451 4.4.0 Primary target IP address responded with: "421 4.2.1 Unable to connect."

    Question

  • cont'd: Attempted failover to alternate host, but that did not succeed.  Either there are no alternate hosts, or delivery failed to all alternate hosts.

    Hi all

    Began receiving a few of these messages today on my Exchange 2010 box.

    Have been troubleshooting a bit now and I think I have all the pieces to find the problem, just not 100% sure on the fix.

    I ran the Exchange Mail Flow Troubleshooter and here are the error results:


    "Pointer record does not match SMTP Instance Server: EXCHANGESERVER

    #1 The Pointer (PTR) record webmail.DOMAIN.ca;webmail.DOMAIN.local;EXCHANGESERVER.connex.local does not match any fully-qualified domain name of the SMTP instances on server EXCHANGESERVER. This may cause routing problems when remote servers have a filter to map an IP address to a server name.

    #2 Port 25 did not respond  Name: mail.jbgh.org AND mercury.senecac.ca

    So I attempted to telnet...same result for both remote domains

    Connecting To mail.jbgh.org...Could not open connection to the host, on port 25:  Connect failed

    #3 Mail acceptance failure   Name: mail.jbgh.org, mercury.secencac.ca, and mx.fakemx.net

    Remote server mx.fakemx.net failed the mail acceptance test when trying to open the remote socket: Respond = Remote socket is not available.


    So if I am correct, seems that these places are being picky about my rDNS record.  Ok cool.  So I go into my EMC on Exchange 2010 and look at my SMTP Send connector and yup, no FQDN.

    In there I put mail.DOMAIN.ca, applied the change and then retried the messages - still no avail.

    I thought listing the FQDN would solve the issue.  Now, I do have an Exchange 2003 server as well because we are midway through migration.  If I check the Default SMTP Virtual Server on this guy it lists OLDEXCHANGE.DOMAIN.local, not a mail.DOMAIN.ca.

    Do I need to list the equivalent of this on my Exchange 2010 server?  And use EXCHANGE.DOMAIN.local instead of mail.DOMAIN.ca?  I figured, being as it was the SMTP Send, not Receive, that they'd need the public address.

    Maybe I am impatient and these things take time to take effect but I've tried both and neither resolves the issue.

    Confused!  Help!  And thanks in advance.



    Monday, April 11, 2011 7:59 PM

Answers

  • Hello,

    The possible causes for the “451 4.4.0 Primary target IP address responded with: "421 4.2.1 Unable to connect."” are:

    1. Your hub transport server or edge server is unable to resolve the external domain names. It can be caused by incorrect DNS server settings.

    2. Your firewall or ISP blocks outbound traffic on port 25.

    3. The IP address of your hub transport server or edge server is blocked by the target domain, or there are other issues on the target domain.


    Thanks,

    Simon

    Thursday, April 14, 2011 3:01 AM
    Moderator
  • I had a similar problem and it was resolved by a small change to the DNS parameters in the registry. There's a Microsoft KB article to follow.

    'Windows Server 2008 and Windows Server 2008 R2 DNS Servers may fail to resolve queries for some top-level domains'

    Fix was...

    1.    Start Registry Editor (regedit.exe).
    2.    Locate the following registry key:
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    3.    On the Edit menu, click New, click DWORD (32-bit) Value, and then add the following value:
          Value: MaxCacheTTL
          Data Type: DWORD
          Data value: 0x2A300 (172800 seconds in decimal, or 2 days)
    4.    Click OK.
    5.    Quit Registry Editor.
    6.    Restart the DNS Server service.

    http://support.microsoft.com/kb/968372

    Thursday, June 28, 2012 12:16 PM

All replies

  • If they are being picky about the Reverse DNS / PTR then you need to ensure that is set correctly with your ISP. They set that on the IP address for you.

    The FQDN on the Receive Connector doesn't matter, that is inbound email only. It is only the FQDN on the send connector that is an issue. Ideally the FQDN on the send connector should match the PTR your ISP has set on your external IP address.

    Ignore the fakemx.net MX record. That is working on their theory of spam being sent to lower value MX records. http://fakemx.net/ 
    As that doesn't work, it would tend to indicate that they are using other dubious methods to try and deal with spam, which might be why that domain isn't accepting your email.

    Simon .


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.
    Monday, April 11, 2011 11:09 PM
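The two checks behind this reply (the send connector FQDN should match the PTR the ISP set on the external IP, and the PTR should point back to that IP) and cause 2 from the accepted answer (outbound port 25 blocked) can be scripted from outside Exchange. The following Python is an added example, not code from this thread or from Microsoft; DNS lookups are passed in as functions so it can run against constructed data, and the 203.0.113.10 / example.ca values are constructed placeholders.

```python
import socket
from typing import Callable, Dict, List

def check_sender_identity(external_ip: str, connector_fqdn: str,
                          ptr_lookup: Callable[[str], List[str]],
                          a_lookup: Callable[[str], List[str]]) -> Dict[str, object]:
    """Emulate what a strict receiving MTA checks on the connecting host.
    external_ip    - public IP the Hub/Edge server sends from
    connector_fqdn - FQDN configured on the Exchange Send Connector (EHLO name)
    ptr_lookup     - IP -> PTR names (several, as in the OP's troubleshooter output)
    a_lookup       - name -> IPv4 addresses
    """
    names = [n.rstrip(".").lower() for n in ptr_lookup(external_ip)]
    want = connector_fqdn.rstrip(".").lower()
    # Forward-confirmed rDNS: the PTR name must resolve back to the sending IP.
    confirmed = [n for n in names if external_ip in a_lookup(n)]
    return {
        "ptr_names": names,
        "forward_confirmed": confirmed,
        "connector_in_ptr": want in names,
        # Internal suffixes leaking into a public PTR (the OP's .local names).
        "private_suffix": [n for n in names if n.endswith((".local", ".lan", ".internal"))],
        # ok only if a PTR both matches the connector FQDN and forward-confirms.
        "ok": want in confirmed,
    }

def system_ptr(ip: str) -> List[str]:
    """Live PTR lookup through the OS resolver; returns every name it gives."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []

def system_a(name: str) -> List[str]:
    """Live A lookup through the OS resolver."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def smtp_port_reachable(host: str, port: int = 25, timeout: float = 5.0) -> bool:
    """Cause 2 in the answer (outbound TCP/25 blocked) shows up here as a refused
    or timed-out connect, the same result as the OP's failed telnet."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `check_sender_identity(ip, fqdn, system_ptr, system_a)` from the Hub Transport server with its real external IP and the FQDN from Get-SendConnector; a PTR that is missing, does not forward-confirm, or carries a .local name is what the receiving sites in this thread are rejecting.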
  • Thanks for your response Sembee.

    Just out of curiosity I did a telnet to my Exchange server (probably shoulda done this a while ago) and after my helo I was met with "emailFilter.DOMAIN.ca"

    Making sure I follow this all properly, this is the address that I should make sure my ISP has listed in rDNS, correct?

    And even if I put this address into my SMTP Send Connector FQDN on Exchange, this won't matter until the ISP matches but is still important?

    Thank you again!

    Tuesday, April 12, 2011 12:49 PM
  • Until the PTR is set by the ISP, what you put on the connector is completely irrelevant.
    That is something you can control - so can a spammer on their product. PTR is being used by most sites as an antispam measure, so you have to get everything correct.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.
    Wednesday, April 13, 2011 12:56 AM