
Last week, I set up a new domain and Exchange Server 2007 SP1. I created new accounts and mailboxes for my 30 users and imported all mail from their old domain to this new server. It's a Hub Transport on a Windows 2003 Server R2 SP2. I don't have an Edge Transport Server. I set up the server as servername.mydomain.local and then added mydomain.com as the default accepted domain.

Internal email and most external mail is flowing just fine.


However, my users are getting "Delivery Delayed" messages when sending to a couple external addresses. In the Exchange Management Console "Queue Viewer", 2 recipient domains are rejecting email with similar notices:

451-4.4.0 Primary target IP address responded with: "554-p3pismtp01-027.prod.phx3.secureserver.net##451 4.4.0.554 Your access to this mail system has been rejected due to spam or virus content. If you believe that this failure is in error, please submit an u...

I believe they accepted mail in the past from the old Exchange server.

This morning, I added an SPF record with our domain registrar for the new server (there was none before for the old server). It doesn't seem to have helped.

I think the rejections might be related to a needed certificate on my server? I am getting an error 12014 in my Event Log.

Event Type: Error
Event Source:   MSExchangeTransport
Event Category: TransportService 
Event ID:   12014
Date:       10/28/2010
Time:       12:27:05 PM
User:       N/A
Computer:   SERVERNAME
Description:
Microsoft Exchange couldn't find a certificate that contains the domain name mail.mydomain.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector SMTP Send Connector with a FQDN parameter of mail.mydomain.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Is this the same as the self-signed SSL Certificate? In the Exchange Shell, Get-ExchangeCertificate yields a thumbprint with Services listed as IP.WS and the Subject as CN=servername. I am thinking that I need to create a certificate for one or more of the following?
1. mail.mydomain.com (the FQDN used in my MX record)
2. servername.mydomain.com
3. servername.mydomain.local
and then use the Enable-ExchangeCertificate cmdlet as directed in the Event log error?

I need help figuring out which certificate to create and how to do that if it's not the same as the SSL certificate...

Also, I'm not sure if this might be related: I set my SMTP send connector to specify mail.mydomain.com as the FQDN response to HELO or EHLO. However, per the system Help recommendation, I left my Receive Connectors (Client and Default) as servername.mydomain.local (regarding HELO response).

Any help and guidance would be greatly appreciated! Thanks! -Dan

HighTechGeek

3 Answers


It's got nothing to do with the certificate. The clue is in the notification:

Your access to this mail system has been rejected due to spam or virus content

So you need to find out exactly what's triggering their Spam filter. You could try to contact the postmaster at the recipient domain.

joeqwerty
  • Agreed. Also, do you have a proper RDNS record set up with your ISP? – CarloBaldini Oct 28 '10 at 20:02
  • I understand that their spam filters are being triggered, but I suspect it has something to do with failing to authenticate my server. – HighTechGeek Oct 28 '10 at 20:23
  • I could contact their postmaster, but I'm pretty sure the problem is on my end. I don't have the reverse DNS setup with my ISP (Comcast Business). I'll contact them about getting that added. Besides certificates and SPF records, what other email validation techniques are available out there that I might not be adhering to? How can I verify my certificates are properly configured? Or should I stop focusing on the certificates? :/ – HighTechGeek Oct 28 '10 at 20:32
  • 1
    The problem is on your end, but as I stated in my answer, based on the message you recieved from the recipient server, it appears to be a content issue, not an issue with your server certificate (which is not used for sending email unless you're using TLS), and it's not an issue with your rDNS or SPF records. While you should make sure that those things are in order, none of them are going to resolve this issue for you. Again, you could try contacting the postmaster on the recipient end to see if they can give you any clue as to what specifically triggered their Spam filter. – joeqwerty Oct 28 '10 at 20:38
  • I just had Comcast Business setup a pointer record for my static IP and mail.mydomain.com. I kept using the term "Reverse DNS" and they kept using the term pointer record, so I'm hoping that's the same thing! – HighTechGeek Oct 28 '10 at 21:15
  • Yep, it's the same thing. Using the term rDNS seems to be a fairly recent thing. Old school DNS guys (like me) tend to say PTR record more often than we say rDNS record. – joeqwerty Oct 28 '10 at 21:19
  • Regarding content, in the past, I've seen email flagged as spam due to signatures with hyperlinks in them and other html code, etc. In this case, I am sending generic plain text test emails and those are also being blocked. I suppose if someone in the office sent bad content to both of these domains, they may have blocked all mail from us for the near future. I checked our domain against a list of 105 known blacklists (mxtoolbox.com) and we are not listed on any. I have seen spam filters that will block email if the reverse DNS or SPF records are bad, so that's why I was looking at those. – HighTechGeek Oct 28 '10 at 21:21
  • Thanks for the clarification about the rDNS, joeqwerty! That's good to know. – HighTechGeek Oct 28 '10 at 21:26
  • I'll research the 2 problematic domains and see if I can find anyone that will answer me... I'll also reboot the server tonight, now that I setup a new certificate and see if that makes any difference... Hopefully I didn't introduce new problems. I'll report back, thanks! – HighTechGeek Oct 28 '10 at 21:31
  • Looking forward to hearing what happens with this... – joeqwerty Oct 28 '10 at 22:23
  • secureserver.net (aka GoDaddy.com) requires an rDNS PTR record. Since my error messages were cut off, I Googled part of it (interestingly not including secureserver.net) and I got 52 results. All of these results named secureserver.net as the root of their problem, similar to mine. Apparently, the rest of the error message is: "...submit an unblock request at unblock.secureserver.net" - nice of them to put that at the end. I went there, filled in the form, and was presented with "Thank you. Unblocked. If you have additional questions please call 480-624-2500." My emails now go through. – HighTechGeek Oct 29 '10 at 05:23
  • If you go to unblock.secureserver.net, it simply says: "What can I do if my IP address is blocked? We recommend that you troubleshoot some common problems that might be causing your IP address to be blocked. This can help to prevent your IP address from getting blocked in the future. Two common solutions are: 1. Complete a thorough virus scan on all servers and computers behind the blocked IP address. 2. Verify that your rDNS contains a name that includes "mail", "SMTP", "relay", or "MX". For example: mail.example.com, smtp.example.com, or mx1.example.com." – HighTechGeek Oct 29 '10 at 05:25
  • Glad to hear that you got it resolved. – joeqwerty Oct 29 '10 at 11:05
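The comment thread above settles on two checks a receiving site such as secureserver.net applies before anything about certificates matters: the sending IP's PTR record must exist and resolve back to the same IP (forward-confirmed reverse DNS), its name should look like a mail host, and the domain's SPF record should authorize the IP. The following is an added example, not code from the thread or from any tool mentioned in it, that runs those checks in Python over a constructed zone so it works offline; the hostnames, the 203.0.113.0/24 documentation addresses, and the ISP-style PTR name are all hypothetical. The `spf_result` function goes a little beyond the thread by evaluating `ip4`, `a` and `all` with their qualifiers, which is enough for the kind of record the question describes adding.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and SPF checks for an outbound mail IP.

Added example; not code from the answer or from any tool mentioned. The
records below are a constructed, hypothetical zone (203.0.113.0/24 is the
TEST-NET-3 documentation range) so the checks run offline; against a live
resolver the two dictionaries would be replaced by PTR and A lookups.
"""
import ipaddress
import re

# Constructed resolver answers.
FORWARD = {                                   # A records
    "mail.mydomain.com": ["203.0.113.10"],
    "servername.mydomain.local": ["192.168.1.5"],
}
REVERSE = {                                   # PTR records
    "203.0.113.10": ["mail.mydomain.com"],
    "203.0.113.11": ["203-0-113-11.static.example-isp.net"],  # generic ISP PTR
    # 203.0.113.12: no PTR at all
}

# Naming rule quoted from unblock.secureserver.net in the comment thread.
MAIL_NAME = re.compile(r"mail|smtp|relay|mx")


def check_mail_host(ip, helo_name, forward=FORWARD, reverse=REVERSE):
    """Return findings for one sending IP: PTR present, PTR resolves back to
    the IP (FCrDNS), PTR equals the HELO/EHLO name, PTR looks like a mail host."""
    ipaddress.ip_address(ip)                  # reject malformed input early
    f = {"ip": ip, "ptr": None, "fcrdns": False, "helo_matches_ptr": False,
         "mail_like_name": False, "problems": []}
    ptrs = reverse.get(ip, [])
    if not ptrs:
        f["problems"].append("no PTR record; ask the ISP to add one")
        return f
    ptr = ptrs[0].lower().rstrip(".")
    f["ptr"] = ptr
    if ip in forward.get(ptr, []):
        f["fcrdns"] = True
    else:
        f["problems"].append(f"PTR name {ptr} does not resolve back to {ip}")
    if ptr == helo_name.lower().rstrip("."):
        f["helo_matches_ptr"] = True
    else:
        f["problems"].append(f"HELO name {helo_name} differs from PTR name {ptr}")
    if MAIL_NAME.search(ptr):
        f["mail_like_name"] = True
    else:
        f["problems"].append("PTR name does not contain mail/smtp/relay/mx")
    return f


def spf_result(txt_record, ip, forward=FORWARD):
    """Minimal SPF evaluator for the mechanisms a small site typically uses:
    ip4 (optionally with /CIDR), a:<host>, and all with +,-,~,? qualifiers.
    mx, include and redirect are deliberately not handled."""
    addr = ipaddress.ip_address(ip)
    terms = txt_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = "+"
        if term[0] in results:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return results[qual]
        if mech == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return results[qual]
        if mech == "a" and ip in forward.get(arg.lower(), []):
            return results[qual]
    return "neutral"   # RFC 7208: no mechanism matched and no 'all'


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        print(check_mail_host(ip, "mail.mydomain.com"))
    print(spf_result("v=spf1 ip4:203.0.113.10 -all", "203.0.113.10"))
```

The three sample IPs cover the states discussed in the thread: a host whose PTR, forward record and HELO name all agree; a host behind a generic ISP PTR that neither resolves back nor looks like a mail server; and a host with no PTR at all, which is the state the question started in. The `helo_matches_ptr` check matters because the question's send connector announces `mail.mydomain.com` while the receive connectors announce the `.local` name; only the name announced to the outside world needs to agree with the PTR.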

BitCareTech hit the nail on the head (see above)

Short answer: I had to create an rDNS PTR record with my ISP and then go to unblock.secureserver.net (aka GoDaddy.com) and request that they unblock my IP address. See details above...

HighTechGeek

Just to clear up the certificate error, that's just a simple informational log entry. It's a bit like saying "Unable to find very expensive supercar on my driveway, I suppose I had better use that old Ford". That doesn't mean you can't drive to work...

Certificates are used to encrypt email in transit between two points and have nothing to do with sender reputation and won't make people more likely to accept email; if they believed you were sending them spam or virus output then installing a certificate will not make them say "Oh well, they're still sending out infected emails but at least they're offering to encrypt them en-route, so let's unblock them".

Rob Moir
  • Oh, thanks. I thought the certificate verified that you are who you say you are and thus not spoofing the FROM: email address. Maybe I'm confused with SSL certificates. I wasn't blocked due to infected emails. I was blocked because they couldn't verify that I was who I claimed to be. Setting up the rDNS record opened their gates and let me pass through. – HighTechGeek Oct 30 '10 at 06:43