You do not have permission to send to this recipient: #4.7.1 smtp;451 4.7.1 Please try again later

  • Question

  • Exchange 2003 SP2, SBS 2003 R2

    Apologies if this has been asked before, but I'm getting complaints about the following NDR:

    Your message did not reach some or all of the intended recipients.

    Subject:     FW: Sites
    Sent:     11/03/2011 15:40

    The following recipient(s) could not be reached:

     email_address@domain.com on 11/03/2011 15:40
     You do not have permission to send to this recipient. For assistance, contact your system administrator.
     <mydomain.com #4.7.1 smtp;451 4.7.1 Please try again later>


    Could anybody tell me whether this is my Exchange server or the recipient's server that is causing this error?

    Googling the issue seems to suggest that it's a combination of both: i.e. the recipient server has some kind of greylisting in place that returns the email to us. Then our Exchange server is supposed to retry sending it, but is not...
    Can anyone shed any light please?

    Many thanks.
    • Edited by James Hurrell Friday, March 11, 2011 4:43 PM Edited for rubbish formatting
    Friday, March 11, 2011 4:41 PM

All replies

  • It could be either yours or theirs. You will have to take a look at your SMTP logs to see if their mail server reported the error. Or what you can do is telnet directly to their server and try to send this recipient email. If there is a policy that prevents it, their mail server will tell you right away.

    telnet theirmailserver.com 25
    helo yourdomain.com
    mail from:originalsender@yourdomain.com
    rcpt to:user@theirdomain.com (Their server will kick back a notice at this stage if it's an issue with their server)
    data
    subject:test

    .
    quit

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    • Marked as answer by James Hurrell Sunday, March 13, 2011 8:16 PM
    Friday, March 11, 2011 7:14 PM
  • Hi James,

    Thanks for the tips.

    First of all I checked the MX records for the "problem" domain - there are two. I then enabled SMTP logging on the SMTP Virtual Server (it wasn't enabled) and emailed the problem address.

    This is what the log says:

    20:16:20 217.72.168... - - 0
    20:16:20 217.72.168... EHLO - 0
    20:16:20 217.72.168... - - 0
    20:16:20 217.72.168... MAIL - 0
    20:16:22 217.72.168... - - 0
    20:16:22 217.72.168... RCPT - 0
    20:16:22 217.72.168... - - 0
    20:16:22 217.72.168... RSET - 0
    20:16:22 217.72.168... - - 0
    20:16:22 212.95.234... - - 0
    20:16:22 212.95.234... EHLO - 0
    20:16:22 212.95.234... - - 0
    20:16:22 212.95.234... MAIL - 0
    20:16:25 212.95.234... - - 0
    20:16:25 212.95.234... RCPT - 0
    20:16:29 212.95.234... - - 0
    20:16:29 212.95.234... DATA - 0
    20:16:29 212.95.234... - - 0
    20:16:39 212.95.234... - - 0
    20:16:39 212.95.234... QUIT - 0
    20:16:39 212.95.234... - - 0

    I received the same NDR back.

    The IP addresses in the log correspond to the two MX records for the problem domain in question - Am I right in thinking that the first server rejected the mail (shown by the RSET status), so my Exchange server moved on to the next MX record and successfully delivered the email?

    I then enabled all the options for the log and re-emailed the same address. This time, the first server in the list (that sent the RSET command the first time around), responded with 250s and accepted the mail. There was no attempt to contact the second server. No NDR either...

    I've come to the conclusion that the problem server had some sort of policy in place, but that now mail seems to be being accepted...

    Edit- if that is correct, then it begs the question why my Exchange returned an NDR if it actually sent it via the second server?

    Friday, March 11, 2011 8:45 PM
  • Your analysis seems right, the attempt went to the bad server and got the NDR, the second attempt probably went to the good server. Never assume the issue is your end. A lot of times other orgs are having issues, or they've tinkered with their system.

    You can do a telnet test to each individual MX IP and see if one of them is having an issue. One of their mail servers could be running into some LDAP validation with their users.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    • Marked as answer by James Hurrell Sunday, March 13, 2011 8:16 PM
    Friday, March 11, 2011 9:10 PM
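
Added example, not part of any post in this thread: a Python version of the per-MX check suggested above, together with a parser for the NDR diagnostic line quoted in the question. The function names, the regex for the NDR line shape and the host names passed in are assumptions; the probe stops after RCPT TO, so no message is sent.

```python
import re
import smtplib

def classify(code):
    """Map an SMTP reply code to its class: 2xx accepted, 4xx transient, 5xx permanent."""
    if 200 <= code < 300:
        return "accepted"
    if 400 <= code < 500:
        return "transient"  # temporary refusal, e.g. greylisting; a retry may succeed
    if 500 <= code < 600:
        return "permanent"
    return "unknown"

# Shape assumed from the single NDR line quoted in the question:
#   <host #x.y.z smtp;NNN text>
NDR_RE = re.compile(
    r"<(?P<host>\S+)\s+#(?P<status>\d\.\d+\.\d+)\s+smtp;\s*(?P<code>\d{3})\s+(?P<text>[^>]*)>")

def parse_ndr_diagnostic(line):
    """Extract the status and SMTP reply from an NDR diagnostic line, or None."""
    m = NDR_RE.search(line)
    if m is None:
        return None
    code = int(m.group("code"))
    return {"host": m.group("host"), "status": m.group("status"), "code": code,
            "class": classify(code), "text": m.group("text").strip()}

def probe_rcpt(mx_host, sender, recipient, helo_name, port=25, timeout=15):
    """EHLO / MAIL FROM / RCPT TO against one MX host; no DATA, so no mail is sent."""
    with smtplib.SMTP(mx_host, port, local_hostname=helo_name, timeout=timeout) as smtp:
        smtp.ehlo()
        stage = "MAIL FROM"
        code, text = smtp.mail(sender)
        if classify(code) == "accepted":
            stage = "RCPT TO"
            code, text = smtp.rcpt(recipient)
    return {"mx": mx_host, "stage": stage, "code": code, "class": classify(code),
            "text": text.decode("ascii", "replace")}

def probe_all(mx_hosts, sender, recipient, helo_name):
    """Probe every MX separately so one misbehaving server stands out."""
    results = []
    for host in mx_hosts:
        try:
            results.append(probe_rcpt(host, sender, recipient, helo_name))
        except (OSError, smtplib.SMTPException) as exc:
            results.append({"mx": host, "stage": "connect", "code": None,
                            "class": "unreachable", "text": str(exc)})
    return results
```

Call `probe_all` with the IP addresses of the recipient domain's MX records and compare the `class` field per host.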
  • Thanks for the confirmation.

    Any idea why the NDR was seemingly sent before my Exchange server moved on to the next server and apparently delivered the mail successfully? Surely my Exchange server should attempt to deliver to the second server before it sends out an NDR?

    Confused!?

    Friday, March 11, 2011 9:28 PM
  • It won't retry the next server if the server does respond, which in this case it does. The bad server responds but tells your server that you don't have rights to send, so it won't try the next server.

    What you can do in the meantime until they fix the issue is create a connector for this domain's address space and route it to the working IP. I've done this temporarily in the past when other orgs have had issues.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    • Marked as answer by James Hurrell Sunday, March 13, 2011 8:16 PM
    Saturday, March 12, 2011 12:40 AM
  • Many thanks James, that has cleared everything up for me. Much obliged indeed for your help!

    Sunday, March 13, 2011 8:15 PM