Re: SMTP/SPF HELL
- From: "BSUMelissa" <BSUMelissa@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 1 Aug 2005 13:51:01 -0700
I don't know where to start. First, thank you!
I looked at the SMTP log for the day of the "event". I found the following
entries, there may be more but I thought this may provide enough info. --It
doesn't mean much to me other than it looks like something didn't happen by
virtue of the 0 in comparison to other entries.
13:29:30 209.86.93.238 - - 0
13:29:30 209.86.93.238 EHLO - 0
13:29:30 209.86.93.238 - - 0
13:29:30 209.86.93.238 MAIL - 0
13:29:30 209.86.93.238 - - 0
13:29:30 209.86.93.238 RCPT - 0
13:29:30 209.86.93.238 - - 0
13:29:30 209.86.93.238 DATA - 0
13:29:30 209.86.93.238 - - 0
13:29:30 209.86.93.238 - - 0
13:29:30 209.86.93.238 QUIT - 0
13:29:30 209.86.93.238 - - 0
16:09:46 209.86.93.238 - - 0
16:09:46 209.86.93.238 EHLO - 0
16:09:46 209.86.93.238 - - 0
16:09:46 209.86.93.238 MAIL - 0
16:09:46 209.86.93.238 - - 0
16:09:46 209.86.93.238 RCPT - 0
16:09:46 209.86.93.238 - - 0
16:09:46 209.86.93.238 DATA - 0
16:09:46 209.86.93.238 - - 0
16:09:46 209.86.93.238 - - 0
16:09:46 209.86.93.238 QUIT - 0
16:09:46 209.86.93.238 - - 0
19:22:49 209.86.93.227 - - 0
19:22:49 209.86.93.227 EHLO - 0
19:22:49 209.86.93.227 - - 0
19:22:49 209.86.93.227 MAIL - 0
19:22:49 209.86.93.227 - - 0
19:22:49 209.86.93.227 RCPT - 0
19:22:49 209.86.93.227 - - 0
19:22:49 209.86.93.227 DATA - 0
19:22:49 209.86.93.227 - - 0
19:22:49 209.86.93.227 - - 0
19:22:49 209.86.93.227 QUIT - 0
19:22:49 209.86.93.227 - - 0
20:13:15 209.86.93.201 RCPT - 0
20:13:15 209.86.93.201 RCPT - 0
20:13:15 209.86.93.201 RCPT - 0
20:13:15 209.86.93.201 RCPT - 0
20:13:15 209.86.93.201 RCPT - 0
20:13:15 209.86.93.201 RCPT - 0
20:13:15 209.86.93.201 RCPT - 0
I don't know who the bottom section of addresses belongs to. Nothing
surfaced when I did a lookup on dnsstuff.com's website. The other entries are
on the MX list you provided.
Then my brain went to mush when you referenced the RFC 2821 and 2822 numbers.
I'm intimidated by the thought of reading a highly technical, non-plain-English
RFC, I admit. I don't understand what you asked. The NDR for the
Earthlink messages was forwarded to me so I cannot view any header info.
Skipping to the new zone, yes, I did that on our internal DNS but quickly
"undid" it. In my limited knowledge of DNS I messed us up in the sense that once
I put that in we could no longer get to our BSU.us website. I need a "special"
entry in DNS for that. I haven't gone back to that yet; I don't know if I will
either since mail.bsu.us is good.
As for the XEXCH50 thing, I suppose I'm only seeing the rejection and the
message is not being bounced. So I'm assuming this is a non issue, correct?
So, if I'm following you correctly, and don't be surprised if I'm not, at
this time I need to send a message to the Earthlink accounts that rejected.
Then I can get the IP address we're sending to and verify the address
we're sending from. Once we have that info, assuming it fails, then what?
I started this message much earlier in the day. We've sent out another
"mass" mailing, and while we're still sorting through the NDRs one thing is
clear. Not all the NDRs are the kind that have header info. The NDRs that
look like a postage mark do not have header info whereas the ones with an
envelope do. --I'm sure you know that. So, now what? Here are some
examples; they aren't any different than what I've already posted, they are
just new.
Your message did not reach some or all of the intended recipients.
Subject: BSU Web Site
Sent: 8/1/2005 3:29 PM
The following recipient(s) could not be reached:
farrarb@xxxxxxxxx on 8/1/2005 3:30 PM
There was a SMTP communication problem with the recipient's
email server. Please contact your system administrator.
<mail.bsu.us #5.5.0 smtp;551 User not local>
This is a good one because it's Earthlink:
Your message did not reach some or all of the intended recipients.
Subject: BSU Web Site
Sent: 8/1/2005 3:29 PM
The following recipient(s) could not be reached:
millerstime@xxxxxxxxxxxxxx on 8/1/2005 3:30 PM
There was a SMTP communication problem with the recipient's
email server. Please contact your system administrator.
<mail.bsu.us #5.5.0 smtp;550-EarthLink does not recognize your
computer (209.26.232.187) as connecting from an EarthLink connection. If
this is in error, please contact technical support.>
This is the closest timestamp in the SMTP log that came up when searching
for an Earthlink IP.
15:40:11 209.86.93.230 - - 0
15:40:11 209.86.93.230 EHLO - 0
15:40:11 209.86.93.230 - - 0
15:40:11 209.86.93.230 MAIL - 0
15:40:11 209.86.93.230 - - 0
15:40:11 209.86.93.230 RCPT - 0
15:40:11 209.86.93.230 - - 0
15:40:11 209.86.93.230 DATA - 0
15:40:11 209.86.93.230 - - 0
15:40:11 209.86.93.230 - - 0
Your message did not reach some or all of the intended recipients.
Subject: BSU Web Site
Sent: 8/1/2005 3:29 PM
The following recipient(s) could not be reached:
Brad@xxxxxxxxxxxxxxxx on 8/1/2005 3:30 PM
You do not have permission to send to this recipient. For
assistance, contact your system administrator.
<mail.bsu.us #5.7.1 smtp;550 5.7.1 Unable to relay for
Brad@xxxxxxxxxxxxxxxx>
None of these have header info to look at. Am I sending the right
information? Am I doing this right? Thanks again for taking the time to
help me.
"Rich Matheisen [MVP]" wrote:
> "BSUMelissa" <BSUMelissa@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> >Wow, there is a lot here, thanks! This is what the EHLO looks like now after
> >I changed the virtual smtp to mail.bsu.us:
> >
> >Received: from 209.26.232.187 (EHLO mail.bsu.us) (209.26.232.187) by
> >mta124.mail.re2.yahoo.com with SMTP; Fri, 29 Jul 2005 05:11:07 -0700
>
> Well, now both the forward and reverse lookups work, and the server
> announces itself by its right name. :)
>
> >That change was done before your post and before the message was sent to
> >Cogsdale. Is that what you meant by xxx.bsu.us?
>
> Yep, the "xxx" just meant whatever the host name was.
>
> >If you do a reverse lookup
> >for the IP 209.26.232.187 mail.bsu.us is what comes up. Or did you mean the
> >virtual smtp should be syssb0007.bsu.us?
>
> The name syssb0007.bsu.us doesn't appear to be resolvable outside your
> internal DNS, so using it to announce your server's name in a HELO
> command would just cause trouble.
>
> >You are also correct the DHR owns the IP address 209.26.232.187, I know you
> >know that. That is why I don't understand why Earthlink gave the response it
> >did. We tried multiple times to send and each time the result error was the
> >same.
>
> Well, let's start by asking what was the IP address you sent the
> message to, and the one that returned the error (they're probably the
> same). You can find that info in the SMTP protocol log.
>
> Let's also get the contents of the RFC2821 "MAIL FROM" command and the
> RFC2822 "From:", "Sender:", "Resent-From:", etc. headers in the
> message that was rejected.
>
> >On the other hand, I CAN send to two individual Earthlink accounts.
> >One is a mindspring address. Also, keep in mind that we've sent to these
> >addresses successfully many times before in the past, with us being
> >"misconfigured" and all.
>
> That doesn't mean that Earthlink hasn't tightened its security. :)
>
> But we'll need all the information about the message and the server
> you're sending it to.
>
> Earthlink's MX's are:
>
> mx9.earthlink.net internet address = 209.86.93.234
> mxa.earthlink.net internet address = 209.86.93.235
> mxb.earthlink.net internet address = 209.86.93.236
> mxc.earthlink.net internet address = 209.86.93.237
> mxd.earthlink.net internet address = 209.86.93.238
> mxe.earthlink.net internet address = 209.86.93.239
> mx1.earthlink.net internet address = 209.86.93.226
> mx2.earthlink.net internet address = 209.86.93.227
> mx3.earthlink.net internet address = 209.86.93.228
> mx4.earthlink.net internet address = 209.86.93.229
> mx5.earthlink.net internet address = 209.86.93.230
>
> And you should be sending mail to one of those IP addresses, not
> somewhere else.
>
> >Now for the sticky part. BSU.com was in place before this company even had
> >an IT department. When I got here the company that had set everything up, a
> >local networking/support company, gave me a long complicated explaination as
> >to why it could not be changed. Now, he could have been baffleing me with BS
> >I don't know, I just took his word for it. In any case, just to make sure
> >we're on the same page, when I say we use bsu.com internally I mean that is
> >how our internal dns is set up.
>
> That's okay. You can be microsoft.com or ibm.com or yahoo.com within
> the confines of your own network -- provided you understand that none
> of that information can be used outside your own network. That means
> using "split DNS", and it also means you'll never communicate with the
> purloined domain (which belongs to Sagebrush Software Products).
>
> >All entries have bsu.com appended
> >automatically. So, I created a new bsu.us zone in our DNS. I added a record
> >for syssb0007, which is the server name, and mail.
>
> And you did that on your internal DNS, or your external DNS? As I
> said, your internal DNS can pose as anything you like as long as you
> understand the consequences.
>
> >Both records point to the
> >internal IP address and have bsu.us appended. Is that OK?
>
> Sure. The mail.bsu.us is a requirement since your SMTP VS is now
> calling itself by that name. :) The syssb0007 host name appears to be
> something internal (the server name?) and unless you changed the DNS
> name of the server you probably don't need it.
>
> >I haven't changed
> >bsu.com because I'm CHICKEN.
>
> Unless you start doing business with bsu.com, or sending mail spoofing
> that domain, you shouldn't have to do that.
>
> >I'm afraid it will send our whole network into
> >a frenzy. It hasn't been a problem so far in the 3.5 years I've been here so
> >I've left it alone. It seems any time I make one minor change to right a
> >wrong it has a domino affect.
>
> Sometimes that's just the way things are, especially if someone's built a
> house of cards and then departed without leaving a trail of
> breadcrumbs to follow.
>
> >Yes, it's good to make things right but at the
> >same time I pick my battles carefully. I'll have to look into what all is
> >involved with changing the domain name. --It can't possibly be as simple as
> >it sounds.
>
> Changing the AD domain name is a lot harder than changing a DNS domain
> name. The two don't have to be the same (ours aren't).
>
> >I haven't looked at kb 818222 yet, but I still don't understand why mail to
> >Cogsdale was rejected, especially since now the header states mail.bsu.us
> >from 209.26.232.187.
>
> Is the message actually being bounced, or are you just seeing the
> rejection of the XEXCH50 command? Usually, the connection will work
> because your server will try sending some other command in its place
> (usually a DATA or BDAT command) and the transaction proceeds
> normally. The KB article tells you how to turn off the sending of the
> XEXCH50 command if the target domain isn't one you manage.
>
> >I don't understand why Earthlink thinks we're using one
> >of their ip addresses, and how the heck do we fix that?
>
> You find out what IP address you were sending to and the SMTP
> addresses used as the originator (see all that above). Then you work
> from there. Right now you don't know which machine rejected your mail,
> just that it wasn't accepted.
>
> >As for SMTP connectors, we do not have any.
>
> Depending on what you find in the SMTP protocol logs, you might need a
> couple if for nothing else than directing mail for some domains to a
> smarthost.
>
>
> --
> Rich Matheisen
> MCSE+I, Exchange MVP
> MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
> Don't send mail to this address mailto:h.pott@xxxxxxxxxxxxx
>
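Rich's advice in the quoted reply is to pin down, from the SMTP protocol log, which EarthLink MX the mail went to and then read the NDR for the reply code and the IP the remote named. The script below is an added example and not code from either poster: it parses the log lines and NDR snippets quoted above (copied here as constructed sample input), rebuilds per-connection sessions, tags each peer against the MX list Rich posted, classifies the NDR reply codes, and finds the log session closest to the NDR's rejection time. Two things are assumptions, because the thread does not show them: that the log columns are time, client IP, SMTP verb, argument, status, and that one session is a run of consecutive lines sharing IP and timestamp (real logs should be grouped by connection, not by second).

```python
import re
from datetime import datetime, timedelta

OUR_IP = "209.26.232.187"  # the sending address the EarthLink NDR quoted back

# EarthLink MX addresses as listed in Rich's reply (2005 values).
EARTHLINK_MX = {
    "209.86.93.226": "mx1", "209.86.93.227": "mx2", "209.86.93.228": "mx3",
    "209.86.93.229": "mx4", "209.86.93.230": "mx5", "209.86.93.234": "mx9",
    "209.86.93.235": "mxa", "209.86.93.236": "mxb", "209.86.93.237": "mxc",
    "209.86.93.238": "mxd", "209.86.93.239": "mxe",
}

# Constructed sample: protocol-log lines copied from the post, in time order.
# Column meaning (time, client IP, verb, argument, status) is an assumption.
SMTP_LOG = """\
13:29:30 209.86.93.238 - - 0
13:29:30 209.86.93.238 EHLO - 0
13:29:30 209.86.93.238 MAIL - 0
13:29:30 209.86.93.238 RCPT - 0
13:29:30 209.86.93.238 DATA - 0
13:29:30 209.86.93.238 QUIT - 0
15:40:11 209.86.93.230 EHLO - 0
15:40:11 209.86.93.230 MAIL - 0
15:40:11 209.86.93.230 RCPT - 0
15:40:11 209.86.93.230 DATA - 0
15:40:11 209.86.93.230 - - 0
20:13:15 209.86.93.201 RCPT - 0
20:13:15 209.86.93.201 RCPT - 0
"""

# Constructed sample: the three NDR diagnostics quoted in the post.
NDR_EARTHLINK = """\
millerstime@xxxxxxxxxxxxxx on 8/1/2005 3:30 PM
<mail.bsu.us #5.5.0 smtp;550-EarthLink does not recognize your
computer (209.26.232.187) as connecting from an EarthLink connection. If
this is in error, please contact technical support.>
"""
NDR_RELAY = "<mail.bsu.us #5.7.1 smtp;550 5.7.1 Unable to relay for Brad@xxxx>"
NDR_NOT_LOCAL = "<mail.bsu.us #5.5.0 smtp;551 User not local>"

LOG_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (\S+) (\S+) (\d+)$")
# Exchange NDR diagnostic: <reporting-MTA #enhanced-status smtp;reply-code text>
NDR_RE = re.compile(r"<(?P<reporter>[^\s#>]+)\s+#(?P<dsn>\d\.\d\.\d)\s+smtp;"
                    r"(?P<reply>\d{3})[ -](?P<text>.*?)>", re.DOTALL)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WHEN_RE = re.compile(r"on (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)")


def parse_log(text):
    """One dict per well-formed log line; anything else is skipped."""
    recs = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            t, ip, verb, arg, status = m.groups()
            recs.append({"time": t, "ip": ip, "verb": verb, "arg": arg, "status": int(status)})
    return recs


def sessions(records):
    """Group consecutive records by (ip, time); tag the peer and whether the
    whole EHLO/MAIL/RCPT/DATA/QUIT sequence was seen."""
    out = []
    for r in records:
        if out and (out[-1]["ip"], out[-1]["time"]) == (r["ip"], r["time"]):
            out[-1]["verbs"].append(r["verb"])
        else:
            out.append({"ip": r["ip"], "time": r["time"], "verbs": [r["verb"]]})
    for s in out:
        s["verbs"] = [v for v in s["verbs"] if v != "-"]  # "-" rows carry no verb
        s["peer"] = EARTHLINK_MX.get(s["ip"], "unknown")
        s["complete"] = {"EHLO", "MAIL", "RCPT", "DATA", "QUIT"} <= set(s["verbs"])
    return out


def parse_ndr(text):
    """Reporting MTA, DSN code, SMTP reply, reply text, IPs the remote quoted
    back, and the rejection time (if the NDR carries one)."""
    m = NDR_RE.search(text)
    if not m:
        return None
    d = m.groupdict()
    d["text"] = " ".join(d["text"].split())
    d["ips"] = IP_RE.findall(d["text"])
    w = WHEN_RE.search(text)
    d["rejected_at"] = datetime.strptime(w.group(1), "%m/%d/%Y %I:%M %p") if w else None
    return d


def verdict(ndr, our_ip=OUR_IP):
    """Turn the reply code and text into the next diagnostic step."""
    if ndr["reply"] == "550" and our_ip in ndr["ips"]:
        return "remote policy: it names our IP; capture MAIL FROM and From: next"
    if ndr["reply"] == "551":
        return "551: remote says it is not the final destination for that mailbox"
    if ndr["reply"] == "550" and "relay" in ndr["text"].lower():
        return "550 relay refused: that domain is not local to the server we reached"
    return "other: " + ndr["reply"]


def sessions_near(sess, when, minutes=15):
    """Log sessions within +/- minutes of the NDR time, assuming the same day."""
    hits = []
    for s in sess:
        t = datetime.strptime(s["time"], "%H:%M:%S").replace(
            year=when.year, month=when.month, day=when.day)
        if abs(t - when) <= timedelta(minutes=minutes):
            hits.append(s)
    return hits


if __name__ == "__main__":
    sess = sessions(parse_log(SMTP_LOG))
    for s in sess:
        print(s["time"], s["ip"], s["peer"], s["verbs"], "complete" if s["complete"] else "partial")
    n = parse_ndr(NDR_EARTHLINK)
    print(n["dsn"], n["reply"], n["ips"], verdict(n))
    print("nearest sessions:", [(s["time"], s["peer"]) for s in sessions_near(sess, n["rejected_at"])])
    for raw in (NDR_RELAY, NDR_NOT_LOCAL):
        print(verdict(parse_ndr(raw)))
```

Run against the quoted lines, the 15:40:11 session to mx5 is the only one within fifteen minutes of the 3:30 PM rejection, and the 209.86.93.201 burst is RCPT-only from an address that is not on the MX list. The argument column is "-" throughout, which is exactly the gap Rich points at: without the MAIL FROM and RCPT TO arguments in the log, the originator address has to come from the rejected message's own headers.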