1

My office recently had to set up an emergency wireless modem, giving us a new public IP address. We only have this one IP, whereas before we had several static IPs, and one of these led to our exchange server.

Our incoming email doesn't work. Senders are being given rejection messages that look like:

Delivery to the following recipient failed permanently:

[username]@[domain].com

Technical details of permanent failure: Google tried to deliver your message, but it was rejected by the server for the recipient domain [domain].com by mailstore1.secureserver.net. [68.178.213.243].

The error that the other server returned was: 550 5.1.1 <[username]@[domain].com> Recipient not found. http://x.co/irbounce

This is odd because in our GoDaddy DNS settings mailstore1.secureserver.net isn't the primary MX. The highest priority MX record is the one that points to our internal exchange server.

I'm wondering why there isn't any error from the first attempt. Did it send it successfully? If so, then where are these emails on the exchange server? Why aren't they being sent? But if GoDaddy can't send the mail to the exchange server, why not?

I suspect this is an issue with the IP that's being given to GoDaddy. Either that, or it's an IP issue within our Fortinet router which handles the virtual IPs that route mail to the Exchange server.

Oddly enough, outgoing email appears to work fine.

G3n0c1de
  • 1
    Are you sure that your email server is accessible over the new IP at ports 25 and 587? Also, are you sure that secureserver will ever successfully accept mail for you? – wfaulk Sep 16 '15 at 21:23
  • 2
    You know, telling us the domain name in question would go a long way in helping us provide insightful answers. – joeqwerty Sep 16 '15 at 21:29
  • Have you updated your primary MX record with the new IP address? – dtoubelis Sep 16 '15 at 21:38
  • 2
    If you're not comfortable posting your real domain name, then at least post your redacted MX records. And while you're doing that, think about why you even have the secureserver.net server in your DNS ;-) – Brandon Xavier Sep 16 '15 at 21:41
  • Why would the OP be uncomfortable posting his real domain name? It's a publicly registered domain name, for Pete's sake. It's not a secret. If anyone thinks that obfuscating their domain name is in any way related to "security" they need to stop what they're doing and find a different line of work. – joeqwerty Sep 16 '15 at 21:57
  • @wfaulk, I used telnet's open command on the exchange server and those two ports. It worked with port 25, but not with 587. As for the secureserver, I don't know. This was all set up a while before I've been here. – G3n0c1de Sep 16 '15 at 22:07
  • @joeqwerty, yeah, I'm new to IT. The guy who's 'in charge' of everything is on vacation, so I'm here not knowing what I'm allowed to say. So I played it safe. – G3n0c1de Sep 16 '15 at 22:14
  • Did you telnet the public IP from an external IP? Or use a service like canyouseeme.org? Post your domain if you want real help please. – Jacob Evans Sep 17 '15 at 03:03

1 Answer

2

Have you updated your primary MX record with the new IP address? Are firewall rules set correctly for the Exchange server and the new IP address? As a test, you can try to telnet into your Exchange server from outside of your network using the address from the MX record.

I would also recommend removing the secondary MX record that points to GoDaddy. This way, if your Exchange server is unavailable, the mail will be re-delivered when it is back online, but if it goes to GoDaddy it will be rejected/lost.

dtoubelis
  • Agree on getting rid of the secondary MX record(s). They're virtually useless, are unnecessary, and probably muck things up more than doing any actual good. – joeqwerty Sep 16 '15 at 21:44
  • @dtoubelis, the MX record doesn't actually use IPs. In the 'Points To' section, it says mail.[domain].com. I think this gets handled in another section of the DNS manager by GoDaddy: under the A(Host) section there's an entry with host "mail", and that points to the IP of my office. I'll delete the other record. – G3n0c1de Sep 16 '15 at 22:12
  • @G3n0c1de, an `MX` record is a pointer to an `A` record, so you need to follow the chain and make sure that the `A` record for your `mail.[domain].com` points to your new IP address. – dtoubelis Sep 16 '15 at 22:15
  • @dtoubelis, it appears that the chain correctly goes to the new IP. So now I need to figure out if it's getting to the exchange server. Our router has rules set up to make use of virtual IPs, which are translated into the internal exchange server IP. Is there a way I can see if messages are reaching the exchange server from within the Exchange Management console? – G3n0c1de Sep 16 '15 at 22:22
  • @G3n0c1de, have you tried telnetting from the outside? Do you have access to your firewall? – dtoubelis Sep 16 '15 at 22:32
  • @dtoubelis, looks like you're on to something. Telnet can't find the server when I'm using a machine that's not connected to our internal network. – G3n0c1de Sep 16 '15 at 22:39
  • @dtoubelis, should I mark this as the answer and open a new thread specifically asking about my router setup? – G3n0c1de Sep 17 '15 at 00:47
  • @G3n0c1de, that would be a good idea :-) – dtoubelis Sep 17 '15 at 02:41
  • Turns out it was a port forwarding issue with our modem. It didn't allow email traffic through on the ports I needed by default. The other issue was that our router was looking for the wrong external IP for the VIPs. I set it to the modem's IP and everything works now. – G3n0c1de Sep 17 '15 at 19:04
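
A simplified model of the sender-side MX fallback discussed in this thread, as an added example that is not part of the original posts: it shows why a blocked port 25 on the primary MX produces no error of its own and the bounce comes from the backup MX instead. The host `mail.example.com`, the preference values 0 and 10, and the reply codes assigned to each host are assumptions constructed for illustration.

```python
import socket

def port_open(host, port=25, timeout=5.0):
    """TCP check equivalent to the telnet test; run it from outside the LAN."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def deliver(mx_records, outcome_for):
    """Simplified sender behaviour. mx_records: [(preference, host)];
    outcome_for(host) -> 'unreachable' or the SMTP reply code to RCPT TO."""
    tried = []
    for _pref, host in sorted(mx_records):      # lowest preference value first
        outcome = outcome_for(host)
        tried.append((host, outcome))
        if outcome == "unreachable":
            continue                             # silent: sender just moves on
        if 200 <= outcome < 300:
            return "delivered", host, tried
        if outcome >= 500:
            return "bounced", host, tried        # permanent failure, no retry
        break                                    # 4xx: stop and retry later
    return "queued_for_retry", None, tried

# Constructed scenario; mail.example.com stands in for mail.[domain].com.
PRIMARY, BACKUP = "mail.example.com", "mailstore1.secureserver.net"
BOTH_MX = [(0, PRIMARY), (10, BACKUP)]
BLOCKED = {PRIMARY: "unreachable", BACKUP: 550}  # port 25 not forwarded
FIXED = {PRIMARY: 250, BACKUP: 550}              # forwarding and VIP corrected

def scenario(mx_records, outcomes):
    """Return (result, host that decided it) for one constructed situation."""
    result, host, _tried = deliver(mx_records, outcomes.get)
    return result, host

if __name__ == "__main__":
    print(scenario(BOTH_MX, BLOCKED))            # bounce comes from the backup
    print(scenario([(0, PRIMARY)], BLOCKED))     # backup MX removed: mail waits
    print(scenario(BOTH_MX, FIXED))              # primary reachable again
```

`port_open` is not called by the scenarios; it is the scripted form of the outside telnet check and only gives a meaningful answer when run from a machine outside the office network.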