0

Cannot send email to some email addresses that look like they are using Office 365. The NDR message is coming from DnsConnectorDelivery, which is:

[{LRT=11/6/2020 12:11:09 PM};{LED=451 4.4.0 Primary target IP address responded with: ""421 service not available (connection to blacklisted host (104.47.4.36 - DNSBL))."" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 104.47.6.36:25};{FQDN=xxx-com.mail.protection.outlook.com};{IP=104.47.6.36}]

Neither our domain nor IP address is listed anywhere.

3 Answers

2

The problem we were facing was related to Microsoft Office 365's announcement of disabling support for TLS versions older than 1.2, and it has no relation to blacklists or spam. The fix is to disable TLS 1.0 and TLS 1.1 and keep only TLS 1.2.

ENABLING TLS 1.2 ON EXCHANGE SERVER 2013 & 2016 – PART 1

0

It doesn't seem like your server is blacklisted by the DNSBL, but some Microsoft servers from 104.40.0.0/13. Also, SMTP errors beginning with 4 (451, 421) are temporary in nature (4yz Transient Negative Completion replies, RFC 5321, section 4.2.1). Typically the SMTP client being on a DNSBL is considered a permanent error (5yz Permanent Negative Completion reply).

Esa Jokinen
  • Yes, but this situation has lasted over 25 days with no luck sending to Microsoft Outlook clients! I do not find any problem with our Exchange server on our side, as it is not blacklisted, and SPF, DKIM, and DMARC are correct. I can send everywhere but have no luck with Microsoft. Any guidance on what we can do to cover this situation? – Tarek Salah Nov 06 '20 at 17:25
  • Does the bounce contain original message headers? That would probably reveal the server that is configured not to deliver mail to servers listed in DNSBL. It's highly unorthodox to configure DNSBL for outbound mail... – Esa Jokinen Nov 06 '20 at 17:27
  • I can contact the receiver of this email by phone. Do you mean that he can configure DNSBL from his side to whitelist us? And how? – Tarek Salah Nov 06 '20 at 17:33
  • 1
    This error is not about blacklisting the sender, but some server is actually blacklisting the next-hop receiving server for an unknown reason. You should be able to delimit the problematic server using the headers you have in the original message headers attached to the bounce you get. – Esa Jokinen Nov 06 '20 at 17:48
  • FYI, this server has been running for several years. No changes have been made to it. – Tarek Salah Nov 06 '20 at 19:39
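
An added example, not part of any answer or comment above: a small Python parser that separates the two SMTP replies inside the LED string from the question, classifies the remote reply per RFC 5321 section 4.2.1, and reports whose address the DNSBL complaint names. The function name `analyze_led` and the sender address 203.0.113.10 are assumptions made for illustration; the 104.40.0.0/13 range is the one quoted in the answer above.

```python
import ipaddress
import re

# LED field of the NDR, copied from the question above.
LED = (
    '451 4.4.0 Primary target IP address responded with: ""421 service not '
    'available (connection to blacklisted host (104.47.4.36 - DNSBL))."" '
    'Attempted failover to alternate host, but that did not succeed. Either '
    'there are no alternate hosts, or delivery failed to all alternate hosts. '
    'The last endpoint attempted was 104.47.6.36:25'
)

# RFC 5321 section 4.2.1: the first digit of a reply code gives its class.
REPLY_CLASS = {"2": "positive completion", "3": "positive intermediate",
               "4": "transient negative", "5": "permanent negative"}
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def analyze_led(led, sender_ips, remote_net="104.40.0.0/13"):
    """Separate the local and remote SMTP replies in an LED string and
    report whose address the DNSBL complaint actually names."""
    local = re.match(r"(\d{3}) (\d\.\d{1,3}\.\d{1,3}) ", led)
    remote = re.search(r'responded with: "+(\d{3}) ', led)
    listed = re.search(rf"blacklisted host \(({IPV4})", led)
    endpoint = re.search(rf"last endpoint attempted was ({IPV4}):(\d+)", led)
    if not (local and remote):
        raise ValueError("LED string does not contain both SMTP replies")
    listed_ip = ipaddress.ip_address(listed.group(1)) if listed else None
    return {
        "local_code": local.group(1),          # generated by our own server
        "enhanced_status": local.group(2),
        "remote_code": remote.group(1),        # what the next hop answered
        "remote_class": REPLY_CLASS.get(remote.group(1)[0], "unknown"),
        "listed_ip": str(listed_ip) if listed_ip else None,
        # True only if the listed address is one of our own sending IPs.
        "listed_is_sender": listed_ip is not None
        and listed_ip in {ipaddress.ip_address(ip) for ip in sender_ips},
        # True if the listed address falls in the receiving side's range.
        "listed_in_remote_net": listed_ip is not None
        and listed_ip in ipaddress.ip_network(remote_net),
        "last_endpoint": endpoint.group(1) if endpoint else None,
    }


if __name__ == "__main__":
    # 203.0.113.10 is a constructed sender IP (documentation range).
    for key, value in analyze_led(LED, ["203.0.113.10"]).items():
        print(f"{key}: {value}")
```

For the NDR in the question, the listed address is not the sender's and the remote reply is in the transient class, so checking the sender's own IP against public DNSBLs does not address this message.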
0

You could visit MX tool website to see if your domain/IP has been listed in the black lists: https://mxtoolbox.com/blacklists.aspx

Based on the error in the NDR message, it seems that your IP address has been added to the blacklist, but you'd better contact the receiver to confirm whether their email server added your domain/IP to their blacklist. Besides, add your domain/IP to their allow list and see if there is any difference. If the receiver is from Microsoft, maybe the following documentation is helpful to you:

Ivan_Wang
  • But I mentioned that I'm not blacklisted anywhere. I checked tens of DNSBL websites and our IP is not listed anywhere! – Tarek Salah Nov 15 '20 at 09:44
  • Please try to do a message trace (https://docs.microsoft.com/en-us/exchange/search-message-tracking-logs-exchange-2013-help) to see if there is any event (e.g. FAIL) and source (some transport components, e.g. MAILBOXRULE) affecting the message delivery of the problematic mailboxes. – Ivan_Wang Nov 19 '20 at 10:08