Solved

Local messages stuck in queue but external mail gets through...

Posted on 2003-10-27
2,683 Views
Last Modified: 2010-03-05
Here's the setup...

New 2nd E2K server(zoot), one Win2K domain, 2 Win2K sites (one E2K server in each), firewall between with port 25 allowed, one Exchange Administrative Group. DNS handled on a different server (unfortunately but the university forces us to do it this way) and it does not support dynamic DNS so all entries are manual.

I set up one new test user on zoot, sent an email from this user to a user on 1st E2K server (home) with no problem. Send test email from mailbox on home to test user on zoot and it fails to be delivered. So, second E2K server can successfully send email but cannot receive. Send a test message from telnet on home to zoot...works fine. Send test message from internet to zoot...works fine.

So...the only thing not working is email from home to zoot using mail client (not Telnet).

mx records in DNS are set as follows:
0 home.us.edu
10 zoot.us.edu
30 campusmail.us.edu
50 othercampusmail.us.edu

'nslookup zoot' on home works and returns the correct IP
'nslookup home' on zoot works and returns the correct IP

Queue for zoot on home reads "Remote Delivery" and changes between an Active state and a retry state.

Single Admin Group, single routing group using the default 'direct' connector. Properties under this connector are set to 'use DNS to route to each address space on this connector' and under local bridgehead, it shows 'Home'

Both servers show up in Exchange System Manager under Servers and both show up under Members in the Routing Group. Home is the master, zoot is a member.

SMTP logging is turned on and here is what I get when I send that test message to fbernie...

2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 220+***********************************************************0*2************************2******200********0***0*00+ 0 117 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - EHLO home.itsc.uah.edu 0 4 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 500+5.3.3+Unrecognized+command 0 30 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - HELO home.itsc.uah.edu 0 4 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 250+zoot.itsc.uah.edu+Hello+[146.229.234.51] 0 44 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - MAIL FROM:<thompson@itsc.uah.edu> 0 4 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 250+2.1.0+thompson@itsc.uah.edu....Sender+OK 0 44 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - RCPT TO:<fbernie@itsc.uah.edu> 0 4 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 250+2.1.5+fbernie@itsc.uah.edu+ 0 31 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - DATA - 0 4 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 354+Start+mail+input;+end+with+<CRLF>.<CRLF> 0 44

Am I missing a step here like telling the Exchange Server how to talk between the two servers?

Thanks in advance...

Question by:ConnieCA
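The SMTP log in the question already carries the diagnosis: the 220 greeting has been replaced by a row of asterisks, and EHLO is answered with "500 5.3.3 Unrecognized command" so the sender falls back to HELO. Both are the fingerprints of a PIX "fixup protocol smtp" (MailGuard) inspection, which masks the banner and passes only the seven minimum SMTP verbs (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT). The following parser is an added example, not code from the thread or from any of its posters: it reads Exchange 2000 / IIS SMTP service W3C log lines in the layout the poster showed (the field positions are inferred from those lines and are an assumption), and flags a session whose greeting is masked or whose EHLO is refused. The first sample is the poster's own log; the second "clean" session is constructed here for contrast.

```python
"""Flag PIX MailGuard symptoms in Exchange 2000 (IIS SMTP service) W3C logs.

Added example; not part of the original thread. Field positions follow the
log lines posted in the question (an assumption about the W3C field order).
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# The seven verbs Cisco documents MailGuard as passing through. Everything else
# (EHLO, X-EXPS, XEXCH50, X-LINK2STATE, ...) is answered "500 5.3.3 Unrecognized command".
MAILGUARD_ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


@dataclass
class Entry:
    event: str                   # e.g. OutboundConnectionCommand / OutboundConnectionResponse
    verb: Optional[str] = None   # SMTP verb for *Command entries
    code: Optional[int] = None   # three-digit reply code for *Response entries
    text: str = ""               # verb argument or reply text


def parse_line(line: str) -> Optional[Entry]:
    """Parse one W3C extended log line; '+' in the query field stands for a space."""
    tok = line.split()
    if not tok or tok[0].startswith("#") or len(tok) < 9:
        return None
    event = tok[3]
    if event.endswith("Command"):
        return Entry(event, verb=tok[7].upper(), text=tok[8].replace("+", " "))
    if event.endswith("Response"):
        m = re.match(r"(\d{3})\b\s*(.*)", tok[8].replace("+", " "))
        return Entry(event, code=int(m.group(1)), text=m.group(2)) if m else None
    return None


@dataclass
class Findings:
    banner_masked: bool = False      # 220 greeting replaced by asterisks
    esmtp_rejected: bool = False     # EHLO answered with a 5xx reply
    rejected_verbs: List[str] = field(default_factory=list)
    reached_data: bool = False       # a 354 was seen, i.e. the envelope was accepted

    @property
    def mailguard_suspected(self) -> bool:
        # A real Exchange 2000 server sends a readable banner and answers EHLO
        # with 250; either symptom points at an SMTP-inspecting firewall in the path.
        return self.banner_masked or self.esmtp_rejected


def analyze_session(lines: Iterable[str]) -> Findings:
    """Walk one outbound session and pair each reply with the verb before it."""
    f = Findings()
    last_verb: Optional[str] = None
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        if e.verb is not None:
            last_verb = e.verb
            continue
        if e.code == 220 and e.text.count("*") >= max(1, len(e.text) // 2):
            f.banner_masked = True
        elif e.code == 354:
            f.reached_data = True
        elif e.code is not None and e.code >= 500 and last_verb:
            f.rejected_verbs.append(last_verb)
            if last_verb == "EHLO":
                f.esmtp_rejected = True
        last_verb = None
    return f


# Sample 1: the log lines from the question, verbatim (the last one is truncated there too).
PAGE_LOG = """
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 220+***********************************************************0*2************************2******200********0***0*00+ 0 117 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - EHLO home.itsc.uah.edu 0 4 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 500+5.3.3+Unrecognized+command 0 30 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - HELO home.itsc.uah.edu 0 4 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 250+zoot.itsc.uah.edu+Hello+[146.229.234.51] 0 44 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - MAIL FROM:<thompson@itsc.uah.edu> 0 4 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 250+2.1.0+thompson@itsc.uah.edu....Sender+OK 0 44 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - RCPT TO:<fbernie@itsc.uah.edu> 0 4 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 250+2.1.5+fbernie@itsc.uah.edu+ 0 31 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - DATA - 0 4 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 354+Start+mail+input;+end+with+<CRLF>.<CRLF> 0 44
""".strip().splitlines()

# Sample 2: a constructed session with no inspection in the path (not from the thread).
CLEAN_LOG = """
2003-10-27 17:30:00 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 220+zoot.itsc.uah.edu+Microsoft+ESMTP+MAIL+Service+ready 0 60 0 10 - -
2003-10-27 17:30:00 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - EHLO home.itsc.uah.edu 0 4 0 10 - -
2003-10-27 17:30:00 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 250-zoot.itsc.uah.edu+Hello+[146.229.234.51] 0 40 0 10 - -
2003-10-27 17:30:00 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - MAIL FROM:<thompson@itsc.uah.edu> 0 4 0 10 - -
2003-10-27 17:30:00 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 250+2.1.0+Sender+OK 0 20 0 10 - -
2003-10-27 17:30:00 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - DATA - 0 4 0 10 - -
2003-10-27 17:30:00 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 354+Start+mail+input 0 20 0 10 - -
""".strip().splitlines()

if __name__ == "__main__":
    for name, log in (("question log", PAGE_LOG), ("clean session", CLEAN_LOG)):
        print(name, analyze_session(log))
```

Because the session in the question still reaches 354, the envelope itself is not the problem; what breaks is everything Exchange tries after the EHLO fallback, which is why the queue flips between Active and Retry instead of bouncing outright.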
 
LVL 10

Expert Comment

by:OneHump
ID: 9630080
First thing I recommend is to turn off MailGuard (Fixup SMTP) on your PIX.

Then, open the ports you need from this article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;278339

At minimum, you need:

25,389 (TCP/UDP),3268,691 (TCP/UDP).

I believe MailGuard is your primary problem, but it sounds like you need to open up more ports as well.

OneHump
0
 

Author Comment

by:ConnieCA
ID: 9630266
If mailguard were the problem, would that cause the queue to go into a retry state?
0
 
LVL 26

Expert Comment

by:Vahik
ID: 9630994
ConnieCA, if you have a single routing group why do you have connectors? Connectors could get corrupted.
Check out your GAL from both servers and see if all users (including new ones) show up.
0
 
LVL 2

Expert Comment

by:tbird008
ID: 9632870
Hi ConnieCA,

I guess your domain is us.edu right? If it is check this link and check out the error that your connection are facing
http://dnsreport.com/tools/dnsreport.ch?domain=us.edu
I guess that the local mail has never sent out right?  I guess there is also another mail server host by ISP right?  If that is the case the connector is ok since there is no problem sending thru your ISP.  You will need to open port 25 and put a filter on it.  The most important are your DNS settings and SMTP protocol.
If you are not sending that means your outgoing setting in SMTP protocol  has not pointed to your Gateway and its DNS is not pointing to ISP's DNS.
*  click on SMTP protocol and right click on Default SMTP Virtual Server --> select Delivery Tab and go to advance tab --> click on Configure button --> now check if your firewall IP is listed here (Gateway).
* as for your DNS you should remove the "." under your DNS console..this will enable forwarders.  Then right click on the server Name and select forwarders --> now put in the DNS server of your ISP.  This will forward DNS inquiries to your ISP that way it will not be returned back to you several days later because it can't find the destination.   If you have others host your website or other mail server then you need to create A host file in your DNS server pointing it to these area.   For example, your website is www.123.com  you'll need to create www A host file pointing it to your web server IP that is not within your LAN.  As for mail pointer it all depends on your mx record you can have it call postoffice.123.com or mail.123.com or owa.123.com etc..  In any of these cases you will also point it to the MX record's IP address.

Good Luck!
Tbird008
0
 

Author Comment

by:ConnieCA
ID: 9634702
Vahik...

Interesting...this used to be working but I did as you suggested. I added a test user to each server. Home (which is our original DC/Exchange 2K server), Animal (which is our new, 2nd DC that sits in our new 2nd site) and Zoot (which is our new 2nd E2K server which sits in the same site as Animal).

I added a new test user to each of the new servers and only the server added to home shows up in my GAL.

In AD Users and Computers, Zoot & Animal see all 3 new users. Home only sees its own test user.

The connector isn't something I added. It was there (I'm assuming) by default.

Any ideas?

Connie
0
 

Author Comment

by:ConnieCA
ID: 9634731
Additionally, is that info (the new testusers) something that would be impacted by 'mailguard' on the PIX as mentioned above?

0
 

Author Comment

by:ConnieCA
ID: 9634741
Tbird008...

Actually, our domain is 'itsc.uah.edu' and the mx records are set to reflect that. Sorry for the confusion.
0
 

Author Comment

by:ConnieCA
ID: 9634751
Vahik...

It took a while but those test users did eventually show up on home and subsequently in the GAL...
0
 

Author Comment

by:ConnieCA
ID: 9634835
One other piece of info that I didn't include in the original post...

On home (the original E2K server), the queue for zoot.itsc.uah.edu is in a retry state and when you look at properties for that queue, it says 'the connection was dropped by the remote host'
0
 
LVL 26

Expert Comment

by:Vahik
ID: 9637929
Ok, PIX MailGuard is nothing but trouble; just turn it off and see if your problem goes away.
If not then delete your connector (two Exchange servers within the same routing group do not require connectors;
DNS will take care of everything).
Call back if still have problem.
0
 

Author Comment

by:ConnieCA
ID: 9642642
Will do. I'm waiting on the firewall guy to turn off mailguard now.

Just to clarify regarding the routing group...does a routing group have anything to do with mail going to/coming from the outside?  I don't want to mess anything up that has been working on the original server.
0
 
LVL 10

Expert Comment

by:OneHump
ID: 9643474
Sorry I hadn't been posting to this.  Yahoo has apparently been catching my EE mail as spam, even though I had turned that "feature" off.  

Looks like Vahik has this one under control.

OneHump
0
 

Author Comment

by:ConnieCA
ID: 9643601
OK...with mailguard turned off, when I try to send an email to a user on the new exchange server it gets bounced back with this message...

You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <home.itsc.uah.edu #5.7.1 smtp;550 5.7.1 Unable to relay for ztestuser@itsc.uah.edu>

Did I turn something off that I shouldn't have?
0
 
LVL 10

Expert Comment

by:OneHump
ID: 9643750
Thank you for turning MailGuard off.  It's a nasty critter.  :)

Sorry if any of this was covered in prior posts, but are your servers in different forests?  It looks like a recipient policy issue.  

Also please clarify your last post.  Are you sending from one Exchange server to the other?

OneHump
0
 

Author Comment

by:ConnieCA
ID: 9644151
Sorry...

One forest, one domain (itsc.uah.edu), two E2K servers located in two W2K sites. Trying to send a test message between the two.

Firewall guy turned off MailGuard but only temporarily. Evidently (is this correct?) you can't turn it off for traffic between two IPs and he believes it creates a big security problem if it's off.

0
 

Author Comment

by:ConnieCA
ID: 9646361
OneHump...

I ran a tool called portqry to test connectivity between the two exchange servers (keep in mind...one of the exchange servers (zoot) is NOT a domain controller...that is a separate machine).

so...to summarize

One domain, 2 Win2K sites, 2 exchange servers (one in each site), 1 routing group...

Exchange server 'home' also functions as a domain controller
Exchange server 'zoot' is a server but not a domain controller.

user with a mailbox on zoot can send mail to a user with a mailbox on home.
user with a mailbox on home can NOT send mail to a user on zoot (just sits in the queue on home)

ran portqry from zoot to home and queried port 25 (OK) and port 389 TCP/UDP (OK)
ran portqry from home to zoot and queried port 25 (OK) and port 389 TCP/UDP (NOT LISTENING ON EITHER)...

Now given that this is not a domain controller, does port 389 on zoot still need to be open?

Thanks,
Connie
0
 
LVL 26

Expert Comment

by:Vahik
ID: 9646843
0
 
LVL 10

Expert Comment

by:OneHump
ID: 9652329
It would need to be open if those servers are in the same AD site.  I think this is firewall related.  You can confirm that by opening up all ports between the boxes.  I'll bet a buck that your problem is solved at that point.

I believe mailguard gets turned off per pix.  It's a horrible "feature" that should never be on.  I think you'll get consensus about that here.

OneHump
0
 

Author Comment

by:ConnieCA
ID: 9652549
Unfortunately, opening up all ports isn't an option. This being a university, the firewall isn't controlled by us. So I am trying to determine the ports that HAVE to be open on the Exchange server.

The E2K server I'm asking about is in the same AD site as a GC/DC and the other E2K server is in a separate AD Site.

Does the E2K server that isn't a domain controller need 389 to be listening?
0
 
LVL 10

Expert Comment

by:OneHump
ID: 9653236
389 needs to be open between the servers.  The server that is not a DC won't be listening.

I would have a look at Vahik's article and go from there.  It's a bad idea to have a firewall between servers in the same routing group/AD site, but I understand your constraints.  Universities in California are like that too.

OneHump
0
 

Author Comment

by:ConnieCA
ID: 9653272
Yeah...I'm a recent transplant from Cali.

389 needs to be open between the Exchange Servers? or just between the two domain controllers?

Thanks!
0
 
LVL 10

Accepted Solution

by:
OneHump earned 500 total points
ID: 9653307
It needs to be open between any server that needs to talk to a domain controller and all available domain controllers in an AD site.  3268 is another one you need to the DCs in your site.  That's all in Vahik's article.

Exchange really only needs 25 and 691 between Exchange servers.  That does, of course, depend on what you're trying to do.  An FE server might need several more ports between itself and a backend server.

OneHump
0
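The accepted answer boils the firewall question down to a short matrix: 25 and 691 between the two Exchange servers, 389 to every DC in the site and 3268 to the global catalog, and the non-DC will not be listening on 389 at all, so probing it there proves nothing. The following portqry-style checker is an added example (not from the thread or its posters) that encodes that matrix by target role so you only probe ports the target should actually answer. Host names are placeholders taken from the thread; it checks TCP only, so the UDP 389/691 paths still need a separate check, and the "fake" probe in the demo merely models the poster's situation (25 open everywhere, 389/691/3268 filtered) so it runs offline.

```python
"""portqry-style TCP reachability check for the ports Exchange 2000 needs
across a firewall, chosen by the role of the target host.

Added example; not from the thread. Host names are placeholders. TCP only:
UDP 389 and UDP 691 cannot be verified with a connect() and are out of scope.
"""
import socket
import threading
from typing import Callable, Dict, List

# TCP ports per target role, as laid out in the accepted answer above.
PORTS_BY_TARGET_ROLE: Dict[str, List[int]] = {
    "exchange": [25, 691],   # SMTP plus routing-group link-state traffic
    "dc": [389],             # LDAP: needed to every DC in the AD site
    "gc": [389, 3268],       # a global catalog also answers on 3268
}

Probe = Callable[[str, int], bool]


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes; refused, filtered and timed out all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def missing_ports(host: str, role: str, probe: Probe = tcp_open) -> List[int]:
    """Ports that `host` should answer on, given its role, but does not."""
    return [p for p in PORTS_BY_TARGET_ROLE[role] if not probe(host, p)]


def check_site(targets: Dict[str, str], probe: Probe = tcp_open) -> Dict[str, List[int]]:
    """targets maps host -> role ('exchange', 'dc' or 'gc'); returns only hosts with gaps."""
    gaps = {host: missing_ports(host, role, probe) for host, role in targets.items()}
    return {host: ports for host, ports in gaps.items() if ports}


def _accept_once(srv: socket.socket) -> None:
    try:
        conn, _ = srv.accept()
        conn.close()
    except OSError:
        pass


def ephemeral_listener():
    """Start a throwaway local listener so tcp_open can be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_accept_once, args=(srv,), daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration: a fake probe that models the poster's firewall,
    # where only 25 passes. Replace `probe=fake` with the default to hit real hosts.
    fake: Probe = lambda host, port: port == 25
    print(check_site({"zoot": "exchange", "animal": "gc", "home": "gc"}, probe=fake))
```

Run against the real hosts by dropping the `probe=fake` argument; a non-empty result for a DC or GC entry is the "getnexthop" failure mode described later in the thread, and a 691 gap explains a link-state table that never converges.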
 

Author Comment

by:ConnieCA
ID: 9653336
Thanks much...the list from Vahik's article is a long one and I was just trying to find out the minimum ports I need to streamline this troubleshooting process.

Thanks again...
0
 
LVL 10

Expert Comment

by:OneHump
ID: 9653355
My pleasure.  Just ask if you need anything else.
0
 

Author Comment

by:ConnieCA
ID: 9653394
Well I'm still stumped on this problem so I'm combining everything I know about our scenario to repost because I can NOT figure out what is causing mail not to move in one direction internally.

Hopefully I'll see you in that post :)
0
 
LVL 10

Expert Comment

by:OneHump
ID: 9653678
It's the firewall.  :)

Do this...

telnet to port 25 on each exchange server from the other server.  If you can do that, then you have port 25 connectivity.

You then need to make sure you have LSA (Link State Algorithm) access so LSA tables can be built for routing.  Shut down the system attendant on both boxes and use blues port tool to make sure you have 691 open.  Here is a link to that tool:

http://www.webattack.com/download/dlbluesport.shtml

If you have 691 and 25 open, then it might be something called "getnexthop", which is what Exchange uses when contacting an AD server to determine the GUID of the remote MTA it needs to deliver to.  You should use Blues port tool to ensure you have 3268 and 389 open between your Exchange server and ALL DCs in the AD site.  You can't just have one DC accessible, you need ALL DCs.

Try all that and let me know how you do.

OneHump
0
 
LVL 10

Expert Comment

by:OneHump
ID: 9653690
Oh yea, a couple more things:

1.  What queue are these messages in?

2.  Turn logging to Medium for MSExchangeTransport SMTP and Categorizer.  Comb those logs for problems.  If we see nothing there, we'll turn it to max and then add more logging objects.

OneHump
0
