451 4.4.0 primary target IP address responded with "421.4.4.2 unable to connect."attempted failover to alternate host, but that
Question
All replies
-
Not yet
-
I am currently having the same issue as described here where we are able to send email to some external domains, but not others. Users sending to affected domains are receiving delay reports and eventually NDR reports when the message timeout expires. In the message queue status flips between active (but not doing anything) and retry with a error of “451 4.4.0 primary target IP address responded with "421.4.4.2 unable to connect."attempted failover to alternate host, but that did not succeed.Either there are no alternate hosts, or delivery failed to all alternate hosts”
Below is information on our environment as well as what I have tried so far. Called Microsoft this morning, details regarding that are also below.
Our Enviroment
3 Domain controllers, 2 of which are GCs. (10.2,10.9, 10.19) (GC 10.2, 10.9) All DCs are 2003 SP2 or 2003R2 SP2.
Active directory is 2003
Original Exchange Server (MAIL1) was decommissioned 2 weekends ago. This was running Exchange 2003 SP2 on Server 2003R2 (10.8)
MAIL2 was created on VMWare as a temporary holding area and all roles and mailboxes were moved before the original was taken down. This server is Server 2003R2 SP2 running Exchange 2003 SP2. (10.221)
The new mail server, the one I’m having the issues with is named MAIL1 and is sitting on 10.8, same as the original server. This is a newly built Server 2008 machine fully patched running Exchange 2007 SP1. Contains 2x quad core 2.0ghz with 4gb of memory and 2 73gb 15k rpm SAS drives.
Cisco PIX 515e between internal network and the internet, however no issues were experienced under Exchange 2003.
Our Issue
We are receiving delayed reports when sending to certain domains. After 2 days, the messages expire and users receive a NDR report. We are able to receive mail in from at least one of the affected domains, but I haven’t really been able to confirm this. (user said they have received 1 message in).
The affected domains are
Erie.gov
Univerahealthcare.org
Univerahealthcare.com
Ticketmaster.com
Twcny.rr.com
Rochester.rr.com
After verifying as many settings as I could, and researching any articles I could find on the internet and making sure my event logs were clean I called in Microsoft this morning. The Support Rep checked all the settings on both servers. Found one issue on the send connector|properties|network where she unchecked “use external dns lookup settings on the transport server”. Also I did not have revere lookup zones set up in DNS. Configured these, however they did not correct my issue. She ran the Best practice analyzer which did not come up with any related issues. Then ran the mail flow analyzer (both tools available in the Toolbox in the management console) to troubleshoot the messages. The analyzer reported that it could not connect to the destination server on port 25. She then tried to manually create a session.
First performed a NSLOOKUP on a “bad” domain. And got MX Records for the site
1.) NSLOOKUP
2.) Set q=mx
3.) --enter domain here—
4.) Quit
Next with the IP in hand for the SMTP server,
1.) Telnet (IP ADDRESS) 25
All that was returned was a black screen with a cursor. When you try to type anything in, nothing is displayed, as well as nothing is returned.
Below is an example of a working domain and what you SHOULD get back.
C:\Users\dwilde>nslookup
Default Server: dc1.REMOVED.local
Address: 192.168.10.2
> set q=mx
> microsoft.com
Server: dc1.REMOVED.local
Address: 192.168.10.2
Non-authoritative answer:
microsoft.com MX preference = 10, mail exchanger = mail.global.frontbridge.com
mail.global.frontbridge.com internet address = 213.199.154.22
>
C:\ telnet 213.199.154.22 25
220 mail56-dub.bigfish.com ESMTP Postfix EGGS and Butter
ehlo domain.com
250-mail56-dub.bigfish.com
250-PIPELINING
250-SIZE 150000000
250-ETRN
250-STARTTLS
250 8BITMIME
mail from
wilde@test.com250 Ok
rcpt to:test@microsoft.com
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
message
.
250 Ok: queued as AACA443005D
quit
221 Bye
Connection to host lost.
We then tried to make the connection from the 2003 virtual exchange server, it connected and displayed banners as it should. No problem. She then informed me that I needed to get in touch with the receivers IT Department and verify that my external IP I was sending mail through was not blocked. As I did not have any contacts over there, I moved the virtual 2003 exchange server to 10.8, where the exchange 2007 server was having issues. Attempted the connection again and it succeeded. Then switched IPs back. Now if a different server on the same IP is not having any issues, then the trouble (in theory) should be with the original server itself (the 2007 one), and not the firewall or on the receivers end. After playing with that for a while, she had me install Network Monitor v3.1 on the exchange 2007 server, waited til the messages stuck in the out queue went to retry, started the monitor, told them to retry and waited for it to time out. The 5.5mb log file was then emailed. And after 4 hours on the phone she needed to analyze the log and was going to call me back with one of their network engineers on the line.
An hour later I got a call back from the same rep with a network engineer on the line. He went through the network settings on my exchange server and domain controllers and also verified all DNS settings. Found that my mail server did not have a ptr record, so forced that to register. No change with the issue. Next after some debate as to why I was not able to get a network monitor on the receiving end of where the email was going, he settled for running a capture on the exchange server end. 3 captures were performed.
The first was on the Exchange 2007 server with one of the known “Bad” addresses. The connection failed.
The second was also on the exchange 2007 server with a known good address (Microsoft.com). The connection succeeded.
The third and final test was on an XP SP3 laptop to a known “Bad” address. The connection succeeded.
Log files were sent over to MS to be analyzed. They are calling me back 6/25 at 8:00am EST.
With everything we did today I’m thinking the issue has to be with Server 2008 or Exchange 2007 (ok, d’uh, but let me explain). It doesn’t seem to be a DNS issue, it doenst seem to be a Firewall issue, etc. I’m wondering if MS made some sort of modification like they love to do when they release new versions of software that just doesn’t happen to play nice with something else out there. (Like that time they released SP1 for Server 2003 that changed a bunch of stuff in TS that Citrix didn’t seem to really like)
If you attempt to do this process to a domain for which you have messages stuck in the queue that will not send, then you are having the same issue that I am. I would be more than happy to share what I know and my findings from Microsoft to anyone experiencing this issue. Feel free to email me at dwilde@lake-shore.org.
If anyone wants to post/email their domains they can’t send mail to I would be interested to see if we are all having the same problem with the same domains, or if it’s a per case type of thing.
Dave Wilde -MCSE, CCNA. CCA
-
Seeing as how a solution was never proposed, and I JUST had this EXACT issue not even 2 hours ago, I'll tell you what we found that fixed it.
Just last night, we installed McAffee AntiVirus on this Exchange server. Don't ask, it was the customer's insistance they used software they had already purchased! ;) Anyway, once it was installed, mail flowed for a while, but then they started getting the error the Original Poster referred to.
McAfee has a feature which watches for Mass Mailing worms, exactly the same as what TimKoenig suggests. Once it decides too much mail has been flowing, it locks down Port 25, not allowing any more outbound email.
Find this option in your McAfee settings:
Make sure the "BLOCK" option is UNCHECKED then click apply. Once you do that, you can go back in to the Queue Viewer, right click on any messages you choose, and "RETRY" - they should send instantly. Repeat until your queue is empty and all mail has been sent.
Don't forget, if you find the help you need, click the "Propose as Answer" link at the bottom of the post containing the solution!
NuAngel.net- Proposed as answer by Garrett NuAngel.net Culver Thursday, October 25, 2012 7:04 PM
