ConnieCA
Local messages stuck in queue but external mail gets through...

Here's the setup...

New 2nd E2K server(zoot), one Win2K domain, 2 Win2K sites (one E2K server in each), firewall between with port 25 allowed, one Exchange Administrative Group. DNS handled on a different server (unfortunately but the university forces us to do it this way) and it does not support dynamic DNS so all entries are manual.

I set up one new test user on zoot, sent an email from this user to a user on 1st E2K server (home) with no problem. Send test email from mailbox on home to test user on zoot and it fails to be delivered. So, second E2K server can successfully send email but can not receive. Send a test message from telnet on home to zoot...works fine. Send test message from internet to zoot...works fine.

So...the only thing not working is email from home to zoot using mail client (not Telnet).

mx records in DNS are set as follows:
0 home.us.edu
10 zoot.us.edu
30 campusmail.us.edu
50 othercampusmail.us.edu

'nslookup zoot' on home works and returns the correct IP
'nslookup home' on zoot works and returns the correct IP

Queue for zoot on home reads "Remote Delivery" and changes between an Active state and a retry state.

Single Admin Group, single routing group using the default 'direct' connector. Properties under this connector are set to 'use DNS to route to each address space on this connector' and under local bridgehead, it shows 'Home'

Both servers show up in Exchange System Manager under Servers and both show up under Members in the Routing Group. Home is the master, zoot is a member.

SMTP logging is turned on and here is what I get when I send that test message to fbernie...

2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 220+***********************************************************0*2************************2******200********0***0*00+ 0 117 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - EHLO home.itsc.uah.edu 0 4 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 500+5.3.3+Unrecognized+command 0 30 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - HELO home.itsc.uah.edu 0 4 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 250+zoot.itsc.uah.edu+Hello+[146.229.234.51] 0 44 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - MAIL FROM:<thompson@itsc.uah.edu> 0 4 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 250+2.1.0+thompson@itsc.uah.edu....Sender+OK 0 44 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - RCPT TO:<fbernie@itsc.uah.edu> 0 4 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 250+2.1.5+fbernie@itsc.uah.edu+ 0 31 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - DATA - 0 4 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 354+Start+mail+input;+end+with+<CRLF>.<CRLF> 0 44

Am I missing a step here like telling the Exchange Server how to talk between the two servers?

Thanks in advance...
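As an added example (not code from the post or from Exchange), the following Python script reads the SMTP protocol log lines above and flags the three things a practitioner would notice in them: the 220 greeting arriving as a run of asterisks (that is what PIX MailGuard, `fixup protocol smtp`, does to the banner), the 500 in reply to EHLO (MailGuard only passes the RFC 821 minimum command set, so home drops back to HELO), and the session's last logged reply being the 354, with nothing recorded after the body was handed over. The column positions are an assumption read off the sample lines; the lines themselves are copied from the post, the last one truncated as it is there.

```python
"""Sift an IIS/Exchange 2000 SMTP protocol log excerpt (W3C extended
format) for a masked 220 banner, a 5xx reply to EHLO followed by a HELO
retry, and a session that ends at the 354 with no end-of-data reply.

Added example, not code from the post or from Exchange. Column positions
(cs-method in column 4, cs-uri-stem in column 8, cs-uri-query in column 9)
are read off the sample lines and are an assumption about which fields
this virtual server was logging; the lines themselves are from the post.
"""

# Copied from the post; the final line is truncated there as well.
SAMPLE_LOG = """\
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 220+***********************************************************0*2************************2******200********0***0*00+ 0 117 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - EHLO home.itsc.uah.edu 0 4 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 500+5.3.3+Unrecognized+command 0 30 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - HELO home.itsc.uah.edu 0 4 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 250+zoot.itsc.uah.edu+Hello+[146.229.234.51] 0 44 0 47 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - MAIL FROM:<thompson@itsc.uah.edu> 0 4 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 250+2.1.0+thompson@itsc.uah.edu....Sender+OK 0 44 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - RCPT TO:<fbernie@itsc.uah.edu> 0 4 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 250+2.1.5+fbernie@itsc.uah.edu+ 0 31 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionCommand SMTPSVC1 HOME - DATA - 0 4 0 94 - -
2003-10-27 17:16:09 192.67.107.65 OutboundConnectionResponse SMTPSVC1 HOME - - 354+Start+mail+input;+end+with+<CRLF>.<CRLF> 0 44
"""


def parse_smtp_log(text):
    """Return the session as ordered ('cmd', VERB, arg) / ('rsp', code, text) events."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0].startswith("#"):
            continue                      # W3C header lines or anything too short
        method, stem, query = fields[3], fields[7], fields[8]
        query = query.replace("+", " ")   # W3C logs encode spaces as '+'
        if method.endswith("Command"):
            events.append(("cmd", stem.upper(), query))
        elif method.endswith("Response"):
            events.append(("rsp", query[:3], query))
    return events


def analyze(events):
    """Flag the three symptoms; returns a dict of findings."""
    findings = {
        "banner_masked": False,    # 220 greeting replaced by asterisks
        "ehlo_rejected": False,    # EHLO answered with a 5xx
        "helo_fallback": False,    # HELO sent after the EHLO refusal
        "last_code": None,         # final reply code in the log
        "stalled_in_data": False,  # log ends at the 354, no end-of-data reply
    }
    responses = [e for e in events if e[0] == "rsp"]
    if responses and responses[0][1] == "220" and "*****" in responses[0][2]:
        findings["banner_masked"] = True
    for i, (kind, verb, _arg) in enumerate(events):
        if kind != "cmd":
            continue
        reply = next((e for e in events[i + 1:] if e[0] == "rsp"), None)
        if verb == "EHLO" and reply and reply[1].startswith("5"):
            findings["ehlo_rejected"] = True
        if verb == "HELO" and findings["ehlo_rejected"]:
            findings["helo_fallback"] = True
    if responses:
        findings["last_code"] = responses[-1][1]
        findings["stalled_in_data"] = (events[-1] == responses[-1]
                                       and responses[-1][1] == "354")
    return findings


def report(findings):
    """Human-readable summary, one line per symptom that was found."""
    lines = []
    if findings["banner_masked"]:
        lines.append("220 banner masked with asterisks: typical of PIX MailGuard "
                     "(fixup protocol smtp) sitting between the two servers")
    if findings["ehlo_rejected"]:
        tail = ", sender fell back to HELO (no ESMTP extensions negotiated)" \
            if findings["helo_fallback"] else ""
        lines.append("EHLO refused with a 5xx" + tail)
    if findings["stalled_in_data"]:
        lines.append("session ends at the 354: body handed over, no 250/5xx logged "
                     "(consistent with 'connection was dropped by the remote host')")
    return lines


if __name__ == "__main__":
    for line in report(analyze(parse_smtp_log(SAMPLE_LOG))):
        print("-", line)
```

The EHLO refusal on its own is harmless (falling back to HELO is what RFC 2821 clients do); the masked banner is the tell that an SMTP-inspecting device is in the path, and the 354 with nothing after it is where the "dropped by the remote host" queue status comes from.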

OneHump

First thing I recommend is to turn off MailGuard (Fixup SMTP) on your PIX.

Then, open the ports you need from this article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;278339

At minimum, you need:

25,389 (TCP/UDP),3268,691 (TCP/UDP).

I believe MailGuard is your primary problem, but it sounds like you need to open up more ports as well.

OneHump
ConnieCA (ASKER)

If mailguard were the problem, would that cause the queue to go into a retry state?
ConnieCA, if you have a single routing group, why do you have connectors? Connectors could get corrupted.
Check your GAL from both servers and see if all users (including new ones) show up.
Hi ConnieCA,

I guess your domain is us.edu, right? If it is, check this link and check out the error that your connection is facing:
http://dnsreport.com/tools/dnsreport.ch?domain=us.edu
I guess that the local mail has never sent out, right? I guess there is also another mail server hosted by the ISP, right? If that is the case, the connector is OK since there is no problem sending through your ISP. You will need to open port 25 and put a filter on it. The most important are your DNS settings and SMTP protocol.
If you are not sending, that means your outgoing setting in the SMTP protocol has not been pointed to your gateway and its DNS is not pointing to the ISP's DNS.
* Click on SMTP protocol and right-click on Default SMTP Virtual Server --> select the Delivery tab and go to the Advanced tab --> click on the Configure button --> now check if your firewall IP is listed here (gateway).
* As for your DNS, you should remove the "." under your DNS console; this will enable forwarders. Then right-click on the server name and select Forwarders --> now put in the DNS server of your ISP. This will forward DNS inquiries to your ISP; that way they will not be returned to your server several days later because it can't find the destination. If you have others hosting your website or another mail server, then you need to create an A host record in your DNS server pointing to these. For example, if your website is www.123.com, you'll need to create a www A host record pointing to your web server IP that is not within your LAN. As for the mail pointer, it all depends on your MX record; you can have it called postoffice.123.com or mail.123.com or owa.123.com etc. In any of these cases you will also point it to the MX record's IP address.

Good Luck!
Tbird008
Vahik...

Interesting...this used to be working but I did as you suggested. I added a test user to each server. Home (which is our original DC/Exchange 2K server), Animal (which is our new, 2nd DC that sits in our new 2nd site) and Zoot (which is our new 2nd E2K server which sits in the same site as Animal).

I added a new test user to each of the new servers and only the server added to home shows up in my GAL.

In AD Users and Computers, Zoot & Animal see all 3 new users. Home only sees its own test user.

The connector isn't something I added. It was there (I'm assuming) by default.

Any ideas?

Connie
Additionally, is that info (the new testusers) something that would be impacted by 'mailguard' on the PIX as mentioned above?

Tbird008...

Actually, our domain is 'itsc.uah.edu' and the mx records are set to reflect that. Sorry for the confusion.
Vahik...

It took awhile but those test users did eventually show up on home and subsequently in the GAL...
One other piece of info that I didn't include in the original post...

On home (the original E2K server), the queue for zoot.itsc.uah.edu is in a retry state and when you look at properties for that queue, it says 'the connection was dropped by the remote host'
OK, PIX MailGuard is nothing but trouble. Just turn it off and see if your problem goes away.
If not, then delete your connector (two Exchange servers within the same routing group do not require connectors; DNS will take care of everything).
Call back if still have problem.
Will do. I'm waiting on the firewall guy to turn off mailguard now.

Just to clarify regarding the routing group...does a routing group have anything to do with mail going to/coming from the outside?  I don't want to mess anything up that has been working on the original server.
Sorry I hadn't been posting to this. Yahoo has apparently been catching my EE mail as spam, even though I had turned that "feature" off.

Looks like Vahik has this one under control.

OneHump
OK...with mailguard turned off, when I try to send an email to a user on the new exchange server it gets bounced back with this message...

You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <home.itsc.uah.edu #5.7.1 smtp;550 5.7.1 Unable to relay for ztestuser@itsc.uah.edu>

Did I turn something off that I shouldn't have?
Thank you for turning MailGuard off.  It's a nasty critter.  :)

Sorry if any of this was covered in prior posts, but are your servers in different forests?  It looks like a recipient policy issue.  

Also please clarify your last post.  Are you sending from one Exchange server to the other?

OneHump
Sorry...

One forest, one domain (itsc.uah.edu), two E2K servers located in two W2K sites. Trying to send a test message between the two.

Firewall guy turned off mailguard but only temporarily. Evidently (is this correct?) you can't turn it off for traffic between two IP's and he believes it creates a big security problem if it's off.

OneHump...

I ran a tool called portqry to test connectivity between the two exchange servers (keep in mind...one of the exchange servers (zoot) is NOT a domain controller...that is a separate machine).

so...to summarize

One domain, 2 Win2K sites, 2 exchange servers (one in each site), 1 routing group...

Exchange server 'home' also functions as a domain controller
Exchange server 'zoot' is a server but not a domain controller.

user with a mailbox on zoot can send mail to a user with a mailbox on home.
user with a mailbox on home can NOT send mail to a user on zoot (just sits in the queue on home)

ran portqry from zoot to home and queried port 25 (OK) and port 389 TCP/UDP (OK)
ran portqry from home to zoot and queried port 25 (OK) and port 389 TCP/UDP (NOT LISTENING ON EITHER)...

Now given that this is not a domain controller, does port 389 on zoot still need to be open?

Thanks,
Connie
It would need to be open if those servers are in the same AD site.  I think this is firewall related.  You can confirm that by opening up all ports between the boxes.  I'll bet a buck that your problem is solved at that point.

I believe mailguard gets turned off per pix.  It's a horrible "feature" that should never be on.  I think you'll get consensus about that here.

OneHump
Unfortunately, opening up all ports isn't an option. This being a university, the firewall isn't controlled by us. So I am trying to determine the ports that HAVE to be open on the Exchange server.

The E2K server I'm asking about is in the same AD site as a GC/DC and the other E2K server is in a separate AD site.

Does the E2K server that isn't a domain controller need 389 to be listening?
389 needs to be open between the servers.  The server that is not a DC won't be listening.

I would have a look at Vahik's article and go from there.  It's a bad idea to have a firewall between servers in the same routing group/AD site, but I understand your constraints.  Universities in California are like that too.

OneHump
Yeah...I'm a recent transplant from Cali.

389 needs to be open between the Exchange Servers? or just between the two domain controllers?

Thanks!
ASKER CERTIFIED SOLUTION
OneHump
Thanks much...the list from Vahiks article is a long one and I was just trying to find out the minimum ports I need to streamline this troubleshooting process.

Thanks again...
My pleasure.  Just ask if you need anything else.
Well, I'm still stumped on this problem so I'm combining everything I know about our scenario to repost, because I can NOT figure out what is causing mail not to move in one direction internally.

Hopefully I'll see you in that post :)
It's the firewall.  :)

Do this...

telnet to port 25 on each exchange server from the other server.  If you can do that, then you have port 25 connectivity.

You then need to make sure you have LSA (Link State Algorithm) access so LSA tables can be built for routing.  Shut down the system attendant on both boxes and use blues port tool to make sure you have 691 open.  Here is a link to that tool:

http://www.webattack.com/download/dlbluesport.shtml

If you have 691 and 25 open, then it might be something called "getnexthop", which is what Exchange uses when contacting an AD server to determine the GUID of the remote MTA it needs to deliver to. You should use Blue's port tool to ensure you have 3268 and 389 open between your Exchange server and ALL DCs in the AD site. You can't have just one DC accessible; you need ALL DCs.

Try all that and let me know how you do.

OneHump
Oh yeah, a couple more things:

1.  What queue are these messages in?

2.  Turn logging to Medium for MSExchangeTransport SMTP and Categorizer.  Comb those logs for problems.  If we see nothing there, we'll turn it to max and then add more logging objects.

OneHump
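As an added example (not code from the posts, and not portqry or Blue's Port Scanner), here is a Python TCP reachability check for the ports OneHump keeps coming back to (25, 389, 3268, 691). It is written to make the distinction that the portqry results above turn on: a port reported closed means the host answered with a reset, so the packet got through the firewall and simply nothing listens there (389 on zoot, which is not a DC), whereas a port that times out is being dropped, most likely by the firewall between the two sites. It tests TCP only (portqry's UDP 389 LDAP probe is not reproduced), and the hostname in the usage line is a placeholder.

```python
"""TCP reachability check for the ports discussed in the thread, telling
apart the outcomes that matter when a firewall sits between two Exchange
2000 servers:

  open        a listener answered (wanted for 25 in both directions)
  closed      RST came back: host reached, nothing listening there
              (expected for 389/3268 on an Exchange server that is not a DC)
  filtered    no reply before the timeout: something is dropping the SYN
  unreachable ICMP unreachable or no route
  unresolved  the name did not resolve

Added example; not from the original posts and not portqry. TCP only.
"""
import errno
import socket
import sys

# Ports named in the thread: SMTP, LDAP, Global Catalog, link-state (routing).
EXCHANGE_PORTS = {25: "SMTP", 389: "LDAP", 3268: "LDAP/GC", 691: "link state"}


def classify_exception(exc):
    """Map the socket error from a failed connect() to a reachability verdict."""
    if isinstance(exc, socket.timeout):           # SYN dropped: nothing came back
        return "filtered"
    if isinstance(exc, socket.gaierror):          # name lookup failed
        return "unresolved"
    code = getattr(exc, "errno", None)
    if isinstance(exc, ConnectionRefusedError) or code == errno.ECONNREFUSED:
        return "closed"                           # RST: host up, no listener
    if code in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    return "error"


def check_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect; return the verdict string, never raise."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify_exception(exc)


def check_host(host, ports=EXCHANGE_PORTS, timeout=3.0):
    """Verdict per port, in the order the ports were given."""
    return {port: check_tcp(host, port, timeout) for port in ports}


def explain(port, verdict, target_is_dc):
    """One line of interpretation in the terms the thread uses."""
    service = EXCHANGE_PORTS.get(port, "tcp")
    if verdict == "open":
        return f"{port}/tcp ({service}): open"
    if verdict == "closed":
        if port in (389, 3268) and not target_is_dc:
            return (f"{port}/tcp ({service}): closed, host reached but nothing listening; "
                    "expected, the target is not a domain controller")
        return (f"{port}/tcp ({service}): closed, host reached but nothing listening; "
                "is the service running on the target?")
    if verdict == "filtered":
        return (f"{port}/tcp ({service}): filtered, no reply at all; "
                "a firewall in the path is most likely dropping it")
    return f"{port}/tcp ({service}): {verdict}"


def summarize(host, target_is_dc, timeout=3.0):
    """Run the checks and return the interpretation lines for one host."""
    results = check_host(host, timeout=timeout)
    return [explain(port, verdict, target_is_dc) for port, verdict in results.items()]


if __name__ == "__main__":
    # Placeholder target; pass the real server name and whether it is a DC.
    target = sys.argv[1] if len(sys.argv) > 1 else "zoot.itsc.uah.edu"
    is_dc = len(sys.argv) > 2 and sys.argv[2].lower() == "dc"
    for line in summarize(target, is_dc):
        print(line)
```

Run it from each Exchange server against the other, and against every DC in the target's site, since the thread's point is that all of them need 389 and 3268 reachable. The telnet-to-25 test in the post is the same thing as the `open` verdict here, only with the banner visible; what telnet cannot tell you is whether a failure is a refusal or a silent drop, which is exactly what the firewall administrator needs to hear.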