Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange...
or Outlook tip, timesaver or workaround to share? Submit it to our tip contest and you could win a prize.
Free e-mail providers like Hotmail and Gmail have proliferated with the growth of the Web as a whole. Administrators sometimes encounter problems when sending mail to such providers from Exchange servers. Many of these issues stem from minor Exchange misconfigurations. Here's some advice to help you troubleshoot these types of problems.
- Make sure proper MX records are available through reverse DNS. This is the single most common issue. More e-mail providers are using reverse DNS lookups to confirm where messages are coming from. As this becomes used more widely, domains that don't have reverse DNS information published correctly may bounce more often. To confirm that your external DNS entries are available and listed correctly, you can use tools like the ones at www.dnsreport.com or www.dnsstuff.com.
- Provide a generous retry and timeout intervals for outgoing messages in Exchange. The servers for outfits like Hotmail are often extremely busy, so they may not respond the first time they're queried or may respond slowly.
- External DNS queries in Windows 2003 may cause problems. I discuss this problem in another tip, Firewalls and DNS query responses may not mix ); the solution is to turn off EDNS in Windows 2003.
- Problems with PIX firewalls and EDNS issues. A similar problem to #3 above; the solution here is to turn off EDNS once again until the PIX firewall can be upgraded to properly handle EDNS queries. If you're not sure if DNS is the culprit, one way to exclude DNS from the equation is to create an SMTP connector, say for Hotmail.com (or whatever other addresses are causing such issues), and use Hotmail's MX servers as smart hosts for the connector. This shouldn't be used as a permanent solution, just a temporary workaround until you can figure out why mail isn't going through.
If you're still getting rejected from such connections, you may want to consider if:
- Your IP block has been blacklisted as an open relay. This is rare, but it does happen. Check to make sure your system is not being used as an open relay. You can find one such simple test here: http://www.abuse.net/relay.html. Also, one of the most widely-used open-relay blacklists has a check that you can run yourself to remove your server from their blacklist: http://www.ordb.org/submit/.
Problems with PIX firewalls and EDNS issues. A similar problem to #3 above. Check to see if the PIX firewall has an upgrade available for it, or disable EDNS until the PIX firewall can be upgraded to properly handle EDNS queries (or replaced entirely, if you're migrating away from such a solution). If you're not sure if DNS is the culprit, one way to exclude DNS from the equation is to create an SMTP connector, say for Hotmail.com (or whatever other addresses are causing such issues), and use Hotmail's MX servers as smart hosts for the connector. This shouldn't be used as a permanent solution, just a temporary workaround until you can figure out why mail isn't going through.
About the author: Serdar Yegulalp is editor of the Windows 2000 Power Users Newsletter and a regular contributor to SearchExchange.com.
MEMBER FEEDBACK TO THIS TIP
I'm concerned about the portion regarding EDNS and the section on PIX firewalls and EDNS. The answer here is NOT to disable EDNS, but rather to update the firewall to support the longer UDP packets.
Who's to say that a hotfix, service pack, upgrade or additional service installation will not restore or require EDNS? We've all made changes to get something working that we don't remember later, and then we waste hours chasing down the problem.
Addressing the issue with PIX firewalls (or others) is the best course here, not crippling the EDNS service. Fix the problem, don't stick a band-aid on it.
Thanks for the comment -- yes, my statement was meant to imply that it is always best to upgrade/patch the firewall if that option is available, with disabling EDNS as a workaround if that isn't possible or doesn't have the desired effect.
Serdar Yegulalp, tip author
Good article except it does not explain what the reverse DNS settings should be. Should the IP address point to FQDN of the e-mail server? What if you have more then one e-mail server? Should the reverse DNS just point back to the domain name?
I had an issue which I think I resolved but was unclear on what the reverse DNS should be. Right now, I have it pointing to the FQDN of my e-mail server.
Creating reverse DNS records isn't difficult. When configuring DNS for a mail server, set up a PTR record in the in-addr.arpa domain for each MX record (as described in RFC 1912, section 2.1). If you're dealing with a multi-homed host or with multiple email servers, each IP address must have a separate PTR record as well. The IP address for the e-mail server should point back to the server's FQDN -- i.e., mail.thisdomain.net.
Serdar Yegulalp, tip author
Do you have comments on this tip? Let us know.