Microsoft KB Archive/322358

= XCON: Exchange 2000 Server Drops SMTP Connections from Certain Domains =

PSS ID Number: 322358

Article Last Modified on 11/19/2003


The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Exchange 2000 Server




This article was previously published under Q322358



SYMPTOMS
Servers that are running Exchange 2000 Server or Windows 2000 SMTP service do not accept Simple Mail Transfer Protocol (SMTP) messages from certain Internet domains. Mail delivery that is outbound from the server that is running Exchange 2000 Server to these domains is successful. Additionally, mail that is inbound from other domains is received successfully. Non-delivery reports (NDRs) that are returned to users in the problematic domains report that the server that is running Exchange 2000 Server is unreachable. However, there are no reported errors on the server that is running Exchange 2000 Server.

A reverse Domain Name System (DNS) query (that is, a query for the PTR record) shows that the sending servers cannot be resolved. A Network Monitor trace shows NBT queries before the Microsoft SMTP server disconnects.



CAUSE
This problem can occur if the server that is running Exchange 2000 Server or Windows SMTP service has been configured to reject incoming connections by specifying a domain name on the SMTP virtual server. This setting is available under "Connection Control" on the "Access" tab when you right-click the SMTP virtual server and then click "Properties". If the "All except the list below" option is selected, and if a domain name is specified in the "Computers" list as "Deny connections from", the administrator receives the following warning in Exchange 2000 Server:

Warning: Restricting access by domain name requires a DNS reverse lookup on each connection. This is a very expensive operation and will dramatically affect server performance.

If the administrator clicks OK, a reverse lookup on the Internet Protocol (IP) address of the connecting mail server is performed on every connection attempt. The lookup takes place before any part of the SMTP conversation that transfers mail. If the DNS reverse lookup fails, which occurs when Exchange 2000 Server does not locate any PTR record for the IP address that initiates the connection attempt, Exchange 2000 Server drops the Transmission Control Protocol (TCP) connection. The sending server may or may not reschedule delivery attempts; if it does, the attempts continue to fail until the expiration timeout limit is reached on the sending server. The sending server should return a non-delivery report (NDR) to the originator of the message.

By design, the connection is denied and dropped because, when no PTR record is available, Exchange 2000 Server cannot confirm that the connecting IP address does not belong to a domain in the deny access list.



RESOLUTION
Only one solution exists if the server that is running Exchange 2000 Server is configured in this manner. To resolve this problem, request and verify that all external domains whose mail delivery to the server that is running Exchange 2000 Server is failing have a PTR record configured correctly for the IP address that is presented in a connection attempt. If the reverse lookup is successful and returns any value, the returned record is compared to the domain names that are listed to be denied. If the value does not match any of the denied domains, the connection attempt is permitted, and the SMTP transfer of mail starts.



WORKAROUND
To work around this problem, remove the domain names that are listed as "Deny connections from", and then use the other two options to restrict connections. This problem does not occur when you deny connections by selecting "Single Computer IP" or "Group of Computers" because these options do not use reverse lookup.
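
The connection check described under CAUSE, RESOLUTION and WORKAROUND can be modeled in a short script to predict which sending addresses the server will drop. This is an added example, not Microsoft code: the function names, the sample addresses and host names, and the subdomain-matching rule are assumptions made for illustration.

```python
import socket

def reverse_lookup(ip):
    """Return the PTR host name for ip, or None when the reverse lookup fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None

def matches_denied(hostname, denied_domains):
    """Assumed matching rule: exact name or any subdomain of a denied entry."""
    host = hostname.rstrip(".").lower()
    for domain in denied_domains:
        d = domain.strip().rstrip(".").lower()
        if host == d or host.endswith("." + d):
            return True
    return False

def connection_decision(ip, denied_domains, resolver=reverse_lookup):
    """Model the check from the article. Returns (verdict, reason)."""
    if not denied_domains:
        # Restrictions by IP address or group only: no reverse lookup is used.
        return ("accept", "no domain-name entries, reverse lookup not used")
    hostname = resolver(ip)
    if hostname is None:
        # No PTR record: the server cannot rule out a denied domain.
        return ("drop", "no PTR record, TCP connection dropped before SMTP")
    if matches_denied(hostname, denied_domains):
        return ("drop", "PTR name %s matches a denied domain" % hostname)
    return ("accept", "PTR name %s matches no denied domain" % hostname)

# Constructed sample data: documentation address ranges and made-up names.
SAMPLE_PTR = {
    "192.0.2.10": "mail.partner.example",
    "198.51.100.7": "relay.spam.example",
}
DENIED = ["spam.example"]

def dropped_for_missing_ptr(ips, denied=DENIED, resolver=SAMPLE_PTR.get):
    """Senders that are dropped only because they have no PTR record."""
    return [ip for ip in ips
            if resolver(ip) is None
            and connection_decision(ip, denied, resolver)[0] == "drop"]

if __name__ == "__main__":
    for ip in ["192.0.2.10", "198.51.100.7", "203.0.113.5"]:
        print(ip, *connection_decision(ip, DENIED, SAMPLE_PTR.get))
```

To check real senders, call `connection_decision` without the `resolver` argument so that it uses `socket.gethostbyaddr`.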



STATUS
This behavior is by design.

Additional query words: SMTP NDR DNS DSN gethostbyaddr block netmon

Keywords: kbprb KB322358

Technology: kbExchange2000Search kbExchange2000Serv kbExchange2000ServSearch kbExchangeSearch kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbWinAdvServSearch


© 2004 Microsoft Corporation. All rights reserved.