SMTP Error: all relevant MX records point to non-existent hosts

Hello everyone, I’m new here.

I swear I searched the topics for the answer to my problem, but I didn’t find it.

Scenario: I have a HestiaCP Server with 30 domains, all working OK for sending and receiving emails. This Server (The 30 domains) cannot receive or send emails to a specific domain ( X ). When I receive an email from this specific domain ( X ), it displays the following errors in the LOG of my Exim Server:

2023-10-03 22:30:23 H=(web2.xxxxx.com.br) [xx.xx.xxx.100] sender verify fail for <silvio@ domain.com.br>: all relevant MX records point to non-existent hosts
2023-10-03 22:30:23 H=(web2.xxxxx.com.br) [xx.xx.xxx.100] X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no F=[email protected] rejected RCPT [email protected]: Sender verify failed

This external domain X ( @domain.com.br ) sends and receives emails from others Servers with no known issues. No SPF, DNS problems identified in the MXtoolbox tool for the domains used in the tests.
Below Mxtoolbox e-mail test for domain X:

Transcript : Connecting to xx.xx.xxx.100

Transcript :

Transcript : 220 web2.xxxxx.com.br [707 ms]

Transcript : EHLO keeper-us-east-1d.mxtoolbox.com

Transcript : 250-web2.xxxxx.com.br Hello keeper-us-east-1d.mxtoolbox.com [18.209.86.113]

Transcript : 250-SIZE 52428800

Transcript : 250-8BITMIME

Transcript : 250-PIPELINING

Transcript : 250-AUTH PLAIN LOGIN

Transcript : 250-CHUNKING

Transcript : 250-STARTTLS

Transcript : 250 HELP [224 ms]

Transcript : MAIL FROM:[email protected]

Transcript : 250 OK [209 ms]

Transcript : RCPT TO:[email protected]

Transcript : 550 Sender verify failed [257 ms]

Transcript :

Transcript : LookupServer 2896ms

Below is a Header of a test email received from this domain X, received without problems in another email box, hosted on another Server.

Return-path: [email protected]
Envelope-to: [email protected]
Delivery-date: Tue, 03 Oct 2023 22:23:16 -0300
Received: from [177.xxx.xx.xxx] (helo=zimbra.domain.com.br)
by web2.xxxxx.com.br with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.92)
(envelope-from [email protected])
id 1qnqbc-0006q7-6f
for [email protected]; Tue, 03 Oct 2023 22:23:16 -0300
Received: from zimbra.domain.com.br (localhost [127.0.0.1])
by zimbra.domain.com.br (Postfix) with ESMTP id 198554E0DD0
for [email protected]; Tue, 3 Oct 2023 22:23:02 -0300 (-03)
Date: Tue, 3 Oct 2023 22:23:01 -0300 (BRT)
From: [email protected]
To: ricardo [email protected]
Message-ID: [email protected]
Subject: TESTE 2223
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=“=_7b27bbc7-423d-46a0-8326-4b440e661cad”
X-Originating-IP: [201.26.30.243]
X-Mailer: Zimbra 8.7.0_GA_1659 (ZimbraWebClient - GC117 (Win)/8.7.0_GA_1659)
Thread-Index: 3fhgl5RLAtXEYy54TzHKoOBDHsNpzA==
Thread-Topic: TESTE 2223

Thank you in advance if you can help me

Is the domain hosted on the same server?

Hi Eris, thanks for your feedback.

These domains were already on the same Physical Server, but on different virtual machines. Today they are on the same virtual machines, but on different physical machines, in different physical locations and with IPs in different ranges. This migration took place months ago. It’s a coincidence that these customers from domains A and B tried to exchange emails, they had never spoken to each other. Chances of fate to reveal hidden problems.

You could try to simulate the connection from the remote mail server so you could see more info about what exim is doing with that message.

Assumptions:
sender: [email protected]
recipient: [email protected]
remote server name: zimbra.domain.com.br
remote server ip: 177.xxx.xxx.xxx

With that info you could use command exim4 -bhc to simulate the connection and in every step you willl see the filters, acls, checks, etc. that exim is using to send the mail and maybe you could get a clue to know what is going on.

Note: the mail won’t be send so you can test it all the times you need.

As you will need to recreate the connection manually, I left here the commands you should use:

exim4 -bhc 177.xxx.xxx.xxx
EHLO zimbra.domain.com.br
MAIL FROM: [email protected]
RCPT TO: [email protected]
DATA
SUBJECT: Test

Here the message
.
QUIT

Dear @sahsanu, thank you very much for the tip. I didn’t know these exim command options and it was a very useful learning experience. Using the commands, we can see where the problem of not sending/receiving emails from “external -domain.com.br” occurs.

RCPT TO: [email protected]

using ACL “acl_check_rcpt”

processing “accept”

check hosts = :

host in “:”? no (end of list)

accept: condition test failed in ACL “acl_check_rcpt”

processing “deny”

message: Email account $authenticated_id is sending too many emails - rate overlimit = $sender_rate / $sender_rate_period

check ratelimit = 600/ 1h / $authenticated_id

= 600/ 1h /

ratelimit condition count=1 600.0/1h/per_mail/88.99.xxx.xxx

ratelimit found key in database

ratelimit db updated

ratelimit computed rate 4.0

deny: condition test failed in ACL “acl_check_rcpt”

processing “warn”

check ratelimit = 550/ 1h / strict / $authenticated_id

= 550/ 1h / strict /

ratelimit condition count=1 550.0/1h/per_mail/88.99.xxx.xxx

ratelimit found pre-computed rate 4.0

warn: condition test failed in ACL “acl_check_rcpt”

processing “deny”

message: Restricted characters in address

check domains = +local_domains

internal-domain.com.br in “dsearch;/etc/exim4/domains/”? yes (matched “dsearch;/etc/exim4/domains/”)

internal-domain.com.br in “+local_domains”? yes (matched “+local_domains”)

check local_parts = ^[1] : ^.*[@%!/|]

comercial in "^[2] : ^.*[@%!/|]"? no (end of list)

deny: condition test failed in ACL “acl_check_rcpt”
processing “deny”
message: Restricted characters in address
check domains = !+local_domains
internal-domain.com.br in “!+local_domains”? no (matched “!+local_domains” - cached)
deny: condition test failed in ACL “acl_check_rcpt”
processing “require”

check verify = sender
routing [email protected]
external-domain.com.br in “dsearch;/etc/exim4/domains/”? no (end of list)
external-domain.com.br in “!+local_domains”? yes (end of list)
calling dnslookup router

dnslookup router declined for [email protected]
“more” is false: skipping remaining routers
no more routers
----------- end verify ------------

require: condition test failed in ACL “acl_check_rcpt”

end of ACL “acl_check_rcpt”: not OK

LOG: H=(zimbra.external-domain.com.br) [88.99.xxx.xxx] sender verify fail for [email protected]: all relevant MX records point to non-existent hosts
550 Sender verify failed

LOG: H=(zimbra.external-domain.com.br) [88.99.xxx.xxx] F=[email protected] rejected RCPT [email protected]: Sender verify failed
LOG: SMTP command timeout on connection from (zimbra.external-domain.com.br) [88.99.xxx.xxx]

But I confess I don’t know what to do now . I suppose there is a file for me to check “acl_check_rcpt”, but I don’t know where it is. Could you guide me?
Thanks again

1. . ↩︎

2. . ↩︎

From your server:
dig external-domain.com.br mx

And then
dig domain_you_saw_in_previous_command_as_mx_record

Because all seems a dns issue, maybe you already have some related info to that external domain in your server (maybe a zone in your dns server remains in your server after it was migrated to another one…, some entry in /etc/hosts, etc.)

Wonderful @sahsanu . Solved by adjusting the etc/resolv.conf file and removing localhost ( 127.0.0.1 ) from the list. Thank you for your patience with this Padawan

Then another problem arose, already addressed here on this forum, The false positive of Spamhaus.org. Colleague @Felix addressed this case in the following post, but it was not clear to me what he did in the /etc/bind/bind.named.conf file to circumvent the situation. I would really appreciate it if could share, to avoid me turning off Spamhaus.org from my configuration . Post =(Rejecting incoming messages - zen.spamhaus.org)

Thank you very much

Glad it is solved but, why you need to remove 127.0.0.1 from resolv.conf? I mean, it was your resolver and it is possible not working as expected because there is a zone with the external domain there…

Regarding spamhaus issue, the best thing you could do is to fix the dns issue you have but the other option I would recommend is to create a free query key from spamhaus and use it on your server.

In this link you have all the info to create the key and configure exim to use it.

@sahsanu Don’t worry about the Resolver, everything works OK, as I don’t use Hestia’s DNS as my main DNS; it’s important that it talks to my Cloudflare!

Thank you very much, I made the recommended Spamhaus query key adjustment and everything is working perfectly.
Thank everyone for your help and patience.

See you next time.