The problem turned out to be our Checkpoint firewall. It was allowing complete SMTP packets to/from some domains, but not others. Websense would send the initial SMTP packet, but the firewall was dropping the 220 response from the destination.
Robert On Wed, Aug 7, 2013 at 8:19 AM, Michael B. Smith <[email protected]>wrote: > Enable verbose logging on the send-connector and look at the actual SMTP > stream being sent to SurfControl.**** > > ** ** > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Robert Cato > *Sent:* Tuesday, August 6, 2013 11:21 PM > *To:* [email protected] > *Subject:* [Exchange] Message Routing**** > > ** ** > > **** > > Environment: Exchange 2007 with all SPs and updates installed**** > > Websense SurfControl in the DMZ as the smarthost/edge server**** > > **** > > Problem: Most outbound mail is not affected. All emails to certain domains > are getting hung in the SurfControl queues.**** > > Using mxtoolbox.com. Our domain is not on any blacklists and the DNS > information is correct. The SMTP test checks out good with some warnings on > connection time and transaction time. I ran the mxtoolbox.com tests > against a couple of domains we know we can't deliver to and they check out > clean. I sent a message from my gmail account to one of the domains and it > got there immediately.**** > > We have a spf record.**** > > The reject messages are being generated by SurfControl and are not helpful: > **** > > Your message could not be sent to all recipients yet. The system will keep > retrying.**** > > **THIS IS A WARNING ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE ****** > > Details:**** > > Failed to send to: [email protected]**** > > Failed attempts: 12**** > > Last attempt: Tue, 06 Aug 2013 13:50:16 -0400**** > > Status: [email protected]: [cust31236-4.in.mailcontrol.com], > Incomplete SMTP session (cause: idle timeout [ > cust31236-4.in.mailcontrol.com]).**** > > We have checked blacklists on several sites. The test on > blacklistcheck.com did pop positive for fl.chickenboner.biz, but I am not > finding much helpful about getting off their list.**** > > **** > > The SurfControl server is managed by another team, and they said that more > verbose logs were not available. (I find that hard to believe)**** > > **** > > Any ideas for troubleshooting or resolution are greatly appreciated.**** > > **** > > Robert**** >
