Answered: 451 4.4.0 Errors

  • Thursday, April 30, 2009 15:08 Josh Erquiaga
     
    I think Transport is the right place for this question. I've recently set up an Exchange 2007 server which we will be migrating to from Exchange 2003. The Exchange 2007 is one server, and has the Mailbox, Client Access, and Hub Transport roles installed. Everything seems to be working fine for outbound mail to 95% of all domains. For the other 5% I get 451 4.4.0 Errors, saying either "Primary target IP address responded with 421 4.2.1 Unable to connect," or "DNS query failed." I've tried everything I could find with various Google and Live searches, to no avail. Things I've tried:

    1. Changing DNS servers from internal ones to external. No help.
    2. Manually doing an nslookup and telnet connection to the smtp servers listed in the MX record for the affected domains. This has been successful in all cases.
    3. Setting -IgnoreStartTLS to true on the send connector. This did not help.

    Any other advice on why this might be occurring?
    Regards, Josh Erquiaga

All replies

  • Thursday, April 30, 2009 18:03 Josh Erquiaga
     
    One additional note. I added the IP and host name of the affected domains to the hosts file, and the mail went through. I'm running Exchange 2007 SP1 on Windows Server 2008, and have disabled IPv6, per a number of Technet articles. Is there something else I am missing that would cause these to not work? Adding domains to the hosts file on the mail server doesn't seem to be the best solution out there.

    Regards, Josh Erquiaga
  • Monday, May 04, 2009 2:16 James-LuoMSFT, Moderator
     

    Issue description: Outbound mails to certain domains getting blocked

    Last error: “Primary target IP address responded with 421 4.2.1 Unable to connect”; “DNS query failed”

    1. How many NICs does the Exchange server have?

    2. You can enable protocol logging on the send connector and Connectivity Logging on the Exchange server and then reproduce the issue, which can give us more error info to isolate the root cause

  • Monday, May 04, 2009 18:57 Josh Erquiaga
     
    The server only has one NIC. I enabled protocol logging, and found that a couple of the other servers that were dropping connections were actively refusing connections. I'm guessing that we must be on some blacklist that I can't find. I'm going to try contacting the admin at one of the problem domains and see if they can shed any light for me on what spam services they may be using.

    One of the other domains dropping connections is online.microsoft.com. Anyone know what blacklists Microsoft uses? Maybe we got on that one somehow.

    I haven't seen another DNS error, but if I do I'll check the protocol logs and see if that helps.

    Regards, Josh Erquiaga
  • Tuesday, May 05, 2009 1:39 James-LuoMSFT, Moderator
     

    Yes, please do that. Meanwhile, can you post the error info (with context) from the log file, to see if we can find more clues about it?

  • Tuesday, May 05, 2009 18:16 Josh Erquiaga
     
    Here is the error information from the protocol log when attempting to send to online.microsoft.com:

    2009-05-05T18:13:15.031Z,Default,08CB97D581460B5F,0,,207.46.197.32:25,*,,attempting to connect
    2009-05-05T18:13:17.452Z,Default,08CB97D581460B5F,1,,207.46.197.32:25,*,,"Failed to connect. Error Code: 10061, Error Message: No connection could be made because the target machine actively refused it 207.46.197.32:25"
    2009-05-05T18:13:17.452Z,Default,08CB97D581460B5F,0,,207.46.232.182:25,*,,attempting to connect
    2009-05-05T18:13:38.453Z,Default,08CB97D581460B5F,1,,207.46.232.182:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 207.46.232.182:25"


    I tried to get information on the DNS query error (took the problem domain out of the hosts file and tried sending it) and I got the error again (451 4.4.0 DNS query failed) in the Queue Viewer but didn't see anything in the protocol logs. Is there somewhere else I should be looking for info on that error?
    Regards, Josh Erquiaga
  • Wednesday, May 06, 2009 3:38 James-LuoMSFT, Moderator
     

    Please describe the Exchange topology: is there only one Exchange 2007 server, as you said in the first post? And is the Exchange 2007 server the one that faces the Internet?

    Can you send me the network trace from the Exchange server?

    a. Please start Network Monitor on the Exchange server to capture the network trace

    b. Send a test mail and reproduce the issue

    c. Stop Network Monitor, and save the trace

    d. Add the affected domain’s info to the host file

    e. Start Network Monitor and send the second test mail

    f. Stop Network Monitor, and save the trace

    Notes: Please define the names for all relevant items in the trace package, such as machine name, IP address, etc.

    Resources:

    How to capture network traffic with Network Monitor

     

  • Thursday, May 07, 2009 16:27 Josh Erquiaga
     
    Complete Exchange topology consists of two servers currently, our legacy Exchange 2003 Server which still holds most of our mailboxes, and an Exchange 2007 server with the Mailbox, CAS, and Hub Transport roles. The Exchange 2007 server is Internet facing.

    The network traces are on the way.
    Regards, Josh Erquiaga
  • Friday, May 08, 2009 2:40 James-LuoMSFT, Moderator
     Answered

    Yes, after reviewing the trace, I also found the info below:

    =========

    Standard query MX ExternalDomain

    Standard query response MX ...

    Standard query AAAA ExternalDomain

    Standard query response, Server failure

    Standard query AAAA ExternalDomain

    Standard query AAAA ExternalDomain

    Standard query response, Server failure

    =========

    After spending more time on the issue, I found that the issue is still caused by IPv6. IPv6 cannot be completely disabled in Windows 2008 even by adding the registry

    Here’s a similar case as yours

    Explanation: The registry entry will only disable IPv6 but does not uninstall it completely from the Windows 2008 server; Exchange will still query for the remote domain’s AAAA record (QuadA – IPv6) for delivery. And if the Exchange server asks for the AAAA record of a remote domain that doesn’t have one, the same symptom will occur, and it won’t continue to look for the remote domain’s A record for delivery

    Current workarounds:

    · Add the target IP in the host file (just like you did)

    · Set up send connectors that specify the correct remote server IP address (A record) on them

    · If lots of target domains (without AAAA records) encounter the error, I suggest setting up a non-Windows 2008 IIS SMTP server and forwarding all outgoing messages to that smart host for external delivery

    Notes: If the ISP (hosting the remote domain’s MX records) can publish AAAA records for the remote domain’s MX record FQDN, then this issue won’t be seen even as Exchange 2007 gets a successful response for its queries
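
The pattern in the trace above (MX answered, then AAAA returning Server failure) can be checked for any MX host by comparing the response codes of its A and AAAA lookups. This is an added example, not part of the original thread; the function names and the sample response headers are constructed for illustration. A name with no IPv6 address should come back as an empty NOERROR answer, not SERVFAIL.

```python
import socket
import struct
import sys

QTYPE = {"A": 1, "MX": 15, "AAAA": 28}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qtype, txid=0x1234):
    """Encode a one-question DNS query (class IN, recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)

def classify(response):
    """Return (rcode name, answer count) from a raw DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    return RCODE.get(rcode, "RCODE%d" % rcode), ancount

def diagnose(a_resp, aaaa_resp):
    """Compare the A and AAAA responses for one MX host name."""
    a_rc, a_n = classify(a_resp)
    q_rc, q_n = classify(aaaa_resp)
    if a_rc == "NOERROR" and a_n > 0 and q_rc == "SERVFAIL":
        return "AAAA_SERVFAIL"   # pattern seen in the trace: A works, AAAA errors
    if a_rc == "NOERROR" and a_n > 0 and q_rc == "NOERROR":
        return "OK"              # AAAA present, or empty NOERROR (NODATA)
    return "OTHER:A=%s AAAA=%s" % (a_rc, q_rc)

def ask(server, name, qtype, timeout=3.0):
    """Send one query over UDP to a resolver and return the raw response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return s.recvfrom(4096)[0]

def sample(flags, ancount):
    """Constructed 12-byte response header (not captured traffic)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

if __name__ == "__main__":   # usage: script.py <resolver-ip> <mx-host-name>
    if len(sys.argv) == 3:
        srv, host = sys.argv[1:]
        print(host, diagnose(ask(srv, host, "A"), ask(srv, host, "AAAA")))
    else:
        print(diagnose(sample(0x8180, 1), sample(0x8182, 0)))
```

Run it against the resolver the mail server itself uses, once per host name listed in the affected domain's MX records.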

  • Friday, May 08, 2009 3:20 Josh Erquiaga
     
    So, two questions come to mind. The first (and I would guess most obvious) is when will this issue be fixed. I can't imagine that I'm the only one with this issue, and I would bet that there are a lot of other people killing themselves because this isn't working right. That issue aside...

    If I were to set up an Edge Transport server (which means additional hardware for my topology, but maybe is not the end of the world) that was running Server 2003, I wouldn't have this issue anymore, correct? That seems like a better solution than trying to keep the hosts file on our Exchange server constantly updated.
    Regards, Josh Erquiaga
  • Friday, May 08, 2009 4:38 James-LuoMSFT, Moderator
     

    The issue has been reported, and I’ll post here if there’s any new update

    Yes, Edge on Windows 2003 will work since the issue is about IPv6

  • Tuesday, May 26, 2009 7:50 Carsten Beims
     

    Hi James,

    is there any news regarding this topic, as I'm struggling with the same?

    Regards,

    Carsten

     

     

  • Thursday, July 09, 2009 7:13 Oren Ben Shalom
     
    Hi All,

    I am having the same problem with my SMTP - I cannot send emails to this domain/s. I have done some checking and I saw that Josh is having the same problem as mine!
    I would like to know what his status is. Is it solved? If so, how?

    Thanks in advance!
  • Thursday, July 09, 2009 16:38 Josh Erquiaga
     

    Oren,

    No, the issue (as far as I know) has not been resolved, and to be honest I can't for the life of me figure out why not. Microsoft's two flagship products when used together in a 64-bit environment (as required by Microsoft) have a critical failure, and nothing has been done about it. I'm extremely disappointed.

    Hopefully it will be fixed sometime soon, but I wouldn't count on it I suppose.

    --
    Josh


    Regards, Josh Erquiaga
  • Friday, July 17, 2009 14:12 Carsten Beims
     
    Hi All,

    I've opened a ticket at MS and it turned out that this is an already known issue:

    "... This problem has been fixed for Exchange 2010 and now Exchange Team will try to fix it as soon as possible for Exchange 2007.

    They think the build target for this hotfix will be E2K7 SP1 RU10 but they need to change the source code and test these changes in order to have the possibility to have an interim hotfix. After this process we can go for the interim hotfix if you can't wait for RU10 to be released. "


    Regards,

    Carsten

  • Tuesday, July 21, 2009 17:35 Jon R. Rauschenberger
     
    I have a related question on this issue - we are on the OTHER end of what appears to be this issue. One of our customers is not able to send mail to our domain, with the exact same behavior as listed above.

    Does anyone know what it is about the domains that Exchange Servers running on machines with IPV6 enabled that prevent mail delivery?  There has to be some attribute of the DNS entries for the domains it's not able to send mail to given that mail is properly delivered to other domains.

    I'm trying to work with them to get IPV6 disabled on their server to see if that resolves the problem, but if I can make a change in our DNS configuration that will resolve it I'm happy to do so.

    jon
  • Tuesday, November 03, 2009 14:10 DanielakaSanta
     
    Hi.

    I noticed this has been marked as answered already, but I was having the same issue.
    I had no problems for weeks, then we added another mailscreen/antispam and I tightened security a little, and boom, same issue as described by far too many...

    I can also mention, IPV6 is ENABLED (I had issues both installing without and after, so I let it be..)

    I didn't google much (solved it within 2-3 hours) so missed the host file fixes etc.
    But I went with it being DNS errors (since Exchange was complaining, 451 4.4.0 DNS query failed)
    From the server all mx-records etc looked totally screwed. (Outside, no problem)
    Also not using any smarthost.

    All I did to fix it was create a reverse lookup zone and specify the server.
    And no more problems :P

    Edit: read up a little, and my problem was like Jon R's, I had no trouble receiving mail, only sending mail (to any domain whatsoever)

    Maybe this helps someone :P

    /D.
  • Tuesday, November 17, 2009 22:30 VarsityEngineer
     
    I had this same issue today and it was all addresses to MSN.com and Live.com. After a lot of troubleshooting I found that our DNS servers were unable to query the mx records for these and only these domains. Doing an nslookup -type=mx msn.com would totally fail. So I thought it might be an upstream DNS issue. Our servers were not configured with DNS forwarders so I added a couple of public ones I often use to test which are easy to remember, 4.2.2.1 and 4.2.2.2, and lo and behold I could now resolve MSN.com mx records and mail started flowing. I hope this helps someone in some way. Cheers.