now, but that doesn't help resolve this issue. Is there anything else I can do to figure out what is happening here?
Thanks
Bert
August 17th, 2011 5:39am
> It appears that logging was not turned on at the time of the message in this thread. It is now, but that doesn't help resolve this issue. Is there anything else I can do to figure out what is happening here?
> Thanks
> Bert
Resend the message and see if it happens again?
If your server is handing off the message through this def.com server and you have no control of that server, the protocol logs may not be useful, but worth checking.
August 17th, 2011 5:42am
I have a bunch more but I am getting a bit confused. An email is sent to one domain but the MX record has entries for another domain and the bounce message originates from a third domain. So, how do you find out who or what is rejecting the email?
Bert
August 19th, 2011 3:42am
On Fri, 19 Aug 2011 00:42:29 +0000, Penney wrote:
>I have a bunch more but I am getting a bit confused. An email is sent to one domain but the MX record has entries for another domain and the bounce message originates from a third domain. So, how do you find out who or what is rejecting the email?
You look at the domain registration information and contact the people
that manage it.
---
Rich Matheisen
MCSE+I, Exchange MVP
August 19th, 2011 5:04am
Manage which domain? The one the email is sent to, the one listed as the MX record or the one that the bounce message comes from?
Also, is it safe to say that the domain listed as the MX destination is an anti-spam server for the domain the email is destined for? I checked the logs and as far as I can tell, the domain listed as the MX did accept the email without any error.
Since the bounce came from a 3rd domain, is it safe to say that the "MX" domain forwarded the email onto the 3rd domain for further processing? If so, what processing would it be doing?
Bert
August 19th, 2011 5:23am
Hi Penney,
Did you check the smtp log?
Per your description, it seems there is some issue with the domain resolving step.
How about changing your DNS server for resolving the external domain?
Or, maybe some virus issue with your server.
Could you please check your outbound email flow, any other server or third party server involved?
Regards!
Gavin
August 19th, 2011 6:03am
I checked the log and it seems like the email in question went through without a problem. I also ran nslookup on the Exchange server to verify DNS functionality and it gave me the same results that I got when running it on my own equipment. So
far, I can see no problem with the outgoing flow for this particular message and I can see no tie to the domain that sent the bounce message. I am trying to ferret that out now but I don't have anything further on it yet.
BTW: The bounce message seems to have come back something like 45 minutes after the message was sent - assuming I am reading everything correctly.
Bert
August 19th, 2011 6:10am
I don't know if this is going to help or confuse the issue but I started checking another failed message and I get a completely different scenario. When I checked the MX record for the recipient's domain, it was the same domain. However, when I checked the SMTP log to see what happened, the ip address that the Exchange box connected to was not the same as the ip address listed for the MX record and the server name was different. When the Exchange box sent the "RCPT TO:" command, the receiving server responded with a "250 OK" followed by a "550 relay not permitted". The bounce message for this email lists relay not permitted as the error, as you would expect. What I don't understand is why the Exchange box connected to that ip address in the first place. Where did it come from? It's definitely not listed as the MX record's ip address although it is fairly close (connected to a server with a first octet of 64 while the MX query says the first octet is 66).
Bert
August 19th, 2011 6:33am
Hi Bert,
Which public DNS server are you using? How about changing it and then running some tests?
If the log looks fine, I think the issue is not caused by your side, if you have not relayed your emails through another server.
Regards!
Gavin
August 19th, 2011 6:43am
On Fri, 19 Aug 2011 02:23:41 +0000, Penney wrote:
>Manage which domain? The one the email is sent to, the one listed as the MX record or the one that the bounce message comes from?
Start with the domain to which the message was sent. In your example,
that would be abc.com. They should be able to tell you where the
message went.
Your server should only be sending the message to the machines
mentioned in the MX record. If the message went to some other machine
then there's a DNS problem, usually on your side.
>Also, is it safe to say that the domain listed as the MX destination is an anti-spam server for the domain the email is destined for?
No. The only assumption is that it is an MTA for the domain.
>I checked the logs and as far as I can tell, the domain listed as the MX did accept the email without any error. Since the bounce came from a 3rd domain, is it safe to say that the "MX" domain forwarded the email onto the 3rd domain for further processing?
In a very general sense, yes.
>If so, what processing would it be doing?
Perhaps the domain def.com is an internal domain that's part of their
e-mail system? Or the mailbox (or MTA) is redirecting the message? All
anyone except the people that manage the abc.com domain can do is
speculate about the processing. If you're content to speculate then
please continue doing so. If you're interested in finding out what
happened, then contact the admins at abc.com and ask.
---
Rich Matheisen
MCSE+I, Exchange MVP
August 20th, 2011 4:57am
On Fri, 19 Aug 2011 03:33:52 +0000, Penney wrote:
>I don't know if this is going to help or confuse the issue but I started checking another failed message and I get a completely different scenario. When I checked the MX record for the recipient's domain, it was the same domain. However, when I checked the SMTP log to see what happened, the ip address that the Exchange box connected to was not the same as the ip address listed for the MX record and the server name was different.
What about the "A" record for the domain? If your server cannot get
an IP address using the MX record it'll try the "A" record.
---
Rich Matheisen
MCSE+I, Exchange MVP
August 20th, 2011 5:00am
I just marked Gavin's reply as the answer. I don't know why I didn't think of it earlier, but after reading Gavin's reply I decided to verify the configuration of the Exchange box. I found that, for some reason, it was configured with two internal
DNS servers and four external ones. I had the four external ones removed from the config and everything seems to be fine - at least for now. I guess it is safe to assume that at least one of those external DNS servers is corrupt.
Thanks everyone for your input.
Bert
August 20th, 2011 10:05am
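
The comparison done by hand in this thread (which IP the Exchange box actually connected to versus the hosts the MX record names) can be scripted over the SMTP Send protocol log. This is an added example, not part of the original thread: the log lines, IP addresses and the `EXPECTED_MX_IPS` table are constructed, and it assumes the log carries a `#Fields:` header naming `session-id`, `remote-endpoint`, `event` and `data` columns.

```python
import csv
import re

# Constructed sample in the CSV layout of an SMTP Send protocol log.
# Hosts and IPs are documentation values, not data from the thread.
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2011-08-19T03:10:02Z,Internet,S1,1,192.0.2.5:4021,198.51.100.10:25,>,RCPT TO:<john.doe@example.net>,
2011-08-19T03:10:02Z,Internet,S1,2,192.0.2.5:4021,198.51.100.10:25,<,250 OK,
2011-08-19T03:20:02Z,Internet,S2,1,192.0.2.5:4090,203.0.113.77:25,>,RCPT TO:<mark.doe@example.net>,
2011-08-19T03:20:02Z,Internet,S2,2,192.0.2.5:4090,203.0.113.77:25,<,250 OK,
2011-08-19T03:20:03Z,Internet,S2,3,192.0.2.5:4090,203.0.113.77:25,<,550 relay not permitted,
"""

# Assumption: MX host IPs per recipient domain, looked up by hand
# (for example with nslookup) against a resolver you trust.
EXPECTED_MX_IPS = {"example.net": {"198.51.100.10"}}
RCPT_RE = re.compile(r"RCPT TO:\s*<([^>]+)>", re.IGNORECASE)


def parse_sessions(log_text):
    """Group rows by session-id: remote IP, RCPT TO addresses, 4xx/5xx replies."""
    fields, sessions = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, next(csv.reader([line]))))
        s = sessions.setdefault(rec["session-id"],
                                {"remote_ip": None, "rcpts": [], "errors": []})
        if rec.get("remote-endpoint"):  # "ip:port" -> "ip", IPv6 brackets dropped
            s["remote_ip"] = rec["remote-endpoint"].rsplit(":", 1)[0].strip("[]")
        data = rec.get("data", "")
        m = RCPT_RE.match(data)
        if rec.get("event") == ">" and m:        # command sent by our server
            s["rcpts"].append(m.group(1).lower())
        elif rec.get("event") == "<" and data[:1] in ("4", "5"):
            s["errors"].append(data)             # temporary or permanent failure
    return sessions


def audit(log_text, expected_mx_ips):
    """List (session, recipient, remote IP, errors) sent outside the expected MX set."""
    findings = []
    for sid, s in parse_sessions(log_text).items():
        for rcpt in s["rcpts"]:
            allowed = expected_mx_ips.get(rcpt.rsplit("@", 1)[-1])
            if allowed is not None and s["remote_ip"] not in allowed:
                findings.append((sid, rcpt, s["remote_ip"], s["errors"]))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, EXPECTED_MX_IPS))
```

A flagged session means the sending server resolved the recipient domain to a host that the trusted lookup does not list, so the resolvers configured on the sending server are the first thing to compare.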