Particular recipient cannot receive mail from our organization
Context: Exchange 2007 SP2 running on Windows 2008 SP2. Outlook 2007 SP2 and OWA (IE7) clients
-----------------------------
To our knowledge we can deliver mail to all our correspondents... except the person in question.
This person could receive mail from us until about a month ago.
Since we only send them a message every week or so, it was not noticed immediately.
So, YES, this did work at one time. Non-delivery has been occurring only for the last month.
This person says he can receive email from everyone else. And once again, no one else has NOT been able to receive our messages.
This is the message that the sender receives, notifying them the message could not be delivered. That's all we have for a clue:
Delivery is delayed to these recipients or distribution lists:
This message has not yet been delivered. Microsoft Exchange will continue to try delivering the message on your behalf.
Delivery of this message will be attempted until 10/29/2010 4:35:30 PM (GMT-05:00) Eastern Time (US & Canada). Microsoft Exchange will notify you if the message can't be delivered by
that time.
We do not filter outbound mail (only inbound via Postini).
We have not configured any Transport rules concerning this person ( I just checked and see only ONE Transport rule which has nothing to do with him).
I am going to see if the "Mail Flow Troubleshooter" offers any other clues.
What else could I do?
October 28th, 2010 9:05am
Mail Flow Troubleshooter was useless.
After entering the sender email address and the address of the recipient, and pressing NEXT, the MFT informed me that:
- IPv6 Protocol not supported.
- Network Adapter IVv6 address not supported.
Is this because I never bothered to assign a static IPv6 to the mail server?
Note: I chose the option - Messages destined to some recipients are delayed or not recieved by some recipients.
Free Windows Admin Tool Kit Click here and download it now
October 28th, 2010 9:21am
The original NDR that you have posted is a delay message. Close to useless for diagnostics.
If you look in the queue viewer it may well give you an error code.
This may well turn in to finger pointing. Both sides say they can receive email from everyone else, therefore it must be your (the other side) problem.
You need to verify that you are getting MX records for the recipients domain, using nslookup from the Exchange server itself.
Then attempt to connect to them on port 25 using telnet. If that fails, do a tracert. It could be a routing issue. It could be that the remote side has blocked messages from your IP address for some reason.
Simon.Simon Butler, Exchange MVP
Blog |
Exchange Resources
October 28th, 2010 9:28am
Protocol logs will be more useful than message tracking logs. If you don't have it enabled, enable verbose protocol logging on the send connector and see what that tells you.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
Free Windows Admin Tool Kit Click here and download it now
October 28th, 2010 9:50am
The original NDR that you have posted is a delay message. Close to useless for diagnostics.
Yet, this is the only error message we obtain.
If you look in the queue viewer it may well give you an error code.
4514.4.0 DNS query failed
You need to verify that you are getting MX records for the recipients domain,
using nslookup from the Exchange server itself. > YES
> set type=MX
> xxxxxxarchitects.com
Server: dnsServer1.ourdomain.loc
Address: 10.x.x.x
Non-authoritative answer:
xxxxxxarchitects.com MX preference = 10, mail exchanger = inbound.xxxxxxarchitects.com.namesecuremail.net
inbound.xxxxxxarchitects.com.namesecuremail.net internet address = 205.178.x.x
Then attempt to connect to them on port 25 using telnet. If that fails, do a tracert.
I do not have a Telnet client installed, but, of course, I can install one. I did go ahead and run a tracert. Once by IP, once by domain name. The 1st is successfull and the second fails. I will post that shortly - have to go somewhere now!
October 28th, 2010 3:02pm
You should get a fatal failure message, unless you have something on the network that is preventing those being seen by the users.
The Telnet Client can be installed from Windows Features, it is very useful to have as a diagnostics tool. Have you configured external DNS on the Send Connector? If so, remove them, as that can cause problems.
If the tracert fails by domain name, then that would tend to point to DNS being the issue. However that should also mean the nslookup would fail.
Try changing the DNS server you are using in nslookup to something public like the OpenDNS servers (server resolver1.opendns.com) and then test again. Ensure that you get the same results.
Simon.Simon Butler, Exchange MVP
Blog |
Exchange Resources
Free Windows Admin Tool Kit Click here and download it now
October 28th, 2010 3:16pm
http://technet.microsoft.com/en-us/library/bb851512(EXCHG.80).aspx ..
Would be helpful
October 28th, 2010 3:22pm
http://technet.microsoft.com/en-us/library/bb851512(EXCHG.80).aspx ..
Would be helpful
http://support.microsoft.com/kb/976108
Free Windows Admin Tool Kit Click here and download it now
October 28th, 2010 3:23pm
First, since I said I would post tracert results "shortly", I'm going to be good to my word on that:
C:\>tracert 205.178.149.7
Tracing route to mail.networksolutionsemail.com [205.178.149.7]
over a maximum of 30 hops:
[...]
5 17 ms 15 ms 16 ms ae-0-11.bar2.boston1.level3.net [4.69.140.90]
6 20 ms 18 ms 18 ms ae-8-8.ebr1.newyork1.level3.net [4.69.140.98]
7 21 ms 21 ms 20 ms ae-4-4.ebr1.newyork2.level3.net [4.69.141.18]
8 19 ms 70 ms 21 ms ae-1-51.edge1.newyork2.level3.net [4.69.138.194]
9 22 ms 26 ms 34 ms er1-tengig-8-3.NewYork.savvis.net [208.174.224.133]
10 83 ms 71 ms 71 ms cr2-tengig-0-15-4-0.NewYork.savvis.net [204.70.198.17]
11 28 ms 26 ms 27 ms cr1-pos-0-0-0-0.Washington.savvis.net [204.70.192.1]
12 28 ms 25 ms 27 ms hr1-tengig-2-0-0.sterling2dc2.savvis.net [204.70.197.74]
13 25 ms 25 ms 25 ms 64.58.94.114
14 27 ms 27 ms 25 ms edg-r-01-vlan11.net.dc2.netsol.com [205.178.191.10]
15 27 ms 26 ms 24 ms 205.178.182.9
16 25 ms 26 ms 28 ms mail.networksolutionsemail.com [205.178.149.7]
Trace complete.
So, that works fine (Trace complete).
C:\>tracert xxxxxxarchitects.com
Tracing route to xxxxxxarchitects.com [205.178.190.x] over a maximum of 30 hops:
(NOTE: YES, IP IS DIFFERENT HERE, SEE ABOVE - trying to be as discreet as possible - while providing useful info)
[...]
5 14 ms 15 ms 16 ms ae-0-11.bar2.boston1.level3.net [4.69.140.90]
6 22 ms 49 ms 36 ms ae-8-8.ebr1.newyork1.level3.net [4.69.140.98]
7 27 ms 24 ms 24 ms ae-4-4.ebr1.newyork2.level3.net [4.69.141.18]
8 20 ms 18 ms 25 ms ae-1-51.edge1.newyork2.level3.net [4.69.138.194]
9 31 ms 31 ms 22 ms er1-tengig-8-3.NewYork.savvis.net [208.174.224.133]
10 90 ms 25 ms 65 ms cr1-tengig-0-8-3-0.NewYork.savvis.net [204.70.198.13]
11 28 ms 28 ms 29 ms cr1-tengig-0-15-0-0.Washington.savvis.net [204.70.196.101]
12 27 ms 28 ms 28 ms hr1-tengig-2-0-0.sterling2dc2.savvis.net [204.70.197.74]
13 31 ms 29 ms 28 ms 64.58.94.114
14 141 ms 55 ms 195 ms edg-r-01-vlan10.net.dc2.netsol.com [205.178.191.2]
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
[...]
30 * * * Request timed out.
So tracert stops at 14. Looks like that could be an Edge server (EDG-R-01) ???
So there's my tracert info.
October 29th, 2010 8:58am
You should get a fatal failure message, unless you have something on the network that is preventing those being seen by the users.
Nothing I configured intentionally to this effect.
All Inbound SMTP traffic is filtered by Postini.
All inbound ports on perimeter firewall closed, except 25 (Postini IP addresse range only) and 443 (for OWA, OUtlook Anywhere, etc.).
Have you configured external DNS on the Send Connector? If so, remove them, as that can cause problems.
If you mean "Use external DNS lookup settings on the transport server", then no.
We do use DNS rather than "Smart Hosts" because our ISP does not support them (or so they said - they specifically told us to use DNS instead of Smart Hosts, that's all I can tell you).
Try changing the DNS server you are using in nslookup to something public like the OpenDNS servers (server resolver1.opendns.com) and then test again.
Not sure how to do this. I see one of my domain controllers / DNS servers comes up by default, but I don't know how to change the resolving DNS server to something else. I can google though.
Free Windows Admin Tool Kit Click here and download it now
October 29th, 2010 9:06am
You should get a fatal failure message, unless you have something on the network that is preventing those being seen by the users.
Nothing I configured intentionally to this effect.
All Inbound SMTP traffic is filtered by Postini.
All inbound ports on perimeter firewall closed, except 25 (Postini IP addresse range only) and 443 (for OWA, OUtlook Anywhere, etc.).
Have you configured external DNS on the Send Connector? If so, remove them, as that can cause problems.
If you mean "Use external DNS lookup settings on the transport server", then no.
We do use DNS rather than "Smart Hosts" because our ISP does not support them (or so they said - they specifically told us to use DNS instead of Smart Hosts, that's all I can tell you).
Try changing the DNS server you are using in nslookup to something public like the OpenDNS servers (server resolver1.opendns.com) and then test again.
OK - I had a second to re-read this and now see how you change the server. This is what I obtained using OpenDNS:
C:\>nslookup
Default Server: xxx.xxx.xxx
Address: x.x.x.x
> server resolver1.opendns.com
Default Server: resolver1.opendns.com
Address: 208.67.222.222
> set type=MX
> xxxxxxarchitects.com
Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
xxxxxxarchitects.com MX preference = 10, mail exchanger = inbound.xxxxxxarchitects.com.namesecuremail.net
-------------------------------------------
So my DNS server gives me the last part with the internet address at the end. Otherwise they are the same:
Non-authoritative answer:
xxxxxxarchitects.com MX preference = 10, mail exchanger = inbound.xxxxxxarchitects.com.namesecuremail.net
inbound.xxxxxxarchitects.com.namesecuremail.net internet address = 205.178.x.x
October 29th, 2010 9:06am
Khoj Sahiwala,
Thank you for the links.
However, we do not use an Edge server.
Free Windows Admin Tool Kit Click here and download it now
October 29th, 2010 3:09pm
MJOLINOR,
Thank you for the suggestion. Could you send me a link on how to do this? I'll look myself but off the top of my head, I must admit I'm not familiar with this type of logging.
October 29th, 2010 3:10pm
http://technet.microsoft.com/en-us/library/aa997624(EXCHG.80).aspx
Hope this helps you get it resolved.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
Free Windows Admin Tool Kit Click here and download it now
October 29th, 2010 3:36pm
I want to follow up on Sembee's (Simon's) suggestion to attempt to connect to their mail server using TELNET now that I have installed the client.
Here are my results.
First, I tried with the IP address of their mail server but with no port specified (TELNET defaults to 23):
C:\>telnet 205.178.149.7
Connecting To 205.178.149.7...Could not open connection to the host, on port 23: Connect failed
Well, they probably have TELNET blocked... So let's try with the right port...
C:\>telnet 205.178.149.7 25
220 cm-mr3 ESMTP ecelerity 2.2.2.41 r(31179/31189) Sat, 30 Oct 2010 11:17:29 -0400
421 4.4.2 service timed out.
Now let's try with the FQDN of the mailserver (as displayed in TRACERT):
C:\>telnet mail.networksolutionsemail.com 25
220 cm-mr3 ESMTP ecelerity 2.2.2.41 r(31179/31189) Sat, 30 Oct 2010 11:17:29 -0400
220 displays as above but telnet never seems to connect (nothing happens).
There is no: 421 4.4.2 service timed out.
It's been a good minute.
And finally:
Connection to host lost.
Let's try with the IP for the recipients email address (as displayed in tracert):
C:\>telnet 205.178.x.x 25
Connecting To 205.178.x.x...Could not open connection to the host, on port 25: Connect failed
And now with the FQDN:
C:\telnet xxxxxxarchitects.com 25
Connecting to xxxxxxarchitects.com... Could not open connection to the host, on port 25: Connect failed.
October 30th, 2010 11:39am
SIMON,
As you see, I have posted my Telnet results in the post above and also determined that nslookup results are just about the same using my DNS server as a starting point, or using an OpenDNS server (details in my post on Friday, October 29, 2010,
1:01).
Any ideas at this point?
And once again:
We do not filter outbound mail (only inbound via Postini).
We have not configured any Transport rules concerning this person ( I just checked and see only ONE Transport rule which has nothing to do with him).
Free Windows Admin Tool Kit Click here and download it now
October 30th, 2010 11:45am
On Sat, 30 Oct 2010 15:34:06 +0000, Le Pivert wrote:
>
>
>I want to follow up on Sembee's (Simon's) suggestion to attempt to connect to their mail server using TELNET now that I have installed the client.
>
>Here are my results.
>
>First, I tried with the IP address of their mail server but with no port specified (TELNET defaults to 23):
>
>C:\>telnet 205.178.149.7 Connecting To 205.178.149.7...Could not open connection to the host, on port 23: Connect failed
>
>Well, they probably have TELNET blocked... So let's try with the right port...
>
>C:\>telnet 205.178.149.7 25
>
>220 cm-mr3 ESMTP ecelerity 2.2.2.41 r(31179/31189) Sat, 30 Oct 2010 11:17:29 -0400 421 4.4.2 service timed out.
That's not unexpected. The IP address may not be the one that's
associated with the "A" record returned from a recent DNS query.
For example, when I ask for the A record for the name
mail.networksolutionsemail.com I get IP address 205.178.146.50.
>Now let's try with the FQDN of the mailserver (as displayed in TRACERT):
>
>C:\>telnet mail.networksolutionsemail.com 25
>
>220 cm-mr3 ESMTP ecelerity 2.2.2.41 r(31179/31189) Sat, 30 Oct 2010 11:17:29 -0400
>
>220 displays as above but telnet never seems to connect (nothing happens).
Well, no, the next thing that's expected is for your client to say
either "HELO yourservername.domain.com" or "EHLO
yourservername.domain.com". IOW, they said "Hi", now the ball's in
your court.
>There is no: 421 4.4.2 service timed out.
>
>It's been a good minute.
>
>And finally:
>
>Connection to host lost.
Since you're not going to speak (it's your turn) they drop the
connection. That's entirely reasonable.
>Let's try with the IP for the recipients email address (as displayed in tracert):
>
>C:\>telnet 205.178.x.x 25 Connecting To 205.178.x.x...Could not open connection to the host, on port 25: Connect failed
>
>And now with the FQDN:
>
>C:\telnet xxxxxxarchitects.com 25
>
>Connecting to xxxxxxarchitects.com... Could not open connection to the host, on port 25: Connect failed.
Is "xxxxxxarchitects.com" the name of the domain or the name of the
server that accepts e-mail for the domain? IOW, did you find their MX
record and get the name (or the IP address) of their mail server?
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
October 30th, 2010 5:38pm
Is "xxxxxxarchitects.com" the name of the domain or the name of the
server that accepts e-mail for the domain? IOW, did you find their MX
record and get the name (or the IP address) of their mail server?
The name of the domain.
"mail.networksolutionsemail.com" would be the name of the server that accepts email for the domain I imagine.
IOW, did you find their MX
record and get the name (or the IP address) of their mail server?
I think so.
This would be in my previous posts where I run nslookup and tracert. That's where I obtained the information I use for the attempt to connect with Telnet.
Well, no, the next thing that's expected is for your client to say
either "HELO yourservername.domain.com" or "EHLO
yourservername.domain.com". IOW, they said "Hi", now the ball's in
your court.
OK, have to try that then.
Now, if they respond to my HELO, what would that prove with respect to the original problem?
Free Windows Admin Tool Kit Click here and download it now
October 31st, 2010 6:14pm
When I click submit, why does it remove my spacing!!! The situation is frustrating enough as it is!
October 31st, 2010 6:15pm
On Sun, 31 Oct 2010 22:10:02 +0000, Le Pivert wrote:
>>Is "xxxxxxarchitects.com" the name of the domain or the name of the server that accepts e-mail for the domain? IOW, did you find their MX record and get the name (or the IP address) of their mail server?
>The name of the domain. "mail.networksolutionsemail.com" would be the name of the server that accepts email for the domain I imagine.
Well, you'd have to more certain than "I imagine".
>>IOW, did you find their MX record and get the name (or the IP address) of their mail server?
>I think so. This would be in my previous posts where I run nslookup and tracert.
The only nslookup I saw was this:
set type=MX > xxxxxxarchitects.com Server: dnsServer1.ourdomain.loc
Address: 10.x.x.x
Non-authoritative answer: xxxxxxarchitects.com MX preference =
10, mail exchanger = inbound.xxxxxxarchitects.com.namesecuremail.net
inbound.xxxxxxarchitects.com.namesecuremail.net internet address =
205.178.x.x
You've obliterated the useful information.
If you want to obfuscate the domain name, try being creative, not
destructive. Try something like this:
d o m a i n < d o t > t l d
or
r e m o v e b l a n k s . d o m a i n
t l d
>That's where I obtained the information I use for the attempt to connect with Telnet.
>>Well, no, the next thing that's expected is for your client to say either "HELO yourservername.domain.com" or "EHLO yourservername.domain.com". IOW, they said "Hi", now the ball's in your court.
>OK, have to try that then. Now, if they respond to my HELO, what would that prove with respect to the original problem?
So far, nothing. All you've done is connect to some intermediate host.
You haven't sent any e-mail. A complete conversation would look like
this:
telnet <ip-address> 25
helo <your-server-name>
mail from:<your@email.address>
rcpt to:<their.user@theirdomain.tls>
data
From: your@email.address
To: their.user@theirdomain.tld
Subject: say something brilliant here
Some something eve more brilliant here
And maybe more here
..
rset
quit
Note that you should NOT receive any status codes in the 4xx or 5xx
range.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
October 31st, 2010 6:56pm
On Sun, 31 Oct 2010 22:11:52 +0000, Le Pivert wrote:
>When I click submit, why does it remove my spacing!!! The situation is frustrating enough as it is!
HTML sux. Why MS chose to use web-based forums instead of reliable
NNTP is their choice. It had something to do with people not being
able to figure out how to use a NNTP newsreader, although I'm pretty
sure it had mre to do with them wantong to get rid of public folders
and not use something like *nix and real news server software.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
October 31st, 2010 6:59pm
Hello Rich,
Thanks for the advice.
Well, you'd have to more certain than "I imagine".
OK, let's start all over then.
I'm going to run NSLOOKUP against the domain of the recipient in question (the recipient, not what I
imagine his mailserver might be).
-----------------------------------------------------------
nslookup
[...]
> set type=MX
> architects.com
Server: DC1.myDomain.loc
Address: 10.0.0.10
Non-authoritative answer:
architects.com MX preference = 10, mail exchanger = inbound.architects.com.namesecuremail.net
-----------------------------------------------------------
That's right.
That's all.
I don't even get an IP address. Strange... Because when I tried several days ago, I obtained this:
architects.com MX preference = 10, mail exchanger = inbound.architects.com.namesecuremail.net
inbound.architects.com.namesecuremail.net internet address = 205.178.x.x
What is underlined is now missing. And since my first post, I did not change ANYTHING on my server - other than installing and running the Telnet client as Simon suggested earlier. No MS updates, and no more outbound filtering than before (none), and no
customized Transport Rules concerning this address (ever).
So I have no IP to enter here:
telnet <ip-address> 25
Otherwise, in the meantime, I am going to try to connect via TELNET using the FQDN above and see what happens.
Free Windows Admin Tool Kit Click here and download it now
November 1st, 2010 4:07pm
OK, this is what happened (and here I typed as fast as I could but session timed out before I could continue the "conversation").
---------------------------------------------------------------------------
220 cm-mr3 ESMTP ecelerity 2.2.2.41 r(31179/31189) Mon, 01 Nov 2010 16:06:30 -0400
HELO mail.mydomain.tld
250 cm-mr3 says HELO to 24.90.10.10:5260
421 4.4.2 service timed out.
Connection to host lost.
-------------------------------------------------------------------------
That took no more than 5 seconds. I only modified
MY IP address and my domain name.
EVERYTHING ELSE is simply copy and past from the cmd shell.
-------------------------------------------------------------------------
Note that you should NOT receive any status codes in the 4xx or 5xx
range.
Well, as you can see, I did.
First, am I proceeding correctly this time? If not, I'll make whatever corrections I need to so my posts are informative enough to resolve the issue.
Second, any ideas?
November 1st, 2010 4:16pm
Now I am going to attempt NSLOOKUP from outside our network - since the recepient claims that he does not have trouble receiving email from anyone anywhere else.
That's right. A physically distinct line where my laptop will obtain an IP address from a dymanic range, distinct, here too, from the static range assigned to us by our ISP. Yes, the ISP is the same though in both cases.
Note: we do not have trouble sending to anyone else. The person is a member of a committee and
everyone else on the committee
DOES receive the emails, attachments and all.
Be back in a second!
Free Windows Admin Tool Kit Click here and download it now
November 1st, 2010 4:24pm
Now I am going to attempt NSLOOKUP from outside our network - since the recepient claims that he does not have trouble receiving email from anyone anywhere else.
That's right. A physically distinct line where my laptop will obtain an IP address from a dymanic range, distinct, here too, from the static range assigned to us by our ISP. Yes, the ISP is the same though in both cases.
Note: we do not have trouble sending to anyone else. The person is a member of a committee and
everyone else on the committee
DOES receive the emails, attachments and all.
Be back in a second!
Just thought of something I want to clarify before moving to the other location: ALL the tests above have been performed from the mail server itself (albeit via Remote Desktop from my laptop).
November 1st, 2010 4:24pm
Different location. Different IP. Same I-S-P (ISP). Same results.
------------------------------------------------------------------------
C:\>nslookup
Default Server: dns-comm-cac-lb-01.nyroc.rr.com
Address: 24.92.226.11
> set type=MX
> architects.com
Server: dns-comm-cac-lb-01.nyroc.rr.com
Address: 24.92.226.11
Non-authoritative answer:
architects.com MX preference = 10, mail exchanger = inbound.architects.com.namesecuremail.net
Free Windows Admin Tool Kit Click here and download it now
November 1st, 2010 5:02pm
On Mon, 1 Nov 2010 20:02:58 +0000, Le Pivert wrote:
>Hello Rich, Thanks for the advice.
>>Well, you'd have to more certain than "I imagine".
>OK, let's start all over then. I'm going to run NSLOOKUP against the domain of the recipient in question (the recipient, not what I imagine his mailserver might be).
>-----------------------------------------------------------
>nslookup [...]
> set type=MX
> architects.com
>Server: DC1.myDomain.loc
>Address: 10.0.0.10
>Non-authoritative answer:
>architects.com MX preference = 10, mail exchanger = inbound.architects.com.namesecuremail.net
>-----------------------------------------------------------
>That's right. That's all. I don't even get an IP address. Strange... Because when I tried several days ago, I obtained this:
>architects.com MX preference = 10, mail exchanger = inbound.architects.com.namesecuremail.net
So "architects.com" is the real domain? If it is, I can see why they
can't receive any e-mail --- from anyone!
Non-authoritative answer:
architects.com MX preference = 100, mail exchanger =
mx1.architects.com
mx1.architects.com internet address = 10.42.23.11
The 10.0.0.0/8 network isn't routable on the Internet.
Here's the results of "dig", using bitsy.mit.edu as the DNS server:
11/01/10 22:01:17 dig architects.com @ bitsy.mit.edu
Dig architects.com@b.ns.anything.com (66.114.124.148) ...
failed, couldn't connect to nameserver
Dig architects.com@a.ns.anything.com (66.114.124.147) ...
failed, couldn't connect to nameserver
Dig architects.com@bitsy.mit.edu (18.72.0.3) ...
Non-authoritative answer
Recursive queries supported by this server
Query for architects.com type=255 class=1
architects.com A (Address) 66.114.124.140
architects.com MX (Mail Exchanger) Priority: 100 mx1.architects.com
architects.com TXT (Text Field)
Powered by http://cr.yp.to/djbdns.html
architects.com SOA (Zone of Authority)
Primary NS: a.ns.anything.com
Responsible person: hostmaster@architects.com
serial:1279842250
refresh:16384s (40 hours)
retry:2048s (340 minutes)
expire:1048576s (120 days)
minimum-ttl:2560s (420 minutes)
architects.com NS (Nameserver) a.ns.anything.com
architects.com NS (Nameserver) b.ns.anything.com
architects.com NS (Nameserver) a.ns.anything.com
architects.com NS (Nameserver) b.ns.anything.com
mx1.architects.com A (Address) 10.42.23.11
Again -- the "A" record for the mail exchanger in on the 10.0.0.0/8
networks.
>inbound.architects.com.namesecuremail.net internet address = 205.178.x.x
>
>What is underlined is now missing. And since my first post, I did not change ANYTHING on my server - other than installing and running the Telnet client as Simon suggested earlier. No MS updates, and no more outbound filtering than before (none), and
no customized Transport Rules concerning this address (ever).
>
>So I have no IP to enter here: telnet <ip-address> 25
>
>Otherwise, in the meantime, I am going to try to connect via TELNET using the FQDN above and see what happens.
The problem isn't yours to solve. They need to fix their DNS before
doing anything else.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
November 1st, 2010 10:10pm
On Mon, 1 Nov 2010 20:58:29 +0000, Le Pivert wrote:
>Different location. Different IP. Same I-S-P (ISP). Same results.
>
>------------------------------------------------------------------------
>
>C:\>nslookup Default Server: dns-comm-cac-lb-01.nyroc.rr.com Address: 24.92.226.11
>
>> set type=MX > architects.com Server: dns-comm-cac-lb-01.nyroc.rr.com Address: 24.92.226.11
>
>Non-authoritative answer: architects.com MX preference = 10, mail exchanger = inbound.architects.com.namesecuremail.net
I don't know where the DNS server 24.92.226.11 got its information.
Here's what I see, using the primary NS for the architects.com domain.
First, get the name server records for the domain:
> set q=ns
> architects.com.
Server: srvr005
Address: 192.168.1.25
Non-authoritative answer:
architects.com nameserver = a.ns.anything.com
architects.com nameserver = b.ns.anything.com
a.ns.anything.com internet address = 66.114.124.147
b.ns.anything.com internet address = 66.114.124.148
Next, tell nslookup to use their DNS to do the lookups (they are,
after all, authoritative for their own DNS zone -- notice that none of
the answers below are "Non-authoritative", they come right from the
source):
> server 66.114.124.147
Default Server: [66.114.124.147]
Address: 66.114.124.147
Verify the SOA agrees with the NS record for the primary DNS:
> set q=soa
> architects.com.
Server: [66.114.124.147]
Address: 66.114.124.147
architects.com
primary name server = a.ns.anything.com
responsible mail addr = hostmaster.architects.com
serial = 1279842250
refresh = 16384 (4 hours 33 mins 4 secs)
retry = 2048 (34 mins 8 secs)
expire = 1048576 (12 days 3 hours 16 mins 16 secs)
default TTL = 2560 (42 mins 40 secs)
architects.com nameserver = a.ns.anything.com
architects.com nameserver = b.ns.anything.com
a.ns.anything.com internet address = 66.114.124.147
a.ns.anything.com internet address = 66.114.124.147
b.ns.anything.com internet address = 66.114.124.148
b.ns.anything.com internet address = 66.114.124.148
And now ask for their MX record:
> set q=mx
> architects.com.
Server: [66.114.124.147]
Address: 66.114.124.147
architects.com MX preference = 100, mail exchanger =
mx1.architects.com
architects.com nameserver = a.ns.anything.com
architects.com nameserver = b.ns.anything.com
mx1.architects.com internet address = 10.42.23.11
a.ns.anything.com internet address = 66.114.124.147
a.ns.anything.com internet address = 66.114.124.147
b.ns.anything.com internet address = 66.114.124.148
b.ns.anything.com internet address = 66.114.124.148
So, it's still 10.42.23.11. You're not going to send them any e-mail
using that IP address unless you have a means to route to that private
network (and they have a route back to your LAN).
This isn't a problem you can fix. They (architects.com) need to get
their DNS squared away.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
November 1st, 2010 10:22pm
So "architects.com" is the real domain? If it is, I can see why they
can't receive any e-mail --- from anyone!
No.
I was trying to be discrete with respect to the recipient and not posting their exact domain and IP address on a public forum.
So much for my good intentions. You know where those get us.
I had originally posted xxxxxxarchitects to mask the domain name, then simply shortened it to "architects".
I had NO idea that you would try all kinds of tests on your end and now I'm just floored. I HATE to waste other people's time.
Purely and simply horrified - You went to all that trouble...
I don't see a PM option on this forum, so if I have to, I'll post the real domain.
November 3rd, 2010 10:43am
I don't know where the DNS server 24.92.226.11 got its information.
Here's what I see, using the primary NS for the architects.com domain.
[...]
Please see my post above...
Free Windows Admin Tool Kit Click here and download it now
November 3rd, 2010 10:44am
If you are going to post munged information then you need to make it very clear that it is munged information. Otherwise people will presume it is the real domain. The most common cause of these kinds of issues are DNS related, and that means the information
is public.
Personally, given it is Network Solutions involved, and the recipient claims they can get email from everyone else, I think they are blocking you. That will be out of the control of the original recipient because they don't manage their own mail servers.
It is a poor show from Network Solutions not to send back a decent NDR, but it doesn't surprise me based on previous experience with that company.
Setup a second Send Connector for that domain and send it through your ISPs SMTP server as a smart host. Single domain issues are rarely worth spending much time on.
Simon.Simon Butler, Exchange MVP
Blog |
Exchange Resources
November 3rd, 2010 11:26am
The most common cause of these kinds of issues are DNS related, and that means the information is public.
OK, the real domain is:
hoffmanrileyarchitects.com
Anyone want to try now? (said I somewhat sheepishly).
Setup a second Send Connector for that domain and send it through your ISPs SMTP server as a smart host.
We used Smart Hosts from the very beginning, until one day, several months ago, our outgoing email would... not go out.
Our ISP told us to use simple DNS (first option on the pertinent tab - "Network" of the Send Connector properties) because they would not support the Smart Host option.
Not sure if that makes sense, technically or otherwise, but that's what we were told.
And when we changed the setting to DNS, the mail started flowing again. Those are the facts.
So I doubt the Smart Hosts option would work for one domain if it had stopped working for any domain at one point in time.
Now, if I could indicate another Smart Host than my ISP, that might work - but I doubt someone else it going to let me use them as a Smart Host just like that (???).
Free Windows Admin Tool Kit Click here and download it now
November 3rd, 2010 4:05pm
I see nothing wrong with that domain, so my previous comment about them blocking you is probably the case.
It is unfortuante that the ISP has washed their hands of providing what I consider to be a basic service. There are third parties who offer the same service, but I notice above that you said that you are using Postini - any reason why you aren't routing
email OUT through them as well?
Simon.Simon Butler, Exchange MVP
Blog |
Exchange Resources
November 3rd, 2010 5:05pm
[...] but I notice above that you said that you are using Postini - any reason why you aren't routing email OUT through them as well?
There was an additional cost for filtering outbound email and our budget was very tight (even back then, before more recent economic turmoil).
Unless... as a Postini customer, we could simply route our outbound email through them as well (without the filtering option)?
We have a very basic plan with them so I do not have a rep I could call. I think the best we could do is ask on a Google forum.
Unless someone knows for a fact that this is an option?
Free Windows Admin Tool Kit Click here and download it now
November 3rd, 2010 5:37pm
On Wed, 3 Nov 2010 20:01:17 +0000, Le Pivert wrote:
>
>
>The most common cause of these kinds of issues are DNS related, and that means the information is public.
>
>OK, the real domain is:
>
>hoffmanrileyarchitects.com
>
>Anyone want to try now? (said I somewhat sheepishly).
Well, let's just say that the MTA for that domain is probably not
waiting long enough for the EHLO\HELO command before it sends the 421
status.
Check your outbound SMTP protcol log and see what's going on and how
long it is between the connection and the HELO\EHLO being sent. If you
can't figure that out, use a network monitor (WireShark is good) and
you can alter the time display and filter on the connection to see the
chronology of the connection. I don't think I've ever seen a 421
status sent that quickly after the 220 banner is sent.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
November 3rd, 2010 10:14pm
Rich,
I believe SMTP Send Protocol logging (the one I'd be interested in) is disabled by default.
Poster MJOLINOR (above) sent me a link on how to configure it.
My idea: enable logging and attempt to send a message to the recipient in question.
That should capture the communication between the two parties.
But how long afterwards should I let it run? 1 hour should do, right?
I do see it uses circular logging, so if I use the default size settings I should not have a disk space problem.
Otherwise, I have used Wireshark a bit, so I could try that too/instead.
Thank you once again for your expert assistance!
Free Windows Admin Tool Kit Click here and download it now
November 4th, 2010 4:29pm
On Thu, 4 Nov 2010 20:25:08 +0000, Le Pivert wrote:
>I believe SMTP Send Protocol logging (the one I'd be interested in) is disabled by default.
It is. It's not enabled on the receive connectors, either.
>Poster MJOLINOR (above) sent me a link on how to configure it.
>
>My idea: enable logging and attempt to send a message to the recipient in question.
Okay.
>That should capture the communication between the two parties.
Yes, it will.
>But how long afterwards should I let it run? 1 hour should do, right?
The answer is "forever". Why not capture the information all the time
you'll need to find problems?
>I do see it uses circular logging, so if I use the default size settings I should not have a disk space problem.
You can adjust the log file size and the directory size and the
retention period for the log files. See the "set-transportserver"
cmdlet.
>Otherwise, I have used Wireshark a bit, so I could try that too/instead.
If you're down to needing to see the time between data packets you'll
need a tool to capture packets. Wireshark is free and pretty easy to
use.
>Thank you once again for your expert assistance!
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
November 4th, 2010 5:50pm
This is the response from name secure to our inquiry.
We have failed to get email to this guy using a GMAIL account - namesecure just responds (truthfully or not) that they have no problem.
And what is the nonsense about configuring our server to communicate properly with theirs. They won't tell us what ot do because it's a secret.
I am sorry to hear that you were experiencing issues with sending to Name Secure mailbox from exchange server.
1. The traceroute and other tests failed to the domain hoffmanrileyarchitects.com because that is the website and not email. You would need to traceroute
mail.hoffmanrileyarchitects.com
2. I am able to send to address from Gmail without issue.
3. Our server have a security feature that the sending server is not responding appropriately to. The sender needs to contact server manufacturer
to further troubleshoot how to configure their server to respond to a secure server. Due to security restrictions we are not able to disclose how this feature works. It is the responsibility of the server administrator to configure the sending
server accordingly. This issue only occurs when sending from an Exchange server using the default configurations.
Free Windows Admin Tool Kit Click here and download it now
December 10th, 2010 6:02pm