[MTA Problem] - Retry timeout exceeded and all hosts for 'domain.fr' have been failing for a long time (and retry time not reached)

I would recommend you SSH into the XG, go to Advanced Shell (Option 5, Option 3) and attempt to send an e-mail to that domain via telnet.  

Lookup the MX record @ https://mxtoolbox.com and then use this guide to sending e-mail via telnet if you're not already familiar with the process.  

https://mediatemple.net/community/products/dv/204404584/sending-or-viewing-emails-using-telnet

Likely you will have an error returned at some point during the process which will give you an idea of what the problem is.  

Tim

I the problem is very strange, because when i test in telnet the test is success...

 but i've an error on mail log (MTA) :

An idea ?

I've add the domain in TLS Exception and same problem...

all hosts for 'orange.fr' have been failing for a long time (and retry time not reached)

Based on my test to smtp-in.orange.fr, it looks like they're still using TLS v1, which is causing the negotiation between the XG and the mail server to fail.  

Trying TLS on smtp-in.orange.fr[193.252.22.65:25] (0):

seconds test stage and result
[000.114] Connected to server
[000.353] <-- 220 mwinf5c58 ME ESMTP server ready
[000.353] We are allowed to connect
[000.353] --> EHLO www6.CheckTLS.com
[000.472] <-- 250-mwinf5c58 hello [159.89.187.50], pleased to meet you
250-HELP
250-SIZE 44000000
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-STARTTLS
250 OK
[000.473] We can use this server
[000.473] TLS is an option on this server
[000.473] --> STARTTLS
[000.601] <-- 220 2.0.0 Ready to start TLS
[000.601] STARTTLS command works on this server
[000.974] Connection converted to SSL
SSLVersion in use: TLSv1
Cipher in use: DHE-RSA-AES256-SHA

For the Skip TLS negotation option on the XG, did you put orange.fr in there or the actual mail server FQDN/IP Address?  Try throwing smtp-in.orange.fr or the two IP addresses that resolves to into the skip list.  

Tim

Hello,

Thanks you for your reply.

I've already adding the 2 IPs of and i've the same problem !

Have you got another idea ?

Hello,

Thanks you for your reply.

I've already adding the 2 IPs of and i've the same problem !

Have you got another idea ?

PM sent.  

Reply, thanks for your help !

Just for visibility to the community, the issue was that the remote mail server was still using TLSv1 and thus TLS negotiation was failing.  The fix was to skip TLS negotiation for the host/ip addresses of the mail servers.

Tim

Hi,

I have added the smtp-in.orange.fr and the two IP as FQDN and in the ignored TLS negociation pannel but I still have the problem with wanadoo.fr which is owned by Orange. I added the IP : 193.252.122.103 as a FQDN but I still get the same error.

Likely that's because you've added the IP the A record of wanadoo.fr resolves to rather than the MX record.  Lookup the MX record from here, https://mxtoolbox.com/MXLookup.aspx, and add that IP into the TLS skip list instead.  

Tim

Wanadoo.fr and orange.fr have the same MX and the same SMTP server since 10 years.

NausicaMedia : please add in your skip TLS : 193.252.22.65 it's the good IP for Wanadoo.fr and orange.fr

Regards.

Hi,

I thought they use the same addresses. I have added this in the skip TLS and I still got the error. Do you uncheck also Disable legacy TLS protocol ?

Yes i've uncheck the Disable Legacy TLS protocol

Can you share a capture of your screen for see your configuration ?

Sure.