Sender Policy Framework Quandry and Exchange
An Exchange server is listed in a zone file for the domain I'm troubleshooting. It has a priority of [10], meaning it should receive all incoming mail. The zone file also lists an IIS SMTP server, which is used only to send out mail. It had a priority of [100] before I removed it, meaning it should never be sent mail.

The problem that caused me to remove the listing for the IIS SMTP server was that mail started flowing into it, instead of Exchange, and was therefore dropped. I HAVE NO IDEA WHY MAIL JUST STARTED GOING TO THE WRONG SERVER. Removing the listing kept the mail flowing inbound, but created another problem.

The problem is that I receive about ten times a day, since yesterday, a notice that mail outbound from the IIS SMTP server cannot be delivered. Here's an example. I know why it's happening, but I don't know what to do about it. Please continue reading under the example.

    Your message did not reach some or all of the intended recipients.
    Subject: Your Account has been approved
    Sent: 2/9/2011 1:45 PM
    The following recipient(s) cannot be reached:
    HillE@their-domain.org on 2/9/2011 1:45 PM
    You do not have permission to send to this recipient. For assistance, contact your system administrator.
    <webserver1.my-domain.com #5.7.1 smtp;550 5.7.1 Client host rejected: Please see http://spf.pobox.com/why.html?sender=noreply%40eschooldata.com&ip=216.155.245.41&receiver=>

The problem cropped up because when I removed the listing for the IIS SMTP server, I wrecked the Sender Policy Framework statement that lists all the valid mail servers in the domain. My line is "v=spf1 mx -all". If I don't put both mail servers in the zone, mail from the missing server will be rejected. If I put the IIS SMTP server back in the zone file, the outbound mail will start to flow from the IIS SMTP server, but at the risk that the problem with the customer servers not reaching the recipients in my-domain.com
February 9th, 2011 6:22pm

Hmm, I don't see why outbound would be rejected if it goes out your Exchange server since your spf record contains mx -all. Are you sure you have an mx record for your Exchange server? You can still receive email even if you don't have an mx record since mail servers will fall back to looking up an A record.

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL
msexchangetips.blogspot.com
February 9th, 2011 6:37pm

On Wed, 9 Feb 2011 23:16:27 +0000, West Coast Blues wrote:

> An Exchange server is listed in a zone file for the domain I'm troubleshooting.
>
> It has a priority of [10], meaning it should receive all incoming mail.
>
> The zone file also lists an IIS SMTP server, which is used only to send out mail. It had a priority of [100] before I removed it, meaning it should never be sent mail.

If it's only supposed to be SENDING mail then it doesn't belong in your MX records for the domain.

> The problem that caused me to remove the listing for the IIS SMTP server was that mail started flowing into it, instead of Exchange, and was therefore dropped. I HAVE NO IDEA WHY MAIL JUST STARTED GOING TO THE WRONG SERVER. Removing the listing kept the mail flowing inbound, but created another problem.

Spammers love sending e-mail to a secondary MX. Also, if your primary MX was busy and replied with a 421 status to a connection, the sending MTA is correct in trying the secondary MX. If you don't want it to receive e-mail, remove it from your MX records.

> The problem is that I receive about ten times a day, since yesterday, a notice that mail outbound from the IIS SMTP server cannot be delivered. Here's an example. I know why it's happening, but I don't know what to do about it. Please continue reading under the example.

[ snip ]

> <webserver1.my-domain.com #5.7.1 smtp;550 5.7.1 Client host rejected: Please see http://spf.pobox.com/why.html?sender=noreply%40eschooldata.com&ip=216.155.245.41&receiver=>
>
> The problem cropped up because when I removed the listing for the IIS SMTP server, I wrecked the Sender Policy Framework statement that lists all the valid mail servers in the domain.

You didn't "wreck" anything.

> My line is "v=spf1 mx -all". If I don't put both mail servers in the zone, mail from the missing server will be rejected.

Your problem is that 216.155.245.41 (eskolweb1.eschooldata.com) isn't a MX for the domain eschooldata.com. The only server that's authorized to send e-mail from that domain is 216.155.241.212 (mail.eschooldata.com). BTW, the link in the NDR pretty clearly explains all this.

If eskolweb1.eschooldata.com is supposed to be sending e-mail for the domain eschooldata.com then just use a different SPF record:

v=spf1 ip4:216.155.245.41 ip4:216.155.241.212 -all

> If I put the IIS SMTP server back in the zone file, the outbound mail will start to flow from the IIS SMTP server, but at the risk that the problem with the customer servers not reaching the recipients in my-domain.com

Correct your SPF record. :-)

---
Rich Matheisen MCSE+I, Exchange MVP
February 9th, 2011 8:41pm

On Wed, 9 Feb 2011 23:31:24 +0000, Jamestechman wrote:

> Hmm, I don't see why outbound would be rejected if it goes out your Exchange server since your spf record contains mx -all. Are you sure you have an mx record for your Exchange server? You can still receive email even if you don't have an mx record since mail servers will fall back to looking up an A record.

His IIS SMTP server is sending mail but it isn't a MX for the domain. If he makes it a MX (which it shouldn't be) the messages it receives are not delivered. It *could* be made to relay mail for his domain to the Exchange server, but it's not supposed to receive any mail in the first place. :-)

---
Rich Matheisen MCSE+I, Exchange MVP
February 9th, 2011 8:44pm

First, thanks for your help. I removed the MX record for the IIS SMTP server because it will never accept mail. Then, I corrected my impression that the use of the 'mx' variable was the only way to designate a computer as allowed to send mail. I simply don't need to treat anything that sends mail as an 'mx.' All one needs to do is designate the IP addresses of the servers allowed to send and follow them with a 'negative all others' (-all) at the end of the line. When a customer server receiving my mail refers to my zone file and SPF record for advice on whether to accept the mail it's been sent, and finds the source IP in my SPF record, it will accept the mail. The source IP is all I need. Including an MX record with -all would be allowing all mail servers in my domain to send mail. Thanks very much.
February 10th, 2011 11:38am

On Thu, 10 Feb 2011 16:37:43 +0000, West Coast Blues wrote:

> I removed the MX record for the IIS SMTP server because it will never accept mail.

Good. :-)

> Then, I corrected my impression that the use of the 'mx' variable was the only way to designate a computer as allowed to send mail.

A MX denotes a place to send mail TO, not from where it originates. If all your servers that are receiving mail also send mail then "mx" is an okay shortcut to use.

> I simply don't need to treat anything that sends mail as an 'mx.'

Nothing that sends mail is a MX. You may have a sending MTA on the same machine, but it's not a MX.

> All one needs to do is designate the IP addresses of the servers allowed to send and follow them with a 'negative all others' (-all) at the end of the line.

Using the ip4:ipaddr is all you need. It also saves the receiving server, and your DNS, from multiple lookups since SPF works only with IP addresses -- the names you use all need DNS queries to get the IP addresses.

> When a customer server receiving my mail refers to my zone file and SPF record for advice on whether to accept the mail it's been sent, and finds the source IP in my SPF record, it will accept the mail.

Well, maybe. All you can say is that it won't be rejected for failing any SPF checks.

> The source IP is all I need.

Yes.

> Including an MX record with -all would be allowing all mail servers in my domain to send mail.

No, only the servers referred to by the MX records for your domain. Using the "-all" mechanism when you're unsure of the results isn't a good idea. Starting out with "~all" is a better idea.

---
Rich Matheisen MCSE+I, Exchange MVP
February 10th, 2011 10:52pm
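To see why the thread's two records behave differently for the IIS box, here is an added example (not code from the thread or from any of its posters): a minimal SPF evaluator for the mx, a, ip4 and all mechanisms, run against a constructed stand-in for DNS that maps the host names and addresses quoted in Rich's reply. It assumes mail.eschooldata.com is the domain's only MX and ignores include/redirect and the real lookup limits.

```python
import ipaddress

# Constructed DNS stand-in built from the addresses quoted in the thread;
# the MX list itself is an assumption for illustration, not a live lookup.
FAKE_DNS = {
    "mx": {"eschooldata.com": ["mail.eschooldata.com"]},
    "a": {
        "mail.eschooldata.com": ["216.155.241.212"],
        "eskolweb1.eschooldata.com": ["216.155.245.41"],   # the IIS SMTP sender
    },
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, record, dns=FAKE_DNS):
    """Evaluate a flat SPF record for a connecting IP.

    Mechanisms are tested left to right; the first one that matches decides the
    result via its qualifier. Returns pass/fail/softfail/neutral, or permerror
    for a record that is not an SPF v1 record.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"                      # unqualified mechanisms mean "pass"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":
            # "mx" authorises only the A records of the domain's MX hosts:
            # a host that merely sends mail is not one of them.
            for mx_host in dns["mx"].get(arg or domain, []):
                if sender_ip in dns["a"].get(mx_host, []):
                    matched = True
        elif mech == "a":
            matched = sender_ip in dns["a"].get(arg or domain, [])
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                         # no mechanism matched, no "all" term
```

With "v=spf1 mx -all" the IIS sender 216.155.245.41 falls through to -all and fails, while the ip4 record from the thread passes it; swapping -all for ~all turns the same miss into a softfail.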

