01-26-2016 10:11 AM
I have 1 IronPort and 2 lines for outgoing/incoming to the internet. Both lines use different ISPs.
Ironport host configured mail.domain.com
mx record - 10 Pref - mail.domain.com - 100.100.100.100
mx record - 20 Pref - mail2.domain.com - 101.101.101.101
PTR - 100.100.100.100 - mail.domain.com
PTR - 101.101.101.101 - mail2.domain.com
Email web access: outlook.domain.com
We have checked that the ISP's NS has configured the PTR records.
Sometimes email is undeliverable and sometimes email is successfully delivered.
What is the issue when email is undeliverable?
Should we purchase 2 IronPorts for 2 different ISP connections?
In my opinion, one IronPort can support a 2-line connection.
How can I configure it to connect 2 lines?
What is the root cause of the email being undeliverable?
This is the email undeliverable error message:
Remote Server returned '<[xxx.xxx.xxx.xxx] #5.0.0 smtp; 5.1.0 - Unknown address error 554-'5.7.1 This message has been blocked because the HELO/EHLO domain is invalid.' (delivery attempts: 0)>'
Original message headers:
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ArIEAPrZplYKZGWa/2dsb2JhbABbAxkBAQEBDwEBAQGCPoEebQaIUaIokWAefIR1AoIVAQEBAQEBgQuEQQEBAQEDBSgcPgICAQgNBAQBAQYBAQEKFQcCBQ8BDQIMFAkIAQEEAREBCAbGTAEBAQEBAQEBAQEBAQEBAQEBAQEBDggEhTJ8hG2EGxEBKwkLFRGDdAWGFoIcikKEBIRdBIEOh2AHgV6ERIMbhTyKb4NSAYJjGIFQaoYMNHwBAQE
X-IronPort-AV: E=Sophos;i="5.22,347,1449504000";
d="jpg'145?scan'145,208,217,145";a="2237622"
Received: from unknown (HELO outlook.domain.com) ([xx.xxx.xxx.xxx])
by mail.domain.com with ESMTP; DD Mon YYYY
Received: from Server2.HQ.Local.Domain (xx.xxx.xxx.xxx) by Server1.HQ.Local.Domain
(xx.xxx.xxx.xxx) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Tue, DD MMM
Received: from Server2.HQ.Local.Domain () by Server2.HQ.Local.Domain
([]) with mapi id 15.00.1104.000; Tue, DD MMM YYYY
01-26-2016 07:44 PM
This is a key bit. It is saying the EHLO you are presenting is not a valid domain. Are you presenting a valid DNS domain name to the outside world in your EHLO?
This message has been blocked because the HELO/EHLO domain is invalid
01-26-2016 08:24 PM
Not sure which DNS domain name went wrong.
Users access email at https://outlook.domain.com
mx record - 10 Pref - mail.domain.com - 100.100.100.100
mx record - 20 Pref - mail2.domain.com - 101.101.101.101
PTR - 100.100.100.100 - mail.domain.com
PTR - 101.101.101.101 - mail2.domain.com
A record - outlook.domain.com - 100.100.100.100
A record - outlook.domain.com - 101.101.101.101
I'm using mxtoolbox to verify DNS.
Any idea whether DNS or IronPort is causing the issue?
01-26-2016 08:28 PM
This is on the Ironport. What have you got configured to present to remote email systems in the EHLO protocol message?
This shows how to set it. Make sure it is a publicly resolvable DNS name and you have matching forward and reverse DNS lookups. Make sure you are looking at the external facing interface(s).
https://supportforums.cisco.com/discussion/11923911/ironport-c170-heloehlo-response
01-26-2016 08:58 PM
In the IronPort hostname, we configured mail.domain.com.
Sometimes email is successfully sent.
If the email is undelivered, the sender will resend the email and it is successfully sent.
Email undelivered message:
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ArIEAPrZplYKZGWa/2dsb2JhbABbAxkBAQEBDwEBAQGCPoEebQaIUaIokWAefIR1AoIVAQEBAQEBgQuEQQEBAQEDBSgcPgICAQgNBAQBAQYBAQEKFQcCBQ8BDQIMFAkIAQEEAREBCAbGTAEBAQEBAQEBAQEBAQEBAQEBAQEBDggEhTJ8hG2EGxEBKwkLFRGDdAWGFoIcikKEBIRdBIEOh2AHgV6ERIMbhTyKb4NSAYJjGIFQaoYMNHwBAQE
X-IronPort-AV: E=Sophos;i="5.22,347,1449504000";
d="jpg'145?scan'145,208,217,145";a="2237622"
Received: from unknown (HELO outlook.domain.com) by mail.domain.com with ESMTP; 26 Jan 2016 10:31:37 +0800
01-26-2016 09:09 PM
Unless mail.domain.com actually points to your Ironport this is not correct. You need to enter the correct DNS entry - if you expect it to work.
01-26-2016 09:25 PM
Does actual DNS mean domain.com or outlook.domain.com?
Should I configure domain.com?
The initial setup was domain.com.
IronPort support has changed the configuration to mail.domain.com.
What IronPort hostname should be configured?
01-26-2016 09:50 PM
What is the public IP address of your Ironport? What DNS entry exists pointing to this IP address?
That is the DNS entry you should be using.
01-27-2016 02:15 AM
Hello Shwufai,
From reviewing the NDR error and the headers you are providing, I believe the EHLO error in question is referencing the EHLO your ESA is sending to the destination server.
The HELO outlook.domain.com seems to be the HELO response sent to your ESA (IronPort) from the local servers you have.
I would suggest reviewing what EHLO your ESA is sending when connecting out.
So please check GUI > Network > IP Interfaces, pick the interface that the outbound mail is going out from, and set its Hostname field.
Ensure this field resolves to a valid DNS record to stop the destination server from disallowing the email.
Regards,
Matthew
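Matthew's reading of the headers rests on which hop each Received: line records. The following parser is an added example written for this page (it is not code from the thread, from Cisco or from AsyncOS); it unfolds the header block the poster supplied (reproduced below with the poster's own masked values, such as xx.xxx.xxx.xxx and DD Mon YYYY, left as they were) and extracts, per hop, the name the receiver recorded for the peer, the HELO/EHLO name the peer presented, and the host that accepted the hop.

```python
# Added example, not from the thread or from Cisco: split Received: headers
# into hops so the HELO each peer presented, and who recorded it, can be
# read off in order.
import re

# Constructed sample: the header block posted in the thread, with the
# poster's masked values (xx.xxx.xxx.xxx, DD Mon YYYY) kept as posted.
SAMPLE_HEADERS = """\
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.22,347,1449504000";
 d="jpg'145?scan'145,208,217,145";a="2237622"
Received: from unknown (HELO outlook.domain.com) ([xx.xxx.xxx.xxx])
 by mail.domain.com with ESMTP; DD Mon YYYY
Received: from Server2.HQ.Local.Domain (xx.xxx.xxx.xxx) by Server1.HQ.Local.Domain
 (xx.xxx.xxx.xxx) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Tue, DD MMM
Received: from Server2.HQ.Local.Domain () by Server2.HQ.Local.Domain
 ([]) with mapi id 15.00.1104.000; Tue, DD MMM YYYY
"""


def unfold(raw):
    """Join RFC 5322 folded continuation lines (those starting with
    whitespace) onto the header they belong to. Returns 'Name: value' strings."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return [l for l in lines if l]


RE_FROM = re.compile(r"^from\s+(\S+)", re.I)
RE_HELO = re.compile(r"\((?:HELO|EHLO)\s+([^)\s]+)\)", re.I)
RE_BY = re.compile(r"\bby\s+(\S+)", re.I)


def parse_received(raw):
    """One dict per Received: header, in header order. Each relay prepends
    its own line, so index 0 is the most recent hop."""
    hops = []
    for header in unfold(raw):
        name, _, value = header.partition(":")
        if name.strip().lower() != "received":
            continue
        value = value.strip()
        m_from = RE_FROM.search(value)
        m_helo = RE_HELO.search(value)
        m_by = RE_BY.search(value)
        hops.append({
            "from": m_from.group(1) if m_from else None,  # name the receiver recorded for the peer
            "helo": m_helo.group(1) if m_helo else None,  # what the peer said in HELO/EHLO
            "by": m_by.group(1) if m_by else None,        # host that accepted this hop
        })
    return hops


def helo_presented_to(hops, host):
    """HELO/EHLO names that were presented *to* the given receiving host."""
    return [h["helo"] for h in hops
            if h["by"] and h["by"].lower() == host.lower() and h["helo"]]


if __name__ == "__main__":
    for i, hop in enumerate(parse_received(SAMPLE_HEADERS)):
        print(i, hop)
    print("HELO seen by mail.domain.com:",
          helo_presented_to(parse_received(SAMPLE_HEADERS), "mail.domain.com"))
```

Run on the sample, the only hop accepted by mail.domain.com (the ESA) is the one where the internal server said HELO outlook.domain.com, and no hop has mail.domain.com as the sending side; the EHLO the ESA presents outbound is therefore not in these headers at all, which is why the check has to be made on the ESA's outbound IP interface rather than in the NDR.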
01-26-2016 09:35 PM
Make sure it is a publicly resolvable DNS name and you have matching forward and reverse DNS lookups.
Although it doesn't harm, (E)SMTP has no such requirement. You are mixing two unrelated things.
The IP address from which the SMTP session arrives at the SMTP server needs to have matching forward and reverse DNS records.
According to the error message, that does not seem to be the issue.
The HELO/EHLO parameter requires a hostname, but that hostname is not required to have a relationship to the client IP address. Imagine a multihomed SMTP client (more than one IP address) or a client behind NAT.
The HELO parameter should be the primary hostname of the client host or an address literal. See RFC 5321 for details:
The SMTP client MUST, if possible, ensure that the domain parameter to the EHLO command is a valid principal host name (not a CNAME or MX name) for its host. If this is not possible (e.g., when the client's address is dynamically assigned and the client does not have an obvious name), an address literal SHOULD be substituted for the domain name and supplemental information provided that will assist in identifying the client. An SMTP server MAY verify that the domain name parameter in the EHLO command actually corresponds to the IP address of the client. However, the server MUST NOT refuse to accept a message for this reason if the verification fails: the information about verification failure is for logging and tracing only.
E.g. EHLO [ 10.0.0.1 ] is a valid HELO (even with a private IP used) and the session should not be refused because of it.
Of course, Philip is right, you can work around the issue by providing a resolvable name, but it's not your computer that's misconfigured here.
01-26-2016 10:01 PM
There are RFCs, and then there are implementations that break RFCs.
I've seen plenty of receivers that block senders if the EHLO argument does not resolve. Furthermore, the SMTP RFC *does* recommend it to be set to a resolvable FQDN. Even further, the SPF RFC recommends checking the HELO identity as well (see http://www.openspf.org/RFC_4408#helo-ident).
Additionally, while we may insist on being strict to the word of the RFC, it is much easier to change our own config (and satisfy all the "MAY" clauses) than influencing a 3rd party to change their own. At the end of the day, it only ends up in disruptions in mail delivery.
So, in practice, it is best to have your hostname configured as a fully resolvable FQDN (both A and PTR records, matching), as well as added to the SPF records of all the domains you do delivery for.
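The three positions above (Philip's "matching forward and reverse DNS", the RFC 5321 reply that an address literal is always acceptable and a failed check is for logging only, and the observation that some receivers reject anyway) can be put side by side in code. The block below is an added example written for this page, not code from the thread, from Cisco or from any RFC implementation; it classifies an EHLO argument against the connecting IP and then shows the reply an RFC-conformant receiver gives next to the reply of a strict one. Lookups go through injectable resolver functions so it runs offline against a constructed DNS table built from the records the poster listed (mail.domain.com, mail2.domain.com, outlook.domain.com and the two example addresses); `fake_resolve_a` and `fake_resolve_ptr` are stand-ins, not real resolvers.

```python
# Added example, not from the thread, Cisco or an RFC: evaluate the argument
# a client presents in EHLO/HELO against the client IP, with an injectable
# resolver so it runs offline against a constructed DNS table.
import ipaddress
import re

# Constructed DNS table built from the records posted in the thread.
FAKE_A = {
    "mail.domain.com": ["100.100.100.100"],
    "mail2.domain.com": ["101.101.101.101"],
    "outlook.domain.com": ["100.100.100.100", "101.101.101.101"],
}
FAKE_PTR = {
    "100.100.100.100": "mail.domain.com",
    "101.101.101.101": "mail2.domain.com",
}


def fake_resolve_a(name):
    """Stand-in for an A lookup (a real one would use getaddrinfo or dnspython)."""
    return FAKE_A.get(name.lower(), [])


def fake_resolve_ptr(ip):
    """Stand-in for a PTR lookup."""
    name = FAKE_PTR.get(ip)
    return [name] if name else []


# A fully qualified host name: dotted labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
# Address literal: [1.2.3.4] or [IPv6:...]. RFC 5321 writes it without inner
# spaces; the thread's "[ 10.0.0.1 ]" spelling is tolerated here.
LITERAL_RE = re.compile(r"^\[\s*(IPv6:)?([^\]]+?)\s*\]$")


def classify_ehlo(arg, client_ip, resolve_a=fake_resolve_a, resolve_ptr=fake_resolve_ptr):
    """Return (verdict, detail) for an EHLO/HELO argument seen from client_ip.

    literal       address literal; RFC 5321 allows it whatever the client IP
    fcrdns        hostname -> client_ip and PTR(client_ip) -> hostname
    forward-only  hostname -> client_ip, but the PTR names something else
    mismatch      hostname resolves, but not to client_ip
    unresolvable  hostname has no A record
    malformed     neither a hostname nor an address literal
    """
    m = LITERAL_RE.match(arg)
    if m:
        try:
            ipaddress.ip_address(m.group(2))
        except ValueError:
            return "malformed", f"bad address literal {arg!r}"
        return "literal", f"{arg} is an address literal"
    if not HOSTNAME_RE.match(arg):
        return "malformed", f"{arg!r} is neither a hostname nor an address literal"
    addrs = resolve_a(arg)
    if not addrs:
        return "unresolvable", f"no A record for {arg}"
    if client_ip not in addrs:
        return "mismatch", f"{arg} resolves to {addrs}, but the client is {client_ip}"
    ptr_names = [n.lower().rstrip(".") for n in resolve_ptr(client_ip)]
    if arg.lower() in ptr_names:
        return "fcrdns", f"{arg} and {client_ip} confirm each other"
    return "forward-only", f"{arg} -> {client_ip}, but PTR gives {ptr_names or 'nothing'}"


def receiver_decision(arg, client_ip, strict=False, **resolvers):
    """Model a receiving MTA's reply to EHLO. Returns (reply line, verdict).

    strict=False follows RFC 5321: a verification failure is logged, never a
    reason to refuse. strict=True models receivers like the one in the
    thread's NDR, which reject when the name does not resolve or does not
    point at the connecting IP (some sites also demand the PTR match).
    """
    verdict, detail = classify_ehlo(arg, client_ip, **resolvers)
    if verdict == "malformed":
        return "501 5.5.4 Syntax error in EHLO parameter", verdict
    if strict and verdict in ("unresolvable", "mismatch"):
        return ("554 5.7.1 This message has been blocked because the HELO/EHLO domain is invalid",
                verdict)
    return f"250 OK ({detail})", verdict


if __name__ == "__main__":
    for arg, ip in [("mail.domain.com", "100.100.100.100"),
                    ("mail.domain.com", "101.101.101.101"),
                    ("outlook.domain.com", "101.101.101.101"),
                    ("[ 10.0.0.1 ]", "101.101.101.101")]:
        for strict in (False, True):
            print(f"EHLO {arg} from {ip} strict={strict}:",
                  receiver_decision(arg, ip, strict=strict)[0])
```

With the constructed table, mail.domain.com presented from 100.100.100.100 is forward- and reverse-confirmed, the same name presented from 101.101.101.101 is a mismatch that a strict receiver answers with the 554 seen in the NDR while an RFC-conformant one still answers 250, and the address literal passes both. That is the practical reason for the advice in this thread: a name that satisfies the strict receivers also satisfies the lenient ones, so it is the configuration that avoids the intermittent rejections.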
01-26-2016 10:33 PM
What sentence of my comment do you disagree with?
01-26-2016 08:50 PM
The Feedback forum is dedicated to other topics. Moved to Email Security, where it belongs.