Unable to send mail to a particular recipient
This post is the follow-up to a very long post here:

http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/2435620d-4bf1-4029-b478-be0b0a7a4691

At this point, having googled for reviews about Name Secure customer support, I realize that I'm fighting a losing battle (on behalf of the recipient in question) with a company that obviously thinks canned and evasive responses are sufficient.

So I'm mostly interested in how I should follow up to comment number 3 (below).

They will not tell me what security feature is preventing our mail server from contacting theirs.

If it has to do with using Smart Hosts rather than simple DNS, I explained in the discussion cited above that our ISP stopped offering this option (without warning on top of it).

Otherwise, it looks like they think I should contact the "server manufacturer" which would be IBM, but I think they really mean Microsoft (maker of Exchange).

This is the response from Name Secure to our inquiry - followed by my comments (not yet sent)

I am sorry to hear that you were experiencing issues with sending to Name Secure mailbox from exchange server.

1. The traceroute and other tests failed to the domain hoffmanrileyarchitects.com because that is the website and not email. You would need to traceroute mail.hoffmanrileyarchitects.com

2. I am able to send to address from Gmail without issue.

3. Our server have a security feature that the sending server is not responding appropriately to. The sender needs to contact server manufacturer to further troubleshoot how to configure their server to respond to a secure server. Due to security restrictions we are not able to disclose how this feature works. It is the responsibility of the server administrator to configure the sending server accordingly. This issue only occurs when sending from an Exchange server using the default configurations.

1. Tracert with mail.hoffmanrileyarchitects.com

C:\>tracert mail.hoffmanrileyarchitects.com

Tracing route to mail.hoffmanrileyarchitects.com.namesecuremail.net [205.178.146.249]
over a maximum of 30 hops:

  1  29 ms  11 ms  12 ms  cable-mac1.albynyyf-ar4004.nyroc.rr.com [24.25.128.1]
  2  12 ms  12 ms  9 ms  gig2-1-5.albynywav-rtr01.nyroc.rr.com [24.29.38.233]
  3  11 ms  8 ms  15 ms  ge-1-0-0.albynywav-rtr03.nyroc.rr.com [24.24.7.21]
  4  20 ms  42 ms  12 ms  ae10-0.albynyyf-rtr000.nyroc.rr.com [24.24.21.218]
  5  21 ms  21 ms  21 ms  ae-5-0.cr0.nyc30.tbone.rr.com [66.109.6.74]
  6  23 ms  21 ms  21 ms  ae-1-0.pr0.nyc30.tbone.rr.com [66.109.6.161]
  7  19 ms  18 ms  22 ms  xe-4-3-0.edge2.Newark1.Level3.net [4.59.20.161]
  8  28 ms  21 ms  31 ms  ae-31-51.ebr1.Newark1.Level3.net [4.68.99.30]
  9  21 ms  21 ms  21 ms  ae-2-2.ebr1.NewYork1.Level3.net [4.69.132.97]
 10  26 ms  22 ms  21 ms  ae-4-4.ebr1.NewYork2.Level3.net [4.69.141.18]
 11  23 ms  37 ms  21 ms  ae-1-51.edge1.NewYork2.Level3.net [4.69.138.194]
 12  22 ms  21 ms  22 ms  er1-tengig-8-3.NewYork.savvis.net [208.174.224.133]
 13  22 ms  52 ms  23 ms  cr2-tengig-0-15-4-0.NewYork.savvis.net [204.70.198.17]
 14  29 ms  28 ms  27 ms  cr1-pos-0-0-0-0.Washington.savvis.net [204.70.192.1]
 15  49 ms  51 ms  52 ms  hr1-tengig-2-0-0.sterling2dc2.savvis.net [204.70.197.74]
 16  59 ms  56 ms  56 ms  64.58.94.114
 17  159 ms  197 ms  204 ms  edg-r-01-vlan11.net.dc2.netsol.com [205.178.191.10]
 18  57 ms  50 ms  64 ms  205.178.182.9
 19  *  *  *  Request timed out.
 20  *  *  *  Request timed out.
 21  *  *  *  Request timed out.
 22  *  *  *  Request timed out.
 23  *  *  *  Request timed out.
 24  *  *  *  Request timed out.
 25  *  *  *  Request timed out.
 26  *  *  *  Request timed out.
 27  *  *  *  Request timed out.
 28  *  *  *  Request timed out.
 29  *  *  *  Request timed out.
 30  *  *  *  Request timed out.

Trace complete.

2. OK - sending from Gmail has both worked and not worked for us. First tests did not arrive but recipient did receive the ones sent yesterday. One Road Runner user claims he was not able to send mail to the recipient but I have not been able to confirm this yet.

3. What kind of response is this? We can't tell you, go figure it out yourself?
December 11th, 2010 1:35pm

Obviously they are being pretty evasive, which doesn't help.

One option would be to tell the person you are trying to email this, and ask them to ask "Name Secure" to whitelist your IP. If it comes from their customer, it may have more weight.

Second option based on reading that long thread is to check your config and make sure you have changed bits from the defaults. For example, you could ensure that your internet send connector (in org config, hub transport) sends the same HELO/EHLO as its reverse DNS shows from outside. That's a common one that is tested for and is generic enough to not bother telling you about.

Steve

Steve Goodman
December 11th, 2010 8:02pm

On Sat, 11 Dec 2010 18:30:26 +0000, Le Pivert wrote:

>This post is the follow-up to a very long post here:
>
>http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/2435620d-4bf1-4029-b478-be0b0a7a4691
>
>At this point, having googled for reviews about Name Secure customer support, I realize that I'm fighting a losing battle (on behalf of the recipient in question) with a company that obviously thinks canned and evasive responses are sufficient.
>
>So I'm mostly interested in how I should follow up to comment number 3 (below).

Start with the SMTP protocol log from your server. That was suggested at least once in the thread you referred to but no log information was ever posted by you.

>They will not tell me what security feature is preventing our mail server from contacting theirs.

You haven't provided a whole lot of information yourself.

A "ping" just tests connectivity between two points. A traceroute just shows you the path between two endpoints. Neither of them use TCP.

Using telnet (especially the telnet client from Microsoft) isn't always conclusive. The MS telnet sends each character you type in its own packet, and lots of places want to see the whole command you send arrive in one piece. Telnet is also slow. It doesn't run faster than you can type, which is a lot slower than computers send data. Lots of places will simply timeout the connection before you get a chance to hit the enter key after you start to type the command.

Here's what your SMTP protocol log should look like. It's taken from my edge server sending an e-mail to the hoffmanrileyarchitects.com domain. They don't have a postmaster mailbox (not a good thing) so the RCPT TO command is rejected.

<,"220 cm-mr15 ESMTP ecelerity 2.2.2.41 r(31179/31189) Sat, 11 Dec 2010 22:07:05 -0500",
>,EHLO edge.domain.com,
<,250-cm-mr15 says EHLO to 99.99.99.99:21585,
<,250-8BITMIME,
<,250-PIPELINING,
<,250 ENHANCEDSTATUSCODES,
>,MAIL FROM:<prvs=09628F26E3=rich@domain.com>,
>,RCPT TO:<postmaster@hoffmanrileyarchitects.com>,
<,250 MAIL FROM accepted,
<,550 User Unknown,
>,QUIT,

What does YOUR SMTP protocol log reveal when you send them an e-mail?

>If it has to do with using Smart Hosts rather than simple DNS, I explained in the discussion cited above that our ISP stopped offering this option (without warning on top of it).

It may be your IP address that's the problem. What is it?

It may be the data in the HELO\EHLO command your server sends. What is it?

[ snip ]

>3. What kind of response is this? We can't tell you, go figure it out yourself?

They gave you a pretty big hint when they mentioned "default configuration". The SMTP protocol log would show you the interaction. Maybe they figured that someone running an e-mail server on the Internet would know where to find the information?

---
Rich Matheisen
MCSE+I, Exchange MVP
December 11th, 2010 10:38pm

Since the only tool that seems to count is the SMTP log, I enabled it just before 12:58 (EST) and sent an email to the recipient at exactly 12:58.

However...

I cannot find any reference to the sender - myself - (searching last name) or the recipient (searching by last name once again).

But I know the log is working (and growing) because I see known users sending mail.

When I search for these users, EDIT | FIND highlights them.

What's more, if I send a test message to my Gmail account, it appears in the log, as cited below.

Rich:

What I see in the log differs from what you posted above. I have a lot more data so I'm not sure if you edited out some data for readability.

But this is what I have:

--------------------------------------------------------------------------------------------------------

Munge alert ! (just in case you want to try something like you did before)

10.99.99.99 has been modified

24.x.x.x has (obviously) been modified.

My email addresses are modified too - as you can see.

Rich: If you would like the real IP of our external firewall, please send me an email to this address:

lepivert1357 ATSIGN gmail.com

(No, it's not the one munged below)

--------------------------------------------------------------------------------------------------------

2010-12-12T18:39:45.482Z,OUTBOUND,08CD40B801ADDA44,0,,74.125.93.27:25,*,,attempting to connect
2010-12-12T18:39:45.529Z,OUTBOUND,08CD40B801ADDA44,1,10.99.99.99:25966,74.125.93.27:25,+,,
2010-12-12T18:39:45.575Z,OUTBOUND,08CD40B801ADDA44,2,10.99.99.99:25966,74.125.93.27:25,<,220 mx.google.com ESMTP s2si11142183qcp.67,
2010-12-12T18:39:45.575Z,OUTBOUND,08CD40B801ADDA44,3,10.99.99.99:25966,74.125.93.27:25,>,EHLO mail.myDomain.org,
2010-12-12T18:39:45.653Z,OUTBOUND,08CD40B801ADDA44,4,10.99.99.99:25966,74.125.93.27:25,<,"250-mx.google.com at your service, [24.x.x.x]",
2010-12-12T18:39:45.653Z,OUTBOUND,08CD40B801ADDA44,5,10.99.99.99:25966,74.125.93.27:25,<,250-SIZE 35651584,
2010-12-12T18:39:45.653Z,OUTBOUND,08CD40B801ADDA44,6,10.99.99.99:25966,74.125.93.27:25,<,250-8BITMIME,
2010-12-12T18:39:45.653Z,OUTBOUND,08CD40B801ADDA44,7,10.99.99.99:25966,74.125.93.27:25,<,250-ENHANCEDSTATUSCODES,
2010-12-12T18:39:45.653Z,OUTBOUND,08CD40B801ADDA44,8,10.99.99.99:25966,74.125.93.27:25,<,250 PIPELINING,
2010-12-12T18:39:45.653Z,OUTBOUND,08CD40B801ADDA44,9,10.99.99.99:25966,74.125.93.27:25,*,1457942,sending message
2010-12-12T18:39:45.653Z,OUTBOUND,08CD40B801ADDA44,10,10.99.99.99:25966,74.125.93.27:25,>,MAIL FROM:<meAtWork@myDomain.org> SIZE=2252,
2010-12-12T18:39:45.653Z,OUTBOUND,08CD40B801ADDA44,11,10.99.99.99:25966,74.125.93.27:25,>,RCPT TO:<meAtGoogle@gmail.com>,
2010-12-12T18:39:45.700Z,OUTBOUND,08CD40B801ADDA44,12,10.99.99.99:25966,74.125.93.27:25,<,250 2.1.0 OK s2si11142183qcp.67,
2010-12-12T18:39:47.089Z,OUTBOUND,08CD40B801ADDA44,13,10.99.99.99:25966,74.125.93.27:25,<,250 2.1.5 OK s2si11142183qcp.67,
2010-12-12T18:39:47.089Z,OUTBOUND,08CD40B801ADDA44,14,10.99.99.99:25966,74.125.93.27:25,>,DATA,
2010-12-12T18:39:47.135Z,OUTBOUND,08CD40B801ADDA44,15,10.99.99.99:25966,74.125.93.27:25,<,354 Go ahead s2si11142183qcp.67,
2010-12-12T18:39:47.276Z,OUTBOUND,08CD40B801ADDA44,16,10.99.99.99:25966,74.125.93.27:25,<,250 2.0.0 OK 1292179187 s2si11142183qcp.67,
2010-12-12T18:39:47.276Z,OUTBOUND,08CD40B801ADDA44,17,10.99.99.99:25966,74.125.93.27:25,>,QUIT,
2010-12-12T18:39:47.338Z,OUTBOUND,08CD40B801ADDA44,18,10.99.99.99:25966,74.125.93.27:25,<,221 2.0.0 closing connection s2si11142183qcp.67,
2010-12-12T18:39:47.338Z,OUTBOUND,08CD40B801ADDA44,19,10.99.99.99:25966,74.125.93.27:25,-,,Local

--------------------------------------------------------------------------------------------------------

It's now 14:14 - more than an hour later - and nothing appears in the log concerning "hoffmanrileyarchitects"

(Of course, log time is "off" because Exchange must use UTC-GMT internally, like, or because of, Active Directory).

I've also tried "hoffman"

I've tried "riley" again.

So that's my much sought after SMTP protocol log.

I'm going to try to send another test message and see if it appears this time.

If it does, I'll let you know, if not I'll maintain radio silence.
December 12th, 2010 2:18pm

OK. I sent several emails to the recipient in quick succession, hoping to find a pattern among all the other outbound mail.

I think I found one:

--------------------------------------------------------------------------------

10.1.1.1 is munged, as is 24.x.x.x

Everything else is "as is"

---------------------------------------------------------------------------------

2010-12-12T19:19:58.770Z,OUTBOUND,08CD40B801ADDD12,0,,62.142.5.27:25,*,,attempting to connect
2010-12-12T19:19:59.020Z,OUTBOUND,08CD40B801ADDD12,1,10.1.1.1:42382,62.142.5.27:25,+,,
2010-12-12T19:19:59.270Z,OUTBOUND,08CD40B801ADDD12,2,10.1.1.1:42382,62.142.5.27:25,<,554 5.7.1 <rrcs-24-x-x-x.nys.biz.rr.com[24.x.x.x]>: Client host rejected: No mail accepted from you,
2010-12-12T19:19:59.270Z,OUTBOUND,08CD40B801ADDD12,0,,62.142.5.28:25,*,,attempting to connect
2010-12-12T19:19:59.270Z,OUTBOUND,08CD40B801ADDD12,3,10.1.1.1:42382,62.142.5.27:25,>,QUIT,
2010-12-12T19:19:59.504Z,OUTBOUND,08CD40B801ADDD12,1,10.1.1.1:42383,62.142.5.28:25,+,,
2010-12-12T19:19:59.504Z,OUTBOUND,08CD40B801ADDD12,4,10.1.1.1:42382,62.142.5.27:25,<,221 2.0.0 Bye,
2010-12-12T19:19:59.504Z,OUTBOUND,08CD40B801ADDD12,5,10.1.1.1:42382,62.142.5.27:25,-,,Local
2010-12-12T19:19:59.753Z,OUTBOUND,08CD40B801ADDD12,2,10.1.1.1:42383,62.142.5.28:25,<,554 5.7.1 <rrcs-24-x-x-x.nys.biz.rr.com[24.x.x.x]>: Client host rejected: No mail accepted from you,
2010-12-12T19:19:59.753Z,OUTBOUND,08CD40B801ADDD12,0,,62.142.5.93:25,*,,attempting to connect
2010-12-12T19:19:59.753Z,OUTBOUND,08CD40B801ADDD12,3,10.1.1.1:42383,62.142.5.28:25,>,QUIT,
2010-12-12T19:19:59.972Z,OUTBOUND,08CD40B801ADDD12,1,10.1.1.1:42384,62.142.5.93:25,+,,
2010-12-12T19:20:00.003Z,OUTBOUND,08CD40B801ADDD12,4,10.1.1.1:42383,62.142.5.28:25,<,221 2.0.0 Bye,
2010-12-12T19:20:00.003Z,OUTBOUND,08CD40B801ADDD12,5,10.1.1.1:42383,62.142.5.28:25,-,,Local
2010-12-12T19:20:00.034Z,OUTBOUND,08CD40B801ADDD13,0,,194.9.24.129:25,*,,attempting to connect
2010-12-12T19:20:00.206Z,OUTBOUND,08CD40B801ADDD12,2,10.1.1.1:42384,62.142.5.93:25,<,554 5.7.1 <rrcs-24-x-x-x.nys.biz.rr.com[24.x.x.x]>: Client host rejected: No mail accepted from you,
2010-12-12T19:20:00.206Z,OUTBOUND,08CD40B801ADDD12,0,,62.142.5.25:25,*,,attempting to connect
2010-12-12T19:20:00.206Z,OUTBOUND,08CD40B801ADDD12,3,10.1.1.1:42384,62.142.5.93:25,>,QUIT,
2010-12-12T19:20:00.424Z,OUTBOUND,08CD40B801ADDD12,1,10.1.1.1:42386,62.142.5.25:25,+,,
2010-12-12T19:20:00.424Z,OUTBOUND,08CD40B801ADDD12,4,10.1.1.1:42384,62.142.5.93:25,<,221 2.0.0 Bye,
2010-12-12T19:20:00.424Z,OUTBOUND,08CD40B801ADDD12,5,10.1.1.1:42384,62.142.5.93:25,-,,Local
2010-12-12T19:20:00.658Z,OUTBOUND,08CD40B801ADDD12,2,10.1.1.1:42386,62.142.5.25:25,<,554 5.7.1 <rrcs-24-x-x-x.nys.biz.rr.com[24.x.x.x]>: Client host rejected: No mail accepted from you,
2010-12-12T19:20:00.658Z,OUTBOUND,08CD40B801ADDD12,0,,62.142.5.26:25,*,,attempting to connect
2010-12-12T19:20:00.658Z,OUTBOUND,08CD40B801ADDD12,3,10.1.1.1:42386,62.142.5.25:25,>,QUIT,
2010-12-12T19:20:00.892Z,OUTBOUND,08CD40B801ADDD12,1,10.1.1.1:42387,62.142.5.26:25,+,,
2010-12-12T19:20:00.892Z,OUTBOUND,08CD40B801ADDD12,4,10.1.1.1:42386,62.142.5.25:25,<,221 2.0.0 Bye,
2010-12-12T19:20:00.892Z,OUTBOUND,08CD40B801ADDD12,5,10.1.1.1:42386,62.142.5.25:25,-,,Local
2010-12-12T19:20:01.126Z,OUTBOUND,08CD40B801ADDD12,2,10.1.1.1:42387,62.142.5.26:25,<,554 5.7.1 <rrcs-24-x-x-x.nys.biz.rr.com[24.x.x.x]>: Client host rejected: No mail accepted from you,
2010-12-12T19:20:01.126Z,OUTBOUND,08CD40B801ADDD12,0,,195.197.172.98:25,*,,attempting to connect
2010-12-12T19:20:01.126Z,OUTBOUND,08CD40B801ADDD12,3,10.1.1.1:42387,62.142.5.26:25,>,QUIT,
2010-12-12T19:20:01.344Z,OUTBOUND,08CD40B801ADDD12,1,10.1.1.1:42388,195.197.172.98:25,+,,
2010-12-12T19:20:01.360Z,OUTBOUND,08CD40B801ADDD12,4,10.1.1.1:42387,62.142.5.26:25,<,221 2.0.0 Bye,
2010-12-12T19:20:01.360Z,OUTBOUND,08CD40B801ADDD12,5,10.1.1.1:42387,62.142.5.26:25,-,,Local
2010-12-12T19:20:01.578Z,OUTBOUND,08CD40B801ADDD14,0,,196.35.73.114:25,*,,attempting to connect
2010-12-12T19:20:01.578Z,OUTBOUND,08CD40B801ADDD12,2,10.1.1.1:42388,195.197.172.98:25,<,554 5.7.1 <rrcs-24-x-x-x.nys.biz.rr.com[24.x.x.x]>: Client host rejected: No mail accepted from you,
2010-12-12T19:20:01.578Z,OUTBOUND,08CD40B801ADDD12,3,10.1.1.1:42388,195.197.172.98:25,>,QUIT,
2010-12-12T19:20:01.797Z,OUTBOUND,08CD40B801ADDD12,4,10.1.1.1:42388,195.197.172.98:25,<,221 2.0.0 Bye,
2010-12-12T19:20:01.797Z,OUTBOUND,08CD40B801ADDD12,5,10.1.1.1:42388,195.197.172.98:25,-,,Local
2010-12-12T19:20:04.854Z,OUTBOUND,08CD40B801ADDD15,0,,77.232.69.238:25,*,,attempting to connect
2010-12-12T19:20:06.134Z,OUTBOUND,08CD40B801ADDD16,0,,77.232.69.238:25,*,,attempting to connect

----------------------------------------------------------------------

So... we never make it to the HELO / EHLO business. Communication between servers stops dead in its tracks.
December 12th, 2010 2:32pm

On Sun, 12 Dec 2010 19:14:21 +0000, Le Pivert wrote:

>Since the only tool that seems to count is the SMTP log, I enabled it just before 12:58 (EST) and sent an email to the recipient at exactly 12:58.

It's the one to start with if you think you're having connectivity problems. The message tracking log records lots of other useful details but it doesn't show you the SMTP transaction's conversation between the sender and recipient.

>However...
>
>I cannot find any reference to the sender - myself - (searching last name) or the recipient (searching by last name once again).
>
>But I know the log is working (and growing) because I see known users sending mail.
>
>When I search for these users, EDIT | FIND highlights them.
>
>What's more, if I send a test message to my Gmail account, it appears in the log, as cited below.
>
>Rich:
>
>What I see in the log differs from what you posted above. I have a lot more data so I'm not sure if you edited out some data for readability.

Yes, I did. The timestamps, ip addresses, etc. would just clutter the example. I wanted to show you what you'd see in the data.

[ snip ]

>It's now 14:14 - more than an hour later - and nothing appears in the log concerning "hoffmanrileyarchitects"

What about the IP address 205.178.149.7? The IP address of the receiving server might show up in the log if you received a 4xx or 5xx status when you tried to connect. If that's happening you won't see any other SMTP commands in the log.

>(Of course, log time is "off" because Exchange must use UTC-GMT internally, like, or because of, Active Directory).

It does. I couldn't imagine trying to coordinate multiple log files from several different time zones if they all used local times.

>I've also tried "hoffman"
>
>I've tried "riley" again.
>
>So that's my much sought after SMTP protocol log.

Believe it or not, that provided a lot more information than ping and tracert. :-)

>I'm going to try to send another test message and see if it appears this time.
>
>If it does, I'll let you know, if not I'll maintain radio silence.

---
Rich Matheisen
MCSE+I, Exchange MVP
December 12th, 2010 9:40pm

On Sun, 12 Dec 2010 19:28:07 +0000, Le Pivert wrote:

>OK. I sent several emails to the recipient in quick succession, hoping to find a pattern among all the other outbound mail.
>
>I think I found one:
>
>--------------------------------------------------------------------------------
>
>10.1.1.1 is munged, as is 24.x.x.x
>
>Everything else is "as is"

The IP addresses 62.142.5.93 and 62.142.5.28 and 62.142.5.27 are all in the domain mail.saunalahti.fi. The nys.biz.rr.com servers use the 24.28.199.0 network, I think.

So . . . how about describing your topology a bit? Are you in Finland? Do you use that 62.142.5.0 network? Do you use a smart host to deliver your e-mail?

>---------------------------------------------------------------------------------

I don't see the IP address 205.178.149.7 in this bit of log file.

The Road Runner servers are pretty clear: "Client host rejected: No mail accepted from you".

>2010-12-12T19:19:58.770Z,OUTBOUND,08CD40B801ADDD12,0,,62.142.5.27:25,*,,attempting to connect
>2010-12-12T19:19:59.020Z,OUTBOUND,08CD40B801ADDD12,1,10.1.1.1:42382,62.142.5.27:25,+,,
>2010-12-12T19:19:59.270Z,OUTBOUND,08CD40B801ADDD12,2,10.1.1.1:42382,62.142.5.27:25,<,554 5.7.1 <rrcs-24-x-x-x.nys.biz.rr.com[24.x.x.x]>: Client host rejected: No mail accepted from you,
>2010-12-12T19:19:59.270Z,OUTBOUND,08CD40B801ADDD12,0,,62.142.5.28:25,*,,attempting to connect
>2010-12-12T19:19:59.270Z,OUTBOUND,08CD40B801ADDD12,3,10.1.1.1:42382,62.142.5.27:25,>,QUIT,
>2010-12-12T19:19:59.504Z,OUTBOUND,08CD40B801ADDD12,1,10.1.1.1:42383,62.142.5.28:25,+,,
>2010-12-12T19:19:59.504Z,OUTBOUND,08CD40B801ADDD12,4,10.1.1.1:42382,62.142.5.27:25,<,221 2.0.0 Bye,
>2010-12-12T19:19:59.504Z,OUTBOUND,08CD40B801ADDD12,5,10.1.1.1:42382,62.142.5.27:25,-,,Local
>2010-12-12T19:19:59.753Z,OUTBOUND,08CD40B801ADDD12,2,10.1.1.1:42383,62.142.5.28:25,<,554 5.7.1 <rrcs-24-x-x-x.nys.biz.rr.com[24.x.x.x]>: Client host rejected: No mail accepted from you,
>2010-12-12T19:19:59.753Z,OUTBOUND,08CD40B801ADDD12,0,,62.142.5.93:25,*,,attempting to connect
>2010-12-12T19:19:59.753Z,OUTBOUND,08CD40B801ADDD12,3,10.1.1.1:42383,62.142.5.28:25,>,QUIT,
>2010-12-12T19:19:59.972Z,OUTBOUND,08CD40B801ADDD12,1,10.1.1.1:42384,62.142.5.93:25,+,,
>2010-12-12T19:20:00.003Z,OUTBOUND,08CD40B801ADDD12,4,10.1.1.1:42383,62.142.5.28:25,<,221 2.0.0 Bye,
>2010-12-12T19:20:00.003Z,OUTBOUND,08CD40B801ADDD12,5,10.1.1.1:42383,62.142.5.28:25,-,,Local
>2010-12-12T19:20:00.034Z,OUTBOUND,08CD40B801ADDD13,0,,194.9.24.129:25,*,,attempting to connect
>2010-12-12T19:20:00.206Z,OUTBOUND,08CD40B801ADDD12,2,10.1.1.1:42384,62.142.5.93:25,<,554 5.7.1 <rrcs-24-x-x-x.nys.biz.rr.com[24.x.x.x]>: Client host rejected: No mail accepted from you,
>2010-12-12T19:20:00.206Z,OUTBOUND,08CD40B801ADDD12,0,,62.142.5.25:25,*,,attempting to connect
>2010-12-12T19:20:00.206Z,OUTBOUND,08CD40B801ADDD12,3,10.1.1.1:42384,62.142.5.93:25,>,QUIT,
>2010-12-12T19:20:00.424Z,OUTBOUND,08CD40B801ADDD12,1,10.1.1.1:42386,62.142.5.25:25,+,,
>2010-12-12T19:20:00.424Z,OUTBOUND,08CD40B801ADDD12,4,10.1.1.1:42384,62.142.5.93:25,<,221 2.0.0 Bye,
>2010-12-12T19:20:00.424Z,OUTBOUND,08CD40B801ADDD12,5,10.1.1.1:42384,62.142.5.93:25,-,,Local
>2010-12-12T19:20:00.658Z,OUTBOUND,08CD40B801ADDD12,2,10.1.1.1:42386,62.142.5.25:25,<,554 5.7.1 <rrcs-24-x-x-x.nys.biz.rr.com[24.x.x.x]>: Client host rejected: No mail accepted from you,
>2010-12-12T19:20:00.658Z,OUTBOUND,08CD40B801ADDD12,0,,62.142.5.26:25,*,,attempting to connect
>2010-12-12T19:20:00.658Z,OUTBOUND,08CD40B801ADDD12,3,10.1.1.1:42386,62.142.5.25:25,>,QUIT,
>2010-12-12T19:20:00.892Z,OUTBOUND,08CD40B801ADDD12,1,10.1.1.1:42387,62.142.5.26:25,+,,
>2010-12-12T19:20:00.892Z,OUTBOUND,08CD40B801ADDD12,4,10.1.1.1:42386,62.142.5.25:25,<,221 2.0.0 Bye,
>2010-12-12T19:20:00.892Z,OUTBOUND,08CD40B801ADDD12,5,10.1.1.1:42386,62.142.5.25:25,-,,Local
>2010-12-12T19:20:01.126Z,OUTBOUND,08CD40B801ADDD12,2,10.1.1.1:42387,62.142.5.26:25,<,554 5.7.1 <rrcs-24-x-x-x.nys.biz.rr.com[24.x.x.x]>: Client host rejected: No mail accepted from you,
>2010-12-12T19:20:01.126Z,OUTBOUND,08CD40B801ADDD12,0,,195.197.172.98:25,*,,attempting to connect
>2010-12-12T19:20:01.126Z,OUTBOUND,08CD40B801ADDD12,3,10.1.1.1:42387,62.142.5.26:25,>,QUIT,
>2010-12-12T19:20:01.344Z,OUTBOUND,08CD40B801ADDD12,1,10.1.1.1:42388,195.197.172.98:25,+,,
>2010-12-12T19:20:01.360Z,OUTBOUND,08CD40B801ADDD12,4,10.1.1.1:42387,62.142.5.26:25,<,221 2.0.0 Bye,
>2010-12-12T19:20:01.360Z,OUTBOUND,08CD40B801ADDD12,5,10.1.1.1:42387,62.142.5.26:25,-,,Local
>2010-12-12T19:20:01.578Z,OUTBOUND,08CD40B801ADDD14,0,,196.35.73.114:25,*,,attempting to connect
>2010-12-12T19:20:01.578Z,OUTBOUND,08CD40B801ADDD12,2,10.1.1.1:42388,195.197.172.98:25,<,554 5.7.1 <rrcs-24-x-x-x.nys.biz.rr.com[24.x.x.x]>: Client host rejected: No mail accepted from you,
>2010-12-12T19:20:01.578Z,OUTBOUND,08CD40B801ADDD12,3,10.1.1.1:42388,195.197.172.98:25,>,QUIT,
>2010-12-12T19:20:01.797Z,OUTBOUND,08CD40B801ADDD12,4,10.1.1.1:42388,195.197.172.98:25,<,221 2.0.0 Bye,
>2010-12-12T19:20:01.797Z,OUTBOUND,08CD40B801ADDD12,5,10.1.1.1:42388,195.197.172.98:25,-,,Local
>2010-12-12T19:20:04.854Z,OUTBOUND,08CD40B801ADDD15,0,,77.232.69.238:25,*,,attempting to connect
>2010-12-12T19:20:06.134Z,OUTBOUND,08CD40B801ADDD16,0,,77.232.69.238:25,*,,attempting to connect
>
>----------------------------------------------------------------------
>
>So... we never make it to the HELO / EHLO business. Communication between servers stops dead in its tracks.

---
Rich Matheisen
MCSE+I, Exchange MVP
December 12th, 2010 9:58pm
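
Added example, not part of any post in this thread: a small Python parser that groups SMTP send protocol log rows by session ID and remote endpoint, so interleaved connection attempts can be read one connection at a time and searched by remote IP rather than by recipient name. The sample rows are excerpted from the logs posted above (already munged by the poster); the function names are hypothetical.

```python
import csv
import io
import re

# Excerpt of rows posted in this thread (addresses munged by the poster,
# some rows omitted). Columns: date-time, connector-id, session-id,
# sequence-number, local-endpoint, remote-endpoint, event, data, context.
SAMPLE_LOG = '''\
2010-12-12T19:19:58.770Z,OUTBOUND,08CD40B801ADDD12,0,,62.142.5.27:25,*,,attempting to connect
2010-12-12T19:19:59.020Z,OUTBOUND,08CD40B801ADDD12,1,10.1.1.1:42382,62.142.5.27:25,+,,
2010-12-12T19:19:59.270Z,OUTBOUND,08CD40B801ADDD12,2,10.1.1.1:42382,62.142.5.27:25,<,554 5.7.1 <rrcs-24-x-x-x.nys.biz.rr.com[24.x.x.x]>: Client host rejected: No mail accepted from you,
2010-12-12T19:19:59.270Z,OUTBOUND,08CD40B801ADDD12,0,,62.142.5.28:25,*,,attempting to connect
2010-12-12T19:19:59.270Z,OUTBOUND,08CD40B801ADDD12,3,10.1.1.1:42382,62.142.5.27:25,>,QUIT,
2010-12-12T19:19:59.504Z,OUTBOUND,08CD40B801ADDD12,1,10.1.1.1:42383,62.142.5.28:25,+,,
2010-12-12T19:19:59.504Z,OUTBOUND,08CD40B801ADDD12,4,10.1.1.1:42382,62.142.5.27:25,<,221 2.0.0 Bye,
2010-12-12T19:19:59.504Z,OUTBOUND,08CD40B801ADDD12,5,10.1.1.1:42382,62.142.5.27:25,-,,Local
2010-12-12T19:19:59.753Z,OUTBOUND,08CD40B801ADDD12,2,10.1.1.1:42383,62.142.5.28:25,<,554 5.7.1 <rrcs-24-x-x-x.nys.biz.rr.com[24.x.x.x]>: Client host rejected: No mail accepted from you,
2010-12-12T18:39:45.482Z,OUTBOUND,08CD40B801ADDA44,0,,74.125.93.27:25,*,,attempting to connect
2010-12-12T18:39:45.529Z,OUTBOUND,08CD40B801ADDA44,1,10.99.99.99:25966,74.125.93.27:25,+,,
2010-12-12T18:39:45.575Z,OUTBOUND,08CD40B801ADDA44,2,10.99.99.99:25966,74.125.93.27:25,<,220 mx.google.com ESMTP s2si11142183qcp.67,
2010-12-12T18:39:45.575Z,OUTBOUND,08CD40B801ADDA44,3,10.99.99.99:25966,74.125.93.27:25,>,EHLO mail.myDomain.org,
2010-12-12T18:39:45.653Z,OUTBOUND,08CD40B801ADDA44,4,10.99.99.99:25966,74.125.93.27:25,<,"250-mx.google.com at your service, [24.x.x.x]",
2010-12-12T18:39:45.653Z,OUTBOUND,08CD40B801ADDA44,10,10.99.99.99:25966,74.125.93.27:25,>,MAIL FROM:<meAtWork@myDomain.org> SIZE=2252,
2010-12-12T18:39:45.653Z,OUTBOUND,08CD40B801ADDA44,11,10.99.99.99:25966,74.125.93.27:25,>,RCPT TO:<meAtGoogle@gmail.com>,
2010-12-12T18:39:45.700Z,OUTBOUND,08CD40B801ADDA44,12,10.99.99.99:25966,74.125.93.27:25,<,250 2.1.0 OK s2si11142183qcp.67,
'''


def parse_connections(log_text):
    """Return one record per connection attempt, in the order attempts began."""
    connections, current = [], {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 9 or row[0].startswith("#"):
            continue  # "#" header lines, blank lines, damaged rows
        session, remote, event, data, context = row[2], row[5], row[6], row[7], row[8]
        # One session ID can walk through several remote hosts and the rows of
        # consecutive attempts overlap, so the key needs both values.
        key = (session, remote)
        if event == "*" and context == "attempting to connect":
            current[key] = {"session": session, "remote_ip": remote.rsplit(":", 1)[0],
                            "banner": None, "replies": 0, "ehlo": None,
                            "rcpts": [], "errors": []}
            connections.append(current[key])
            continue
        conn = current.get(key)
        if conn is None:
            continue  # the log file started in the middle of this connection
        if event == "<":  # line received from the remote server
            m = re.match(r"(\d{3})(?:[ -]|$)", data)
            code = int(m.group(1)) if m else None
            if conn["replies"] == 0:
                conn["banner"] = code  # first reply is the greeting
            conn["replies"] += 1
            if code is not None and code >= 400:
                conn["errors"].append(data)
        elif event == ">":  # line sent by the local server
            m = re.match(r"(?:EHLO|HELO)\s+(\S+)", data, re.I)
            if m:
                conn["ehlo"] = m.group(1)
            m = re.match(r"RCPT TO:\s*<([^>]*)>", data, re.I)
            if m:
                conn["rcpts"].append(m.group(1))
    return connections


def stage(conn):
    """Say how far the SMTP conversation got on this connection."""
    if conn["banner"] is None:
        return "no reply logged"
    if conn["banner"] >= 400:
        return "rejected at banner"  # no EHLO, MAIL FROM or RCPT TO will follow
    if conn["errors"]:
        return "rejected after banner"
    return "accepted so far"


def connections_to(connections, ip_or_prefix):
    """Select connections whose remote IP equals, or starts with, the value."""
    prefix = ip_or_prefix.rstrip(".") + "."
    return [c for c in connections
            if c["remote_ip"] == ip_or_prefix or c["remote_ip"].startswith(prefix)]


if __name__ == "__main__":
    for c in parse_connections(SAMPLE_LOG):
        print(c["remote_ip"], stage(c), c["ehlo"], c["rcpts"], c["errors"])
```

A connection refused at the greeting carries no sender or recipient address, so a text search for a name cannot find it; selecting by remote IP can.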


Topology (and geography):

We are in New York.

Road Runner (Time Warner) is our ISP. Road Runner delivers everything else we send.

For example, I can send an email to lepivert1357 ATSIGN gmail.com and it arrives in that inbox seconds later.

The recipient lives and works in New York as well. It looks like he uses Namesecure email (that's the company we have been corresponding with anyway). I do not know where their mail servers are located.

Our organization does not use any IP starting with 62. We are in the 24.x.x.x range. Our IP address is in that range. Not in any range starting with 62.

All the Road Runner DNS servers (for our region at least) use that range. Our DNS servers are configured to use those servers as forwarders.

Our Send Connector is not configured to use Smart Hosts. So, currently: no Smart Host, just DNS for the Send Connector (we only have one - besides those "hidden" connectors).

>The Road Runner servers are pretty clear: "Client host rejected: No mail accepted from you".

Do you mean Road Runner, our ISP, is rejecting mail sent from us? All our outgoing mail, for nearly two years, has been transiting through Road Runner. We are sending and receiving email to/from hundreds of people on a daily basis. If that were not the case, I would have heard about it.

>What about the IP address 205.178.149.7? The IP address of the receiving server might show up in the log if you received a 4xx or 5xx status when you tried to connect. If that's happening you won't see any other SMTP commands in the log.

There are currently two log files in the SMTPSEND folder (default location). I searched for 205.178.149.7 in both (opened them in Notepad). Nothing was retrieved.

Just to make sure it WOULD HAVE found that IP, I searched for IPs that I could see in the log, and sure enough, they were highlighted when I did EDIT | FIND

Just tried again. This time I pasted " 205.178.149.7 " (without parens of course) from your post above, to rule out my typing it incorrectly.

Nothing turns up: "Cannot find 205.178.149.7"
December 13th, 2010 9:05am

Short update.

In the response, Namesecure said traceroute failed because I used hoffmanrileyarchitects.com when I should have used mail.hoffmanrileyarchitects.com.

So I tried NSLOOKUP with "mail.hoffmanrileyarchitects.com"

Which resolves to:

Non-authoritative answer:
Name: mail.hoffmanrileyarchitects.com.namesecuremail.net
Address: 205.178.146.249
Aliases: mail.hoffmanrileyarchitects.com

I searched the logs (there are 3 now) for 205.178.146.249

I searched for "205.178"

No results.
December 13th, 2010 2:15pm

And how is this entire conversation being echoed in the Network Steve forum? http://www.networksteve.com/exchange/topic.php/Unable_to_send_mail_to_a_particular_recipient/?TopicId=21213&Posts=7
December 13th, 2010 2:16pm

Steve (Goodman)

By the way, I haven't forgotten your suggestion to ask Namesecure to whitelist our IP. I sent our external IP to the recipient so he can pass that on to Namesecure.

I'll look at our reverse DNS as opposed to what is configured in the Send Connector next (I work on all kinds of things, Exchange being only one of them, so I'm constantly juggling this, and everything else).

Having said that, it doesn't even look like I can initiate a conversation with the recipient's ISP mail servers (???).
December 13th, 2010 5:30pm

No Probs, let us know how it goes.

Regardless of the problem you should make sure the EHLO/HELO your server provides matches the external IP's reverse DNS, which will probably be the rrcs-24-x-x-x.nys.biz.rr.com name. Course, if it's a dynamic IP it won't help you much.

Another thought with the RR IPs - they are often on DNS blacklists - have you double checked your IP on http://www.mxtoolbox.com/blacklists.aspx ?

If you are having a lot of problems with this area perhaps another option is to pay a little money for a smarthost service that can take care of this for you?

Steve

Steve Goodman
December 13th, 2010 6:18pm

On Mon, 13 Dec 2010 19:11:26 +0000, Le Pivert wrote:

>Short update.
>
>In the response, Namesecure said traceroute failed because I used hoffmanrileyarchitects.com when I should have used mail.hoffmanrileyarchitects.com.
>
>So I tried NSLOOKUP with "mail.hoffmanrileyarchitects.com"
>
>Which resolves to:
>
>Non-authoritative answer:
>Name: mail.hoffmanrileyarchitects.com.namesecuremail.net
>Address: 205.178.146.249
>Aliases: mail.hoffmanrileyarchitects.com
>
>I searched the logs (there are 3 now) for 205.178.146.249
>
>I searched for "205.178"

It's true that the IP address for the name "mail.hoffmanrileyarchitects.com" resolves to the IP address 205.178.146.249; however, the MX for the domain "hoffmanrileyarchitects.com" uses the "A" record "inbound.hoffmanrileyarchitects.com.namesecuremail.net", and that has an IP address of 205.178.149.7.

The above information was got from the authoritative DNS for the domain which was retrieved from the SOA record for the domain.

The CNAME record for mail.hoffmanrileyarchitects.com is an alias for the name mail.hoffmanrileyarchitects.com.namesecuremail.net. The "A" record for that name returns the IP address 205.178.146.249.

The IP address used by my edge server to send mail to the domain hoffmanrileyarchitects.com was 205.178.149.7.

So, try using nslookup to find the MX record for the domain. Do you get the same answers I do?

Another possible IP address to look for is 205.178.190.116. That's the IP address used by the A record for the domain. Perhaps you have a bad DNS lookup cached on your Exchange or DNS server, or the MX record query is returning no A records so Exchange is falling back to using the A record for the domain.

---
Rich Matheisen
MCSE+I, Exchange MVP
December 13th, 2010 11:00pm

Steve, I am OK for all blacklists except these:
CYBERLOGIC TIMEOUT ERROR, Reponse code=2 0
EMAILBASURA TIMEOUT 0
REDHAWK TIMEOUT ERROR, Reponse code=2 0
SPAMRBL TIMEOUT ERROR, Reponse code=2
I tried with both our "main" external IP address and also the one we use for 1-to-1 NAT with the mail server's internal IP. Same result.
When we say reverse DNS, I would think we are talking about a PTR record. So, if my external IP was (assuming /24): 24.30.20.10
The PTR would be 10.20.30.24.in-addr.arpa
It looks like you are saying it would be more like this: rrcs-24-30-20-10.nys.biz.rr.com ???
In the Send Connector properties, the MS suggestion for EHLO/HELO is "mail.myDomain.org" but that's probably very generic.
Smart Hosts might be the way to go, but for the time being we have one problem out of 400-500 recipients.
December 14th, 2010 9:15am

Well, I edit that with spacing (above) and it REFUSES to display correctly. Just about had it.
Rich, It looks like I get the same results:
set type=MX
hoffmanrileyarchitects.com
Non-authoritative answer:
hoffmanrileyarchitects.com MX preference = 10, mail exchanger = inbound.hoffmanrileyarchitects.com.namesecuremail.net
inbound.hoffmanrileyarchitects.com.namesecuremail.net internet address = 205.178.149.7
I cannot find hoffman with EDIT | FIND
I have searched six log files covering 2 days, copying and pasting the IP from your post (so I cannot have mistyped it), searched Direction "Up" and Direction "Down"
OK, I finally found this, but it is probably a NDR to a spammer (?):
2010-12-13T22:47:55.565Z,OUTBOUND,08CD40B801AE4FF4,0,,205.178.149.7:25,*,,attempting to connect
2010-12-13T22:47:55.627Z,OUTBOUND,08CD40B801AE4FF4,1,10.1.1.1:58259,205.178.149.7:25,+,,
2010-12-13T22:47:55.690Z,OUTBOUND,08CD40B801AE4FF4,2,10.1.1.1:58259,205.178.149.7:25,<,"220 cm-mr11 ESMTP ecelerity 2.2.2.41 r(31179/31189) Mon, 13 Dec 2010 17:47:55 -0500",
2010-12-13T22:47:55.690Z,OUTBOUND,08CD40B801AE4FF4,3,10.1.1.1:58259,205.178.149.7:25,>,EHLO mail.myDomain.org,
2010-12-13T22:47:55.752Z,OUTBOUND,08CD40B801AE4FF4,4,10.1.1.1:58259,205.178.149.7:25,<,250-cm-mr11 says EHLO to 24.x.x.x:26934,
2010-12-13T22:47:55.752Z,OUTBOUND,08CD40B801AE4FF4,5,10.1.1.1:58259,205.178.149.7:25,<,250-PIPELINING,
2010-12-13T22:47:55.752Z,OUTBOUND,08CD40B801AE4FF4,6,10.1.1.1:58259,205.178.149.7:25,<,250-ENHANCEDSTATUSCODES,
2010-12-13T22:47:55.752Z,OUTBOUND,08CD40B801AE4FF4,7,10.1.1.1:58259,205.178.149.7:25,<,250 8BITMIME,
2010-12-13T22:47:55.752Z,OUTBOUND,08CD40B801AE4FF4,8,10.1.1.1:58259,205.178.149.7:25,*,1461125,sending message
2010-12-13T22:47:55.752Z,OUTBOUND,08CD40B801AE4FF4,9,10.1.1.1:58259,205.178.149.7:25,>,MAIL FROM:<>,
2010-12-13T22:47:55.752Z,OUTBOUND,08CD40B801AE4FF4,10,10.1.1.1:58259,205.178.149.7:25,>,RCPT TO:<kanishaloan_xi@arteitaly.com>,
2010-12-13T22:47:55.799Z,OUTBOUND,08CD40B801AE4FF4,11,10.1.1.1:58259,205.178.149.7:25,<,250 MAIL FROM accepted,
2010-12-13T22:47:55.799Z,OUTBOUND,08CD40B801AE4FF4,12,10.1.1.1:58259,205.178.149.7:25,<,550 User Unknown,
2010-12-13T22:47:55.799Z,OUTBOUND,08CD40B801AE4FF4,13,10.1.1.1:58259,205.178.149.7:25,>,QUIT,
2010-12-13T22:47:55.799Z,OUTBOUND,08CD40B801AE4FF4,14,10.1.1.1:58259,205.178.149.7:25,-,,Remote
So, we CAN communicate with 205.178.149.7
As for my pattern from the other day, I think it might have been a simple coincidence, despite the numerous entries logged right about the time I sent 4-5 test messages.
As far as this recipient is concerned, there's no reason we would be talking with servers in Finland.
December 14th, 2010 11:22am

>It looks like you are saying it would be more like this: rrcs-24-30-20-10.nys.biz.rr.com ???
>In the Send Connector properties, the MS suggestion for EHLO/HELO is "mail.myDomain.org" but that's probably very generic.
Hiya, Yep rrcs-24-30-20-10.nys.biz.rr.com sounds like it would be the correct value to put in the Send connector. The MS suggestion assumes you can change the A and PTR records to whatever you like.
From your results with the RBLs, it doesn't sound like that's the issue. It was worth being sure.
Steve
Steve Goodman Check out my Blog for more Exchange info or find me on Twitter
December 14th, 2010 11:26am

Guys, This just doesn't make sense.
I was about to ask if installing Wireshark on the Exchange server would be a good idea, and see if we are not being blocked even before the SMTP communications begin.
First, I'm not sure if that would show anything (???)
Second, I was going to ask the recipient if he has indeed asked Namesecure to whitelist our IP.
Well, we were communicating with 205.178.149.7 as shown in the log above (my preceding post). So we can't be blocked, could we? So why doesn't it work for this one guy?
Bad DNS data in cache? I ran the command "dnscmd /clearcache" on both domain controllers (which are also our internal DNS servers) and then ipconfig /flushdns on the mailserver. (Of course, if the DNS info is bad at the ISP level or elsewhere, we'd probably just get that bad info again.)
I then sent another series of test messages. But it's midday now and even in a rather small organization like ours, there's a ton of email being sent and I can't see any pattern. And the logs show no EHLO/HELO data pertaining to the recipient (EDIT | FIND once again).
December 14th, 2010 11:41am

Whitelisting may not affect you connecting - what it will do is ensure you aren't subject to all their tests. So, if you are not whitelisted you could be blocked on initial connection, you could be blocked by RFC compliance tests, you could be blocked by non matching A/PTR records, incorrect HELO/EHLO, sender address, sender domain, then after the DATA command you could be blocked by content within the message. Even after message acceptance you might still get your message blocked by in depth content scanning along the way. Whitelisting you would exclude you from all of these tests (assuming that's what they do).
Steve
Steve Goodman Check out my Blog for more Exchange info or find me on Twitter
December 14th, 2010 11:51am

Steve, Going through your list, I'm trying to cover these points as best I can.
Matching A/PTR records. Using NSLOOKUP, the lookup of the A record produces the correct IP address but I'm not sure about the inverse.
> mail.mydomain.org
Non-authoritative answer:
Name: mail.mydomain.org
Address: 24.30.20.10
MUNGE ALERT! Although I've modified the domain name and IP, the expected results do appear in NSLOOKUP.
However, if I do this:
> set type=PTR
> 24.30.20.10
Non-authoritative answer:
10.20.30.24.in-addr.arpa name = mydomain.org
1. That does not produce mail.mydomain.org - perhaps because you have to go to the server with mydomain.org first and that's just what appears at this level.
2. In my notes, I see that the PTR query used to produce a list of ISP DNS servers as well.
This is from my notes when I set up the Exchange 2K7 server not quite two years ago:
> set type=PTR
> 24.30.20.10
Non-authoritative answer:
10.20.30.24.in-addr.arpa name = myDomain.org
20.30.24.in-addr.arpa name server = ns2.biz.rr.com
20.30.24.in-addr.arpa nameserver = dns4.rr.com
20.30.24.in-addr.arpa nameserver = ns1.biz.rr.com
ns1.biz.rr.com internet address = 24.30.200.19
ns2.biz.rr.com internet address = 24.30.201.19
dns4.rr.com internet address = 65.24.0.172
This last part no longer appears when I run NSLOOKUP.
Now, our ISP is normally responsible for our PTR record, correct? (Well, we had ours configure a PTR record for us). So, the end result is what it was about two years ago, long before we had problems. On the other hand, the query produces less information now, for some reason.
(Will look at the other elements later, have to run, thanks for your help!)
December 14th, 2010 2:03pm

Here's something else. Our ISP holds our PTR record (for external DNS). The company hosting our website holds our A records (autodiscover.mydomain.org, mail.mydomain.org, mydomain.org)
These are two different companies.
Could that have an effect when comparing A records to PTR records, or would it not matter, as long as both can be resolved?
What's more, our MX records point to Google/Postini mail hygiene servers.
December 14th, 2010 4:02pm

I am failing this test if I enter the external 1 to 1 NAT external IP address that translates to the internal IP of our mail server. http://ipadmin.junkemailfilter.com/rdns.php
First, why did we set it up that way? It looks like we had to according to the firewall documentation and tech support. That was two years ago and except for this person (RileyHoffman) there have been no problems called to my attention.
Anyway, this is the test run against the 1 to 1 external NAT IP address of the firewall:
RDNS for 24.30.20.11 is: [mydomain.org] - (PTR record - 11.20.30.24.in-addr.arpa)
ERROR - Lookup Failed for [mydomain.org]
ERROR - Reverse Lookup Failed
IP [24.30.20.11] does not match []
This is the test run against the "primary" external IP address of the firewall:
RDNS for 24.30.20.10 is: [rrcs-24-30-20-10.nys.biz.rr.com] - (PTR record - 10.20.30.24.in-addr.arpa)
IP Address for rrcs-24-30-20-10.nys.biz.rr.com is: [24.30.20.10]
SUCCESS! - Forward Confirmed Reverse DNS is CORRECT!
The IP address for the reverse lookup name matches the original IP
We had our ISP create a PTR that matches 24.30.20.11 to mydomain.org.
What do we have to do to resolve this issue (if this is indeed the problem)? Should that point to mail.mydomain.org?
December 14th, 2010 5:10pm

It sounds like we are on the right track but the 1 to 1 NAT IP you mention and its PTR don't seem to correspond to the log segments you show. Can you ping an email to <removed> so I can see what gets logged in our system and I should be able to tell you exactly what to add as the HELO.
Steve
Steve Goodman Check out my Blog for more Exchange info or find me on Twitter
December 14th, 2010 5:23pm

On Tue, 14 Dec 2010 16:36:22 +0000, Le Pivert wrote:
>This just doesn't make sense.
>I was about to ask if installing Wireshark on the Exchange server would be a good idea, and see if we are not being blocked even before the SMTP communications begin.
It's not a *bad* idea. It's an excellent troubleshooting tool.
>First, I'm not sure if that would show anything (???)
Sometimes what it _doesn't_ show you is very revealing.
>Second, I was going to ask the recipient if he has indeed asked Namesecure to whitelist our IP.
>Well, we were communicating with 205.178.149.7 as shown in the log above (my preceding post).
You said you couldn't find that address in any of the SMTP protocol logs.
>So we can't be blocked, could we?
That depends on your definition of "blocked". A typical mode of operation for using a DNSBL is to reject the connection. That's a bad idea because you have no choice but to whitelist the IP address, even if you want to receive e-mail from just one address. The less evil way to use the DNSBL is to wait until the MAIL FROM address has been received and THEN reject the MAIL FROM command. That gives you the ability to whitelist senders.
>So why doesn't it work for this one guy?
Maybe it's just his address that's refused?
>Bad DNS data in cache?
That was based on your statements about not seeing the IP address you now say you see in the SMTP protocol logs.
>I ran the command "dnscmd /clearcache" on both domain controllers (which are also our internal DNS servers) and then ipconfig /flushdns on the mailserver.
>(Of course, if the DNS info is bad at the ISP level or elsewhere, we'd probably just get that bad info again.)
True.
>I then sent another series of test messages.
>But it's midday now and even in a rather small organization like ours, there's a ton of email being sent and I can't see any pattern.
>And the logs show no EHLO/HELO data pertaining to the recipient (EDIT | FIND once again).
You'd only see that if they were sending e-mail to you. You won't see their HELO\EHLO if you're sending to them because it's the sender who issues those commands. What you want to see is RCPT TO commands that contain the string "@hoffmanrileyarchitects.com".
--- Rich Matheisen MCSE+I, Exchange MVP
December 14th, 2010 9:50pm
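
The search Rich describes above (RCPT TO commands for one recipient domain in the SMTP protocol log), as an added Python example that is not part of the thread: it pairs each command with the server's final reply, allowing for the pipelined MAIL FROM/RCPT TO seen in the posted log. The sample log, session ids and example.com/example.net addresses are constructed, and the column names are assumed from the layout of the posted lines.

```python
import csv
import io
import re
from collections import defaultdict, deque

# Assumed column order, taken from the layout of the log lines posted in the thread.
FIELDS = ["date_time", "connector_id", "session_id", "sequence_number",
          "local_endpoint", "remote_endpoint", "event", "data", "context"]

# Constructed sample in the same layout (documentation addresses, made-up session ids).
SAMPLE_LOG = '''\
2010-12-13T22:47:55.565Z,OUTBOUND,AAAA000000000001,0,,192.0.2.25:25,*,,attempting to connect
2010-12-13T22:47:55.627Z,OUTBOUND,AAAA000000000001,1,10.1.1.1:58259,192.0.2.25:25,+,,
2010-12-13T22:47:55.690Z,OUTBOUND,AAAA000000000001,2,10.1.1.1:58259,192.0.2.25:25,<,"220 mx.example.com ESMTP ready, Mon, 13 Dec 2010 17:47:55 -0500",
2010-12-13T22:47:55.690Z,OUTBOUND,AAAA000000000001,3,10.1.1.1:58259,192.0.2.25:25,>,EHLO mail.sender.example,
2010-12-13T22:47:55.752Z,OUTBOUND,AAAA000000000001,4,10.1.1.1:58259,192.0.2.25:25,<,250-mx.example.com says EHLO,
2010-12-13T22:47:55.752Z,OUTBOUND,AAAA000000000001,5,10.1.1.1:58259,192.0.2.25:25,<,250-PIPELINING,
2010-12-13T22:47:55.752Z,OUTBOUND,AAAA000000000001,6,10.1.1.1:58259,192.0.2.25:25,<,250 8BITMIME,
2010-12-13T22:47:55.752Z,OUTBOUND,AAAA000000000001,7,10.1.1.1:58259,192.0.2.25:25,*,1461125,sending message
2010-12-13T22:47:55.752Z,OUTBOUND,AAAA000000000001,8,10.1.1.1:58259,192.0.2.25:25,>,MAIL FROM:<>,
2010-12-13T22:47:55.752Z,OUTBOUND,AAAA000000000001,9,10.1.1.1:58259,192.0.2.25:25,>,RCPT TO:<nobody@example.com>,
2010-12-13T22:47:55.799Z,OUTBOUND,AAAA000000000001,10,10.1.1.1:58259,192.0.2.25:25,<,250 MAIL FROM accepted,
2010-12-13T22:47:55.799Z,OUTBOUND,AAAA000000000001,11,10.1.1.1:58259,192.0.2.25:25,<,550 User Unknown,
2010-12-13T22:47:55.799Z,OUTBOUND,AAAA000000000001,12,10.1.1.1:58259,192.0.2.25:25,>,QUIT,
2010-12-13T22:47:55.799Z,OUTBOUND,AAAA000000000001,13,10.1.1.1:58259,192.0.2.25:25,-,,Remote
2010-12-13T22:50:01.100Z,OUTBOUND,AAAA000000000002,0,,198.51.100.7:25,*,,attempting to connect
2010-12-13T22:50:01.150Z,OUTBOUND,AAAA000000000002,1,10.1.1.1:58301,198.51.100.7:25,+,,
2010-12-13T22:50:01.200Z,OUTBOUND,AAAA000000000002,2,10.1.1.1:58301,198.51.100.7:25,<,220 mx.example.net ESMTP,
2010-12-13T22:50:01.200Z,OUTBOUND,AAAA000000000002,3,10.1.1.1:58301,198.51.100.7:25,>,EHLO mail.sender.example,
2010-12-13T22:50:01.250Z,OUTBOUND,AAAA000000000002,4,10.1.1.1:58301,198.51.100.7:25,<,250 mx.example.net,
2010-12-13T22:50:01.250Z,OUTBOUND,AAAA000000000002,5,10.1.1.1:58301,198.51.100.7:25,>,MAIL FROM:<me@sender.example>,
2010-12-13T22:50:01.300Z,OUTBOUND,AAAA000000000002,6,10.1.1.1:58301,198.51.100.7:25,<,250 sender ok,
2010-12-13T22:50:01.300Z,OUTBOUND,AAAA000000000002,7,10.1.1.1:58301,198.51.100.7:25,>,RCPT TO:<architect@example.net>,
2010-12-13T22:50:01.350Z,OUTBOUND,AAAA000000000002,8,10.1.1.1:58301,198.51.100.7:25,<,250 recipient ok,
2010-12-13T22:50:01.350Z,OUTBOUND,AAAA000000000002,9,10.1.1.1:58301,198.51.100.7:25,>,QUIT,
2010-12-13T22:50:01.400Z,OUTBOUND,AAAA000000000002,10,10.1.1.1:58301,198.51.100.7:25,<,221 bye,
2010-12-13T22:50:01.400Z,OUTBOUND,AAAA000000000002,11,10.1.1.1:58301,198.51.100.7:25,-,,Local
'''

RCPT_RE = re.compile(r"RCPT TO:<([^>]*)>", re.IGNORECASE)
REPLY_RE = re.compile(r"^(\d{3})([ -])?")


def load_sessions(text):
    """Group log rows by session id, ordered by sequence number."""
    sessions = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 8 or row[0].startswith("#"):  # blank and header lines
            continue
        rec = dict(zip(FIELDS, row + [""] * (len(FIELDS) - len(row))))
        sessions[rec["session_id"]].append(rec)
    for rows in sessions.values():
        rows.sort(key=lambda r: int(r["sequence_number"]))
    return sessions


def pair_replies(rows):
    """Match each sent command (">") with the final line of its reply ("<").

    With PIPELINING the client sends MAIL FROM and RCPT TO back to back and the
    replies arrive afterwards, so replies are matched to commands in FIFO order.
    """
    pending = deque(["<connect>"])  # the 220 banner answers the connection itself
    pairs = []
    for rec in rows:
        if rec["event"] == ">":
            pending.append(rec["data"])
        elif rec["event"] == "<":
            m = REPLY_RE.match(rec["data"])
            # "250-..." is a continuation line; only "250 ..." ends a reply
            if m and m.group(2) != "-" and pending:
                code = int(m.group(1))
                pairs.append((pending.popleft(), code, rec["data"]))
                if code == 354:  # message body follows and gets its own reply
                    pending.appendleft("<end of data>")
    return pairs


def recipient_attempts(text, domain):
    """Return every RCPT TO for `domain` together with the remote server's answer."""
    hits = []
    for session_id, rows in load_sessions(text).items():
        for command, code, reply in pair_replies(rows):
            m = RCPT_RE.match(command)
            if m and m.group(1).lower().endswith("@" + domain.lower()):
                hits.append({"session": session_id,
                             "remote": rows[-1]["remote_endpoint"],
                             "recipient": m.group(1), "code": code, "reply": reply})
    return hits


if __name__ == "__main__":
    for hit in recipient_attempts(SAMPLE_LOG, "example.com"):
        print(hit)
```

An empty result for the recipient's domain means no session in that log file ever reached RCPT TO for it, which is itself worth knowing before looking at DNS or the remote side.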

On Tue, 14 Dec 2010 20:57:57 +0000, Le Pivert wrote:
>Here's something else. Our ISP holds our PTR record (for external DNS). The company hosting our website holds our A records (autodiscover.mydomain.org, mail.mydomain.org, mydomain.org)
>These are two different companies.
>Could that have an effect when comparing A records to PTR records, or would it not matter, as long as both can be resolved?
It doesn't matter. The situation you describe is quite common.
>What's more, our MX records point to Google/Postini mail hygiene servers.
That's not a problem, either. But do you not send your outbound e-mail through those same servers? If you do then you'd be using a smart host in your send connector(s) and the IP address you'd see in the SMTP protocol logs when you send e-mail would be the IP address of the smart host, not the IP address of the target domain's MX.
--- Rich Matheisen MCSE+I, Exchange MVP
December 14th, 2010 9:53pm

On Tue, 14 Dec 2010 16:17:31 +0000, Le Pivert wrote:
>Well, I edit that with spacing (above) and it REFUSES to display correctly.
>Just about had it.
>Rich, It looks like I get the same results:
>set type=MX
>hoffmanrileyarchitects.com
>Non-authoritative answer:
>hoffmanrileyarchitects.com MX preference = 10, mail exchanger = inbound.hoffmanrileyarchitects.com.namesecuremail.net
>inbound.hoffmanrileyarchitects.com.namesecuremail.net internet address = 205.178.149.7
>I cannot find hoffman with EDIT | FIND
Open the log file with notepad.exe and try finding it that way. Or find a grep that works on Windows (MS has one named qgrep.exe -- it's in the 2003 resource kit).
>I have searched six log files covering 2 days, copying and pasting the IP from your post (so I cannot have mistyped it), searched Direction "Up" and Direction "Down"
>OK, I finally found this, but it is probably a NDR to a spammer (?):
It's a NDR and it's sent to the IP address you've been looking for. Whether it's a spammer or not I don't know.
[ snip ]
>2010-12-13T22:47:55.752Z,OUTBOUND,08CD40B801AE4FF4,9,10.1.1.1:58259,205.178.149.7:25,>,MAIL FROM:<>,
[ snip ]
>So, we CAN communicate with 205.178.149.7
>As for my pattern from the other day, I think it might have been a simple coincidence, despite the numerous entries logged right about the time I sent 4-5 test messages.
>As far as this recipient is concerned, there's no reason we would be talking with servers in Finland.
Have you installed the anti-spam agents on your HT server? Do you reject mail sent to addresses that aren't in your directory? I suspect that you don't. If that's correct then those connections may be your server sending (or trying to send) NDRs for e-mail it never should have accepted.
--- Rich Matheisen MCSE+I, Exchange MVP
December 14th, 2010 10:06pm

Steve, I just went ahead and sent you an email to the address you indicated. It was sent at exactly 9:00 Eastern Standard Time (East Coast - US) and is from: "testsenderwxyz" Top level domain will be .org Or did you just want me to ping your email address? Please let me know if I should proceed otherwise. Thank you.
December 15th, 2010 9:07am

>Steve, I just went ahead and sent you an email to the address you indicated. It was sent at exactly 9:00 Eastern Standard Time (East Coast - US) and is from: "testsenderwxyz" Top level domain will be .org
>Or did you just want me to ping your email address? Please let me know if I should proceed otherwise. Thank you.
Hiya, OK received fine. The IP that sent it ended in .19 - this appears to have a forward/reverse of rrcs-<removed>-19.nys.biz.rr.com and that's what I would set as the send connector's HELO response, at least until you get your ISP to change it to something you prefer.
Your mail server SAID in its HELO it was mail.<yourdomain>. That resolves to an IP ending in .20; the PTR resolves to just your domain, and the domain itself resolves to something else entirely. You mentioned this above but from what I can see you think that the IP ending in .20 is sending the mail, which it is not (at least as far as a remote host knows).
So - your HELO is definitely incorrect, by claiming to be a different host than it actually appears on the internet. That is further confused by mismatched PTRs on that other IP ending in .20. I would change the send connector to say its HELO is rrcs-<removed>-19.nys.biz.rr.com and give it a try. At least then from a configuration point of view it won't be incorrect.
But just to add to what Rich said, - you said you're using Postini for inbound mail. Why don't you use them for outbound and avoid this hassle? You may already be paying for it - look at the Outbound config guide. It looks like it's pretty much as simple as registering your outbound IP (the .19 one) and then setting up a send connector. If that worries you, you could just make only mail to this problem destination go through Postini so it doesn't affect what you're already doing.
Steve
Steve Goodman Check out my Blog for more Exchange info or find me on Twitter
December 15th, 2010 9:44am

Thanks Steve. I'll look into that. You've been very helpful. I'll keep you posted. Update: OK - HELO is now what you suggested: rrcs-24-x-x-x.nys.biz.rr.com Instead of: mail.mydomain.org So far, so good. I can still send test messages to my Gmail accounts.
December 15th, 2010 9:51am

Thanks Steve. I'll look into that. You've been very helpful. I'll keep you posted. (Hey, looks like you're getting as much snow this year in the UK as we do in New England / Quebec?)
December 15th, 2010 9:51am

Rich,
>You said you couldn't find that address in any of the SMTP protocol logs.
Not the first three, but as more files were created, I found it in one of the following logs.
>You'd only see that if they were sending e-mail to you. You won't see their HELO\EHLO if you're sending to them because it's the sender who issues those commands. What you want to see is RCPT TO commands that contain the string "hoffmanrileyarchitects.com".
OK, now I know. This is the first time in 20 + months working with Exchange that I've had to troubleshoot a send and receive problem this complex, so I'm not used to reading this kind of log.
>But do you not send your outbound e-mail through those same servers? (Postini)
No, Postini just filters our inbound mail. Originally, our ISP offered a Smart Host option but stopped this and told us to select the DNS option in the Send Connector instead. But that was well before this problem started in late September-early October.
>Have you installed the anti-spam agents on your HT server?
No, since our MX records point to the Postini servers, and since the only inbound access on our firewall is 443 (for OWA and Outlook Anywhere) and 25 (Postini address range only) I don't grasp how any of this traffic is even making it to the Receive Connector?
As for 443 open, I'm trying to replace our current firewall with ISA/TMG so we can publish OWA according to best practices. Maybe next fiscal year.
>Do you reject mail sent to addresses that aren't in your directory?
Honestly, I thought the "Accepted Domains" settings would take care of this. We have OurOrganization.local (exists by default) and OurOrganization.org. I would have thought the Receive Connector would have dropped everything else... Or maybe it does, but it's diligently sending NDRs all the same?
Well, since sending NDRs might be a good thing in some cases, it looks like I should install the anti-spam filters? Initially, I thought there was no reason to do this, since Postini was filtering spam and malware for us.
December 15th, 2010 9:52am

Steve, Update: OK - HELO is now what you suggested: rrcs-24-x-x-x.nys.biz.rr.com Instead of: mail.mydomain.org So far, so good. I can still send test messages to my Gmail accounts.
December 15th, 2010 2:59pm

On Wed, 15 Dec 2010 14:48:08 +0000, Le Pivert wrote:
[ snip ]
>>But do you not send your outbound e-mail through those same servers? (Postini)
>No, Postini just filters our inbound mail.
Small businesses are usually better off using a SMTP relay service that isn't as apt to be added to any DNS BLs as some lonely IP address -- especially if they aren't able to keep up with the latest trends and zealotry in perimeter protection.
>Originally, our ISP offered a Smart Host option but stopped this and told us to select the DNS option in the Send Connector instead.
Did they reduce your monthly fees accordingly? :-)
[ snip ]
>>Have you installed the anti-spam agents on your HT server?
>No, since our MX records point to the Postini servers, and since the only inbound access on our firewall is 443 (for OWA and Outlook Anywhere) and 25 (Postini address range only) I don't grasp how any of this traffic is even making it to the Receive Connector?
How have you restricted access to your receive connector? Do you accept connections only from the IP address(es) Postini uses to send e-mail to you? Have you told Postini to accept messages sent only to certain e-mail addresses in your domain?
>As for 443 open, I'm trying to replace our current firewall with ISA/TMG so we can publish OWA according to best practices. Maybe next fiscal year.
>>Do you reject mail sent to addresses that aren't in your directory?
>Honestly, I thought the "Accepted Domains" settings would take care of this.
That limits the domain part of the address, but it does nothing for the "user" part of the address.
>We have OurOrganization.local (exists by default) and OurOrganization.org.
>I would have thought the Receive Connector would have dropped everything else...
>Or maybe it does, but it's diligently sending NDRs all the same?
You only send NDRs for e-mail you've accepted the responsibility of delivering.
>Well, since sending NDRs might be a good thing in some cases, it looks like I should install the anti-spam filters?
Yes, you should. You needn't enable all of them, but the "Recipient Filtering" agent should be enabled, and the "Block messages sent to recipients not listed..." should be checked on the property page of the agent.
>Initially, I thought there was no reason to do this, since Postini was filtering spam and malware for us.
That's content filtering. Not accepting e-mail you can't deliver is another thing.
--- Rich Matheisen MCSE+I, Exchange MVP
December 15th, 2010 7:52pm

Rich, How have you restricted access to your receive connector? Do you accept connections only from the IP address(es) Postini uses to send e-mail to you? Yes, exactly. When we signed up, they indicated the range in question. So the only "pinhole" (open to the general public) in the firewall is 443. And that is 1 to 1 NATed to the religiously patched mail server (with MS security updates).
December 16th, 2010 8:53am

Bad news from Namesecure: they will not whitelist our IP. More bad news: changing the EHLO/HELO string in the Send Connector to rrcs-24-x-x-x.nys.biz.rr.com has filled the Event Viewer App log with the following type of entry: Microsoft Exchange could not find a certificate that contains the domain name rrcs-24-x-x-x.nys.biz.rr.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector OUTBOUND with a FQDN parameter of rrcs-24-x-x-x.nys.biz.rr.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key. Perhaps more importantly, changing that resolved nothing, since none of the messages sent to the recipient were received. Looks like I'll have to concentrate on setting up a Smart Host with someone, probably Postini.
December 16th, 2010 9:01am

OK don't forget the instructions to enable the SmartHost with Postini are fairly straightforward: Outbound config guide
Steve
Steve Goodman Check out my Blog for more Exchange info or find me on Twitter
December 16th, 2010 4:37pm

On Thu, 16 Dec 2010 13:48:05 +0000, Le Pivert wrote:
>Rich,
>>How have you restricted access to your receive connector? Do you accept connections only from the IP address(es) Postini uses to send e-mail to you?
>Yes, exactly. When we signed up, they indicated the range in question.
Okay, so the messages you receive that aren't in your AD haven't been detected as spam by Postini. That's not unusual since no spam filter is 100% effective. Enabling recipient filtering should take care of those few that elude Postini's filters.
>So the only "pinhole" (open to the general public) in the firewall is 443. And that is 1 to 1 NATed to the religiously patched mail server (with MS security updates).
--- Rich Matheisen MCSE+I, Exchange MVP
December 16th, 2010 5:48pm

On Thu, 16 Dec 2010 13:56:47 +0000, Le Pivert wrote:
>Bad news from Namesecure: they will not whitelist our IP.
So now you just need to make things right w/r/t names and IP addresses used by your outbound connections.
>More bad news: changing the EHLO/HELO string in the Send Connector to rrcs-24-x-x-x.nys.biz.rr.com has filled the Event Viewer App log with the following type of entry:
Get yourself a $29 certificate with the right name. Or a more expensive SAN/UCC cert with all the names you'll need.
[ snip ]
>Perhaps more importantly, changing that resolved nothing, since none of the messages sent to the recipient were received.
Unless the receiving domain insists on inbound connections using TLS (which is unlikely, but not unheard of) this shouldn't make any difference in your ability to send e-mail.
>Looks like I'll have to concentrate on setting up a Smart Host with someone, probably Postini.
That's one way to avoid the problem of a badly maintained DNS. :-)
--- Rich Matheisen MCSE+I, Exchange MVP
December 16th, 2010 5:52pm

Rich, In fact, we are using a more expensive SAN/UCC cert with several variations on our domain name. None of the documentation I consulted ever suggested that I could add a domain name that is not ours to the cert. ([...]nys.biz.rr.com is not the domain name of our organization, it's our ISP) The cert authority would allow that?
December 17th, 2010 11:33am

>Rich, In fact, we are using a more expensive SAN/UCC cert with several variations on our domain name. None of the documentation I consulted ever suggested that I could add a domain name that is not ours to the cert. ([...]nys.biz.rr.com is not the domain name of our organization, it's our ISP) The cert authority would allow that?
No they won't allow that, you'd have to get the forward and reverse DNS sorted, really to match your SAN cert.
Steve
Steve Goodman Check out my Blog for more Exchange info or find me on Twitter
December 17th, 2010 11:37am

Thanks Steve. Yes, we have a couple problems, one being, I think, that because of the way our 1 to 1 NAT is set up, we have A records "out there" pointing to the IP ending in 20 while we are sending from the IP ending in 19.
Another question that came up in my mind is this: Let's pretend my domain is called contoso.com. A web hoster that is not my ISP hosts the contoso.com website. Therefore, the A record for contoso.com points to 1.2.3.4 (pretend IP address).
(Badly maintained) DNS records for our mail services are configured as follows:
MX records point to the FQDNs of the Postini mail hygiene servers (and they take care of their own DNS)
OWA, Outlook Anywhere and ActiveSync clients use "mail.contoso.com"
The web hoster at IP 1.2.3.4 (just mentioned above) redirects those clients to the 1 to 1 NATed IP address of our firewall, let's say 20.30.40.50 (Once again, the A record for contoso.com points to our web site hoster).
So, let's say the A record for mail.contoso.com points to 20.30.40.50, the other ("real") external IP of the firewall being 20.30.40.49.
Should I tell our ISP to make the PTR (rDNS - they are equivalent terms, right?) records for (both?) those IP addresses point to: contoso.com or mail.contoso.com ??? And then put either contoso.com, or mail.contoso.com, in the EHLO/HELO box of the Send Connector?
I think I'll probably still have to use a Smart Host, at least for the problem user, because even with the info you suggested, the mail would still not make it to the recipient. Who knows, they may require TLS or something like Rich noted earlier.
Have to run, thanks again.
December 17th, 2010 12:05pm

On Fri, 17 Dec 2010 16:28:52 +0000, Le Pivert wrote:
>Rich,
>In fact, we are using a more expensive SAN/UCC cert with several variations on our domain name.
>None of the documentation I consulted ever suggested that I could add a domain name that is not ours to the cert.
>([...]nys.biz.rr.com is not the domain name of our organization, it's our ISP)
>The cert authority would allow that?
None of them will. You need to change the name of your A record and the name returned by PTR record for its IP address.
--- Rich Matheisen MCSE+I, Exchange MVP
December 17th, 2010 10:21pm

On Fri, 17 Dec 2010 17:00:43 +0000, Le Pivert wrote:
>Thanks Steve.
>Yes, we have a couple problems, one being, I think, that because of the way our 1 to 1 NAT is set up, we have A records "out there" pointing to the IP ending in 20 while we are sending from the IP ending in 19.
>Another question that came up in my mind is this:
>Let's pretend my domain is called contoso.com.
>A web hoster that is not my ISP hosts the contoso.com website.
>Therefore, the A record for contoso.com points to 1.2.3.4 (pretend IP address).
>(Badly maintained) DNS records for our mail services are configured as follows:
>MX records point to the FQDNs of the Postini mail hygiene servers (and they take care of their own DNS)
Where your MX records direct inbound mail shouldn't matter. There are plenty of places that use different IP addresses for e-mail inflow and outflow.
>OWA, Outlook Anywhere and ActiveSync clients use "mail.contoso.com"
>The web hoster at IP 1.2.3.4 (just mentioned above) redirects those clients to the 1 to 1 NATed IP address of our firewall, let's say 20.30.40.50 (Once again, the A record for contoso.com points to our web site hoster).
OWA, OA, and ActiveSync can also use a completely different IP address.
>So, let's say the A record for mail.contoso.com points to 20.30.40.50, the other ("real") external IP of the firewall being 20.30.40.49.
Change this around a bit and use, say, "osmtp.contoso.com" as your e-mail outflow FQDN (this is what you put on the send connector), and that it uses 20.30.40.49 when it sends e-mail (i.e. 20.30.40.49 is the IP address the receiving system sees).
contoso.com. IN MX 5 psmtp.postini.com.
osmtp.contoso.com. IN A 20.30.40.49
49.40.30.20.in-addr.arpa. IN PTR osmtp.contoso.com.
And then add a TXT record to your external DNS zone for the contoso.com domain:
v=spf1 ip4:20.30.40.49 ~all
and another for the server (osmtp.contoso.com) so HELO\EHLO checks work:
v=spf1 ip4:20.30.40.49 ~all
That should get you what you're after.
--- Rich Matheisen MCSE+I, Exchange MVP
December 17th, 2010 10:44pm
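
A check of the name and address consistency discussed in the posts above (HELO name, A record, PTR record, SPF), as an added Python example that is not from the thread. It runs against constructed in-memory records for the thread's contoso.com illustration; host-49.isp.example is a placeholder for the ISP-assigned name, and only ip4 SPF mechanisms are evaluated.

```python
import ipaddress


def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


# Constructed records: the situation described in the thread (HELO name points
# at .50, mail actually leaves from .49, whose PTR is an ISP-assigned name).
BEFORE = {
    ("A", "contoso.com"): ["1.2.3.4"],
    ("A", "mail.contoso.com"): ["20.30.40.50"],
    ("A", "host-49.isp.example"): ["20.30.40.49"],
    ("PTR", "49.40.30.20.in-addr.arpa"): ["host-49.isp.example."],
    ("PTR", "50.40.30.20.in-addr.arpa"): ["contoso.com."],
}

# Constructed records after the change suggested in the thread.
AFTER = {
    ("A", "contoso.com"): ["1.2.3.4"],
    ("A", "osmtp.contoso.com"): ["20.30.40.49"],
    ("PTR", "49.40.30.20.in-addr.arpa"): ["osmtp.contoso.com."],
    ("TXT", "contoso.com"): ["v=spf1 ip4:20.30.40.49 ~all"],
    ("TXT", "osmtp.contoso.com"): ["v=spf1 ip4:20.30.40.49 ~all"],
}


def lookup(zone, rtype, name):
    return zone.get((rtype, norm(name)), [])


def ptr_names(zone, ip):
    """Names returned by the PTR record for `ip` (owner name is the reversed IP)."""
    owner = ipaddress.ip_address(ip).reverse_pointer
    return [norm(n) for n in lookup(zone, "PTR", owner)]


def fcrdns_names(zone, ip):
    """Forward-confirmed reverse DNS: PTR names whose A record points back at `ip`."""
    return [n for n in ptr_names(zone, ip) if ip in lookup(zone, "A", n)]


def spf_ip4_permits(zone, name, ip):
    """True if an ip4: mechanism in the SPF record of `name` covers `ip`."""
    addr = ipaddress.ip_address(ip)
    for txt in lookup(zone, "TXT", name):
        terms = txt.split()
        if not terms or terms[0].lower() != "v=spf1":
            continue
        for term in terms[1:]:
            if term.lower().startswith(("ip4:", "+ip4:")):
                net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
                if addr in net:
                    return True
    return False


def audit(zone, helo, sending_ip, mail_domain):
    """Summarise what a receiving server can verify about an outbound connection."""
    confirmed = fcrdns_names(zone, sending_ip)
    return {
        "ptr": ptr_names(zone, sending_ip),
        "fcrdns_ok": bool(confirmed),
        "helo_resolves_to_sender": sending_ip in lookup(zone, "A", helo),
        "helo_matches_ptr": norm(helo) in confirmed,
        "spf_domain_ok": spf_ip4_permits(zone, mail_domain, sending_ip),
        "spf_helo_ok": spf_ip4_permits(zone, helo, sending_ip),
    }


if __name__ == "__main__":
    print(audit(BEFORE, "mail.contoso.com", "20.30.40.49", "contoso.com"))
    print(audit(AFTER, "osmtp.contoso.com", "20.30.40.49", "contoso.com"))
```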

Thanks Rich. I'll work on that solution and come back with followup questions if I run into problems.
December 18th, 2010 10:02am

This topic is archived. No further replies will be accepted.
