E.g., for foulgerpratt.com, we are able to receive mail from them, but if we reply, an NDR is generated as follows:
"The following organization rejected your message: [188.8.131.52]." An IronPort mail log shows: "Bounced: DCID 1088007 MID 8598048 to RID 0 - 5.1.0 - Unknown address error ('550', ['Denied by policy.'])"
However, the address firstname.lastname@example.org does exist, because we are replying to it.
By doing an nslookup we found:
C:\>nslookup
Default Server: resolver.hp.net
Address: 184.108.40.206

or looking for MX records:
> set type=mx
> foulgerpratt.com
Server: resolver.hp.net
Address: 220.127.116.11

Non-authoritative answer:
foulgerpratt.com MX preference = 5, mail exchanger = mail.foulgerpratt.com

mail.foulgerpratt.com internet address = 18.104.22.168
> set type=ptr
> 22.214.171.124
Server: resolver.hp.net
Address: 126.96.36.199

Non-authoritative answer:
188.8.131.52.in-addr.arpa name = bids.foulgerpratt.com
184.108.40.206.in-addr.arpa name = mail.foulgerpratt.com
220.127.116.11.in-addr.arpa name = xmweb.foulgerpratt.com
18.104.22.168.in-addr.arpa name = ems.foulgerpratt.com

22.214.171.124.in-addr.arpa nameserver = auth1.dns.cogentco.com
126.96.36.199.in-addr.arpa nameserver = auth2.dns.cogentco.com
auth1.dns.cogentco.com internet address = 188.8.131.52
auth2.dns.cogentco.com internet address = 184.108.40.206
Look at the strange name, which is the inverse of their IP. Would this be the reason why we cannot send them emails?
On the other hand, our domain "customer.com" has 3 MX records; if you do an nslookup for each of them, you will get both an A record and a PTR record. However, if you do the nslookup directly for "customer.com", there is no A record associated, nor a PTR. Would this also be a problem for sending mail out to certain domains?
Below are the results of nslookup for other domains that have problems receiving our mails:
Non-authoritative answer:
220.127.116.11.in-addr.arpa name = smtp4.cesco.com

127.21.12.in-addr.arpa nameserver = cmtu.mt.ns.els-gms.att.net
127.21.12.in-addr.arpa nameserver = cbru.br.ns.els-gms.att.net
cbru.br.ns.els-gms.att.net internet address = 18.104.22.168
cmtu.mt.ns.els-gms.att.net internet address = 22.214.171.124
One time a user received this NDR:
> The Non delivery notification received says:
> unable to deliver to email@example.com
> Unable to deliver the message due to a communication failure
> The MTS-ID of the original message is........
> ironport.domain.com 5.0.0 smtp 5.4.7 - Delivery expired (message too
> old) 'timeout' (delivery attempts: 0).
and mail logs show:
Thu Feb 28 20:00:47 2008 Info: New SMTP ICID 38970663 interface Data 1 (10.32.2.35) address 126.96.36.199 reverse dns host unknown verified no
Currently the bounceconfig is not configured in our cluster. Which values would you recommend for the maximum number of retries and the maximum number of seconds a message may stay in the queue before being hard bounced? At the GUI level, in Bounce Profile we have the following settings:
Initial Period to Wait Before Retrying an Unreachable Host: 60 (between 60 and 86400)
Maximum Interval Allowed Between Retries to an Unreachable Host: 3600 (between 60 and 86400)
Wait Before Timing out Reverse DNS Lookups: 20
Errors like "550 Denied by Policy" are usually an indicator that you have been blacklisted. This could either be an in-house list that the receiver maintains, or a third-party RBL.
The same goes for cesco.com. I can reach both of their MX hosts from my system without a problem. The fact that you are getting repeat timeouts could indicate either a routing problem, or they are not accepting your connections because of a blacklist.
I apologize in advance if any of this is redundant.
There are several sites that attempt to query several blacklists so you can check quickly. Here's one that I have had good luck with:
Just enter the IP that your mail is delivered from.
I would start from there. If you don't find anything, then a check of whois may be in order. The first two domains appear to be registered with Network Solutions' anonymizing registration, so you can try sending an email to what is listed in the whois entry and it will be forwarded to whatever the user has on record.
The last domain, CEELECTRONICS.COM, appears to have a couple of phone numbers that you could call.
Getting off of a blacklist can be a daunting task, but I find that letting the receiver know that you are serious about correcting any issues can go a long way.
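
The two checks discussed in this thread, as an added example that is not part of any poster's message: forward-confirmed reverse DNS for the sending IP, and a DNSBL lookup of that IP. The zone `dnsbl.example`, the host names and the 192.0.2.x addresses are constructed placeholders, and the resolver is injectable so the sample data runs offline.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Name a DNSBL lookup resolves: reversed IPv4 octets + list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver():
    """(ptr, a) lookup functions backed by the local resolver."""
    def ptr(ip):
        try:
            return [socket.gethostbyaddr(ip)[0]]
        except OSError:
            return []
    def a(name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except OSError:
            return []
    return ptr, a

def check_sender(ip, zones, resolver=None):
    """Report PTR names, forward-confirmed rDNS and DNSBL hits for one IP."""
    ptr, a = resolver or system_resolver()
    names = ptr(ip)
    # FCrDNS: at least one PTR name must resolve back to the same IP.
    fcrdns = any(ip in a(name) for name in names)
    listed = {}
    for zone in zones:
        # By convention a listed IP gets an answer inside 127.0.0.0/8.
        hits = [x for x in a(dnsbl_query_name(ip, zone)) if x.startswith("127.")]
        if hits:
            listed[zone] = hits
    return {"ptr": names, "fcrdns": fcrdns, "listed": listed}

# Constructed sample data: documentation addresses, hypothetical names and zone.
SAMPLE_PTR = {"192.0.2.25": ["mail.customer.example"],
              "192.0.2.40": ["old.customer.example"]}
SAMPLE_A = {"mail.customer.example": ["192.0.2.25"],
            "old.customer.example": ["192.0.2.77"],      # PTR does not confirm
            "40.2.0.192.dnsbl.example": ["127.0.0.2"]}   # listed
SAMPLE_RESOLVER = (lambda ip: SAMPLE_PTR.get(ip, []),
                   lambda name: SAMPLE_A.get(name, []))

if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.40", "192.0.2.99"):
        print(ip, check_sender(ip, ["dnsbl.example"], SAMPLE_RESOLVER))
```

Calling `check_sender` without a resolver uses the machine's own DNS configuration; pass the outbound IP of the mail gateway and the zones the receiving side is known to consult.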