Exchange Server non-delivery report (NDR) FAQs

Get tips on enabling and disabling Exchange Server non-delivery reports (NDRs), and learn how to decipher and troubleshoot NDR messages in this collection of expert advice.

  Exchange Server non-delivery reports (NDRs) indicate email delivery issues. Causes can include non-existent, inactive or expired accounts, unresolved recipients, misspelled email addresses, SMTP problems, spam, poor spam filter configuration, a full BADMAIL folder, missing reverse DNS entries, and firewall interoperability issues -- just to name a few.

 

Frequently Asked Questions:

EXCHANGE SERVER NON-DELIVERY REPORTS

  1. How to designate NDR recipients using Exchange System Manager
  2. How to retrieve Exchange email delivered to inactive accounts and manage NDRs
  3. NDR: 'You do not have permission to send to this recipient'
  4. SMTP error 554: Message blocked because it contains a banned word
  5. Spam email filling up BADMAIL folder in Exchange Server
  6. Generating an NDR from a user's mailbox
  7. Can I create a report or list of undeliverable email?
  8. Can I modify NDRs in Exchange Server 2003?
  9. SMTP error 550 5.7.1: User unable to relay message to a specific domain
  10. Forward unknown recipient email to a specified user
  11. Problems sending email from Exchange 2000 to Yahoo account
  12. Configuring Exchange Server to send NDRs to external users
  13. Troubleshooting 'undeliverable notifications'

  How to designate NDR recipients using Exchange System Manager

How do I configure the Exchange 2000 Administrator account to receive email messages for accounts that have been deleted? When there is a delivery attempt to an inactive account, I receive a message to the system administrator account. I need to get the actual email message so I can forward it to the appropriate person if it is business related.

To designate who is to get Exchange Server non-delivery reports (NDRs), use Exchange System Manager (ESM) to set the desired non-delivery report recipient:

 

  1. In ESM, navigate to Servers -> Protocols -> SMTP.
  2. Right-click Default SMTP Queue, select Properties.
  3. Go to the Messages tab.
  4. In the field titled Send Copy of Non-Delivery Report to:, enter a valid SMTP email address. For example: postmaster@your_domain.tld

Microsoft recommends that you also create a postmaster email address for NDRs that come from other servers. This can be a secondary SMTP address for a user or a mail-enabled user account. Use Active Directory Users and Computers to add the email address or mail-enabled account.

To process infrequent NDR messages, this user will not initially receive the actual message that caused the NDR until the postmaster or administrator opens the NDR itself and clicks 'Send Again.' This in turn retrieves the original message that generated the NDR, and can be forwarded if desired.

For more information, see Microsoft KB article 294757 "How to control non-delivery reports when you use Exchange 2000 or Exchange 2003."

Return to Exchange Server NDR FAQs

  How to retrieve Exchange email delivered to inactive accounts and manage NDRs

How do I configure the Exchange 2000 Administrator account to receive messages for accounts that have been deleted? I received a message to the system administrator account that an attempt was made to deliver an email to an inactive account. I need to get that email so I can forward it to the appropriate person if it is business related.

Microsoft's how-to article (Q315631), Forward mail with unresolved recipients to a single mailbox, might help you address this scenario. This approach uses the event sink features of Microsoft's SMTP virtual server, although you may find it somewhat complex to implement.

Other software vendors sell NDR management utilities that may be more flexible and easier to configure and use -- for example, MailBasketMD from TurboGeeks or MAPILab's Mail Storage Guard. Some solutions also eliminate returning the NDR back to sender, which can help reduce spam.

A manual process, which would be inefficient in larger sites, could retrieve the original email message from the BADMAIL folder. A utility released by Microsoft archives and purges the BADMAIL folder contents with a BadMailAdmin.wsf script run through Windows Task Scheduler. Scanning through the email looking for "real email" amongst potentially lots of spam could be a hassle though. The utility supports Exchange 2000 SP2 and Exchange 2003.

Return to Exchange Server NDR FAQs

  NDR: 'You do not have permission to send to this recipient'

One of my end users is having the "You do not have permission to send to this recipient" non-delivery report (NDR) hit her intermittently when she sends email messages internally and externally. I've tried several possible solutions I found on the Internet, but with no success as of yet. Can you help?

Here is the exact NDR message the end user is receiving:

Subject: Undeliverable: RSW - R/Y 6-24 & T/Y 'A" REHABILITATION - CONSTRUCTION SUPPORT SERVICES
Importance: High

Your message did not reach some or all of the intended recipients.

Subject: RSW - R/Y 6-24 & T/Y 'A" REHABILITATION - CONSTRUCTION SUPPORT SERVICES
Sent: 4/28/2005 10:47 AM

The following recipient(s) could not be reached:

[person@domain.com] on 4/28/2005 10:47 AM
You do not have permission to send to this recipient. For assistance, contact your system administrator.
MSEXCH:MSExchangeIS:/DC=com/DC=hmeng:HMEXC5

Bob Murray on 4/28/2005 10:47 AM
You do not have permission to send to this recipient. For assistance, contact your system administrator.
MSEXCH:MSExchangeIS:/DC=com/DC=hmeng:HMEXC5

The most common scenario in which I've seen this particular error is when companies are using a Cisco PIX firewall with xxxx configured. If you have a PIX, you'll want to ensure that the Mailguard feature is set according to the following Microsoft Knowledge Base article 320027: Cannot send or receive email messages behind a Cisco PIX firewall.
—David Sengupta, Server Administration Expert

MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A:

I have this exact same problem, a specific few users get:

 

 mail@somedomain.com on 08/03/2006 11:20 You do not have permission to send to this recipient. For assistance, contact your system administrator. MSEXCH:MSExchangeIS:/DC=local/DC=domainname:servername and
martin@somedomain.com on 08/03/2006 09:36 You do not have permission to send to this recipient. For assistance, contact your system administrator. for myipaddress>

We do not have a complicated setup. We have one server running Small Business Server 2003 Premium Edition. I have spent hours looking at this issue and have found nothing to solve it.

Are my users authenticating? Why can't they send through my server?
—F.T.

******************************************

Unfortunately 5.7.1 errors are, as you're finding out, one of the more troublesome errors to resolve. Given that you don't have a PIX, here are some other things to check:

  1. Launch Exchange System Manager (ESM) and navigate to the SMTP virtual server you are using to send messages to the Internet. View Properties -> Access -> Relay and ensure that the "Allow computers which successfully authenticate to relay" checkbox is not checked.
  2. Troll through the application event log on your Exchange server for errors from source MSExchangeTransport around the time of the non-delivery report (specifically look for Event ID 1709 or 1710 or any errors/warnings from MSExchangeTransport).
  3. Temporarily enable maximum diagnostics logging on MSExchangeTransport, the Queuing Engine, and the Connection Manager for the server hosting a problematic user. Then have this user send a message to an address that typically sends non-delivery reports (NDRs) with a 5.7.1 error. Turn diagnostics logging back off, and troll the application event log on the Exchange server in question for errors or warnings specific to the message in question. (Tip: search the description field of the events for the Message-ID of the particular message.) If you find specific errors or warnings, look those up on TechNet or write back if you need help resolving things further.
  4. Check whether 5.7.1 NDRs are happening for all messages sent from any user within your organization to a specific internet SMTP domain, or whether these errors seem specific to a given sender. If the former is the case, then you may want to contact the email administrator for the target SMTP domain (i.e., send an email to postmaster@<company.com>) asking them to confirm that their MX records are pointing to the appropriate SMTP gateway. (You can actually test this by looking up the target domain's public DNS record and attempting to telnet to port 25 of any MX records listed in the DNS record. I described how to send test messages via telnet in "How to troubleshoot problems receiving external email." The receiving server may actually send you a more specific error message through SMTP commands in response to telnet than you're getting in the NDR.)

Needless to say, there are many possibilities. Let us know how this works, and please write back with more details if these steps don't resolve the issues.
—David Sengupta, Server Administration Expert

******************************************

In response to item #1 (keeping the "Allow computers which successfully authenticate to relay" checkbox unchecked), it has been my understanding that you want this checked to block relaying from anyone outside of your network. Would this be correct?
—Ron Z.

******************************************

If this is of sufficient concern for you, my only other suggestion is to escalate to Microsoft PSS. There are too many possibilities for me to give a definitive response above and beyond what I have suggested in the two responses here.
—David Sengupta, Server Administration Expert

Return to Exchange Server NDR FAQs

  SMTP error 554: Message blocked because it contains a banned word

I have recently installed Windows Small Business Server 2003, which includes Exchange Server 2003. One of my users sent an email that got returned as undeliverable with the following text:

"You do not have permission to send to this recipient. For assistance, contact your system administrator. <countrysidebible.org #5.7.1 smtp;554 5.7.1 This message has been blocked because it contains a banned word.>"

I cannot find where the banned word list is maintained in Microsoft Exchange. I do not have any additional add-on packages from any source installed -- just what came from Microsoft as part of the Windows Small Business Server 2003 Premium Edition.

Can you tell me where this list is maintained, and how to change or update it?

Intelligent Message Filter for Exchange is the only Microsoft spam filtering for Windows Small Business Server 2003, and that has to be added on to Exchange. ISA Server is included with Windows Small Business Server Premium Edition, and does have an SMTP filter. This could have been enabled during the installation process.

I did a quick search on the text "This message has been blocked because it contains a banned word" phrase to try to identify the product that is generating it, but I didn't have much luck. Usually, this text string is fairly unique with the SMTP error 554 5.7.1 NDR.

There is another possibility, and that is that there is a personal spam filter running on your user's system that could be filtering mail as well.

I hope this gives you some ideas of where to start looking.
—Richard Luckett, Spam and Security Expert

Return to Exchange Server NDR FAQs

  Spam email filling up BADMAIL folder in Exchange Server

I have an Exchange 2000 client that appears to be a target of a large spammer. The Exchange server is receiving about 10,000 email messages hourly, which is filling up the BADMAIL folder weekly and causing the disk to run out of space. Currently, we have turned off non-delivery reports (NDRs); we would prefer to simply send them normally -- but not retain the messages, just delete them.

Microsoft is aware of the BADMAIL folder issue. In Exchange 2003 Service Pack 1 the default settings disable the BADMAIL folder and make it an administrative decision to utilize it.

There is a nice post-SP1 tool (BadMailAdmin.exe) that is available in Exchange 2003 that automates the maintenance of the BADMAIL folder. You can also use this tool for Exchange 2000.

The BadMailAdmin.exe tool is used to automatically delete, disable or archive messages in the BADMAIL folder. You can use the Windows task scheduler to automate the tool and keep your client's BADMAIL folder below its size limit.
—Richard Luckett, Spam and Security Expert

Return to Exchange Server NDR FAQs

  Generating an NDR from a user's mailbox

How can I generate an NDR from a user's mailbox without disabling their user account or deleting the mailbox?

I'm not sure what you're trying to achieve. An NDR is a sign that something is wrong with email delivery, so things like filling the mailbox up would achieve the same result.

In theory, you could try spoofing an NDR using a carefully-worded auto-reply rule. However, this would appear as sent by the target mailbox, not by the System Administrator or Postmaster.
—David Sengupta, Exchange Administration Expert

Return to Exchange Server NDR FAQs

  Can I create a report or list of undeliverable email?

Is there a way I can create a list or report of email that was undeliverable?

Aside from setting up an administrator's mailbox to collect all undeliverable email messages (which won't give you a list or report), the only way I can think of achieving this is through a third-party solution.
—David Sengupta, Exchange Administration Expert

Return to Exchange Server NDR FAQs

  Can I modify NDRs in Exchange Server 2003?

Is there a way to modify non-delivery reports (NDRs) in Exchange Server 2003?

Unfortunately, customizing the non-delivery report (NDR) is not possible in Exchange Server 2003.
—David Sengupta, Exchange Administration Expert

Return to Exchange Server NDR FAQs

  SMTP error 550 5.7.1: User unable to relay message to a specific domain

I have a new user who is unable to send to a specific domain. She is able to send externally and internally fine, except for that domain. An account on the same Exchange server has no problems sending to that domain.

" Your message did not reach some or all of the intended recipients.

      Subject: TEST
      Sent: 8/29/2005 1:35 PM

The following recipient(s) could not be reached:

      cmills@example.com on 8/29/2005 1:35 PM
           You do not have permission to send to this recipient. For assistance, contact your system administrator.
           <My.Exchange2000.server.com #5.7.1 smtp;550 5.7.1 Requested action not taken: message refused>"

I've seen this quite a bit over the years, but I have found that with SMTP 550 5.7.1 errors it is tricky to find the root cause. Here are some things to check:

Otherwise, have a look at Microsoft Knowledge Base article 895853, How to troubleshoot mail relay issues in Exchange Server 2003 and in Exchange 2000 Server. Scroll down to the "Possible causes of NDRs that contain error code 5.0.0, 5.7.1 or 5.7.3" section.
—David Sengupta, Exchange Administration Expert

MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A:

Download Microsoft's Metaedit 2.2 and install it. Open Metaedit 2.2 on your Exchange server and use the search feature. In the search window, type in the domain the user can't send to (i.e., for "bobdole@gmail.com," search for "gmail"). Back up the Metabase and then delete any entry for the domain in question. After that, make sure to browse through Active Directory and confirm that the domain in question isn't assigned to any email addresses for users or distribution lists. If so, delete the email addresses. This should resolve the problem.
—Chris H.
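
The NDRs quoted in this FAQ end in a diagnostic line of one of two shapes: an SMTP reply wrapped in angle brackets, or an MSEXCH: line with no SMTP reply at all. The sketch below is an added example, not code from the article or from Microsoft; it splits those lines into their parts so the SMTP reply text, when there is one, can be looked up on its own. The function and field names are hypothetical, and the status-code wording follows RFC 3463.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 3463 enhanced status codes have the form class.subject.detail
CLASSES = {"2": "success", "4": "persistent transient failure", "5": "permanent failure"}
SUBJECTS = {"0": "other or undefined", "1": "addressing", "2": "mailbox",
            "3": "mail system", "4": "network and routing",
            "5": "mail delivery protocol", "6": "message content or media",
            "7": "security or policy"}

# <host #x.y.z smtp;NNN [x.y.z] text> : an SMTP reply carried inside the NDR
SMTP_DIAG = re.compile(
    r"<(?P<host>[^\s#<>]+)\s+#(?P<status>[245]\.\d{1,3}\.\d{1,3})\s+smtp;\s*"
    r"(?P<code>\d{3})\s+(?:[245]\.\d{1,3}\.\d{1,3}\s+)?(?P<text>[^<>]*)>")
# MSEXCH:<component>:<directory path>:<server> : no SMTP reply in this form
STORE_DIAG = re.compile(
    r"MSEXCH:(?P<component>[^:\s]+):(?P<path>[^:\s]+):(?P<server>[^\s<>]+)")

# Diagnostic lines quoted from the NDRs on this page
SAMPLE_554 = ("<countrysidebible.org #5.7.1 smtp;554 5.7.1 This message has been "
              "blocked because it contains a banned word.>")
SAMPLE_550 = ("<My.Exchange2000.server.com #5.7.1 smtp;550 5.7.1 Requested action "
              "not taken: message refused>")
SAMPLE_STORE = "MSEXCH:MSExchangeIS:/DC=com/DC=hmeng:HMEXC5"


@dataclass
class Diagnostic:
    origin: str                     # "smtp-reply" or "exchange-internal"
    host: str                       # name before '#', or the MSEXCH server field
    enhanced_status: Optional[str]  # e.g. "5.7.1"; None for MSEXCH lines
    smtp_code: Optional[int]        # e.g. 554; None for MSEXCH lines
    text: str                       # SMTP reply text, or the MSEXCH component


def explain(status: str) -> str:
    """Translate an enhanced status code into its RFC 3463 class and subject."""
    cls, subject, _detail = status.split(".")
    return f"{CLASSES[cls]}, {SUBJECTS.get(subject, 'unknown subject')}"


def parse_ndr(body: str) -> List[Diagnostic]:
    """Return every diagnostic line found in an NDR body, in order of appearance."""
    found = []
    for m in SMTP_DIAG.finditer(body):
        found.append((m.start(), Diagnostic(
            "smtp-reply", m["host"], m["status"], int(m["code"]), m["text"].strip())))
    for m in STORE_DIAG.finditer(body):
        found.append((m.start(), Diagnostic(
            "exchange-internal", m["server"], None, None, m["component"])))
    return [d for _, d in sorted(found, key=lambda pair: pair[0])]


if __name__ == "__main__":
    for d in parse_ndr("\n".join([SAMPLE_STORE, SAMPLE_554, SAMPLE_550])):
        note = explain(d.enhanced_status) if d.enhanced_status else "no SMTP reply"
        print(f"{d.origin:18} {d.host:28} {d.smtp_code} {note}: {d.text}")
```
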

Return to Exchange Server NDR FAQs

  Forward unknown recipient email to a specified user

How do I configure an Exchange 2003 server to forward unknown recipient email to a specified user?

Let's assume an employee no longer works for the company and his email account was deleted -- but he still receives email from various people who don't know that he's no longer working at the company. The administrator gets the information from Exchange that an email was received, but the recipient no longer exists or is unknown. He doesn't get the actual email, though, only the error message (NDR). How can I get Exchange Server to forward such unknown recipient email to a specified user?

I would recommend that you add a step to your mailbox de-provisioning process (i.e., the process that your company goes through when an employee leaves your company and their mailbox is no longer required). On the day of employee termination:

  1. Disable the account of the user in question.
  2. Delete the SMTP address(es) on the mailbox itself.
  3. Recreate them on either the administrator mailbox or another mailbox created specifically for that purpose.

I have seen companies add the SMTP address of the former employee to the mailbox of the manager responsible for that person's former position, but managing this in a large dynamic environment can become unwieldy.

Setting up one mailbox dedicated to capturing this kind of email is simplest from a procedural perspective. If privacy concerns are an issue, you may want to look at using a distribution list with no members as a 'black hole' address; it accepts inbound messages but then just deletes them (you'd have to test this in a lab first to see if it meets your requirements).
—David Sengupta, Exchange Administration Expert

MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A:

In Exchange 2003, you can no longer just delete the SMTP address for a user if you want to keep the mailbox intact. Forwarding to an empty distribution list has worked well for us. It keeps junk mail from piling up in a mailbox that's no longer in use but needs to stay online.
—Stephen G.

Return to Exchange Server NDR FAQs

  Problems sending email from Exchange 2000 to Yahoo account

I have an internal and external email address. I'm on Exchange 2000. When I send an email to the external address, a non-delivery report (NDR) error message is returned. I created an SMTP connector, but continue to get these NDRs. My DNS is OK and I don't have a domain name.

Example

My Outlook profile has two accounts:

xxxxx@domain.local (default profile)
yyyyy@hotmail.com

  1. I create a new message to yyyyy@yahoo.com.
  2. I receive a message reply by the administrator because Exchange does not know 'yahoo.com.'

Why is this happening? What could be going on?

You are not alone in this problem. Chances are, you have a third-party spam filter running at your organization. Almost every spam filter today is blocking yahoo.com and other ISP mail domains because they do not register a reverse DNS entry (PTR) that 100% matches their customers' email addresses.

For example, I found that a reverse lookup of one of the yahoo.com mail server's IP addresses returned a domain of servername.mail.yahoo.com as opposed to just servername.yahoo.com. This is close but maybe no cigar for your filters.

In the case of some other ISPs that are being blocked, it is not even close at all. The bad news is that, if you set up an exception for the entire yahoo.com domain, a lot of spam will come through unchecked. If you leave it blocked, you will continue to have this problem.

I think the solution probably lies with yahoo.com and other ISPs.
—Richard Luckett, Spam and Security Expert

Return to Exchange Server NDR FAQs

  Configuring Exchange Server to send NDRs to external users

Is there any way of 'bouncing' email that is sent to users that don't exist?

It sounds to me like you're asking for a non-delivery report (NDR) to be generated and sent to the originator notifying them that the email address they sent to does not exist at your organization. If that's the case, then you'll want to make sure this is configured on your Default Global settings in Exchange. I'm not sure which version of Microsoft Exchange Server you're running, so I'll assume either Exchange 2000 or Exchange 2003.

You need to launch Exchange System Manager (ESM) and expand the Global Settings container. Click on the Internet Message Format node and then select the Default * domain in the right-hand panel. Double-click and switch to the Advanced tab. You'll want to make sure that "Allow non-delivery reports" is selected. This will enable all of your external users to receive an NDR whenever they send to addresses that don't exist within your organization.
—David Sengupta, Exchange Administration Expert

Return to Exchange Server NDR FAQs

  Troubleshooting 'undeliverable notifications'

I installed Exchange 2003 about two months ago and everything is working fine except when mail bound for our domain is spelled incorrectly. I can see the email sitting in the queue and I would like to notify the sender this message was undeliverable. Is there any reason why I shouldn't notify them? How can I get this notification working?

If you're trying to enable non-delivery receipts to Internet senders misspelling users in your domain, then you'll need to go to the properties of the Internet Message Format in your Global Settings within Exchange System Manager (ESM). Once there, flip to the Advanced tab and make sure the checkbox for "Allow non-delivery reports" is checked.

If, however, you are seeing inbound Internet email stuck in an inbound queue, then something else is wrong. Your server should automatically be recognizing that certain addresses (i.e., names misspelled) don't exist in your organization and be handling these appropriately instead of attempting to deliver them. You don't give a lot of details in your question, but things I'd look at in troubleshooting this problem include message header information for the problematic messages, recipient policy settings and errors/warnings in the application event log on the server.
—David Sengupta, Exchange Administration Expert

Return to Exchange Server NDR FAQs

This was first published in July 2006