Thursday, April 18, 2013

Exchange 2010 Unable to Relay Email : Error 451 4.4.0 DNS Query Failed

I'm working on a support request today; my customer found that they cannot send email to a certain domain.

Upon opening the Queue Viewer in EMC, I found that Error 451 4.4.0 DNS Query Failed appeared on the domain that my user tried to send to.

I tried using the telnet command to send email to that domain, but without success: the moment I hit Enter on RCPT TO: someone@domain.com, Error 451 4.4.0 DNS Query Failed appears.

When I performed an nslookup and an MX lookup on the target domain, it resolved successfully via the local AD DNS server.

Looking into the error, and since my customer's messaging infrastructure is designed to send emails directly to the internet without routing through any smart host, I decided to use the well-known Google DNS 8.8.8.8 on the Exchange server to route email instead of the AD DNS. When I hit "Retry" on the mail queue, the email was transferred immediately.

Below are the steps to configure it.

1. Open Exchange Management Console (EMC)
2. On Server Configuration -> Your HUB server -> right-click Properties
3. Click the "External DNS Lookups" tab.
4. Tick "Use These DNS Servers", click "Add" and insert 8.8.8.8 (Google DNS)
5. Click "OK"
6. Go to Organization Configuration -> Send Connector -> right-click Properties
7. Click the "Network" tab.
8. Tick "Use the External DNS Lookup settings on the transport server"
9. Open "Queue Viewer" on "Tools"
10. Find the target domain queue, right-click Retry

The email is transferred after applying the settings.

Thursday, April 4, 2013

Exchange 2010 The Certificate Status could not be determined because the revocation check failed


I helped my customer renew the SSL certificate for Exchange yesterday, but I ran into some issues.
My customer’s environment has a proxy server that handles the internet connection for all users. On the Exchange server I had already specified the Exchange server name in the bypass list, but when I import the certificate into CAS, the error "The Certificate Status could not be determined because the revocation check failed" is displayed in EMC.

I downloaded the Digicert Certificate Utility for Windows to test the proxy settings and the certificate revocation status, and it passes all the tests, but unfortunately whenever I re-import the certificate it displays the previous error.

Finally I decided to import the certificate using PowerShell.

First I import the certificate without assigning services, with the command below:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificate.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

Then I assign services (POP, IMAP, IIS, SMTP) to the certificate with the command below:

Enable-ExchangeCertificate -Thumbprint certificate_thumb_print  -Services POP,IMAP,SMTP,IIS

The command executed successfully, and when I browse to the OWA page it shows that it has the valid certificate now; however, the EMC still shows the revocation check failed error.

I suspect there is something that needs to be configured on the proxy server; however, this is a workaround for myself to get Exchange services published with the valid SSL certificate.
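
To check from the server itself whether the revocation endpoints named in the certificate are reachable, the chain can be built with online revocation checking forced. This is an added example, not part of the original post: the function name Test-CertificateRevocation is hypothetical, certificate_thumb_print is the same placeholder used above, and the closing look at the machine-wide WinHTTP proxy (which is configured separately from the logged-on user's browser proxy) assumes the proxy is the cause.

```powershell
# Added example: diagnose a failed revocation check for an installed certificate.
# Assumption: run in an elevated PowerShell session on the CAS server.

function Test-CertificateRevocation {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$TimeoutSeconds = 15
    )

    # Extensions that list the URLs the server has to reach:
    # 2.5.29.31 = CRL Distribution Points
    # 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP, CA issuers)
    $endpoints = $Certificate.Extensions |
        Where-Object { '2.5.29.31', '1.3.6.1.5.5.7.1.1' -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($true) }

    # Build the chain with online revocation checks for every certificate in it.
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $policy = $chain.ChainPolicy
    $policy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $policy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $policy.UrlRetrievalTimeout = New-TimeSpan -Seconds $TimeoutSeconds
    $valid = $chain.Build($Certificate)

    New-Object PSObject -Property @{
        Subject     = $Certificate.Subject
        ChainValid  = $valid
        ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        Endpoints   = $endpoints
    }
}

# Placeholder thumbprint; take the real value from Get-ExchangeCertificate.
$Thumbprint = 'certificate_thumb_print'
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }

if ($cert) {
    # RevocationStatusUnknown or OfflineRevocation in ChainStatus means the CRL/OCSP
    # endpoints could not be reached; Revoked means the CA has revoked the certificate.
    Test-CertificateRevocation -Certificate $cert |
        Format-List Subject, ChainValid, ChainStatus, Endpoints
}
else {
    Write-Warning "No certificate with thumbprint $Thumbprint in LocalMachine\My"
}

# Show the machine-wide WinHTTP proxy configuration.
netsh winhttp show proxy
```

The check runs in the context of the logged-on administrator, so a clean result here does not prove that a service account on the same server can reach the same URLs.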