
Messages not being delivered to certain domains

Nov 7, 2001
We have a brand new Exchange server that recently has been put online. Email works to a majority of domains; however, there are 15-20 that we do not get through to. What happens is when we send mail, we first get a message from the postmaster saying that delivery has been delayed. Then after about 48 hours we get a message stating that it could not be delivered. I've looked over our settings and I don't see anything that should be blocking out these domains. I'm having trouble finding any information on what to do or check. Any help would be appreciated.

Thanks-
Bill Swanson, MCP
 
Are you using an SMTP proxy of any sort in your firewall? Exchange2000 uses Enhanced SMTP by default, and I recently had a problem whereby my (Watchguard) firewall was allowing the Exchange server to autonegotiate to ESMTP (with other Exchange2000 servers, for example), but then ripping out non-SMTP commands, really goofing up the works.

See if this helps (it shouldn't hurt):
Under Administrative Groups, <sitename folder>, Routing Groups, <sitename>, Connectors, <servername> - Properties, Advanced tab, check "Send HELO instead of EHLO".

Also, make sure you're not on any RBL "blackhole" lists.

-Steve
 
How do I find out if I'm on blacklists? I went to mail-abuse.org and we're not on that one. What are others that I need to check?

Thanks-
Bill
 
Thanks, I'm not on any of the lists. I'm really confused why I'm not getting through to certain domains. We are a small site so I don't have an SMTP connector set up. So the other part of your advice isn't helping. Can you think of anything else to check?

I appreciate your help.
 
Do you get email from those sites? Can you do an nslookup to get their MX addresses and tracert (from the Exchange server) those MX addresses (by IP and by FQDN)? Are the unable-to-deliver-to sites all one type of server or mail service?

Also, have you looked at your logs? And perhaps you should set up an SMTP connector, my understanding is that it is essential for internet mail from Exchange, but I've been wrong before.

-Steve
 
NSlookup and Tracert failed when I tried it on the domains we're having trouble with. I had previously read on TechNet that an SMTP connector was not necessary for single Exchange server sites. However, I set one up and now I can resolve both FQDN and IP addresses using NSlookup. The problem I run into now is I can't send any internet mail (to anyone); internal works fine. I also can receive internet mail.

When I trace the message one of two things is happening. One, it says it's been submitted to the categorizer and sits there.

Or, Message transferred out to ESMTP through SMTP and then log file \\ESMTP\tracking.log\"date.log" is unavailable.

I've double checked the configuration and I can't find anything that looks incorrect.

Any ideas?
Thanks

Bill
 
Implementing the SMTP Connector should not have had any effect on nslookup or tracert results. What are you doing for DNS services?
-Steve
 
DNS is setup through our domain controller internally, externally we pick up our ISP's DNS server.
 
I'm just about out of ideas, then. You may want to open up a case with MS tech support, if no one else here chimes in. In the meantime, you might try removing the SMTP connector to see if you can get back to only 15-20 domains being unreachable.

When you figure out what the solution is, could you post it in this thread?
-Steve
 
I agree with Steve, you should remove that SMTP connector. Your issue is DNS, as you said, you can't do an NSLOOKUP to those domains in question. Did you try that NSLOOKUP only from the Exchange box? Try it out on your nameserver as well, and check your Cached Lookups zone for those domain names. It's possible that there's a negative cached entry that needs to be cleared out...
 
I think the problem could be with reverse DNS lookups. Perhaps you are not using one-to-one NAT on your firewall and reverse lookups are resolving to your firewall rather than your mail server. Look into it.

AM
 
I was wrong about the SMTP connector. With it set up I have the exact same functionality as before (the few domains causing problems). But the good thing is now NSLookup can resolve the IP addresses and FQDN names. I've tried with the send EHLO/HELO option both ways.

The messages to these domains hang in the categorizer. I looked on TechNet and haven't found much of use. If there are any ideas out there...please let me know.

Thank you one and all for your help!
 
I don't know if this could be anything. Since I've been able to resolve IP addresses, I've noticed all the domains I can't email are Class 1. I know it's a long shot, but we are a non-profit, so I don't have a huge support budget that I can spend 245 through Microsoft.

By the way, when I figure out what's going on I'll definitely post the resolution.

Bill
 
You mean Class A (1.x.x.x through 126.x.x.x)? Hmmm, what's your Exchange server's (internal) IP address and subnet mask?
-Steve
 
Yes, the IP of the mail server I'm trying to mail is 64.65.219.195. My network is pretty basic so the internal IP is 192.168.1.X and then subnet of 255.255.255.0.
 
Does the subnet mask of your Exchange server have something funky in the first octet like 254 or 128 or something?
 
Well it turns out I did have a problem in my subnet, unfortunately it wasn't causing this problem. It's strange I can telnet these servers on port 25 fine. As I said before when I track the message it is in the categorizer.

It finally kicked back this NDR.
Your message did not reach some or all of the intended recipients.

Subject: test
Sent: 5/21/2002 11:13 AM

The following recipient(s) could not be reached:

rosemary@ghf.org on 5/23/2002 11:27 AM
Could not deliver the message in the time limit specified. Please retry or contact your administrator.
<uwcr-xchange.uwcr.org #4.4.7>

It's hard to tell, but it seems like this message may not even be routed correctly out of my server for some reason.
 
Well, if that domain you listed is the actual one you're sending to (ghf.org), you'd have to have a VERY forgiving query engine to get mail to them, as they've listed their MX record as an IP ADDRESS. This is an illegal DNS configuration. MX records must point to host names...
 
Hi, yeh I had several domains that exhibited this problem last year. Basically, the fault is not with exchange but with the way they've set up their DNS. If they've set it up incorrectly, most mail servers will still deliver to it, but not exch2000. It would be good if exchange would handle it, but then again they might have with the latest service packs. Are you fully patched up on exchange?

Anyhow, the work-around that I found is:
1) Figure out what IP the mail is supposed to be going to, by checking the MX records for the domain.
2) Set up a connector (in routing groups) that forwards all mail for that domain directly to that IP address. This is however a temporary fix, as it bypasses the MX lookup, which means if they change mailserver IP then your setup stops working.
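
An added example, not part of the original thread: a Python check for the misconfiguration identified in the last two posts, an MX record whose exchange field is an IP address (RFC 1035 defines that field as a domain name). It parses Windows-style `nslookup -type=mx` output and flags IP-literal targets; the sample output, domains and addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of Windows `nslookup -type=mx` output (not from a real domain).
SAMPLE_NSLOOKUP = """\
Server:  dns.example.net
Address:  192.0.2.53

Non-authoritative answer:
good.example\tMX preference = 10, mail exchanger = mail.good.example
bad.example\tMX preference = 10, mail exchanger = 192.0.2.25
bad.example\tMX preference = 20, mail exchanger = backup.bad.example.
dotted.example\tMX preference = 5, mail exchanger = 198.51.100.7.
"""

MX_LINE = re.compile(
    r"^(?P<domain>\S+)\s+MX preference = (?P<pref>\d+), "
    r"mail exchanger = (?P<target>\S+)\s*$"
)

def parse_mx(nslookup_output):
    """Return (domain, preference, target) for every MX answer line."""
    records = []
    for line in nslookup_output.splitlines():
        m = MX_LINE.match(line)
        if m:
            records.append((m["domain"], int(m["pref"]), m["target"]))
    return records

def is_ip_literal(target):
    """True if the MX target is an IPv4/IPv6 address instead of a host name."""
    try:
        # Some resolvers print a trailing root dot; strip it before testing.
        ipaddress.ip_address(target.rstrip("."))
        return True
    except ValueError:
        return False

def audit_mx(nslookup_output):
    """Map each domain to its MX entries that point at an IP literal."""
    findings = {}
    for domain, pref, target in parse_mx(nslookup_output):
        if is_ip_literal(target):
            findings.setdefault(domain, []).append((pref, target))
    return findings

if __name__ == "__main__":
    for domain, bad in audit_mx(SAMPLE_NSLOOKUP).items():
        for pref, target in bad:
            print(f"{domain}: MX {pref} -> {target} is an IP literal, not a host name")
```

A domain flagged here is a candidate for the per-domain connector workaround described above, and its administrators are the ones who can correct the record.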
 