Welcome to ISAserver.org

Relay Denied

Relay Denied - 14.May2008 1:21:25 PM   
tbone2k

 

Posts: 33
Joined: 17.Oct.2005
From: Cambridge, Ontario
Status: offline
We've had this happen two or three times now. All of a sudden, users will report to me that they are getting messages to some domains returned with "5.7.1 Relay Denied". Even if I try and do a basic telnet to port 25 of one of the reported domains, I get the same problem once I enter the "mail from" and "rcpt to" lines.

Now this doesn't sound like something that would have to do with ISA, but the problem goes away once I restart the ISA 2004 server. Rather than rebooting, I did try just restarting the firewall service, but it didn't help. I also tried restarting the ISA services, but they wouldn't start again because a dependent service had not started.

A couple of other unique things that may or may not be the cause of our problem:

1. This ISA server used to be running DNS. The internal DNS servers pointed to the DNS on ISA and that DNS service then had a forwarder to external. I have since disabled DNS on the ISA server, set the internal DNS to forward to our ISP and made a rule on ISA to allow DNS.

2. We are switching to a new ISP. The new connection is active, but there is no physical connection yet. I also checked our MX and A records and they are still pointing to the correct IP. So my problem may just be a coincidence, but the problem started on the same day our new connection became live.

3. Our MX record points to our ISP (as they filter our spam). However we send our email directly from our own IP. So the sending IP doesn't match our MX. Again, shouldn't be a problem, but you never know.

I've spoken to some of the ISPs who are rejecting our mail, but none of them can offer any explanation as to why their servers think we are relaying, other than they can't see the association between our IP and our domain. Again, it doesn't explain why rebooting the ISA server fixes the problem. So any other ideas would be appreciated.

Thanks!
Post #: 1
RE: Relay Denied - 14.May2008 1:50:36 PM   
Rotorblade

 

Posts: 899
Joined: 27.Feb.2007
Status: offline
quote:


3. Our MX record points to our ISP (as they filter our spam). However we send our email directly from our own IP. So the sending IP doesn't match our MX. Again, shouldn't be a problem, but you never know.



Actually that is probably part of the issue. With the MX and sending server being different, receiving e-mail systems most often will do a reverse lookup on the sending server's IP. With the MX being different and since there is probably no A zone DNS record for your server's IP, the connection is going to be refused. Many ISPs (AOL, RR, etc.) have this in place. In your case, you should be forwarding your e-mail using a smart host through your ISP.

Why things seem to work after a reboot of ISA is a bit strange. Sounds like you possibly have some DNS issues with your setup.

HTH

RB



_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to tbone2k)
Post #: 2
RE: Relay Denied - 14.May2008 2:04:01 PM   
tbone2k

 

Posts: 33
Joined: 17.Oct.2005
From: Cambridge, Ontario
Status: offline
Thanks for the reply.

What your answer doesn't explain is why we only have sporadic failures. If the rejection was originating from the receiver's end, I would think it would happen all the time.

For that matter, why companies would consider you to be relaying if your sending and MX (receiving) IPs aren't the same is a bit strange. Most large ISPs have separate servers for handling incoming and outgoing email.

(in reply to Rotorblade)
Post #: 3
RE: Relay Denied - 14.May2008 6:10:32 PM   
Rotorblade

 

Posts: 899
Joined: 27.Feb.2007
Status: offline
quote:


What your answer doesn't explain is why we only have sporadic failures. If the rejection was originating from the receiver's end, I would think it would happen all the time.


One would think so but sometimes that is not the case. If the receiving server is rejecting, it sounds like the communication path is ok through ISA.  

quote:


For that matter, why companies would consider you to be relaying if your sending and MX (receiving) IPs aren't the same is a bit strange.


The 550 5.7.1 verb is non-specific and can be returned if the reverse lookup fails.  

quote:


Most large ISPs have separate servers for handling incoming and outgoing email.


Yes, and they have the necessary DNS zone records to support them. (SPF, MX, A and Reverse-Lookup zones established)

HTH

RB


_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to tbone2k)
Post #: 4
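
The reverse-lookup test described in posts 2 and 4, as an added example (not code from the thread or from ISA Server): it checks that a sending IP has a PTR record and that the PTR name resolves back to the same IP. The HELO comparison goes one step beyond what the posts mention, and all names, addresses and the `exch01.corp.local` host are constructed placeholders.

```python
import ipaddress
import socket

# Constructed records (RFC 5737 documentation addresses), not data from the thread.
SAMPLE_PTR = {"192.0.2.25": ["mail.example.com."],
              "192.0.2.26": ["host26.isp.example."]}
SAMPLE_A = {"mail.example.com": ["192.0.2.25"],
            "host26.isp.example": ["198.51.100.7"]}

def system_ptr(ip):
    """PTR names for ip from the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_a(name):
    """Addresses for name from the system resolver (empty list if none)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def check_sender(ip, helo, ptr_lookup=system_ptr, a_lookup=system_a):
    """Classify a connecting IP the way a strict receiving MTA might."""
    ip = str(ipaddress.ip_address(ip))  # raises ValueError on malformed input
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return "no-ptr"
    # Forward-confirm: a PTR name must resolve back to the same IP.
    confirmed = [n for n in names if ip in a_lookup(n)]
    if not confirmed:
        return "ptr-not-forward-confirmed"
    if helo.rstrip(".").lower() not in confirmed:
        return "helo-mismatch"
    return "ok"

def sample_check(ip, helo):
    """Run check_sender against the constructed records above (offline)."""
    return check_sender(ip, helo,
                        ptr_lookup=lambda i: SAMPLE_PTR.get(i, []),
                        a_lookup=lambda n: SAMPLE_A.get(n, []))

if __name__ == "__main__":
    for ip, helo in [("192.0.2.25", "mail.example.com"),
                     ("192.0.2.25", "exch01.corp.local"),
                     ("192.0.2.26", "mail.example.com"),
                     ("192.0.2.27", "mail.example.com")]:
        print(f"{ip:12} HELO {helo:20} -> {sample_check(ip, helo)}")
```

Calling `check_sender(ip, helo)` without the lookup arguments uses the system resolver, so running it from the mail server and from an outside host shows whether both see the same PTR and A answers.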
RE: Relay Denied - 22.May2008 10:00:17 AM   
tbone2k

 

Posts: 33
Joined: 17.Oct.2005
From: Cambridge, Ontario
Status: offline
Update... we actually stopped having our ISP filter our email. So now we receive and send email through our ISA server at the same IP. However we still have the same problem. Just happened this morning, in fact. Again, rebooting the ISA server fixed the problem.

If anyone wants to check the details, our domain is Holstein.ca and our IP is 206.130.238.93. Some DNS servers may still show our MX as the old barracuda.kwic.com because we just updated it yesterday. However, even kwic.com was giving us these relay errors until I rebooted the ISA server.

Thanks
Brian

(in reply to Rotorblade)
Post #: 5
