Queue Message: 421 4.4.0 [internal] "no MXs for this domain could be reached at this time." for a Symantec Messaging Gateway appliance

Article:TECH93089  |  Created: 2009-01-25  |  Updated: 2012-06-07  |  Article URL http://www.symantec.com/docs/TECH93089
Article Type
Technical Solution


Issue



The Symantec Messaging Gateway (SMG) appliance shows messages in the delivery queue with the message 421 4.4.0 [internal] no MXs for this domain could be reached at this time.


Error



 421 4.4.0 [internal] no MXs for this domain could be reached at this time


Cause



This is not an error but a description of why the message could not be delivered. The message indicates a general mail delivery attempt failure in which the appliance could not communicate with the remote mail system. This may be the result of an inability to successfully connect to the remote host, to resolve the MX records, or to resolve the DNS host names for the email domain to which the appliance is attempting message delivery. This can also be seen if a Control Center host's Quarantine SMTP listener is not available on port 41025.


Solution



Possible circumstances that may cause this issue:

  • The local MTA (SMG) cannot communicate with the remote MTA. 
    1. Connection refused by remote MTA
    2. Connection times out while trying to connect to the remote MTA
    3. Mail Exchange (MX) record(s) and A records missing
    4. Firewall rule blocking connection from local MTA IP address
  • Destination management - Domain Settings
    1. Check Protocols > Domains
    2. Consider adding or modifying the Optional Destination Routing
  • A remote Control Center's Quarantine SMTP listener is not available on port 41025 (for Quarantine bound Email)
  • Masked mail banner - similar to the one found in Cisco Pix Mailguard/SMTP Fixup
  • Issue with PTR or RDNS enforcement
  • Invalid Response
  • DNS query failure for calls larger than 512 bytes ( DNS UDP packet size has been limited to 512 bytes in SBG 8.0.2-12 and SMG versions )

Supplemental Materials

SourceETrack
Value2560880
Description

This shows an example of how to troubleshoot a problem to deliver messages to a failing remote domain, in this case example.com is the intended target domain:

  • First identify the target's IP address that could not be reached.
    • Connect to the SMG scanner via SSH to access the CLI
    • Check DNS resolution and identify the destination host that should receive the message that failed 

 

sbg9> nslookup -type=mx example.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
example.com mail exchanger = 5 mail.example.com.
Authoritative answers can be found from:
mail.example.com internet address = 192.0.2.10

 

  • Previous example shows successful DNS resolution. If the previous test fails or times-out, it points to a problem with DNS resolution. If so, check your SMG DNS settings. 
  • Test connecting to the intended target via telnet. We suggest to include the -b option to force the telnet connection to use a specific source IP address.  That source IP address must correspond to the IP address that SMG uses to deliver non-local messages. The SMG setting that controls which IP interface is used for delivery of non-local messages can be found by connecting to the Control Center GUI and going to Administration -> Configuration -> <scanner_hostname> ->SMTP -> Advanced Settings -> Delivery (tab). If set to Auto you can specify which IP address you would like to use for each type of message delivery (see SMG documentation for more information)

 

sbg9> telnet -b 10.160.96.148 192.0.2.10 25
Trying 192.0.2.10...
Connected to 192.0.2.10.
Escape character is '^]'.
220 hostname Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Thu, 14 Oct 2010 13:01:06 +0100 

 

  • If the previous test succeeds (as in the example), the original failure could be due to an intermittent issue or the problem requires further troubleshooting. If the previous test fails, the message returned can indicate that the target host cannot be reached, times-out or is rejecting the connection.  In case you need further assistance, please contact Technical Support.


Legacy ID



2009032512563954


Article URL http://www.symantec.com/docs/TECH93089


Terms of use for this information are found in Legal Notices