SMTP Code: "450 4.4.1 [internal] Connection timed out"


Article ID: 177767


Products

Messaging Gateway

Issue/Introduction

Symantec Messaging Gateway (SMG) fails to deliver some or all messages and messages are accumulating in the Delivery queue with the following queue status:
 

450 4.4.1 [internal] Connection Timed Out

Cause

This queue status message indicates that SMG is attempting to establish a network connection to the destination mail server on port 25 but the network connection attempt is failing due to a timeout.

Resolution

There are a number of potential reasons why SMG is unable to establish a network connection to the destination mail server. The most common are as follows:

  • A firewall or other network device is denying connection attempts from SMG to the destination mail server
  • A network routing issue is preventing the network connection from being established from SMG to the destination mail server
  • A firewall or other network device is scanning SMTP session content and either interrupting the network connection or taking so long to scan the content that SMTP delivery times out
  • Messaging Gateway has been configured to perform a reverse DNS lookup as part of outbound mail processing, but the reverse lookup is failing.

Diagnosing SMTP connection Issues

  • Perform a telnet test from the SMG command line interface to the destination mail server as described in Troubleshoot email delivery issues using telnet
  • Collect a packet capture of connection attempts to the destination mail server and review the packet capture for failed TCP/IP connection attempts
  • Confirm that any intermediate firewalls or network security devices are configured to allow SMG IP addresses unrestricted ability to connect to port 25 on internal and internet servers / IPs
  • Ensure that firewall or network traffic content scanning is either disabled for SMG message delivery or that this network or content scanning is not interrupting SMTP connections

Firewall Issues

If you have a firewall between the Messaging Gateway and the destination SMTP server, ensure that SMTP/ESMTP inspection features are disabled. Consult with the firewall vendor for information on how to disable these features.

Firewalls that are known to have such features are:

  • Cisco ASA - Disable all esmtp_inspect features
  • Cisco Pix - Disable mailguard
  • Checkpoint - Disable the smart defense technology for SMTP/ESMTP
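The telnet test and the firewall checks above can be scripted. The following is an added example, not Symantec code: it makes one connection to port 25 and separates a connect timeout (blocked or misrouted traffic) from a connection that opens but shows signs of SMTP inspection. The function names, verdict strings and the asterisk threshold are assumptions of this example; run it from a host whose traffic takes the same network path as the scanner.

```python
import socket
import sys

def classify_banner(banner: str) -> str:
    """Interpret the first line received after the TCP connection opens."""
    if not banner:
        return "no-banner"         # connected, but the greeting never arrived
    if not banner.startswith("220"):
        return "unexpected-reply"  # e.g. a 4xx/5xx greeting from the server
    # Heuristic for this example: SMTP inspection on Cisco PIX/ASA is known
    # to overwrite the greeting text with asterisks.
    if banner.count("*") > len(banner) // 2:
        return "banner-masked"
    return "ok"

def probe_smtp(host: str, port: int = 25, timeout: float = 10.0):
    """Return (verdict, banner) for one connection attempt."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        # Same symptom SMG reports as 450 4.4.1: packets dropped or misrouted.
        return "connect-timeout", ""
    except ConnectionRefusedError:
        return "refused", ""       # host reachable, but the port answered RST
    except OSError as exc:
        return "network-error", str(exc)   # DNS failure, no route, ...
    with sock:
        try:
            text = sock.recv(512).decode("ascii", "replace").strip()
        except socket.timeout:
            text = ""              # silent after connect: suspect inspection
        except OSError:
            return "reset-after-connect", ""
    banner = text.splitlines()[0] if text else ""
    return classify_banner(banner), banner

if __name__ == "__main__":
    # Usage: python3 smtp_probe.py <destination-mail-server> [port]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    verdict, banner = probe_smtp(target, port)
    print(f"{target}:{port} -> {verdict} {banner!r}")
```

A `connect-timeout` verdict points to the firewall or routing causes listed under Resolution; `no-banner`, `banner-masked` or `reset-after-connect` point to a device inspecting the SMTP session.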

Reverse DNS Issues

Disable the Reverse DNS Lookup for outbound mail.

  1. In the SMG Control Center, click the Administration tab.
  2. Navigate to Hosts > Configuration.
  3. Click on the scanner(s) having the problem to open their configuration.
  4. Click the SMTP tab, and then click Advanced Settings.
  5. Click the Outbound tab.
  6. Uncheck Enable reverse DNS lookup.
  7. Click Continue.
  8. Click Save.