SMTP mail sent to front-end server internally not reaching internal recipients only

We recently set up a front-end server to handle ActiveSync, RPC over HTTPS and OWA.  Everything works fine.

All SMTP traffic is designed to go through our back-end server, whether it be Exchange traffic or a few SMTP notifications we have set up.  We have one application that handles notifications, and someone switched it to the front-end server for the SMTP notifications to go out.  No big deal, except we found that external SMTP mail works going through the FE, but not any SMTP mail destined for internal recipients.

We switched it back and it works fine through the back-end, but some people have a history of making this change and we're not aware of it until days later when notifications are not getting through.

On the SMTP relay properties of the FE server, I have it set so no one can access it, yet it appears they can still send mail through it.  Thoughts?
dipersp asked:
Stacy Spear (President/Principal Consultant) commented:
If you are sending traffic out of the backend, why even have a FE?

Control who has access to Exchange properties with security groups ASAP. If you set up an SMTP connector with * as the SMTP address space and the backend as the local bridgehead, that should force all mail to go out through the backend, I believe.
dipersp (Author) commented:
I was always under the impression a FE server wasn't for SMTP traffic, but for web-type stuff (OWA, rpc, etc.)
Sembee commented:
If I have a frontend I will usually push everything through it. SMTP inbound and outbound traffic, OWA and other web services. One machine exposed to the internet - and a machine that doesn't have my live content. Takes some load off the backend server.

Simon.
dipersp (Author) commented:
Darkstar - as for access, it's not that someone has rights to monkey with Exchange settings they shouldn't.  The problem is someone is setting up a server to send smtp notifications through the wrong smtp server.

Simon - more info please.  I'm looking through logs and not seeing errors.  Not sure I understand why any smtp mail going through the FE for external recipients is fine, but internal isn't.
dipersp (Author) commented:
And here are some entries from the back-end server's SMTP logs (identities changed to protect the innocent).  Servers are on the same subnet, no router or anything between them.

2006-09-08 04:13:56 10.0.0.9 fe.domain.local EHLO +fe.domain.local 250 0 320 37 0
2006-09-08 04:13:56 10.0.0.9 fe.domain.local x-exps +GSSAPI 0 0 22 13 0
2006-09-08 04:13:56 10.0.0.9 fe.domain.local x-link2state +LAST+CHUNK={0000006a}+MULTI+(5)+({00000051}+DIGEST_QUERY+daf6d1a122a8cf42b4df2d5a5a2a7f0b+d6a3103bd2b073e9c772e8f68c60584e++)++ 200 0 68 140 15
2006-09-08 04:13:56 10.0.0.9 fe.domain.local MAIL +FROM:<sender@domain.com> 250 0 55 42 0
2006-09-08 04:13:56 10.0.0.9 fe.domain.local RCPT +TO:<recipient@domain.com> 250 0 41 38 0
2006-09-08 04:13:56 10.0.0.9 fe.domain.local xexch50 +1084+2 354 0 22 14 0
2006-09-08 04:24:26 10.0.0.9 fe.domain.local QUIT fe.domain.local 240 630188 22 14 630157


2006-09-08 04:39:26 10.0.0.9 fe.domain.local EHLO +fe.domain.local 250 0 320 37 0
2006-09-08 04:39:26 10.0.0.9 fe.domain.local x-exps +GSSAPI 0 0 22 13 0
2006-09-08 04:39:26 10.0.0.9 fe.domain.local x-link2state +LAST+CHUNK={0000006a}+MULTI+(5)+({00000051}+DIGEST_QUERY+daf6d1a122a8cf42b4df2d5a5a2a7f0b+d6a3103bd2b073e9c772e8f68c60584e++)++ 200 0 68 140 0
2006-09-08 04:39:26 10.0.0.9 fe.domain.local MAIL +FROM:<sender@domain.com> 250 0 55 42 0
2006-09-08 04:39:26 10.0.0.9 fe.domain.local RCPT +TO:<recipient@domain.com> 250 0 41 38 0
2006-09-08 04:39:26 10.0.0.9 fe.domain.local xexch50 +1084+2 354 0 22 14 0
2006-09-08 04:49:55 10.0.0.9 fe.domain.local TIMEOUT fe.domain.local 121 150994954 60 14 628391
2006-09-08 04:49:55 10.0.0.9 fe.domain.local QUIT fe.domain.local 240 628531 60 14 628391


And here's the same data from the FE server.  It seems it never sends the data - there's nothing further in the log for these two entries, such as a timeout or quit or anything.

2006-09-08 04:13:56 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 220+be.domain.local+Microsoft+ESMTP+MAIL+Service,+Version:+6.0.3790.1830+ready+at++Fri,+8+Sep+2006+00:13:56+-0400+ 0 0 131 0 16 SMTP - - - -
2006-09-08 04:13:56 10.0.0.7 OutboundConnectionCommand SMTPSVC1 fe - 25 EHLO - fe.domain.local 0 0 4 0 16 SMTP - - - -
2006-09-08 04:13:56 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 250-be.domain.local+Hello+[10.0.0.9] 0 0 53 0 16 SMTP - - - -
2006-09-08 04:13:56 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 334+GSSAPI+supported 0 0 20 0 16 SMTP - - - -
2006-09-08 04:13:56 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 334+oYGhMIGeoAMKAQChCwYJKoZIgvcSAQICooGJBIGGYIGDBgkqhkiG9xIBAgICAG90MHKgAwIBBaEDAgEPomYwZKADAgEXol0EW9m78htE7zLQuYlSnsdwWzusoFkJOU4+rjjfV2ACbpXaaFSvtuiNMIlOlXGDF9g+ezbKkbVUXmHqsdUBjnOHXwTfPph9Li5BVpLwghxn9CAVsWk0vqnbgOlU1Ps= 0 0 224 0 16 SMTP - - - -
2006-09-08 04:13:56 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 235+2.7.0+Authentication+successful. 0 0 36 0 16 SMTP - - - -
2006-09-08 04:13:56 10.0.0.7 OutboundConnectionCommand SMTPSVC1 fe - 25 X-LINK2STATE - LAST+CHUNK={0000006a}+MULTI+(5)+({00000051}+DIGEST_QUERY+daf6d1a122a8cf42b4df2d5a5a2a7f0b+d6a3103bd2b073e9c772e8f68c60584e++)++ 0 0 12 0 16 SMTP - - - -
2006-09-08 04:13:56 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 200+LAST+CHUNK={00000029}+MULTI+(5)+({00000010}+DONE_RESPONSE++)++ 0 0 66 0 31 SMTP - - - -
2006-09-08 04:13:56 10.0.0.7 OutboundConnectionCommand SMTPSVC1 fe - 25 MAIL - FROM:<sender@domain.com> 0 0 4 0 31 SMTP - - - -
2006-09-08 04:13:56 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 250+2.1.0+sender@domain.com....Sender+OK 0 0 53 0 31 SMTP - - - -
2006-09-08 04:13:56 10.0.0.7 OutboundConnectionCommand SMTPSVC1 fe - 25 RCPT - TO:<recipient@domain.com> 0 0 4 0 31 SMTP - - - -
2006-09-08 04:13:56 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 250+2.1.5+recipient@domain.com+ 0 0 39 0 31 SMTP - - - -
2006-09-08 04:13:56 10.0.0.7 OutboundConnectionCommand SMTPSVC1 fe - 25 XEXCH50 - 1084+2 0 0 7 0 31 SMTP - - - -
2006-09-08 04:13:56 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 354+Send+binary+data 0 0 20 0 31 SMTP - - - -

2006-09-08 04:39:26 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 220+be.domain.local+Microsoft+ESMTP+MAIL+Service,+Version:+6.0.3790.1830+ready+at++Fri,+8+Sep+2006+00:39:26+-0400+ 0 0 131 0 16 SMTP - - - -
2006-09-08 04:39:26 10.0.0.7 OutboundConnectionCommand SMTPSVC1 fe - 25 EHLO - fe.domain.local 0 0 4 0 16 SMTP - - - -
2006-09-08 04:39:26 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 250-be.domain.local+Hello+[10.0.0.9] 0 0 53 0 16 SMTP - - - -
2006-09-08 04:39:26 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 334+GSSAPI+supported 0 0 20 0 125 SMTP - - - -
2006-09-08 04:39:26 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 334+oYGhMIGeoAMKAQChCwYJKoZIgvcSAQICooGJBIGGYIGDBgkqhkiG9xIBAgICAG90MHKgAwIBBaEDAgEPomYwZKADAgEXol0EWyLZ0xdoj3FmYuw7H7dKWcbZAvwZK3IqfkxIQZ+gsXhpqK/hz8kk4PaMjaDQ1m4dtiYKQCXaOpGHYSi7IpqOyBf+fJqwpudY77QVStfXNP9GkqGo5PxC9HUghXI= 0 0 224 0 125 SMTP - - - -
2006-09-08 04:39:26 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 235+2.7.0+Authentication+successful. 0 0 36 0 125 SMTP - - - -
2006-09-08 04:39:26 10.0.0.7 OutboundConnectionCommand SMTPSVC1 fe - 25 X-LINK2STATE - LAST+CHUNK={0000006a}+MULTI+(5)+({00000051}+DIGEST_QUERY+daf6d1a122a8cf42b4df2d5a5a2a7f0b+d6a3103bd2b073e9c772e8f68c60584e++)++ 0 0 12 0 125 SMTP - - - -
2006-09-08 04:39:26 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 200+LAST+CHUNK={00000029}+MULTI+(5)+({00000010}+DONE_RESPONSE++)++ 0 0 66 0 125 SMTP - - - -
2006-09-08 04:39:26 10.0.0.7 OutboundConnectionCommand SMTPSVC1 fe - 25 MAIL - FROM:<sender@domain.com> 0 0 4 0 125 SMTP - - - -
2006-09-08 04:39:26 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 250+2.1.0+sender@domain.com....Sender+OK 0 0 53 0 125 SMTP - - - -
2006-09-08 04:39:26 10.0.0.7 OutboundConnectionCommand SMTPSVC1 fe - 25 RCPT - TO:<recipient@domain.com> 0 0 4 0 125 SMTP - - - -
2006-09-08 04:39:26 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 250+2.1.5+recipient@domain.com+ 0 0 39 0 125 SMTP - - - -
2006-09-08 04:39:26 10.0.0.7 OutboundConnectionCommand SMTPSVC1 fe - 25 XEXCH50 - 1084+2 0 0 7 0 125 SMTP - - - -
2006-09-08 04:39:26 10.0.0.7 OutboundConnectionResponse SMTPSVC1 fe - 25 - - 354+Send+binary+data 0 0 20 0 125 SMTP - - - -
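The two log excerpts above show the same failure from both sides: the back end answers 354 to XEXCH50 (go ahead and send the message) and then logs nothing from the front end until a TIMEOUT/QUIT roughly ten minutes later. The following script is an added example, not part of the thread, that turns that observation into a detection rule over the back-end's W3C-format SMTP log: it groups lines into sessions per client IP, and reports any session that received a 354 without a subsequent 250 before the session ended. The sample log is constructed for the example; the first two sessions are modelled on the lines quoted above (minus the x-link2state entries), the third is a made-up healthy session whose exact completion-line shape is illustrative.

```python
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample of a Microsoft SMTP service (W3C extended) log. Fields:
# date time c-ip cs-username cs-method cs-uri-query sc-status sc-win32-status
# sc-bytes cs-bytes time-taken. Sessions 1 and 2 mirror the stalled sessions
# quoted in the thread; session 3 is a constructed healthy session.
SAMPLE_LOG = """\
2006-09-08 04:13:56 10.0.0.9 fe.domain.local EHLO +fe.domain.local 250 0 320 37 0
2006-09-08 04:13:56 10.0.0.9 fe.domain.local x-exps +GSSAPI 0 0 22 13 0
2006-09-08 04:13:56 10.0.0.9 fe.domain.local MAIL +FROM:<sender@domain.com> 250 0 55 42 0
2006-09-08 04:13:56 10.0.0.9 fe.domain.local RCPT +TO:<recipient@domain.com> 250 0 41 38 0
2006-09-08 04:13:56 10.0.0.9 fe.domain.local xexch50 +1084+2 354 0 22 14 0
2006-09-08 04:24:26 10.0.0.9 fe.domain.local QUIT fe.domain.local 240 630188 22 14 630157
2006-09-08 04:39:26 10.0.0.9 fe.domain.local EHLO +fe.domain.local 250 0 320 37 0
2006-09-08 04:39:26 10.0.0.9 fe.domain.local MAIL +FROM:<sender@domain.com> 250 0 55 42 0
2006-09-08 04:39:26 10.0.0.9 fe.domain.local RCPT +TO:<recipient@domain.com> 250 0 41 38 0
2006-09-08 04:39:26 10.0.0.9 fe.domain.local xexch50 +1084+2 354 0 22 14 0
2006-09-08 04:49:55 10.0.0.9 fe.domain.local TIMEOUT fe.domain.local 121 150994954 60 14 628391
2006-09-08 04:49:55 10.0.0.9 fe.domain.local QUIT fe.domain.local 240 628531 60 14 628391
2006-09-08 05:02:10 10.0.0.23 - EHLO +ws23.domain.local 250 0 320 37 0
2006-09-08 05:02:10 10.0.0.23 - MAIL +FROM:<alerts@domain.com> 250 0 55 42 0
2006-09-08 05:02:10 10.0.0.23 - RCPT +TO:<ops@domain.com> 250 0 41 38 0
2006-09-08 05:02:10 10.0.0.23 - DATA - 354 0 20 6 0
2006-09-08 05:02:11 10.0.0.23 - DATA - 250 0 45 1180 16
2006-09-08 05:02:11 10.0.0.23 - QUIT ws23.domain.local 240 0 22 14 20
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_line(line: str) -> Optional[dict]:
    """Pull timestamp, client IP, method and SMTP status out of one log line.
    Returns None for header/comment lines and lines of unexpected shape."""
    parts = line.split()
    if len(parts) < 7 or parts[0].startswith("#"):
        return None
    try:
        when = datetime.strptime(f"{parts[0]} {parts[1]}", TIME_FMT)
        status = int(parts[6])
    except ValueError:
        return None
    return {"when": when, "client": parts[2], "method": parts[4].upper(), "status": status}


def find_stalled_sessions(log_text: str) -> List[dict]:
    """One finding per session in which the server answered 354 (waiting for
    the message body) and the session ended, or the log ran out, without a
    250 acceptance ever following."""
    open_sessions: Dict[str, dict] = {}  # client IP -> session state
    findings: List[dict] = []

    def close(client: str, ended_by: Optional[str], at: Optional[datetime]) -> None:
        sess = open_sessions.pop(client)
        pending = sess["awaiting_body_since"]
        if pending is not None:
            findings.append({
                "client": client,
                "session_start": sess["start"].strftime(TIME_FMT),
                "ended_by": ended_by,  # QUIT, TIMEOUT, or None (log ended / reconnect)
                "waited_seconds": int((at - pending).total_seconds()) if at else None,
            })

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        client, method = rec["client"], rec["method"]
        if method in ("EHLO", "HELO"):
            if client in open_sessions:  # client reconnected without a QUIT
                close(client, None, None)
            open_sessions[client] = {"start": rec["when"], "awaiting_body_since": None}
            continue
        sess = open_sessions.get(client)
        if sess is None:
            continue  # e.g. the QUIT the server logs right after a TIMEOUT
        if rec["status"] == 354:
            sess["awaiting_body_since"] = rec["when"]
        elif rec["status"] == 250 and sess["awaiting_body_since"] is not None:
            sess["awaiting_body_since"] = None  # body delivered and accepted
        if method in ("QUIT", "TIMEOUT"):
            close(client, method, rec["when"])

    for client in list(open_sessions):  # still open when the log ends
        close(client, None, None)
    return findings


if __name__ == "__main__":
    for finding in find_stalled_sessions(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the two 10.0.0.9 sessions and their wait of about 630 seconds each, which matches the time-taken column on the QUIT lines; a client that repeatedly trips this rule while its MAIL/RCPT commands succeed points at something between the two hosts interfering after the envelope is accepted, which is exactly where the thread ends up.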
Sembee commented:
Have you got a smart host set on SMTP virtual servers anywhere? Backend or frontend? If so, those can get in the way.
Do the servers have separate external IP addresses?
Can you telnet to remote SMTP servers from the frontend server?

telnet maila.microsoft.com 25

Simon.
dipersp (Author) commented:
No smart hosts anywhere.
Servers do not have separate external IPs (Not sure this would be an issue since it's on the internal folks that are having problems.)
I can telnet to remote SMTP servers from the fe.
Sembee commented:
Was the Frontend server setup with the information stores dismounted?

Simon.
dipersp (Author) commented:
Nope.  Stores are up and running.
Sembee commented:
Reviewing your original question, if you had set the SMTP properties correctly then no SMTP email could be sent to the machine. Therefore if you don't want anyone to use that server to send email, whether it is internal or external, then you need to apply further restrictions to the server. Personally I don't see the point - I like all Exchange servers to be able to deal with email that comes their way.

When internal messages arrive on the machine, they will sit in the queue. What does the queue say the reason is for the messages sitting there?

I presume that the frontend server can see the backend server? Telnet to port 25 etc?

Simon.
dipersp (Author) commented:
Yes, they can see each other.

When we setup the FE server, we made NO changes to any security or access rights on it.  What I was referring to was that we never explicitly ALLOWED any relaying through the FE.  That's what really threw us was that internal servers WERE relaying through it with no authentication.
Stacy Spear (President/Principal Consultant) commented:
Internal mail should route through without restrictions for valid internal recipients and remote recipients if you have it default.
When you tried to Telnet, did you attempt to create an actual message? If so was it successful? You never (I didn't see it) answered the queues question. Should be some reason that it isn't going.
dipersp (Author) commented:
The queue on the FE shows the connection to the BE server and currently 2 messages in retry state.  The reason it shows is "The connection was dropped by the remote host."

I can telnet into the BE server from a workstation on the network and send a message via telnet from an internal user to an internal user.

I can telnet into the FE server from the same workstation and it allows me to send the message and states it has been queued.  However, I never receive the message.  The message sits in the queue as queued with the other 2 that were here from before.

In looking at the message tracking, it shows the message has been routed and queued for remote delivery.

Looking at the SMTP logs shows the inbound (telnet) connection from my workstation to the FE server, but never shows an attempt to send it out to the BE server.

Again - what's odd is that my workstation does NOT have relay rights to the FE server, yet it accepted the email via telnet.
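The point that keeps coming up in the thread, that a workstation with no relay rights could still submit mail to the FE, follows from how the SMTP virtual server's Access settings are layered: connection control decides who may connect at all, relay restrictions only govern recipients in domains the server is not authoritative for, and mail for a local domain is plain delivery rather than relaying. The following is an added example (not from the thread or from Exchange itself) that models that decision as a small policy function, with a constructed policy and constructed submissions; the reply texts mirror the classic Microsoft SMTP service responses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Simplified model of an SMTP virtual server's Access tab (constructed for this
# example): connection control, local (authoritative) domains, relay restrictions.


@dataclass(frozen=True)
class AccessPolicy:
    local_domains: frozenset            # domains the server delivers locally
    relay_networks: tuple = ()          # ip_network objects allowed to relay
    allow_authenticated_relay: bool = True  # "allow all computers which successfully authenticate"
    denied_networks: tuple = ()         # connection control: blocked source ranges


@dataclass(frozen=True)
class Submission:
    client_ip: str
    authenticated: bool
    rcpt: str


def decide_rcpt(policy: AccessPolicy, s: Submission) -> str:
    """Return the reply the server would give to RCPT TO for this submission.
    Connection control is really enforced at connect time; it is folded in here
    so one function shows the whole decision."""
    ip = ip_address(s.client_ip)
    if any(ip in net for net in policy.denied_networks):
        return "554 5.7.1 Connection refused"
    domain = s.rcpt.rpartition("@")[2].lower()
    if domain in policy.local_domains:
        # Local delivery: relay restrictions never enter into it, which is why
        # an unauthenticated LAN host can hand the FE mail for internal users.
        return f"250 2.1.5 {s.rcpt}"
    if s.authenticated and policy.allow_authenticated_relay:
        return f"250 2.1.5 {s.rcpt}"
    if any(ip in net for net in policy.relay_networks):
        return f"250 2.1.5 {s.rcpt}"
    return f"550 5.7.1 Unable to relay for {s.rcpt}"


def audit(policy: AccessPolicy, submissions: List[Submission]) -> List[Tuple[str, str]]:
    """Evaluate a batch of submissions; handy for checking a policy against the
    cases you expect it to accept and reject before trusting it."""
    return [(s.rcpt, decide_rcpt(policy, s)) for s in submissions]


# Constructed policy: one local domain, no open relay ranges except the back end.
FE_POLICY = AccessPolicy(
    local_domains=frozenset({"domain.com"}),
    relay_networks=(ip_network("10.0.0.7/32"),),
)

# Constructed submissions covering the cases discussed in the thread.
CASES = [
    Submission("10.0.0.23", False, "recipient@domain.com"),   # workstation, internal rcpt
    Submission("10.0.0.23", False, "someone@example.net"),    # workstation, external rcpt
    Submission("10.0.0.23", True, "someone@example.net"),     # authenticated user, external
    Submission("10.0.0.7", False, "someone@example.net"),     # back end, allowed to relay
]

if __name__ == "__main__":
    for rcpt, reply in audit(FE_POLICY, CASES):
        print(f"{rcpt:28} -> {reply}")
```

The first case is the one that surprised the original poster: it is accepted because domain.com is local to the server, not because any relay permission was granted; only the second case, an external recipient from an unauthenticated, non-whitelisted client, is the relay decision, and it is refused.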
dipersp (Author) commented:
Think I might have finally found it.  The FE server had Symantec corporate running on it, and it was doing SMTP checking.  Turned that off and it seems to be working now.
Stacy Spear (President/Principal Consultant) commented:
Good ol' Symantec busy keeping us employed! :)
dipersp (Author) commented:
Yup, that was definitely the problem.  Thanks for trying gang.
BooMod commented:
Closed, 250 points refunded.