0

I run a small domain, low volume email, no marketing. Messages are bouncing immediately when sent to one domain. No problems sending email to any other domain; recipient domain reports no problems with other senders; problem occurs with any sender in my domain. We’re not on any blacklists that I can see. Our email volume is too low for any reputation reports that I’ve looked up.

We’re getting correct DNS for the recipient MX. Recipient says nothing showing from us in their logs. They’re running Office365. I’m not seeing outbound messages in our firewall logs either, and the bounce message appearing pretty instantaneously suggests something on our side of things. Bounce occurs the same whether the McAfee services are running on the server or not, including a mention of McAfeeTxRoutingAgent in the Exchange tracking log.

Appreciate any insight. A sample message tracking entry follows, sanitized info in [square brackets]:

RunspaceId : ac30d4d5-8727-4634-8938-6af37374ed54
Timestamp : 12/18/2019 3:17:54 PM
ClientIp : [MyExchangeserverInternalIP]
ClientHostname : [MyExchangeserverName]
ServerIp : [RecipientServerExternalIP]
ServerHostname : [RecipientServerName]
SourceContext :
ConnectorId : [MyServer] to Internet
Source : SMTP
EventId : FAIL
InternalMessageId : 41175851466766
MessageId : <873CD1E2-E01C-4BAF-BFA9-07AF323C98C5@[MyDomain]>
Recipients : {[RecipientEmail]}
RecipientStatus : {[{LRT=};{LED=550 Requested action not taken: mailbox unavailable};{FQDN=};{IP=}]}
TotalBytes : 3553
RecipientCount : 1
RelatedRecipientAddress :
Reference : {<8beab36d-836c-4ae5-8053-ada54b5dcc07@[MyServer]>}
MessageSubject : test6
Sender : [SenderEmail]
ReturnPath : [SenderEmail]
Directionality : Originating
TenantId :
OriginalClientIp :
MessageInfo : 2019-12-18T15:17:51.847Z;SRV=[MyServer]:TOTAL-SUB=0.749|SA=0.734|MTSSDA=0.002|MTSSDC=0.002|MTSSDMO=0.015;MTSS|MTSSD;SRV=[MyServer]:TOTAL-HUB=1.812|SMRDI=0.003|SMRCL=0.098|SMRC=0.098|SMR=0.101|CATSM-Malware Agent=0.018|CATSM=0.019|CATRS-Index Routing Agent=0.004|CATRS=0.005|CCC=0.005|CATCM-McAfeeTxRoutingAgent=0.005|CATCM=0.005|CAT=0.038|QDE=0.509|SMSC=1.009|SMS=0.158
MessageLatency :
MessageLatencyType : None
EventData : {[E2ELatency, 2.563], [ExternalSendLatency, 0.891], [Microsoft.Exchange.Transport.MailRecipient.RequiredTlsAuthLevel, Opportunistic], [Microsoft.Exchange.Transport.MailRecipient.EffectiveTlsAuthLevel, EncryptionOnly], [DeliveryPriority, Normal], [AccountForest, [MyDomain]]}

SKaye

2 Answers

0

Have you received some NDRs? Is there any detailed information in NDRs?

According to your log information, the event ID is failed and the source is SMTP; it seems that something is wrong with Content Filtering or Sender ID filtering.

You could run Get-ContentFilterConfig | fl QuarantineMailbox to check whether mailboxes are in the quarantine list.

In addition, you could use the Set-SenderIdConfig PS command along with the BypassedSenderDomains parameter to whitelist for Sender ID filtering.

A similar case for your reference.

Joy Zhang

0

Joy, thanks for the response! That turned out to not be our problem but it is useful information that I may be happy to know in the future.

I switched the outbound SMTP handling on our firewall from proxy to packet filter to reduce intervention. Email still bounced but gave me useful information instead of the generic error:

BN3NAM01FT029.mail.protection.outlook.com rejected your message to the following email addresses: [my address] Your message wasn't delivered because the recipient's email provider rejected it.

BN3NAM01FT029.mail.protection.outlook.com gave this error: Access denied, banned sending IP [our external IP]. To request removal from this list please visit https://sender.office.com/ and follow the directions. For more information please go to http://go.microsoft.com/fwlink/?LinkID=526655 AS(1430)

It took longer than the half hour specified on the page to delist but it works now. No idea why we got banned in the first place, will continue to monitor. We have SPF with reporting enabled and don’t seem to get spoofed much.

SKaye
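The diagnosis in this thread, as an added example that is not part of the original posts: a PowerShell sketch that pulls the last error details (LED) out of a message tracking RecipientStatus value and separates the stock 550 text from a provider block-list rejection. The function names are hypothetical, 203.0.113.25 is a placeholder IP, and the "550" prefix on the second sample string is an assumption; both samples are constructed from the text quoted above.

```powershell
# Added example, not from the original posts. Sample strings are constructed
# from the sanitized text quoted in this thread; 203.0.113.25 is a placeholder.

function ConvertFrom-RecipientStatus {
    # Hypothetical helper: split "[{LRT=};{LED=...};{FQDN=};{IP=}]" into fields.
    param([Parameter(Mandatory)][string]$Status)
    $fields = [ordered]@{}
    foreach ($m in [regex]::Matches($Status, '\{(?<k>[A-Z]+)=(?<v>[^}]*)\}')) {
        $fields[$m.Groups['k'].Value] = $m.Groups['v'].Value.Trim()
    }
    New-Object psobject -Property $fields
}

function Get-BounceHint {
    # Hypothetical helper: classify the last error details (LED) of a FAIL event.
    param([Parameter(Mandatory)][string]$Status)
    $led = (ConvertFrom-RecipientStatus $Status).LED
    $ip = $null; $code = $null
    $hint = 'Unclassified: read the full NDR text'
    # Provider-specific code such as AS(1430), if the remote text survived.
    if ($led -match 'AS\((?<as>\d+)\)') { $code = $Matches['as'] }
    if ($led -match 'banned sending IP \[?(?<ip>[0-9a-f:.]*[0-9a-f])') {
        $ip = $Matches['ip']
        $hint = 'Recipient provider blocks our sending IP: request delisting'
    }
    elseif ($led -match '^550 Requested action not taken: mailbox unavailable$') {
        $hint = 'Stock RFC 5321 text, no provider detail: check whether an ' +
                'SMTP proxy in the outbound path rewrote the remote response'
    }
    [pscustomobject]@{ LastError = $led; BlockedIp = $ip; AsCode = $code; Hint = $hint }
}

# Constructed inputs: the generic status from the tracking entry in the question,
# and the block-list wording from the NDR seen after the firewall change.
$samples = @(
    '[{LRT=};{LED=550 Requested action not taken: mailbox unavailable};{FQDN=};{IP=}]',
    '[{LRT=};{LED=550 Access denied, banned sending IP [203.0.113.25]. To request removal from this list please visit https://sender.office.com/ and follow the directions. AS(1430)};{FQDN=};{IP=}]'
)
$samples | ForEach-Object { Get-BounceHint $_ } | Format-List

# On the Exchange server, feed real FAIL events instead of the samples
# (user@example.com is a placeholder recipient):
# Get-MessageTrackingLog -EventId FAIL -Recipients user@example.com |
#     ForEach-Object { $_.RecipientStatus } | ForEach-Object { Get-BounceHint $_ }
```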