Exim temporarily reject, Outlook Servererror: 451 Temporary local problem

[neo-hippie]

Hello,

i've got an custumor who has trouble sending email trough my mail server mostly to hotmail recievers.
it is not always... and the first time is rejected, the resending of the email goos well the second time.

the get a email notification from "Systemmanager" saying "Servererror: 451 Temporary local problem - please try later"
i believe this is a local generated email (from outlook). and saying the smtp connection is interupted.

but why only with hotmail/live email adresses (even when sending a mailinglist to several recievers).

in my exim mainlog on the server i found this:
2014-05-27 15:03:19 H=(MAC01) [37.xxx.xx.130] F=<[email protected]> A=login:[email protected] temporarily rejected RCPT <[email protected]>: host lookup did not complete
2014-05-27 15:03:22 H=(MAC01) [37.xxx.xx.130] incomplete transaction (QUIT) from <[email protected]>

i also had the thought it could be Graylisting from Microsoft's servers. but why is the mail not queued and resend automatic?
sinse the second time sendeing the mail always works well.

hope someone can shine a light on this for me.
if you need extra info please let me know.

 

[Arieh]

I'm guessing the DNS server you're using is either too busy or the network connection to it is bad.

You could try:

dig live.be mx

then

dig live.be mx @8.8.8.8

To query through Google's dns, see if that goes faster.

You can also look inside /etc/resolv.conf to see which DNS server is configured, and possible replace it with for example google's DNS.

 

[neo-hippie]

Thanks for you're swift response.
This was one of the things i figured out / tryed using this / other forums.
Unforunetly without a clear result.

dig live.be mx result:
;; Query time: 52 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 28 15:29:44 CEST 2014
;; MSG SIZE rcvd: 1089

dig live.be mx @8.8.8.8:
;; Query time: 34 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed May 28 15:31:40 CEST 2014
;; MSG SIZE rcvd: 127

okey it is faster. but could that few microseconds be the difference?

if i would change resolv.conf where should i do it? as resolv.conf is automaticly generated.
and i do not want to messup directadmin.

 

[neo-hippie]

Figured out some thing.
in etc/network/interfaces*
there was dns-nameserver ipadres1 ipadres2 wich were both Leaseweb nameservers
i changed them to opendns nameserver (i prefer above googles.)
now both dig request give me about 35ms

 

[neo-hippie]

Update.

as i mentioned i changed the nameservers to OpenDNS
but this didn't solved the problem.
i have contacted Leaseweb support. they thought it was also the long "ping" to theire nameserver.
they are investigating it as well. but as i said it didn't help, i just recieved antother email from my customer.

 

[nobaloney]

The error, host lookup did not complete, is very specific, and it means that when your system tried to get the DNS record. The hotmail server never even gets your request because your sever can't find it.

So the first step (and maybe the only step) in resolving this problem, is to resolve the DNS issue.

Jeff

 

[neo-hippie]

Hi Jeff, thanks for you're coment.

the problem isn't consistent.
i cannot reproduce the error from my pc (or from the server).
but my costumer has it on a regular basis. BUT not with every hotmail adres.
so there is no logic in this , the error may be specific.

and why the first time an abort/error, and the second time it sends the email perfect.

as you can see in my previous comment the dig from the server to hotmail is working perfect.

Thanks,

 

[neo-hippie]

Okey i have changed /etc/resolvconf/resolv.conf.d/original

it now states:
search localdomain
#nameserver 127.0.0.1 # Use the local resolver first.
nameserver 208.67.222.222 # OpenDNS
nameserver 208.67.220.220 # OpenDNS
#nameserver 8.8.8.8 # Google
#nameserver 8.8.4.4 # Google
#nameserver 62.212.65.123 # leaseweb
#nameserver 62.212.64.122 # leaseweb

dig live.be mx now gives me:
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jun 01 10:18:29 CEST 2014
;; MSG SIZE rcvd: 321


when enabeling nameserver 127.0.0.1 it't > 200msec
hope this helpes. i'll keep you posted

 

[nobaloney]

Many systems will fail the first time you try to send a message but will accept the message when it's retried; this is a common feauture to help eliminate spam. For example, watch your log when sending an email to my email address (below in my siglines).

Okey i have changed /etc/resolvconf/resolv.conf.d/original

it now states:
search localdomain
#nameserver 127.0.0.1 # Use the local resolver first.
nameserver 208.67.222.222 # OpenDNS
nameserver 208.67.220.220 # OpenDNS
#nameserver 8.8.8.8 # Google
#nameserver 8.8.4.4 # Google
#nameserver 62.212.65.123 # leaseweb
#nameserver 62.212.64.122 # leaseweb

Though you don't make it clear, I'm presuming you mean you've done this on your DirectAdmin server.

You should never use 127.0.0.1 as a resolving nameserver, and you should never use your local nameserver as both a resolving nameserver and an authoritative nameserver, because this can open it to lots of attacks (search the web for more information).

And you shouldn't have this many resolving nameservers; all it will do is slow down your lookups.

And you should not use OpenDNS unless you've registered an account with them and turned off their annoying (on a server) redirection to a default IP# if they can't find the real IP#.

Any of the above issues could cause you problems.

We just use google's nameservers:

8.8.8.8 and 8.8.4.4

Why do you think you really need more?

dig live.be mx now gives me:
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jun 01 10:18:29 CEST 2014
;; MSG SIZE rcvd: 321

Doesn't it give you an answer?

Jeff

 

[neo-hippie]

Hi Jeff,

in order of you're responce:

1# You are refering to Grey listing, but than it schould be resend automatic bij the MTA.
in this case the user gets an email saying the mail can't be send and he/she has to try again.

2# in deed this is on a DirectAdmin server (thats why this forum ;-))

3# i did not know that, and i did not put that (127.0.0.1) into the original file.

4# most are coment out! only 2 are 'active' i used them for testing the difference.

5# i know of the issue with OpenDNS but it was the fastest in my testing, and as i said i don't like google that much (they've become evil!)

thank you for the answers. i'll change the nameservers to google.
and hope the issue is gone.

 

[nobaloney]

Please let us know if the issue is resolved.

And learn how to be sure your local nameserver isn't resolving, but only authoritative.

If this works:

dig @localhost nobaloney.net

You've got a problem.

Jeff

 

[neo-hippie]

Hi Jeff,

no problem still persists.

ps. i think i have an problem!!!

gona study DNS tomorrow, and try to figgur out why things get localy resolved.
and why/how i can modify resolv.conf because the local nameserver keeps popping up there,
dispite changing /etc/network/interfaces and /etc/resolvconf/resolv.conf.d/original
(and restarting network after every change.)
or do i need to do a reboot after the change?

 

[Arieh]

Please let us know if the issue is resolved.

And learn how to be sure your local nameserver isn't resolving, but only authoritative.

If this works:

dig @localhost nobaloney.net

You've got a problem.

Jeff

Actually not on DA boxes by default; http://help.directadmin.com/item.php?id=115

It allows recursion for localhost but not for others.

 

[nobaloney]

Thanks for the reminder. This may still be a problem; in my tests allowing recursion for localhost will put a domain into the cache. Once it's there, and before it expires, anyone can find it from the server. I'm not sure if this is a problem or not.

And it's often a slow solution, since you're only resolving for your localhost, and therefore the domain being resolved ins less likely to be in the cache than if you use a major public nameserver.

Jeff

 

[neo-hippie]

Hi Jeff,

i think i can confirm that.

when i do an dig @localhost nonlocaldomain.net
the first time it takes > 1000ms
the second time it takes 3 ~ 4 ms

so there is some caching going on.

 

[neo-hippie]

actualy that help file pointet to named.conf.

but in my case the options had an seperate file named.conf.options
just saying.

 

[neo-hippie]

update:

i've put the nameservers in /etc/resolvconf/resolv.conf.d/head instead of original.
now they are automaticly put into resolv.conf at the top.

and using dig now shows google nameserver:
;; Query time: 36 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 05 09:09:19 CEST 2014
;; MSG SIZE rcvd: 68

btw, jeff when you say " to be sure your local nameserver isn't resolving" do you mean an openresolver?
i've tested my server @ http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl and it's not an openresolver.

i believe everything else is fine. when doing a tracepath it shows searching local domains first and than going to the www

 

[nobaloney]

If it's not openly resolving, then go with that as long as you can go with that and still let it resolve for you but I've already written why I never recommend it nor do it.

I don't really care if Google knows which domain names my server is looking up . I get a lot of value from Google; if that's what they want back from me, okay.

Jeff

 

[neo-hippie]

okey glad we solved the DNS issue.
but i'm not sure if it's related to the email error.

for as far as i can see now, i have only 1 employee from 1 customer on 1 domain that has this issue.
using outlook 2013 on a mac. (there office has 4 employees with macs. and a couple dozen freelancers with an email.)

and why only microsoft email @hotmail/@live/@outlook.
there is no report of any other email provider that has these issues.

 

[nobaloney]

First verify (check the logs) that he's sending email through the server. That verified, check the logs to make sure nothing is misspelled and that it's the right server that isn't resolving.

And then check resolution manually through your shell.

Jeff