Solved

SMTP hangs after 354 Send BDATA

Posted on 2004-09-03
Last Modified: 2012-06-27
I have just set up a new Exchange 2k3 in the same organization as my Exchange 2K.  Everything I am doing now I have done in a practice setup and all worked fine.  The new mail server joined the organization just fine.

The only problem that I have is sending mail from a MB on the new 2k3 server to a MB on the 2k server.  The mail transfer hangs after the command

354 Send Binary Data

I verified this with SMTP logging and a sniffer from Ethereal.

If I send mail from 2K to 2K3 all works OK.  I have seen threads regarding firewalls having problems with this SMTP command but this transfer does not occur through a FW.  Both servers are on the same subnet.  Transmission is from NIC to NIC.

Does anyone have any ideas about this?
Question by:sdebenedetto
17 Comments
 

Expert Comment

by:BNettles73

Do you have the IP on the SMTP virtual server *unassigned* ... do you have multiple IPs on the E2K3 box?
 

Author Comment

by:sdebenedetto
It is unassigned but each server only has 1 IP.  Should I assign the 1 IP it does have to the Virtual Server or leave them as is?
 

Expert Comment

by:BNettles73
I'd leave it unassigned ... have you tried turning up MSExchangeTransport on the E2K3 box to maximum and check the event logs on the E2K3 server ...
 

Expert Comment

by:BNettles73
Gotta run to lunch ... I'll try to help you out when I get back ...
 

Expert Comment

by:BNettles73

You might try disabling ESMTP verbs ... http://support.microsoft.com/default.aspx?scid=KB;EN-US;257569 ... I'd try to disable 8BITMIME first, if that works good ... if not maybe temporarily disable all ESMTP verbs ... you'll want to do this after hours since it may stop mail flow temporarily ... I did it to resolve some issues between 5.5 servers and E2K3 - I've also seen some message board postings of MVPs recommending to try this ... still haven't seen an actual fix though ...
 

Author Comment

by:sdebenedetto
Sorry it has taken me some time to get back.  I left early on Friday for a Labor Day weekend getaway with my wife.

I will try the KB article mentioned.  I can do this at any time b/c there is only 1 mailbox on this new server, mine.  I can mess with it as much as I want to get it fixed.

It definitely looks like the problem is on the 2000 side though.  I say this b/c when I updated the driver on the 2000's NIC card and rebooted the server the 2003 message queue emptied and transferred.  I was able to send a few messages before it stopped again.  It is more likely that the problem is on the 2000 side, esp considering that server gets no inbound smtp until now.  Traditionally all of our clients POP3 from an external server and then it gets put on the exchange b/c it arrives to the client's exchange folder.

How do I turn up MSExchangeTransport?
 

Expert Comment

by:BNettles73
Open up System Manager ... navigate to the server > right click and go to properties > click on the diagnostics tab and look for MSExchangeTransport ... you'll see multiple categories in there ... I'd turn up the first two and the SMTP protocol ...
 

Author Comment

by:sdebenedetto
I tried the KB article mentioned above with no success.  I started with shutting off 8bitmime and then tried shutting off all ESMTP verbs and the problem still happens.

The SMTP session always hangs after the commands

XEXCH50 size 2
354 Send binary data

where size is the size of the data to be sent

I found KB article 818222 for shutting off the XEXCH50 command for remote domains but nothing where I can turn it off between 2 servers in the same organization.

Here's the kicker.  I started forwarding mail via smtp from a mailbox on an external server at our ISP to the Exchange server having the problem.  All is happy and OK.  SMTP works fine.  When I sniff these sessions I see that it appears to use 8bit mime and does most things the same as an smtp session between the 2 exchange servers except it doesn't use the XEXCH50 command.

Could this command be the problem?



 

Expert Comment

by:BNettles73

Did you turn off ESMTP verbs on both virtual servers or just one box?

Here is a snippet of information I found regarding the XEXCH50 command and ESMTP verbs ... the guy was talking about a past exploit, but it may shed some light as to the usage and what is going on with the ESMTP verb ... That being said - do you have all of the service packs installed for both exchange servers?



Microsoft Exchange communicates with other email servers via SMTP and Extended SMTP (ESMTP). Microsoft has added multiple extensions within its Exchange application for ESMTP including the XEXCH50 command. This command is referred to as a SMTP extended verb. This extended verb is not part of ESMTP standards, and has not been proposed in any RFCs or accepted by the Internet community as a standard. The exploit lies within this Microsoft proprietary extended verb and Exchange's processing of it.

According to Microsoft's Knowledgebase article 812455, the XEXCH50 command is meant to only be used between Exchange servers. The exploit in question uses this fact and sends values that are not checked properly before their execution to Internet accessible Exchange servers. The command is meant to communicate message properties about recipients and the message itself. The command itself is expected to be less than 50 bytes in length, according to Microsoft. The true vulnerability is that the command takes two parameters and that those parameters are not checked for boundary conditions. The program is expecting positive integers with a reasonable size specifying the message size. The exploit can send a very large number, which is interpreted as the amount of memory to allocate to hold the incoming message.

The XEXCH50 command has been described by the authors of Fluffy the SMTPGuardDog email protection software. "Allows transfer of binary data with Exchange specific recipient information (eg plain text only versus MIME, etc). If accepted, receiver SMTP servers sends 354 Send Binary data and sending SMTP server sends the number of bytes as the first parameter on the XEXCH50 command. Once these bytes are sent, the receiving SMTP server sends an acknowledgement"

Another description of the command simply states that the command is used to transfer email between Exchange servers in the native Exchange format. The description explaining the sample exploit states that the XEXCH50 command has two parameters. The first parameter is the length of the message to be sent while the second parameter is only known, at the time of this document, to be the value of two or smaller integer values. If the first parameter is a very large value, Exchange allocates memory to accommodate the transfer of the expected binary data in the message. If the first value is a negative number, the recipient server will not allocate memory, but will accept data. This last scenario could be used to overwrite the server's heap. A computer's heap is a location in computer's memory that allows space to be dynamically allocated to store data for a currently running program.

(Quoted text from Aaron Smith, GCIH Practical, SANS Institute 2004, page 10 of 54.)

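As an added example (not from this thread, Microsoft, or the quoted paper), the Python below walks a constructed SMTP protocol transcript of the kind the poster captured with SMTP logging, flags a session that stalls after the "354 Send binary data" reply to XEXCH50, and applies the boundary check on the two XEXCH50 parameters that the quoted paper says was missing. The size cap, hostnames and log format are assumptions made for the example.

```python
import re

# Assumed cap for the XEXCH50 size argument; the thread states no real limit.
MAX_XEXCH50_SIZE = 10 * 1024 * 1024
XEXCH50_RE = re.compile(r"^XEXCH50\s+(-?\d+)\s+(-?\d+)\s*$", re.IGNORECASE)

# Constructed 'C:'/'S:' transcript modelled on the hang in the thread
# (sender = Exchange 2003, receiver = Exchange 2000); not the poster's log.
SAMPLE_LOG = """\
C: EHLO mail2k3.example.local
S: 250-mail2k.example.local Hello
S: 250-XEXCH50
S: 250 OK
C: XEXCH50 1024 2
S: 354 Send binary data
"""


def validate_xexch50(command):
    """Boundary-check the two XEXCH50 parameters: size 0..cap, flag 0..2."""
    m = XEXCH50_RE.match(command.strip())
    if not m:
        return False, "malformed: expected 'XEXCH50 <size> <flag>'"
    size, flag = int(m.group(1)), int(m.group(2))
    if size < 0:
        return False, "negative size rejected"
    if size > MAX_XEXCH50_SIZE:
        return False, "size exceeds cap"
    if not 0 <= flag <= 2:
        return False, "unexpected second parameter"
    return True, "ok"


def analyze_session(transcript):
    """Flag the thread's failure mode: a 354 reply to XEXCH50 never followed
    by any further server reply (acknowledgement or error)."""
    rep = {"offered": False, "command": None, "valid": None, "stalled": False}
    awaiting_ack = False
    for raw in transcript.splitlines():
        side, _, line = raw.partition(": ")
        text = line.upper()
        if side == "S" and text.startswith(("250-XEXCH50", "250 XEXCH50")):
            rep["offered"] = True              # receiver advertised the verb
        elif side == "C" and text.startswith("XEXCH50"):
            rep["command"] = line
            rep["valid"] = validate_xexch50(line)[0]
        elif side == "S" and text.startswith("354") and rep["command"]:
            awaiting_ack = True                # receiver now expects raw bytes
        elif side == "S" and awaiting_ack and text[:1] in ("2", "4", "5"):
            awaiting_ack = False               # a reply arrived after the data
    rep["stalled"] = awaiting_ack              # True if the session hung
    return rep
```

Feed `analyze_session` the client/server lines from an SMTP protocol log; a report with `"stalled": True` and `"valid": True` points at something between the two hosts (here it turned out to be the AV software) rather than at a malformed command.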
 

Author Comment

by:sdebenedetto
SP3 on the 2000 box and SP1 on the 2003.

I only turned off the ESMTP verbs for the 2000 box.  The situation only happens with mail being sent from 2k3 to 2k.  From 2k to 2k3 mail is transferred just fine.  My reasoning for doing only 1 side is that it is the receiver of the mail that advertises the verbs in response to ehlo, so I only turned off the verbs on the receiving side of the problem.

Should I turn off ESMTP on the other side as well?

I am working on building a separate routing group with an SMTP connector so that I can specify a transfer of mail with HELO instead of EHLO to see if that will make a difference.  I have never worked with routing groups or connectors before so this may take me a little while.
 

Expert Comment

by:BNettles73
Are both servers in the same site?
 

Expert Comment

by:BNettles73
fyi ... did you turn up MSExchangeTransport on the server that is having difficulty sending email? I'm curious if there is more information in the application event logs ...
 

Author Comment

by:sdebenedetto
I found the problem.  It was with the AV software.  I use Symantec's latest 9.0.  I thought I had it configured properly but there are a couple of options that are new to 9.0 that I missed.  Thanks for all of your help.  It didn't solve the problem but I learned a lot more about how Exchange works and its diagnostic tools.

I have never used this site before.  Can I accept 1 of the other answers so that you get awarded the points, or is that frowned upon?  Even though my problem wasn't solved you sure gave me a lot of good advice and to me that is worth the points.
 

Expert Comment

by:BNettles73
Either way it is probably not a big deal ... awarding the points is solely up to you ... if others had helped I would say no, but since it has been pretty much you and I, it probably isn't a big deal ...

Thanks!! just goes to show ... when in doubt ... check the AV stuff first lol ... I should've known that ... Glad you got it fixed ...
 

Accepted Solution

by:
modulo earned 0 total points
PAQed with no points refunded (of 200)

modulo
Community Support Moderator