none
550 Authentication is required for relay

    Question

  • Hi all

    I'm having problem with sending email to some domains. when I send email , It immediately failed with this error "550 Authentication is required for relay "

    I use Exchange Server 2007 as my mailbox server and there is an Edge Transport Server which is used for send/receive emails to/from external.

    I have no problem with sending email to other domains like yahoo or gmail

     

    There is 2 send connector which have the following settings

    1. EdgeSync - Default-First-Site-Name to Internet

    2. EdgeSync - Inbound to Default-First-Site-Name

     


    AddressSpaces                : {smtp:*;100}
    AuthenticationCredential     :
    Comment                      :
    ConnectedDomains             : {}
    ConnectionInactivityTimeOut  : 00:10:00
    DNSRoutingEnabled            : True
    DomainSecureEnabled          : True
    Enabled                      : True
    ForceHELO                    : False
    Fqdn                         :
    HomeMTA                      : Microsoft MTA
    HomeMtaServerId              : itorbit-a75bb78
    Identity                     : EdgeSync - Default-First-Site-Name to Internet
    IgnoreSTARTTLS               : False
    IsScopedConnector            : False
    IsSmtpConnector              : True
    LinkedReceiveConnector       :
    MaxMessageSize               : 10MB
    Name                         : EdgeSync - Default-First-Site-Name to Internet
    Port                         : 25
    ProtocolLoggingLevel         : None
    RequireTLS                   : False
    SmartHostAuthMechanism       : None
    SmartHosts                   : {}
    SmartHostsString             :
    SourceIPAddress              : 0.0.0.0
    SourceRoutingGroup           : Exchange Routing Group (DWBGZMFD01QNBJR)
    SourceTransportServers       : {itorbit-a75bb78}
    UseExternalDNSServersEnabled : False

    AddressSpaces                : {smtp:--;100}
    AuthenticationCredential     :
    Comment                      :
    ConnectedDomains             : {}
    ConnectionInactivityTimeOut  : 00:10:00
    DNSRoutingEnabled            : False
    DomainSecureEnabled          : False
    Enabled                      : True
    ForceHELO                    : False
    Fqdn                         :
    HomeMTA                      : Microsoft MTA
    HomeMtaServerId              : itorbit-a75bb78
    Identity                     : EdgeSync - Inbound to Default-First-Site-Name
    IgnoreSTARTTLS               : False
    IsScopedConnector            : False
    IsSmtpConnector              : True
    LinkedReceiveConnector       :
    MaxMessageSize               : 10MB
    Name                         : EdgeSync - Inbound to Default-First-Site-Name
    Port                         : 25
    ProtocolLoggingLevel         : None
    RequireTLS                   : False
    SmartHostAuthMechanism       : ExchangeServer
    SmartHosts                   : {--}
    SmartHostsString             : --
    SourceIPAddress              : 0.0.0.0
    SourceRoutingGroup           : Exchange Routing Group (DWBGZMFD01QNBJR)
    SourceTransportServers       : {itorbit-a75bb78}
    UseExternalDNSServersEnabled : False

    any Idea?

    Thursday, October 14, 2010 1:05 PM

All replies

  • On Thu, 14 Oct 2010 13:05:16 +0000, Haniet wrote:
     
    >I'm having problem with sending email to some domains. when I send email , It immediately failed with this error "550 Authentication is required for relay "
    >
    >I use Exchange Server 2007 as my mailbox server and there is an Edge Transport Server which is used for send/receive emails to/from external.
    >
    >I have no problem with sending email to other domains like yahoo or gmail
     
    That sounds like either an incorrect MX or A record for the target
    domain, or the receiving MTA is misconfigured.
     
    If the MX record is found it should direct you to servers that accept
    e-mail for the domain. However, if there's a problem retreiving the MX
    then the "A" record for the domain will be used. The "A" record
    usually points to a web site, not a SMTP server. If there's a SMTP
    server at the IP address it's probably not the one the admins want to
    be used for general purpose email so they probably require
    authentication before they'll accept e-mail for the domain.
     
    Not knowing which domain(s) you're having a problem sending to, or the
    IP address to which you're sending the mail, makes all of this just
    speculation.
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    Thursday, October 14, 2010 2:26 PM
  • Thanks for your reply

    I don't think that there is a problem with target domain.

    For example I cannot send email to the domain a.com form my domain which is mydomain.com

    but I can send email to the a.com domain from other domains like b.com and so on.

     

    Saturday, October 16, 2010 4:57 AM
  • Hi,

    Can you try by doing the following changes on your send connectors.

    Connector :1 (EdgeSync - Default-First-Site-Name to Internet)

    --------------------------------------------------------------------------

    can you take the properties of the "EdgeSync - Default-First-Site-Name to Internet" send connector from the hub server. Then go to the 'Network' tab and enable the following options

    • "Use domain name system (DNS) "MX" records to route mail automatically".
    • "Enable Domain Security (Mutual Auth TLS)".
    • "Use External Lookup seetings on the local transport server".
    • "Change the smart host authentication to: None"

    Then logon to the edge server and take the properties of the server. From the 'External DNS Lookups' tab select "Use these DNS servers:" button and add your public dns ip address there.

    After that do an edge synchronization from hub server.

    Connector :2 (EdgeSync - Inbound to Default-First-Site-Name)

    -------------------------------------------------------------------------

    Take the properites of the connector from the hub server and go to the network tab. Then select "Route the mails through the following smart hosts" and your HUB servers IP addess as smart hosts. Then select the authentication as "exchange server authentication".

    Do edge synchronization.

    I hope it may help you out.

    Thanks,

    santhosh

     

     


    Santhosh Sivaraman MCITP: Microsoft Exchange Server 2007/2010 | MCSE/MCSA
    Saturday, October 16, 2010 2:03 PM
  • On Sat, 16 Oct 2010 04:57:40 +0000, Haniet wrote:
     
    >I don't think that there is a problem with target domain.
     
    So what's the domain name? And to what IP address are you sending the
    e-mail to?
     
    >For example I cannot send email to the domain a.com form my domain which is mydomain.com
    >but I can send email to the a.com domain from other domains like b.com and so on.
     
    That doesn't tell me anything except that perhaps you have a bad DNS
    query cached in your server.
     
    If you want answers you'll have to provide details.
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    Saturday, October 16, 2010 3:08 PM
  • My domain name is itorbit.net

    I have an A record in my DNS server for mail.itorbit.net , MX record which is pointed to that A record

    and I have an SPF record which is "v=spf1 mx ip4:81.91.159.131 ~all"

     

    I cannto send email to any domain which is end with .ac.ir (for example sbmu.ac.ir) and some other domains like nafisholding.com

     

    Saturday, October 16, 2010 5:26 PM
  • On Sat, 16 Oct 2010 17:26:26 +0000, Haniet wrote:
     
    >My domain name is itorbit.net
    >
    >I have an A record in my DNS server for mail.itorbit.net , MX record which is pointed to that A record
    >
    >and I have an SPF record which is "v=spf1 mx ip4:81.91.159.131 ~all"
     
    I wasn't so much asking for your domain as I was for the domain to
    which you had difficulty sending e-mail. But, since you offered that
    information . . .
     
    I don't find a PTR record for the IP address 81.91.159.131. That may
    account for a lot of problems. Add one to your DNS or have the ISP do
    it of you don't manage the network.
     
    The other problem you have is the poor reputation your IP address has
    in some reputation servers:
     
    http://www.trustedsource.org/query/81.91.159.131
     
    That IP address hasn't been used to send mail for very long (only
    ablout a month), but it sure got someone ticked off. :-)
     
    Another problem may be that your server uses a name that's different
    to "mail.itorbit.net" in the 220 banner, and it probably also uses
    that name in the HELO\EHLO command it sends. Here's the 220 banner
    info:
     
    220 itorbit-a75bb78.itorbitall.com
     
    Fix that so it uses the name "mail.itorbit.net".
     
    >I cannto send email to any domain which is end with .ac.ir (for example sbmu.ac.ir) and some other domains like nafisholding.com
     
    From your Exchange server, start a command prompt and run nslookup.
     
    Then enter:
    set q=mx
    sbmu.ac.ir
     
    What is the name of the server that accepts mail for that domain, and
    what's its IP address?
     
    If you have the IP address, from that same command prompt:
     
    telnet <ip-addr> 25
     
    You should see:
    220 **************************0***0**************20*0 02*20*****0**0
     
    Which probably means they're using a Cisco firewall with that
    dastardly "MailGard" feature enabled. Enter "quit" and end the
    session.
     
    Now, go have a look at your DMTP send protocol log and see what
    happens when you try to send a message to that domain. Do you see the
    SMTP conversation? Where does it end? What status codes are returned
    to the commands your server sends?
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    Saturday, October 16, 2010 11:13 PM
  • As I changed my SPF record the problem of sending email to *.ac.ir had been solved

    but still I have problem sending email to the domain  Nafisholding.com

    here is the SMTP Send log :


    2010-10-18T13:08:34.368Z,edgesync - default-first-site-name to internet,08CD39ABF2402E80,1,192.168.0.50:15834,38.117.105.236:25,+,,
    2010-10-18T13:08:34.634Z,edgesync - default-first-site-name to internet,08CD39ABF2402E80,2,192.168.0.50:15834,38.117.105.236:25,<,220 mail.netsups.com ,
    2010-10-18T13:08:34.634Z,edgesync - default-first-site-name to internet,08CD39ABF2402E80,3,192.168.0.50:15834,38.117.105.236:25,>,EHLO itorbit-a75bb78.itorbitall.com,
    2010-10-18T13:08:34.915Z,edgesync - default-first-site-name to internet,08CD39ABF2402E80,4,192.168.0.50:15834,38.117.105.236:25,<,250-mail.netsups.com Hello [81.91.159.130],
    2010-10-18T13:08:34.915Z,edgesync - default-first-site-name to internet,08CD39ABF2402E80,5,192.168.0.50:15834,38.117.105.236:25,<,250-SIZE 31457280,
    2010-10-18T13:08:34.915Z,edgesync - default-first-site-name to internet,08CD39ABF2402E80,6,192.168.0.50:15834,38.117.105.236:25,<,250-AUTH LOGIN CRAM-MD5,
    2010-10-18T13:08:34.915Z,edgesync - default-first-site-name to internet,08CD39ABF2402E80,7,192.168.0.50:15834,38.117.105.236:25,<,250 OK,
    2010-10-18T13:08:34.915Z,edgesync - default-first-site-name to internet,08CD39ABF2402E80,8,192.168.0.50:15834,38.117.105.236:25,*,439,sending message
    2010-10-18T13:08:34.915Z,edgesync - default-first-site-name to internet,08CD39ABF2402E80,9,192.168.0.50:15834,38.117.105.236:25,>,MAIL FROM:<test@itorbit.net> SIZE=20743,
    2010-10-18T13:08:35.196Z,edgesync - default-first-site-name to internet,08CD39ABF2402E80,10,192.168.0.50:15834,38.117.105.236:25,<,550 Authentication is required for relay,
    2010-10-18T13:08:35.196Z,edgesync - default-first-site-name to internet,08CD39ABF2402E80,11,192.168.0.50:15834,38.117.105.236:25,>,QUIT,
    2010-10-18T13:08:35.462Z,edgesync - default-first-site-name to internet,08CD39ABF2402E80,12,192.168.0.50:15834,38.117.105.236:25,<,221 Service closing transmission channel,
    2010-10-18T13:08:35.462Z,edgesync - default-first-site-name to internet,08CD39ABF2402E80,13,192.168.0.50:15834,38.117.105.236:25,-,,Local

    Monday, October 18, 2010 1:18 PM
  • On Mon, 18 Oct 2010 13:18:56 +0000, Haniet wrote:
     
    >
    >
    >As I changed my SPF record the problem of sending email to *.ac.ir had been solved
    >
    >but still I have problem sending email to the domain Nafisholding.com
     
    You'll have to take this up with their admin. My guess is that they
    have your domain in some connection/spam filter they manage locally.
     
    As you can see, it's the MAIL FROM command that's rejected. The
    conversation doesn't get far enough to know whether I'm trying to send
    to their domain (i.e. no relay) or some other domain (which would
    require a relay):
     
    220 mail.netsups.com
    ehlo mydomain.com
    250-mail.netsups.com Hello [66.XX.YY.ZZ]
    250-SIZE 31457280
    250-AUTH LOGIN CRAM-MD5
    250 OK
    mail from:<me@mydomain.com>
    250 OK <me@mydomain.com> Sender ok
    rset
    250 OK
    mail from:<test@itorbit.net>
    550 Authentication is required for relay
    quit
    221 Closing connection. Good bye.
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    Monday, October 18, 2010 1:31 PM
  • Dear Rich Matheisen

    really thanks for your answers

    This means that I have to contact with the administrator of every domain that I cannot send email to?!

    I think that problem is with my domain not them , because they can receive email from all other domain except us

    Tuesday, October 19, 2010 3:20 AM
  • On Tue, 19 Oct 2010 03:20:40 +0000, Haniet wrote:
     
    >
    >
    >Dear Rich Matheisen
    >
    >really thanks for your answers
    >
    >This means that I have to contact with the administrator of every domain that I cannot send email to?!
     
    If you want to discover why they won't accept e-mail from you, yes,
    you do.
     
    >I think that problem is with my domain not them , because they can receive email from all other domain except us
     
    It certainly is associated with your domain name. If I try using your
    domain to send e-mail to them I get the same rejection. If that's
    happening at lots of other companies then they may be using the same
    anti-spam software or service. If that's the case you only have to
    convince the people that manage the service to remove you from
    whatever list you domain is in. But until you discover ehat that is,
    you'll have to contact the other domains and ask them why they reject
    you domain.
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    • Proposed as answer by Alan.Gim Thursday, October 21, 2010 8:00 AM
    Tuesday, October 19, 2010 4:02 AM
  • I have checked the IP address of mail server in mxtoolbox.com and spamhaus

    Blocklist Lookup Results

    81.91.159.131 is not listed in the SBL

    81.91.159.131 is not listed in the PBL

    81.91.159.131 is not listed in the XBL

     

    and the domain which I cannot send email to it , says that they don't have specific spam checker

     

    Thursday, October 21, 2010 8:09 AM
  • On Thu, 21 Oct 2010 08:09:27 +0000, Haniet wrote:
     
    >
    >
    >I have checked the IP address of mail server in mxtoolbox.com and spamhaus
    >
    >Blocklist Lookup Results 81.91.159.131 is not listed in the SBL
    >
    >81.91.159.131 is not listed in the PBL
    >
    >81.91.159.131 is not listed in the XBL
    >
    >
    >
    >and the domain which I cannot send email to it , says that they don't have specific spam checker
     
    .. . . and yet they refuse to accept e-mail from your domain????
    Perhaps they simply have your domain in a local block list?
     
    Either way, they're refusing the MAIL FROM command. They should be
    able to tell you why they're doing that, or at least to put your
    domain in a local "white list" if they have no reason to refuse your
    mail.
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    Thursday, October 21, 2010 9:15 PM
  • they say that our domain is not in their local black list

    and really I don't know what the problem is!!!

    I'm working on my dns configuration

    Friday, October 22, 2010 1:34 PM
  • On Fri, 22 Oct 2010 13:34:51 +0000, Haniet wrote:
     
    >
    >
    >they say that our domain is not in their local black list
    >
    >and really I don't know what the problem is!!!
     
    Their SMTP protocol log (and yours) will provide the evidence to them
    that they need to work on their problem.
     
    There's nothing you can do, short of changing your domain, to get
    their system to accept your e-mail. This is especially true if they
    don't know how their own systmes work.
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    Friday, October 22, 2010 11:56 PM
  • Here is the result form mxtoolbox site checking my smtp IP address

    smtp:81.91.159.131    smtp   
    220 mail.itorbit.net Microsoft ESMTP MAIL Service ready at Sat, 23 Oct 2010 07:38:29 +0330


    Not an open relay.
     0 seconds - Good on Connection time
     6.864 seconds - Warning on Transaction time
     Reverse DNS FAILED! This is a problem.
     OK - Reverse DNS matches SMTP Banner

    Session Transcript :
    HELO please-read-policy.mxtoolbox.com
    250 mail.itorbit.net Hello [64.20.227.133] [312 ms]
    MAIL FROM: <supertool@mxtoolbox.com>
    250 2.1.0 Sender OK [312 ms]
    RCPT TO: <test@example.com>
    550 5.7.1 Unable to relay [5320 ms]
    QUIT
    221 2.0.0 Service closing transmission channel [312 ms]
    Saturday, October 23, 2010 4:18 AM
  • On Sat, 23 Oct 2010 04:18:46 +0000, Haniet wrote:
     
    >Here is the result form mxtoolbox site checking my smtp IP address smtp:81.91.159.131 smtp
     
    >Reverse DNS FAILED! This is a problem.
     
    So have your DNS folk (or your ISP if you don't manage your part of
    the network by yourself) add the missing PTR record.
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    Saturday, October 23, 2010 5:38 PM
  • How's the issue currently?
    James Luo
    TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
    If you have any feedback on our support, please contact tngfb@microsoft.com
    Wednesday, October 27, 2010 3:11 AM
  • Still I cannot send email to those special domains

    And also my dns hosting said that they are not allowed to create PTR Record for my record!!!

    I'm trying to change it

    Wednesday, October 27, 2010 4:13 AM