Emails blocked from an automated system
We have a few clients that send us automated emails from an address such as ghto@system1.company.com. Our Exchange server doesn't let them through. When I run an email validity test online it fails, because you can't send email to this address.
Now I know the address is valid, but how do I get Exchange to allow them through?
We are still in the midst of a cutover to Exchange 2010, so I still have Exchange 2003 in the mix. I do all my block and exceptions still on the Exchange 2003 box. I've added the particular address and a wildcard entry for the domain, but they still can't get through.
Am I missing something on this particular setup? Once I install the Edge Transport in our organization and pull out Exchange 2003, will I have more success? More options maybe?
March 19th, 2012 12:50pm
What does message tracking say? Is the Exchange recipient a user or a group? Does the Exchange recipient have any restrictions on who it can only receive email from? If it's a group, is it set to require all senders are authenticated?
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 19th, 2012 12:57pm
I'm not seeing much in the message tracking. The recipient is a user with no restrictions for who he can receive email from.
Here is the bounce back message the other side is receiving. It's very confusing because of all the different names. At what point do you say it truly is the other end?
Diagnostic information for administrators:
Generating server: z10.zixworks.com #this is their server generating the message.
mail.ourcompany.com #<mail.ourcompany.com #5.7.1 smtp; 550 5.7.1 Sender ID (PRA) Domain Does Not Exist> #SMTP#
Original message headers:
Received: from vmv.z10.company.com (ZixVPM [127.0.0.1])
by Outbound.z10.company.com (Proprietary) with ESMTP id 863ED4BCFC
for <user@ourcompany.com>; Fri, 10 Feb 2012 13:10:07 -0600 (CST)
Received: from ghto.system1@company.com (ghto.system1@company.com
[30.x.x.x])
by fx3.company.com (Postfix) with SMTP id B9CF578098;
Fri, 10 Feb 2012 13:10:03 -0600 (CST)
Date: Fri, 10 Feb 2012 14:10:03 -0500
Subject: Letter
From: ghto.system1@company.com
Sender: ghto.system1@company.com
To: user@ourcompany.com
X-Mailer: 9.02.02M3P041310
MIME-Version: 1.0
Content-Type: text/plain
March 19th, 2012 2:18pm
Looks like you are blocking their domain because they don't have a Sender ID SPF record. You need to add an exception for their domain.
http://www.allspammedup.com/2009/01/managing-whitelists-and-blocklists-for-exchange-server-environments/
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 19th, 2012 2:29pm
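Added example, not part of the original thread: Sender ID evaluates the Purported Responsible Address (PRA), which RFC 4407 derives from the message headers. This Python sketch applies that selection order to the headers of the first bounce quoted in this thread, to show which domain the "Sender ID (PRA) Domain Does Not Exist" rejection refers to. The function names are illustrative, and the FQDN test is a simplification of the RFC's malformed-mailbox check.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers copied from the first bounce in this thread (header folding restored).
BOUNCE_HEADERS = """\
Received: from vmv.z10.company.com (ZixVPM [127.0.0.1])
 by Outbound.z10.company.com (Proprietary) with ESMTP id 863ED4BCFC
 for <user@ourcompany.com>; Fri, 10 Feb 2012 13:10:07 -0600 (CST)
Date: Fri, 10 Feb 2012 14:10:03 -0500
Subject: Letter
From: ghto.system1@company.com
Sender: ghto.system1@company.com
To: user@ourcompany.com
"""

def _single_mailbox(value):
    """Return the address if the header holds exactly one mailbox with an FQDN domain."""
    addrs = [a for _, a in getaddresses([value]) if a]
    if len(addrs) != 1 or "@" not in addrs[0]:
        return None
    domain = addrs[0].rsplit("@", 1)[1]
    return addrs[0] if "." in domain.strip(".") else None

def purported_responsible_address(raw_headers):
    """RFC 4407 selection order: Resent-Sender, Resent-From, Sender, From."""
    items = [(k.lower(), v.strip()) for k, v in message_from_string(raw_headers).items()]
    names = [k for k, _ in items]
    def nonempty(name):
        return [i for i, (k, v) in enumerate(items) if k == name and v]
    rs, rf = nonempty("resent-sender"), nonempty("resent-from")
    if rs:
        # Step 1: Resent-Sender wins unless an earlier Resent-From is separated
        # from it by a Received/Return-Path line (a different resend hop).
        if not (rf and rf[0] < rs[0] and
                any(n in ("received", "return-path") for n in names[rf[0]:rs[0]])):
            return _single_mailbox(items[rs[0]][1])
    if rf:                                    # step 2
        return _single_mailbox(items[rf[0]][1])
    for name in ("sender", "from"):           # steps 3 and 4
        found = nonempty(name)
        if len(found) > 1:
            return None                       # ill-formed: duplicate header
        if found:
            return _single_mailbox(items[found[0]][1])
    return None

def pra_domain(raw_headers):
    pra = purported_responsible_address(raw_headers)
    return pra.rsplit("@", 1)[1].lower() if pra else None
```

For the bounce in this thread the PRA comes from the Sender: header, so the domain being tested is company.com.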
Aha! That makes total sense! That's an excellent link too. So with that being said, I can't really do anything about it until I bring up my Edge Transport server and completely retire Exchange 2003, is that correct? I don't have any anti-spam components in our Exchange 2010 environment. All anti-spam features are currently being carried out by our Exchange 2003 box.
March 19th, 2012 2:56pm
Ahh, for 2003 try this link for the exception.
http://exchangepedia.com/2006/12/imf-wheres-the-whitelist.html
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 19th, 2012 3:09pm
This will also help until I can successfully retire Exchange 2003. Thank you very much!!! Much appreciated!
March 19th, 2012 4:17pm
I followed the instructions from the 2003 link for setting up a Global Accept and Deny List Configuration. Bounce back message shown below. At what point do you say the other side is the problem? I hate having to point fingers, but at this point I've added the other side's external IP address to a whitelist and they are still getting a bounce back message.
Diagnostic information for administrators:
Generating server: CH1MMR1-001.057d.mgd.mfts.net
mailto:jim.bob@ourcompany.com
#550 5.1.3 STOREDRV.Submit; invalid recipient address #SMTP#
Original message headers:
Received: from CH1MMR1-001.057d.mgd.mfts.net ([169.254.2.60]) by
CH1MMR1-001.057d.mgd.mfts.net ([202.27.52.10]) with mapi id
14.01.0355.003; Tue, 20 Mar 2012 13:02:35 -0500
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
From: "Jones, Tom" <Tom.Jones@company.com>
To: "mailto:jim.bob@ourcompany" <jim.bob@ourcompany.com>
Subject: Test eMail FAILED - from Tom Jones at OtherCompany
Thread-Topic: Test eMail FAILED - from Tom Jones at OtherCompany
Thread-Index: AQHNBsOhv+Y7ru21o0qTgBvtfdO0eQ==
Date: Tue, 20 Mar 2012 13:02:35 -0500
Message-ID: <D7B3F73629E58447ADB8241B19F9175F0318BFDB@056-CH1MMR1-001.057d.mgd.mfts.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator: <D7B3F73629E58447ADB8241B19F9175F0318BFDB@CH1MMR1-001.057d.mgd.mfts.net>
MIME-Version: 1.0
X-Originating-IP: [10.20.30.40]
March 20th, 2012 7:21pm
Who is
Generating server: CH1MMR1-001.057d.mgd.mfts.net
Is this your server or theirs? If it's their server that's generating the NDR for them with invalid recipient, then it's something local to their system; perhaps they have an invalid contact for your recipient.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 20th, 2012 11:28pm
The generating server CH1MMR-1-001.057d.mgd.mfts.net is on their end. They are sending to the correct address, yet they say I'm the one that's rejecting the email.
March 21st, 2012 12:19pm
I don't think the message was submitted to their Exchange store and their Exchange store denied it right away. Usually this can happen if their user has a bad contact for bob@ourcompany.com in their address book or possibly using a mail merge. You can tell this is the case if you look at the header; it shows the "mailto":
To: "mailto:jim.bob@ourcompany" <jim.bob@ourcompany.com>
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 22nd, 2012 3:16pm
I know they are using a 3rd party for encryption from Zix Corp (http://www.zixcorp.com/privacy-policy/). I strongly feel this is the problem, because if they don't send from that automated system, the emails come through no problem.
March 22nd, 2012 5:40pm