#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2012
    Posts
    7
    Rep Power
    0

    Emails to/from server always bounce from some domains


    Sorry if I'm posting this in the wrong place. I've wasted 2 full days and sporadic time throughout the last 3 weeks on this.

    I recently migrated a site from Server 2003 to a new Windows Server 2008 server. Ever since the move, my emails to and from my email address bounce from the server. I've spent 3 weeks with tech support on both ends getting nowhere.

    Here's a rundown of the problem and what I've done about it:

    Problem 1: Email from my domain (call it mydomain .tld) sent to the new server (call it serverdomain .tld) always bounces
    Emails sent from mydomain .tld to serverdomain .tld get bounced back INSTANTLY with the error "550-The mail server could not deliver mail to "user@ serverdomain .tld". The account or domain may not exist, they may be blacklisted, or missing the proper dns entries."

    Problem 2: Email from serverdomain .tld sent to mydomain .tld always bounces
    Emails sent from serverdomain .tld directly to mydomain .tld always bounce back after a 5-10 second delay with the error "550 Sender verify failed."

    All emails were sent directly from server to server using webmail interfaces.

    Possible problems/solutions I've explored:

    Spam Filtering:
    The new server's mail server (SmarterMail 2010) has spam filter bouncing disabled. No blacklists or greylists are defined.
    The server hosting my email account is a shared hosted server, so I don't have access to its spam settings, but I have been assured by their technical support that the server's IP address is not blacklisted or blocked in any way.
    Blacklist tests at MXToolBox.org all come up clean.

    SPF Records:
    I have defined an SPF (TXT) record for the domain "v=spf1 ip4:xxx.xxx.xxx.xxx -all", which points to the IP address of the mail server / web server. I do not have a type (SPF) record as Windows Server doesn't have an option for this type of record.
    SPF test passes without errors at www . kitterman.com/spf/validate.html. Test email through spf-test@ openspf.net returns no errors.

    Reverse Lookup:
    I have a working reverse IP set up that points back to serverdomain .tld, confirmed by checking it at ipadmin.junkemailfilter.com/rdns.php.

    Testing through Telnet actually works:
    I followed the steps at technet.microsoft.com/en-us/library/bb123686.aspx to log into the SMTP server on the new server's end and was able to successfully send an email manually to the new server, even using the same email address that keeps failing to send directly to the server.

    Some observations from the logs:
    When sending email from mydomain .tld to serverdomain .tld, NO LOG ENTRIES are created at serverdomain .tld. This leads me to believe something is blocking it before it ever connects to the server.

    When sending email from serverdomain .tld to mydomain .tld, the following log entries are created:

    13:02:50 [60055] Delivery started for user@ serverdomain .tld at 1:02:50 PM
    13:02:53 [60055] Skipping spam checks: No local recipients
    13:02:56 [60055] Sending remote mail for user@ serverdomain .tld
    13:02:56 [60055] Initiating connection to xxx.xxx.xxx.xxx
    13:02:56 [60055] Connecting to xxx.xxx.xxx.xxx:25 (Id: 1)
    13:02:56 [60055] Connection to xxx.xxx.xxx.xxx:25 from xxx.xxx.xxx.xxx:65260 succeeded (Id: 1)
    13:02:56 [60055] RSP: 220-mydomain-host.tld ESMTP Exim 4.77 #2 Wed, 24 Oct 2012 13:02:58 -0700
    13:02:56 [60055] RSP: 220-We do not authorize the use of this system to transport unsolicited,
    13:02:56 [60055] RSP: 220 and/or bulk e-mail.
    13:02:56 [60055] CMD: EHLO serverdomain .tld
    13:02:56 [60055] RSP: 250-mydomain-host.tld Hello serverdomain .tld [xxx.xxx.xxx.xxx]
    13:02:56 [60055] RSP: 250-SIZE 52428800
    13:02:56 [60055] RSP: 250-AUTH PLAIN LOGIN
    13:02:56 [60055] RSP: 250-STARTTLS
    13:02:56 [60055] RSP: 250 HELP
    13:02:56 [60055] CMD: MAIL FROM:<user@ serverdomain .tld> SIZE=951
    13:02:56 [60055] RSP: 250 OK
    13:02:56 [60055] CMD: RCPT TO:<user@ mydomain .tld>
    13:02:57 [60055] RSP: 550-Verification failed for <user@ serverdomain .tld>
    13:02:57 [60055] RSP: 550-The mail server could not deliver mail to user@ serverdomain .tld. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
    13:02:57 [60055] RSP: 550 Sender verify failed
    13:02:57 [60055] CMD: QUIT
    13:02:57 [60055] RSP: 221 mydomain-host.tld closing connection
    13:02:57 [60055] Bounce email written to 851023860056.eml
    13:02:57 [60055] Delivery for user@ serverdomain .tld to user@ mydomain .tld has completed (Bounced)
    13:02:59 [60056] Delivery started for at 1:02:59 PM
    13:02:59 [60055] Delivery finished for user@ serverdomain .tld at 1:02:59 PM [id:851023860055]
    13:03:02 [60056] Skipping spam checks: Internally Generated Message
    13:03:05 [60056] Starting local delivery to user@ serverdomain .tld
    13:03:05 [60056] Delivery for to user@ serverdomain .tld has completed (Delivered) Filter: None
    13:03:05 [60056] End delivery to user@ serverdomain .tld
    13:03:05 [60056] Delivery finished for at 1:03:05 PM [id:851023860056]

    Configuration:
    The new server uses Windows Server 2008 for DNS.
    The mail server is also hosted at the same IP as the DNS server.

    DNS Records for Serverdomain .tld:
    [All xxx.xxx.xxx.xxx IP addresses point to the server's IP address]
    ----------------------------------
    Forward Lookup Zone: Serverdomain .tld
    (same as parent folder) (SOA) 57, servername., hostmaster.
    (same as parent folder) (NS) servername
    (same as parent folder) (MX) [10] xxx.xxx.xxx.xxx
    (same as parent folder) (TXT) v=spf1 ip4:xxx.xxx.xxx.xxx -all
    * (A) xxx.xxx.xxx.xxx
    mail (A) xxx.xxx.xxx.xxx
    mail (MX) [10] xxx.xxx.xxx.xxx
    mail (TXT) v=spf1 ip4:xxx.xxx.xxx.xxx -all
    ns1 (A) xxx.xxx.xxx.xxx
    ns2 (A) xxx.xxx.xxx.xxx
    www (A) xxx.xxx.xxx.xxx

    Reverse Lookup Zone: xxx.xxx.xxx.in-addr.arpa (syntax of IP is backwards, does not include last 3 digits)
    (same as parent folder) (SOA) 10, servername., hostmaster.
    (same as parent folder) (NS) servername
    xxx.xxx.xxx.xxx (PTR) Serverdomain .tld

    I'm totally at a loss. This is not just blocking email to/from me, but it has blocked email to at least one other domain name as well. I can get no useful help from tech support on either end.
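
Added example, not part of the original post: a reader for delivery logs in the layout quoted above that pairs each SMTP command with its complete multi-line reply and reports the first rejection, including whether the refusal names the MAIL FROM address. The log below is constructed, with placeholder hosts and addresses written without the spaces the poster inserted; the function names are assumptions.

```python
import re

# Constructed log in the delivery-log layout quoted in the post;
# host names and addresses are placeholders.
SAMPLE_LOG = """\
13:02:56 [60055] RSP: 220-mx.rcpt.example ESMTP
13:02:56 [60055] RSP: 220 ready
13:02:56 [60055] CMD: EHLO sender.example
13:02:56 [60055] RSP: 250-mx.rcpt.example Hello sender.example
13:02:56 [60055] RSP: 250 HELP
13:02:56 [60055] CMD: MAIL FROM:<user@sender.example> SIZE=951
13:02:56 [60055] RSP: 250 OK
13:02:56 [60055] CMD: RCPT TO:<user@rcpt.example>
13:02:57 [60055] RSP: 550-Verification failed for <user@sender.example>
13:02:57 [60055] RSP: 550 Sender verify failed
13:02:59 [60056] RSP: 451 try later
"""

LINE = re.compile(r"^\d\d:\d\d:\d\d \[(\d+)\] (CMD|RSP): (.*)$")
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")
ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>")

def smtp_exchanges(log_text, session_id):
    """Pair each command of one session with its complete, possibly multi-line, reply."""
    exchanges, command, parts = [], "(greeting)", []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) != session_id:
            continue
        kind, payload = m.group(2), m.group(3)
        if kind == "CMD":
            command, parts = payload, []
        elif (r := REPLY.match(payload)):
            parts.append(r.group(3))
            if r.group(2) == " ":  # "NNN " ends the reply; "NNN-" continues it
                exchanges.append((command, int(r.group(1)), " / ".join(parts)))
                parts = []
    return exchanges

def first_rejection(exchanges):
    """Return the first 4xx/5xx reply and whether it names the envelope sender."""
    sender = None
    for command, code, text in exchanges:
        if command.upper().startswith("MAIL FROM:"):
            sender = (ADDR.findall(command) or [None])[0]
        if code >= 400:
            about = "sender" if sender in ADDR.findall(text) else "other"
            return {"stage": command.split(":")[0], "code": code, "about": about}
    return None
```

On the constructed log the rejection arrives at the RCPT TO stage but names the sender address, which points the investigation at the sending domain's own DNS and mail setup rather than at the recipient mailbox.
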
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Posts
    289
    Rep Power
    44
    I assume the spaces are not really there, because if they are it will not work. For example, "user@ serverdomain .tld" should really read "user@serverdomain.tld".

    J.A. Coutts
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2012
    Posts
    7
    Rep Power
    0
    Originally Posted by couttsj
    I assume the spaces are not really there, because if they are it will not work. For example, "user@ serverdomain .tld" should really read "user@serverdomain.tld".
    Yeah. The forum wouldn't let me post anything with a link in it because my account is too new so I had to put those spaces in to get around that. I guess I didn't have to put the space on the email addresses, but I just put them on both them and URLs so it would stop bugging me about it and let me post.
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Posts
    289
    Rep Power
    44
    It is hard to tell what the problem is because you have changed all the names, but if the Telnet connection commands are identical to the server commands, the problem should be identical as well. So that tells me that they are not the same.

    Some servers don't like it if there is no PTR record, and a few require the PTR record to match the forward lookup. Some also require the PTR record to match the Host name used in the HELO/EHLO. There are even some others that don't like the Host name to match the Primary Nameserver. Like I said, you should be able to match the Telnet commands to what the server is putting out in order to troubleshoot it.

    J.A. Coutts
  8. #5
  9. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2012
    Posts
    7
    Rep Power
    0
    Oh my god I'm getting frustrated. I have been trying to post this message for 20 minutes and it keeps telling me "1.We are sorry, new user accounts are not permitted to create posts containing E-Mails. Please review our forum rules for more information." when there's not a single email address in my message....

    I'm going to have to post this in chunks because I can't find where the offending part is... Sorry about this.
    ----------------------------------------

    Thanks for the help! I really appreciated it.

    Originally Posted by couttsj
    It is hard to tell what the problem is because you have changed all the names
    I didn't really want all these domains and IPs posted publicly, but if you think it would help, I could PM the proper domains, email addresses, and IPs.
  10. #6
  11. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2012
    Posts
    7
    Rep Power
    0
    Originally Posted by couttsj
    Some servers don't like it if there is no PTR record, and a few require the PTR record to match the forward lookup. Some also require the PTR record to match the Host name used in the HELO/EHLO.
    Well, I currently have a PTR record in the reverse lookup zone. (This is Windows Server DNS.) From all the information I can find, it doesn't do any good to put a PTR record in the forward lookup zone. Doing a reverse lookup check at ipadmin .junkemailfilter .com / rdns.php shows that the ip address resolves to the correct domain name. Also, the host name in the EHLO is exactly the same.

    Originally Posted by couttsj
    There are even some others that don't like the Host name to match the Primary Nameserver.
    Host name being which? The computer name is 03288-1-1339999, which is listed in the SOA and NS entries. It's not necessary to set the computer name to a tld domain name, is it? The other NS1 and NS2 records just point back to the server IP. All Host(A) entries also just point to that same server IP.
  12. #7
  13. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2012
    Posts
    7
    Rep Power
    0
    Originally Posted by couttsj
    Like I said, you should be able to match the Telnet commands to what the server is putting out in order to troubleshoot it.
    Since I have two problems, emails from/to, that only works for the emails going from serverdomain .tld to mydomain .tld. I have a SMTP log to try against in that direction.

    As for the opposite route, I don't have Telnet access to try connecting through that IP address, nor do I have any sample logs from its connection attempts to serverdomain .tld (nothing is logged at all when I try to send an email from mydomain .tld to serverdomain .tld) so I have nothing to compare to.

    Anyway, for scenario 1, serverdomain .tld to mydomain .tld, I tried Telnet and copied exactly everything that the email server was sending to the SMTP server and I get the same error. As long as the SEND FROM: comes from any user @ serverdomain .tld, once I put in a RCPT TO:, I get the error "RSP: 550-Verification failed for <user @ serverdomain .tld> 550-The mail server could not deliver mail to user @ serverdomain .tld. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries. RSP: 550 Sender verify failed". So it's definitely blocking the sending email server by domain name. I just don't know what else could block it besides a blacklist or improper PTR.
  14. #8
  15. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Posts
    289
    Rep Power
    44
    I have sent you a PM with contact info.
  16. #9
  17. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2012
    Posts
    7
    Rep Power
    0
    Originally Posted by couttsj
    I have sent you a PM with contact info.
    Thanks couttsj. After a ton more tinkering, I finally got it working. I honestly don't know what the ultimate problem was, but one thing I did end up doing just before it started working was upgrade from SmarterMail 10.3 to 10.5. Otherwise, I shifted some DNS stuff around a tiny bit. These super finicky email servers are an abomination. (98% of sending/receiving servers had no problem with my setup.)

    Anyway, thanks a ton for your help!
  18. #10
  19. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2012
    Posts
    7
    Rep Power
    0
    Originally Posted by Guavaman
    (same as parent folder) (MX) [10] xxx.xxx.xxx.xxx
    If anyone else out there has this problem, I believe this may have been the source of the problem:

    I had used an IP address in my MX record instead of a FQDN. After using an FQDN in the MX record, it started working. I'm not 100% sure this was the only issue, but it was probably the primary one.

    None of the popular DNS checking sites out there flagged this as an issue except www.dnssy.com. IMO, DNSsy is more informative than dnsstuff.com, mxtoolbox.com, or dnscheck.com. It gave much more verbose and descriptive warnings/errors and included some links and suggestions.

    I hope this helps someone out there save themselves a month of frustration. :P
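
Added example, not part of the thread: a check for the misconfiguration identified in the last post, an MX record whose target is an IP address instead of a host name (RFC 1035 defines the MX exchange field as a domain name). It goes one step further and also flags in-zone MX targets that have no address record. The zone text is constructed in the post's listing layout; `example.com`, `192.0.2.10` and the function names are assumptions.

```python
import ipaddress
import re

# Constructed zone listing in the layout the post uses for its Windows DNS records.
# example.com and 192.0.2.10 are placeholders, not values from the thread.
SAMPLE_ZONE = """\
(same as parent folder) (NS) servername
(same as parent folder) (MX) [10] 192.0.2.10
(same as parent folder) (TXT) v=spf1 ip4:192.0.2.10 -all
mail (A) 192.0.2.10
mail (MX) [10] mail.example.com
backup (MX) [20] mx2.example.com
"""

RECORD = re.compile(r"^(\(same as parent folder\)|\S+)\s+\(([A-Z]+)\)\s+(.+)$")
MX_DATA = re.compile(r"^\[(\d+)\]\s+(\S+)$")

def is_ip_literal(text):
    """True when an MX target is an IPv4/IPv6 address instead of a host name."""
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False

def audit_mx(zone_text, origin):
    """Return (owner, target, problem) for MX targets that are IPs or lack an address record."""
    origin = origin.rstrip(".").lower()
    with_address, mx_records = set(), []
    for line in zone_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        name, rtype, data = m.groups()
        owner = origin if name.startswith("(") else f"{name.lower()}.{origin}"
        if rtype in ("A", "AAAA"):
            with_address.add(owner)
        elif rtype == "MX" and (mx := MX_DATA.match(data.strip())):
            mx_records.append((owner, mx.group(2).rstrip(".").lower()))
    findings = []
    for owner, target in mx_records:
        in_zone = target == origin or target.endswith("." + origin)
        if is_ip_literal(target):
            findings.append((owner, target, "ip-literal"))
        # A wildcard "* (A)" record, as in the post's zone, answers for any in-zone name.
        elif in_zone and target not in with_address and f"*.{origin}" not in with_address:
            findings.append((owner, target, "no-address-record"))
    return findings
```

Calling `audit_mx(SAMPLE_ZONE, "example.com")` reports the apex MX as `ip-literal` and the `backup` MX as `no-address-record`, while the `mail` MX passes because its target has an A record.
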
