Tuesday, April 27, 2010

421 and 451 Exchange 2007 Errors

Our company was having issues sending emails to certain domains. Everything was fine except for a few of these problematic domains. These emails were just sitting in my Exchange edge server's outbound queue...

The error message I was getting in the Exchange 2007 queue was this:

"451 4.4.0 Primary target IP address responded with: "421 4.4.2 Connection dropped." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternates."

After troubleshooting the issue for a while, I determined that my email server and the problematic domains were not talking nicely with EHLO. The resolution was to create a send connector that forced HELO for the problematic domains. From the Exchange Management Shell, run the following to create the special send connector:

New-SendConnector -Name ForceHelo -AddressSpaces problemdomain.com -ForceHELO $true


After you create this connector, you can always add other problematic domains to the connector which will force HELO.
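One way to add further domains to the connector and review what it now covers, as an added example that is not part of the original post. It assumes the connector name ForceHelo from above and uses placeholder domains; because a HELO session carries no ESMTP extensions, STARTTLS is not available to the domains listed on this connector, so the list is worth keeping short and auditing.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# 'ForceHelo' is the connector created above; the domains are placeholders.
$connectorName = 'ForceHelo'
$newDomains    = 'example.org', 'example.net'

$connector = Get-SendConnector -Identity $connectorName

# Domains already routed through the connector
$current = @($connector.AddressSpaces | ForEach-Object { $_.Address })

# Only add domains that are not already present
$toAdd = @($newDomains | Where-Object { $current -notcontains $_ })

if ($toAdd.Count -gt 0) {
    $spaces = $connector.AddressSpaces
    foreach ($domain in $toAdd) {
        $spaces += $domain          # string is converted to an SMTP address space
    }
    Set-SendConnector -Identity $connectorName -AddressSpaces $spaces
}

# Audit: every send connector that downgrades to HELO, and the domains affected.
# Mail to these address spaces leaves without opportunistic TLS.
Get-SendConnector |
    Where-Object { $_.ForceHELO } |
    Format-List Name, AddressSpaces, ForceHELO, RequireTLS, Enabled
```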

25 comments:

Becky said...

I created a new Send connection per your blog. However I can't see where to type in "-ForceHELO $true"

What am I missing?

test said...

Use the Exchange Management Shell, not the GUI; that's what you are missing.

ELI said...

Hello,

I too am having this issue. I created the new send connector and still have messages stuck in the queue from certain domains.

Hilton Travis said...

Same as ELI - we're seeing this for one particular recipient (multiple domains) and this didn't do diddly to address the issue. :(

Craig said...

What AV are you guys using? I have seen different AVs not play nice and cause these same issues...specifically ESET NOD32. See if you can temporarily disable your client AV as well as your mail scanning AV and restart your transport agents...see if the messages go through.

-Craig

Anonymous said...

We have forced connection, mail sent successfully, but today it is giving the same error. We don't have AV. Any idea?

Anonymous said...

I created the new send connector as posted but it did not fix my issue with one particular domain. Ended up setting smarthost for that domain to go thru my hosted spam filter and it works.

Jaap said...

Had the same problem and the solution suggested didn’t help either but when I turned on the “Use the external DNS lookup settings on the transport server” in the ForceHelo send connector it worked.
Thanks Craig

Anonymous said...

It's working :)

Geoffrey said...

Hello, my default send connector to all domains is set to a cost of 1. Would the cost settings need to be changed once I've added the "ForceHelo" send connector?

Craig said...

Geoffrey - You shouldn't need to change the cost. However, if you see that it is always selecting your default connector and you're still getting the error, I would change your default connector to a higher number so it always checks your custom one first. Also, you might have to restart your transport service.

mkc said...

This worked for me! Took months to find a solution.

udiaz75 said...

After a month and a half of not being able to send emails to one of our customers and a month of researching, this fixed it in seconds.... If you could read my mind!!!!

Toro said...

Craig, you're great! That was my headache for almost 3 weeks.

thx!

Mohit Gupta said...

this is very helpful.

Erwin Bayu said...

Hi Craig and guys, this solution works great. Helpful!! Thank you Craig!! I found the same issues yesterday, and last night I created a new send connector to force HELO and now those problematic domains are gone from the Exchange queue. Also I made a PTR record for my mail server to ensure all follow the rules. Currently I'm monitoring the queue for those problematic domains. Hope everything works fine. However I still have one question: WHY did this happen recently, as we have communicated with those problematic domains for 2 years, and I only found this issue yesterday. Strange? Thanks

Craig said...

The more I've learned about this issue, it seems to be related to Exchange servers and how/if they utilize TLS connections. I read someone's post that seemed to pin it to this issue. It's possible someone changed something on either end, which is why it might have just broken...

Joe V said...

Craig,

Thanks so much for this. I had been beating my head against this issue for weeks, and this provided a useful workaround. I finally found a permanent resolution that may or may not apply in some of these cases.

I was trolling my event logs looking for another Exchange error when I came across a TLS SMTP error. This tripped the memory of your last comment in this post. Effectively, the error stated there wasn't a valid certificate associated with our HELO response (server.domain.com, in our case mail.reliascent.comn). This despite us having a UC certificate installed on the server. Long and short of it was we missed attaching that certificate to SMTP when we installed it. The jury is still out on whether this permanently corrected the issue, but I'm hopeful I won't be needing to add any more domains to our ForceHelo connector.

For your reference, here's the powershell command we ran to attach the certificate to the SMTP service:

Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxx -Services SMTP

You can find the thumbprints for all available certs by running the Get-ExchangeCertificate command.

Hope this is useful for anyone else having this issue!

riversde said...

Hi Craig! This solution works for me also. Thanks a lot!

But how do I add other domains to this connector?

Pedro

jjay said...

Great fix - thanks!

shabber shaik said...

Hi,
We are also having the same issue for Yahoo and some other domains. We created a new ForceHELO connector, and then the mails were delivered to all domains except Yahoo. Then after 2 days we observed that this issue was happening with the firewall: the mail logging and UTM filtering had been enabled. We just disabled them, then the mails were gone, and now it's working fine.

Briyani Missisipi said...

Good information.

ians said...

Hi, when I try creating a new send connector on my edge server, I get "This task may not be run on a edge transport server that is subscribed to an active directory site!" Please help