The Symantec Messaging Gateway (SMG) appliance shows messages in the delivery queue with the message "421 4.4.0 [internal] no MXs for this domain could be reached at this time".
This is not an error but a description of why the message could not be delivered. It indicates a general delivery attempt failure in which the appliance could not communicate with the remote mail system. Possible reasons are an inability to connect to the remote host, to resolve the MX records, or to resolve the DNS host names for the email domain to which the appliance is attempting delivery. The same message is also seen when a Control Center host's Quarantine SMTP listener is not available on port 41025.
Possible circumstances that may cause this issue:
- The local MTA (SMG) cannot communicate with the remote MTA:
  - Connection refused by the remote MTA
  - Connection times out while trying to connect to the remote MTA
  - Mail Exchange (MX) record(s) and A records missing
  - Firewall rule blocking connections from the local MTA IP address
- Destination management - Domain Settings:
  - Check Protocols > Domains
  - Consider adding or modifying the Optional Destination Routing
- A remote Control Center's Quarantine SMTP listener is not available on port 41025 (for Quarantine-bound email)
- Masked mail banner, similar to the one produced by Cisco PIX Mailguard/SMTP Fixup
- Issue with PTR or RDNS enforcement
- Invalid response
- DNS query failure when the answer exceeds 512 bytes (the DNS UDP packet size is limited to 512 bytes in SBG 8.0.2-12 and SMG versions):
  - Microsoft KB 828263: http://support.microsoft.com/kb/828263
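Several of the causes above (missing MX/A records, an NXDOMAIN answer, and answers that do not fit in a 512-byte UDP datagram) can be told apart by looking at the raw DNS answer. The following is an added example, not code from the article or from the SMG product: a minimal MX resolver written against the DNS wire format with Python's standard library only. It reads at most 512 bytes over UDP, the same ceiling the article describes for the appliance, checks the TC (truncated) flag, and only then retries over TCP. The `server` argument of `resolve_mx`, the `explain` wording, and the two sample answers (`SAMPLE_RESPONSE`, `SAMPLE_TRUNCATED`, built by hand for offline use rather than captured from a live server) are this example's own assumptions.

```python
import random
import socket
import struct

# Classic DNS-over-UDP payload limit (RFC 1035). The article notes that SBG 8.0.2-12 and
# SMG cap UDP answers at this size, so larger answers come back with TC=1 and must be
# re-fetched over TCP.
DNS_UDP_MAX = 512
TYPE_A, TYPE_MX, CLASS_IN = 1, 15, 1


def build_query(name, qtype=TYPE_MX, txid=None):
    """Build a single-question DNS query with recursion desired (RD=1)."""
    txid = random.randrange(0, 65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # name ends after the first pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_mx_response(msg):
    """Extract MX records and any A glue; report the TC bit and RCODE."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"txid": txid, "truncated": bool(flags & 0x0200),
           "rcode": flags & 0x000F, "mx": [], "glue": {}}
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_MX:
            pref = struct.unpack("!H", msg[off:off + 2])[0]
            exch, _ = _read_name(msg, off + 2)          # exchange name may be compressed
            out["mx"].append((pref, exch))
        elif rtype == TYPE_A and rdlen == 4:
            out["glue"].setdefault(name, []).append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    out["mx"].sort()
    return out


def explain(resp):
    """Map a parsed answer onto the causes listed in the article (wording is ours)."""
    if resp["truncated"]:
        return "answer exceeds 512 bytes over UDP (TC set); retry over TCP"
    if resp["rcode"] == 3:
        return "NXDOMAIN: the domain does not exist in DNS"
    if resp["rcode"] != 0:
        return "DNS server returned RCODE %d" % resp["rcode"]
    if not resp["mx"]:
        return "no MX records returned (delivery would need an A record fallback)"
    return "MX found: %s" % ", ".join("%d %s" % m for m in resp["mx"])


def resolve_mx(domain, server, timeout=3.0):
    """Query MX over UDP (512-byte read); fall back to TCP if the answer was truncated."""
    query = build_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(query, (server, 53))
        data, _ = u.recvfrom(DNS_UDP_MAX)
    resp = parse_mx_response(data)
    if resp["truncated"]:
        with socket.create_connection((server, 53), timeout=timeout) as t:
            t.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS is length-prefixed
            (n,) = struct.unpack("!H", t.recv(2))
            data = b""
            while len(data) < n:
                chunk = t.recv(n - len(data))
                if not chunk:
                    break
                data += chunk
        resp = parse_mx_response(data)
        resp["transport"] = "tcp"
    return resp


# Constructed sample answers (assembled by hand, not captured from a real server).
_Q = build_query("example.com", txid=0x1234)[12:]           # question section, 17 bytes
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + _Q
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_MX, CLASS_IN, 300, 9)
    + b"\x00\x05" + b"\x04mail" + b"\xc0\x0c"                # MX 5 mail.example.com
    + b"\xc0\x2b" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
    + bytes([192, 0, 2, 10])                                  # glue A 192.0.2.10
)
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _Q   # TC=1, no answers

if __name__ == "__main__":
    print(explain(parse_mx_response(SAMPLE_RESPONSE)))
    print(explain(parse_mx_response(SAMPLE_TRUNCATED)))
```

Run it as-is to see the two sample answers classified; to query a real resolver, call `explain(resolve_mx("example.com", "<resolver-ip>"))`. Because the UDP read is capped at 512 bytes and no EDNS0 OPT record is sent, a compliant server answers with TC=1 rather than a larger datagram, which is exactly the condition the article's 512-byte note refers to.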
The following example shows how to troubleshoot delivery failures to a remote domain; here example.com is the intended target domain:
- First identify the IP address of the target that could not be reached.
- Connect to the SMG scanner via SSH to access the CLI.
- Check DNS resolution and identify the destination host that should receive the failed message:
    sbg9> nslookup -type=mx example.com
    example.com mail exchanger = 5 mail.example.com.
    Authoritative answers can be found from:
    mail.example.com internet address = 192.0.2.10
- The previous example shows successful DNS resolution. If the test fails or times out, the problem lies with DNS resolution; in that case check your SMG DNS settings.
- Test connecting to the intended target via telnet. We suggest including the -b option to force the telnet connection to use a specific source IP address. That source IP address must be the one SMG uses to deliver non-local messages. The SMG setting that controls which IP interface is used for delivery of non-local messages can be found in the Control Center GUI under Administration -> Configuration -> <scanner_hostname> -> SMTP -> Advanced Settings -> Delivery (tab). If it is set to Auto, you can specify which IP address to use for each type of message delivery (see the SMG documentation for more information):
    sbg9> telnet -b 10.160.96.148 192.0.2.10 25
    Connected to 192.0.2.10.
    Escape character is '^]'.
    220 hostname Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Thu, 14 Oct 2010 13:01:06 +0100
- If the previous test succeeds (as in the example), the original failure may have been intermittent or the problem requires further troubleshooting. If the previous test fails, the message returned can indicate that the target host cannot be reached, times out, or is rejecting the connection. If you need further assistance, contact Technical Support.
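The telnet step above checks one thing by hand: can the scanner's delivery interface reach the remote MTA on port 25 and receive a 220 greeting? The script below is an added example, not code from the article or from SMG, that automates that check and classifies the outcome into the categories the article lists (connection refused, timeout, masked banner, 4xx/5xx rejection, invalid response). Binding to `source_ip` before connecting is the equivalent of `telnet -b`. The helper `start_banner_server` is a constructed local stand-in for a remote MTA so the script can be exercised offline; the asterisk-based "masked banner" heuristic is this example's assumption about how a PIX-style SMTP fixup rewrites the greeting.

```python
import socket
import sys
import threading


def check_smtp_connect(host, port=25, source_ip=None, timeout=5.0):
    """Open TCP to host:port, optionally bound to source_ip (like telnet -b),
    read the greeting and classify the result as the article's causes."""
    r = {"target": "%s:%d" % (host, port), "source_ip": source_ip,
         "status": None, "detail": None, "banner": None}
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if source_ip:
            s.bind((source_ip, 0))      # fails with OSError if the IP is not local
        s.connect((host, port))
        try:
            banner = s.recv(1024).decode("ascii", "replace").strip()
        except socket.timeout:
            r["status"], r["detail"] = "no-banner", "connected but no greeting before timeout"
            return r
        r["banner"] = banner
        body = banner[3:].strip()
        if banner.startswith("220") and body and body.count("*") >= len(body) // 2:
            # Assumption: a mostly-asterisk greeting means an intermediate device masked it
            r["status"], r["detail"] = "masked", "greeting masked by an intermediate device"
        elif banner.startswith("220"):
            r["status"], r["detail"] = "ok", "SMTP greeting received"
        elif banner[:1] in ("4", "5"):
            r["status"], r["detail"] = "rejected", "server greeted with an error reply"
        else:
            r["status"], r["detail"] = "invalid-response", "non-SMTP or empty greeting"
    except socket.timeout:
        r["status"], r["detail"] = "timeout", "no TCP answer; host down or firewall dropping"
    except ConnectionRefusedError:
        r["status"], r["detail"] = "refused", "TCP reset; nothing listening or firewall rejecting"
    except OSError as e:
        r["status"], r["detail"] = "error", str(e)
    finally:
        s.close()
    return r


def start_banner_server(banner, bind_ip="127.0.0.1"):
    """Constructed stand-in for a remote MTA: accept one connection, send a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_ip, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port(bind_ip="127.0.0.1"):
    """Pick a local port with no listener, so a connect to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((bind_ip, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # usage: smtp_check.py <host> [port] [source_ip]; with no arguments it talks to
    # the local stand-in server so the script demonstrates itself offline.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    if len(sys.argv) > 2:
        port = int(sys.argv[2])
    else:
        port = start_banner_server(b"220 mail.example.com ESMTP ready\r\n")
    src = sys.argv[3] if len(sys.argv) > 3 else None
    print(check_smtp_connect(host, port, src))
```

Against the article's scenario the call would be `check_smtp_connect("192.0.2.10", 25, "10.160.96.148")`; a `status` of `timeout` or `refused` points at the firewall and connectivity causes listed earlier, `masked` at a banner-rewriting device, and `error` with a bind failure at a source IP that is not configured on the scanner's delivery interface.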