SMTP Code: "421 4.4.0 [internal] no MXs for this domain could be reached at this time" and emails are stuck in the delivery queue

Article ID: 177595

Products

Messaging Gateway

Issue/Introduction

Symantec Messaging Gateway (SMG) shows messages in the delivery queue with the message "421 4.4.0 [internal] no MXs for this domain could be reached at this time".

Cause

This is not an error but a description of why the message could not be delivered. The message indicates a general mail delivery attempt failure in which the appliance could not communicate with the remote mail system. This may be the result of an inability to successfully connect to the remote host, to resolve the MX records, or to resolve the DNS host names for the email domain to which the appliance is attempting message delivery. This can also be seen if a Control Center host's Quarantine SMTP listener is not available on port 41025.

Possible circumstances that may cause this issue:

  • The local MTA (SMG) cannot communicate with the remote MTA. 
    • Connection refused by remote MTA
    • Connection times out while trying to connect to the remote MTA
    • Mail Exchange (MX) record(s) and A records missing
    • Firewall rule blocking connection from local MTA IP address
  • A remote Control Center's Quarantine SMTP listener is not available on port 41025 (for Quarantine bound Email)
  • Masked mail banner - similar to the one found in Cisco Pix Mailguard/SMTP Fixup (Some domains have slow or no mail delivery with Messaging Gateway and Cisco PIX firewalls)
  • An issue with PTR or RDNS enforcement
  • Invalid Response
  • DNS query failure for calls larger than 512 bytes (DNS UDP packet size has been limited to 512 bytes in SBG 8.0.2-12 and SMG versions)
    • Microsoft KB 828263 

Resolution

  1. Verify that the recipient's MX record can be resolved:
    1. Connect to the SMG scanner via SSH to access the CLI
    2. Execute the following command (replace example.com with the domain that mail is not being delivered to):

      nslookup -type=mx example.com
       
      • If the above command times out, or if the test fails, then there is an issue with DNS resolution and it is recommended that the SMG's DNS settings be reviewed
      • If the above command is successful, proceed to step 2
  2. Verify connectivity to the IP address from step 1:
    1. Connect to the SMG scanner via SSH to access the CLI
    2. Execute the following command:

      telnet -b [SMG's Outbound IP] [IP Address from step 1] 25

      The SMG setting that controls which IP interface is used for delivery of non-local messages can be found by connecting to the SMG's GUI and navigating to Administration -> Configuration -> <scanner> -> SMTP -> Advanced Settings -> Delivery.
    • If the command above fails, then the message returned will indicate whether the target IP address cannot be reached, times out, or is rejecting the connection
    • If the command above succeeds, then the original failure may have been due to an intermittent connectivity issue
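
The step 2 check can also be scripted so that each outcome is mapped to one of the circumstances listed under Cause. The following is an added example, not part of the original article or of SMG; it assumes a host with Python 3 on the same network path as the scanner, and the status labels and function names are its own.

```python
import socket

# Status labels mirror the circumstances listed under "Cause"; the names
# themselves are this example's own, not SMG terminology.
def classify_error(exc):
    """Map a connect-time exception to one of the article's failure circumstances."""
    if isinstance(exc, socket.gaierror):
        return "dns_failure"      # host name could not be resolved
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"          # e.g. a firewall rule dropping the connection
    if isinstance(exc, ConnectionRefusedError):
        return "refused"          # connection refused by the remote MTA
    return "unreachable"          # no route, source bind failure, other OSError

def classify_banner(line):
    """Classify the first line a server sends once the TCP connection opens."""
    text = line.decode("ascii", "replace").strip()
    if not text.startswith("220"):
        return "invalid_response"  # anything other than a 220 greeting
    rest = text[3:].lstrip(" -")
    # An SMTP-inspecting firewall (PIX Mailguard/SMTP Fixup style) replaces
    # most of the banner's characters with '*'.
    if rest and rest.count("*") > len(rest) / 2:
        return "masked_banner"
    return "ok"

def probe_smtp(host, source_ip=None, port=25, timeout=10.0):
    """Connect the way `telnet -b <source_ip> <host> 25` does; return (status, detail)."""
    src = (source_ip, 0) if source_ip else None
    try:
        with socket.create_connection((host, port), timeout=timeout,
                                      source_address=src) as s:
            banner = s.recv(512)
    except OSError as exc:
        return classify_error(exc), str(exc)
    if not banner:
        return "invalid_response", "connection closed before a banner was sent"
    return classify_banner(banner), banner.decode("ascii", "replace").strip()

if __name__ == "__main__":
    import sys
    # usage: python3 probe.py <mx-host-or-ip> [source-ip]
    if len(sys.argv) > 1:
        print(probe_smtp(*sys.argv[1:3]))
```

A `masked_banner` or `timeout` result points at a device between the scanner and the remote MTA rather than at the remote MTA itself.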