2 Replies Latest reply: Nov 8, 2013 1:11 PM by ser_caretower

    451 Could not verify recipients All MX servers unavailable for domain - Hybrid to MEG7.5 relay

    ser_caretower

      Hello everyone on the communities.

       

      We have this behavior and SAAS is blocking our inbound messages with the following SMTP response (please see the attachment for a full screenshot description).

       

      Message Disposition: [451 Could not verify recipients (4a1aa725.0.4874985.00-2011.7739603.s13p02m013.mxlogic.net): All MX servers unavailable for domain caretowerlab.com (Mode: normal); Backend TLS: yes; Backend IP: n/a; Policy Set: Default Inbound]

       

       

      If you can have a look and advise, it would be much appreciated.

       

      Thanks.

       

      Sergio

       

       

      Hi all,

      We can't enable the Hybrid solution under this environment (a typical one).

      MEG 7.5 in Explicit Proxy.

      We have experienced 2 behaviors:

      1:

      If we deactivate the hybrid mode, the emails are pushed to the SAAS and SAAS delivers to our MEG 7.5

      Client => SAAS cloud => MEG 7.5 => Exchange.

      All OK, almost... The SAAS portal enables the full policy set, and we can't push the policies via MEG 7.5. The emails are scanned twice by both engine systems (AV – SPAM – DLP – Image – etc).

      Obviously the activity of the SAAS doesn't report in MEG 7.5 (Blocked by Hybrid 0, 0)

      Hybrid mode is disabled. Email from our test hits SAAS, which processes the message and delivers to MEG 7.5

      MEG 7.5 receives the message

      We can see that message on the control console (by deactivating the service first, to gain access to Message Audit)

       

      Timestamp | Event
      2013-11-06 19:45:21 GMT | Recipient Disposition: [250 Backend; Mode: normal; Queued: no; Frontend TLS: no; SPF: n/a]
      2013-11-06 19:45:21 GMT | Message Disposition: [250 Backend Replied [24c9a725.0.4872511.00-2193.7735034.s13p02m013.mxlogic.net]: Requested mail action okay, completed. (Mode: normal); Backend TLS: yes; Backend IP: 81.142.118.219; Policy Set: Default Inbound]

       

       

      Keep your eyes on the Backend IP value.  Now we are going to enable hybrid:

       

      2:

      If hybrid is activated.

      The emails don't pass through.

      Let me develop the proof.

      The registration process is completed:

      It brings the domains that are configured on the SAAS Portal. In this case 2 (1 disabled)

      So we can see in the portal that it is enabled

      Now is where the problems come with big intensity (SMTP flow stopped!!!)

      Now we are going to get more details from the control console, deactivating the hybrid first to enable the Message Audit in the Control Console.

       

       

       

      2013-11-06 19:58:02 GMT | Recipient Disposition: [250 Deferred; Mode: normal; Queued: no; Frontend TLS: no; SPF: n/a]
      2013-11-06 19:58:02 GMT | Message Disposition: [451 Could not verify recipients (14f9a725.0.382089.00-2332.734135.s13p02m014.mxlogic.net): All MX servers unavailable for domain caretowerlab.com (Mode: normal); Backend TLS: yes; Backend IP: n/a; Policy Set: Default Inbound]

       

       

      Another test: Hybrid enabled.

      Now we are going to get more details from the control console, deactivating the hybrid first to enable the Message Audit in the Control Console.

       

       

       

      Timestamp | Event
      2013-11-06 20:08:24 GMT | Recipient Disposition: [250 Deferred; Mode: normal; Queued: no; Frontend TLS: no; SPF: n/a]
      2013-11-06 20:08:24 GMT | Message Disposition: [451 Could not verify recipients (4a1aa725.0.4874985.00-2011.7739603.s13p02m013.mxlogic.net): All MX servers unavailable for domain caretowerlab.com (Mode: normal); Backend TLS: yes; Backend IP: n/a; Policy Set: Default Inbound]

       

       

       

       

      We can see a 451 error: All MX Servers are unavailable (?). What really scares us is the fact of Backend IP: n/a; when Hybrid is enabled.
      It looks like the SAAS is unable to reach the MEG 7.5 IP address.
      TLS settings

       

      Note:

      When testing the SMTP on the Hybrid we get this error / warning

      The EHLO response from the server after establishing a TLS connection did not offer the expected extensions

       

      We have tried all the settings in all combinations of the settings, even the appliance is on Explicit and the below applies to transparent bridge and router.

       
         

      Can anyone help on this? I have the feeling that it might be due to the firewall settings which might be filtering encapsulated traffic? Like ESMTP.
      Or the impossibility of sending the certificate through port 25 (stopped by the Firewall somehow).

      If so, why, if we deactivate the registration with SAAS, does the mail flow normally?

      I will open a case with McAfee to see what else we can try.

       

       

      References Consulted.

      http://www.ietf.org/rfc/rfc3207.txt

      https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=&aid=27819

      https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=564175229CQUGZLHWZOKKPSIX[YJGGYERMPWBCIZ&inc=31043&caller=~%2fFindAnswers.aspx%3flstFilter_a%3d3%26txtCriteria%3d451+Could+not+verify+recipients%26sSessionid%3d564175229CQUGZLHWZOKKPSIX[YJGGYERMPWBCIZ

      https://community.mcafee.com/thread/61672

      https://community.mcafee.com/message/296363

      https://community.mcafee.com/thread/57533

       

      Thanks,

      Sergio_m@caretower.com
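
The comparison the post draws between its Message Disposition events (a 250 with a Backend IP versus a 451 with Backend IP: n/a) can be automated over exported audit lines. This is an added example, not part of the original post or of any McAfee tooling; the field layout is inferred from the quoted lines, and the function names and verdict labels are hypothetical.

```python
import ipaddress
import re

# Message Audit events copied from the post (wrapped whitespace normalized).
AUDIT_EVENTS = [
    ("2013-11-06 19:45:21 GMT",
     "Message Disposition: [250 Backend Replied "
     "[24c9a725.0.4872511.00-2193.7735034.s13p02m013.mxlogic.net]: Requested mail action okay, "
     "completed. (Mode: normal); Backend TLS: yes; Backend IP: 81.142.118.219; Policy Set: Default Inbound]"),
    ("2013-11-06 19:58:02 GMT",
     "Message Disposition: [451 Could not verify recipients "
     "(14f9a725.0.382089.00-2332.734135.s13p02m014.mxlogic.net): All MX servers unavailable for "
     "domain caretowerlab.com (Mode: normal); Backend TLS: yes; Backend IP: n/a; Policy Set: Default Inbound]"),
]

# Assumed layout, inferred from the lines above: "[<code> <text>; Key: value; ...]"
DISPOSITION = re.compile(r"Message Disposition: \[(\d{3}) (.*)\]$")
FIELD = re.compile(r"; ([A-Za-z ]+): ([^;]+)")

def parse_disposition(event):
    """Return the SMTP code and the 'Key: value' fields, or None if not a match."""
    match = DISPOSITION.search(" ".join(event.split()))  # collapse wrapped spaces
    if match is None:
        return None
    code, body = match.groups()
    fields = {key.strip(): value.strip() for key, value in FIELD.findall(body)}
    return {"code": int(code), "fields": fields}

def backend_ip(parsed):
    """Return the backend address as an ip_address object, or None for 'n/a'."""
    try:
        return ipaddress.ip_address(parsed["fields"].get("Backend IP", ""))
    except ValueError:
        return None

def triage(events):
    """Label each event by SMTP reply class and whether a backend IP was recorded."""
    report = []
    for timestamp, event in events:
        parsed = parse_disposition(event)
        if parsed is None:  # e.g. a Recipient Disposition line
            continue
        ip, verdict = backend_ip(parsed), "other"
        if 400 <= parsed["code"] < 500 and ip is None:
            verdict = "deferred, no backend recorded"
        elif 200 <= parsed["code"] < 300 and ip is not None:
            verdict = "accepted by backend"
        report.append((timestamp, parsed["code"], str(ip) if ip is not None else "n/a", verdict))
    return report
```

Sorting a larger export by the resulting verdict separates deferrals where no backend address was ever recorded from those where a backend answered with a temporary failure.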