421 connection refused by mxmta.owm.bell.net


Just recently I have not been able to send any mail to domain sympatico.ca which uses this mxmta.owm.bell.net domain. It returns “421 connection refused from [my IP]”.

I have tried looking for contact people at sympatico but no luck so far.

Has anyone else had this issue?


More often than not the bounce message will have a link with more information … did you read through the bounce message carefully to be sure that you didn’t miss it?

Of course, oftentimes the links are useless … but that is the first place to start.

Thanks for the reply.

There are no links in the bounce message other than the e-mail addresses involved. It is happening for every user with @sympatico.ca domain.

xxx@bell.net: host mxmta.owm.bell.net[] said: 421 connection refused from [x.x.x.153] (in reply to end of DATA command)

It is a new issue for about a month. Never had this problem before with this domain. Been running MIAB for 2 years.


ssh to your mailinabox. Then ‘tail -f /var/log/mail.log’. While viewing that log, send an email to someone at sympatico.ca and see what the problem is. You won’t get every reason for failure in the bounced email.

Thanks for the suggestion. I don’t see anything other useful information:

Sep 1 13:41:35 box postfix/smtp[2608]: 7B357201CF: to=XXX@sympatico.ca, relay=mxmta.owm.bell.net[]:25, delay=0.55, delays=0.14/0.01/0.07/0.32, dsn=4.0.0, status=deferred (host mxmta.owm.bell.net[] said: 421 connection refused from [x.x.x.153] (in reply to end of DATA command))

Well there is always the old school approach.

Attempt to send an email with the above log entry (not sanitized) to postmaster@sympatico.ca and cc it to postmaster@bell.ca along with a request to unblock your IP. There is a slight chance that the email to sympatico.ca will be allowed, and if it is not, bell.ca will forward it on.

I have had the “sympatico.ca” issue for a couple of months.

I use MS Exchange server to host my email from which I can trace an email to sympatico.ca


Notice that the third step references our favorite URL: mxmta.own.bell.net

and this trace also mentions its IP address:

Finally I received a rejection email that ends with this:
X-Report-Abuse-To: spam@scanner01.mail.supportedns.com

I have sent the rejection email and these images to the two postmaster email addresses mentioned here in an earlier post. with a request to unlock my IP address.

Will let you know if this works.

Thanks so much. Here’s hoping it gets us somewhere. I am still stuck with it.

I heard back from Abuse at Bells .ca address this morning. It appears there is an issue with a TXT file dealing SPF servers often used to help filter spam, I sent him a test email that he requested.

'We were able to receive your email directly to our inbox. We don’t see any issues receiving emails from dicx to sympatico or bell email addresses.

'However, if emails are forwarded from a 3rd party email domain to a sympatico or bell email address this will not work. The domain dicx has strict SPF records and Bell email server does have SPF validation.

'Our servers are following the instructions provided in the SPF record for {my domain name) by not accepting email from non approved servers.

On checking out this MS page:

Email errors

I decided to remove the TXT file that Microsoft recommends re dealing with SPF servers.

Hope this helps.

Could you elaborate?

@alento - I’d be interested to know if the mails were being sent to a Microsoft address and then forwarded on. I’ve had a look into this before and I don’t think that the situation has been changed at their end.

Microsoft do some weird things when they receive a mail. They validate via SPF and DKIM but then if you take the source of the mail from the inbox and run DKIM again, you find that the mail does not validate.

I’ve just sent a mail from my box to two addresses and then saved the mails from their respective mailboxes

Blueyonder -> bluetest.eml
Outlook -> outtest.eml

I have Anaconda and the DKIM module installed on my Windows desktop so I tested them both with the DKIMVerify command

>dkimverify < bluetest.eml
signature ok

>dkimverify < outtest.eml
signature verification failed

Bear in mind that this is not one mail sent twice, but the same mail.

If we look at the Outlook Authentication header:

Authentication-Results: spf=temperror (sender IP is
 smtp.mailfrom=timothydutton.co.uk; outlook.com; dkim=pass (signature was
 verified) header.d=timothydutton.co.uk;outlook.com; dmarc=pass action=none
 header.from=timothydutton.co.uk;compauth=pass reason=100

Not quite sure about the SPF temperror (although I have moved my box recently) but DKIM passed.

Somewhere between receiving my mail and putting it in my Inbox, Microsoft amended the mails MIME headers. While the appearance of the mail is not altered, this breaks DKIM. So it looks as if when applying the auto forward, Microsoft send on the amended mail.

Forwarding already breaks SPF, but provided DKIM validated, this wasn’t an issue. With DKIM broken as well, DMARC fails.

Someone needs to put pressure on Microsoft to fix what they’ve broken.

I agree that MS needs to fix their broken setup.

Having removed the TXT file recommended and mentioned earlier, all my contacts with Sympatico.ca addresses are receiving their emails.

This is the TXT file that I removed from DNS setup:
v=spf1 include:spf.protection.outlook.com -all

Hope this helps.

This is promising. How does this apply to MIAB? I am not using any Microsoft stuff. Is Microsoft and Sympatico linked in some way?

So to clarify this was from a MS Exchange server, not MiaB, correct?

There is no link other than the publicly shown way in the MS page I referenced.
Sympatico.ca addresses were those given out by Bell Canada; however, they no longer give out Sympatico.ca addresses. Probably now bell.net.

@drdandc - My apologies, I think I may have been confused by JimCanuck’s reference to MS

What’s curious is that you get the error at the end of the DATA send (which is the very last part of the email send)