SMTP connector queues filling up, outgoing mail not moving.

We are running a single Exchange server, in an active/passive cluster. In the past two days all outgoing SMTP traffic has been at a standstill. Messages simply sit in their queue in a retry state until they expire. I have noticed that if I fail over from server1 to server2, SMTP flows for about a min or so. This is really starting to cause problems and needs to get fixed. I have called Microsoft to no avail, so I am at the feet of the experts here. We have made no changes to the system in the past few months.
thank you,
aksealifeIS ManagerAsked:

paul-adamCommented:
What errors (if any) are you getting in your event logs?

Does the SMTP service stop when mail flow stops?

Has your public mail server IP maybe been blacklisted?
0
vishal_impactCommented:
OK
If you have made no changes then I reckon it's with your ISP. Tell me more about the services your ISP is hosting for you, as well as which outgoing server you are using, and also if you can check the MX records.
But before doing this I would suggest trying this: on the SMTP virtual server, right-click and stop and start the service, do the same on the mail connector, and restart the SMTP, DNS and IIS services and see if this works. Otherwise give me the mentioned details.
0
aksealifeIS ManagerAuthor Commented:
If I go into the event viewer I have the following error in the application log.

"This is an SMTP protocol error log for virtual server ID 1, connection # 1174.  The remote hos "12.191.22.203", responded to the SMTP command "rcpt" with "550.5.7.0 <jquutyhoiav@ifh.com>...Local Policy Violation ". The full commnad sent was "RCPT TO: <jquutyhoiav@ifh.com> ". This will probably cause the connection to fail."

I have this error multiple times, 100+ in the log.


0
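Added example (not part of the original thread): one way to triage the repeated event quoted above is to group the rejections by remote host and enhanced status code, which separates a policy refusal (5.7.x) hitting several different recipients from a single full mailbox. The sample events are constructed from the quoted message; the 192.0.2.0/24 hosts and example.* addresses are placeholders.

```python
import re
from collections import defaultdict

# Matches the Exchange SMTP protocol error text quoted in the post above;
# accepts both "550 5.7.0" and the "550.5.7.0" form shown there.
EVENT_RE = re.compile(
    r'"(?P<host>\d{1,3}(?:\.\d{1,3}){3})", responded to the SMTP command '
    r'"(?P<cmd>\w+)" with "(?P<code>\d{3})[ .](?P<enh>\d\.\d{1,3}\.\d{1,3}) '
    r'<(?P<rcpt>[^>]+)>'
)

_TPL = ('This is an SMTP protocol error log for virtual server ID 1, '
        'connection #{n}. The remote host "{host}", responded to the SMTP '
        'command "rcpt" with "{reply} <{rcpt}>...{text} ".')

# Constructed rows: the first reuses the values from the post, the rest are
# documentation addresses. Columns: remote host, reply, recipient, text.
_ROWS = [
    ("12.191.22.203", "550.5.7.0", "jquutyhoiav@ifh.com", "Local Policy Violation"),
    ("192.0.2.10", "550 5.7.1", "a@example.net", "Rejected by policy"),
    ("192.0.2.10", "550 5.7.1", "b@example.net", "Rejected by policy"),
    ("192.0.2.20", "552 5.2.2", "c@example.org", "Mailbox full"),
    ("192.0.2.20", "552 5.2.2", "c@example.org", "Mailbox full"),
]
SAMPLE_EVENTS = [_TPL.format(n=1174 + i, host=h, reply=r, rcpt=a, text=t)
                 for i, (h, r, a, t) in enumerate(_ROWS)]


def policy_rejects(events):
    """Map remote host -> sorted distinct recipients it refused with 5.7.x."""
    by_host = defaultdict(set)
    for text in events:
        m = EVENT_RE.search(text)
        # RFC 3463: class 5 = permanent failure, subject 7 = security/policy.
        if m and m["enh"].startswith("5.7."):
            by_host[m["host"]].add(m["rcpt"].lower())
    return {host: sorted(rcpts) for host, rcpts in by_host.items()}


def sender_side_hosts(events, min_recipients=2):
    """Hosts refusing several different recipients: not a one-mailbox issue."""
    return sorted(host for host, rcpts in policy_rejects(events).items()
                  if len(rcpts) >= min_recipients)


if __name__ == "__main__":
    print(policy_rejects(SAMPLE_EVENTS))
    print(sender_side_hosts(SAMPLE_EVENTS))
```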
vishal_impactCommented:
Ok
It's with the user policy. If you check in the policy settings, have you got priority highest to emails?
0
aksealifeIS ManagerAuthor Commented:
Where do I check this?
0
aksealifeIS ManagerAuthor Commented:
The SMTP service does not stop when mail flow stops.

I checked and our domain has not been blacklisted.

Internal email is flowing normally and we can receive all outside mail, but we are still not able to send outside.
0
paul-adamCommented:
Well... the "local policy violation" is being generated by the opposite end's mail server, so something your server is sending out is violating a policy setting at the destination. The email addresses in the error messages - are they all the same or are they different addresses?

0
paul-adamCommented:
Have you added any new DNS records... like an SPF record or maybe even a reverse lookup on your mail server's public IP?
0
InfraTechCommented:
In your log entry above, it says the REMOTE host responded with "550.5.7.0 Local Policy Violation", so the policy being referenced is from the remote server. My guess is that they are classifying your email as spam, or the mailbox of the person you are sending to is full.

I would try the SMTPDIAG program from Microsoft, located here: http://www.microsoft.com/downloads/details.aspx?FamilyID=bc1881c7-925d-4a29-bd42-71e8563c80a9&displaylang=en

It's helped me numerous times. You can also try to use telnet following the steps outlined here: http://support.microsoft.com/kb/153119 but SMTPDIAG is easiest.
0
aksealifeIS ManagerAuthor Commented:
The email addresses in the error log are all different. There are also event warnings that the calling client does not have permission to use MTA RPCs. Outgoing emails are slowly moving through the queue on the passive cluster node, but we are still getting errors. No new records have been added, but we have instituted GFI recently, which was working fine till last week. We have uninstalled and disabled it now in an effort to get email back on track.
0
David Scott, MCSENetwork AdministratorCommented:
Which GFI product? Did the uninstall resolve the issue?
0
aksealifeIS ManagerAuthor Commented:
We had GFI MailEssentials 12, the latest build, installed on the Exchange Server cluster, and GFI MailArchiver 4 running on a separate server. Uninstalled MailEssentials and that did not solve the issue.
0
aksealifeIS ManagerAuthor Commented:
Also, outgoing mail appears to work when I fail over to the passive node, server2, on the cluster. Any thoughts as to why SMTP does not work on server1, but does on server2?
0
David Scott, MCSENetwork AdministratorCommented:
It sounds like it could be related to GFI, but you've uninstalled and restarted Exchange?

I would download the Exchange Troubleshooting Assistant: http://www.microsoft.com/Downloads/details.aspx?FamilyID=4bdc1d6b-de34-4f1c-aeba-fed1256caf9a&displaylang=en
There is a way to troubleshoot mail flow issues.

I would do some Google searches on those errors you have in your event logs.

Regarding the local security violation in the logs: is that all from the same domain?

Something is different between the two servers; something on server1 is causing it not to work. We just have to figure out what.

0
David Scott, MCSENetwork AdministratorCommented:
Also try SMTPDIAG as suggested above.
0
David Scott, MCSENetwork AdministratorCommented:
Check to make sure you aren't an open relay: go to dnsstuff.com and do a report on your domain. It might not be free anymore, but a dnsstuff membership is cheap and is a good tool.

0

David Scott, MCSENetwork AdministratorCommented:
Try those and report back. I've gotta leave work now; I'll check back when I get home and see how you are doing.
0
aksealifeIS ManagerAuthor Commented:
Did the dnsstuff report and all was good. Now I am just attempting to find the difference between server1 and server2 that is causing server1 to not allow SMTP. And yes, I did an uninstall of GFI MailEssentials and restarted both servers, as it was installed on the shared drive between the cluster nodes.
0
David Scott, MCSENetwork AdministratorCommented:
Yep, compare the SMTP virtual server settings and SMTP connector settings.
0
vishal_impactCommented:
Hi
OK, I can ask you to try one way around. If you have a mail connector it will forward all your mails as well, and bear in mind the mail connector will override your SMTP virtual server setting. So all you can try is to stop the SMTP server, then restart the connector and IIS services and test the flow. If it's still blocking, then try creating a new SMTP and see if that works, and also make sure to add the new SMTP in your connector as well.
0
aksealifeIS ManagerAuthor Commented:
OK, first off, thank you to all that have offered help so far.
After another 4 hrs with my good buddy at Microsoft, this is what we have come up with. When I am on node2 of the cluster, mail flows in and out like normal; all SMTP traffic is normal. When I am on node1, all internal mail flows normally and outgoing SMTP is blocked. I went to dnsgoodies.com and checked the IP of my firewall, and the MX record. When I am on node1 all return as blocked, but if I go to node2 only a few return as blocked or blacklisted. The MS tech is leading me to believe that a machine on our network is infected with the STORM worm. I am currently scanning all workstations in an attempt to find the infected machine. This would also explain why we have been getting large jumps in bandwidth usage at very strange times of day. Any other thoughts or ideas would be most helpful.
0
David Scott, MCSENetwork AdministratorCommented:
"I went to dnsgoodies.com and checked the IP of my firewall, and the MX record. When I am on node1 all return as blocked". What do you mean, "all return as blocked"?

What is leading him to believe that you have a PC with the Storm worm? The bandwidth? As far as I know, that worm targets systems running IIS 4 or 5 that don't have a certain MS update. Do you have a machine that is/was running IIS 4 or 5?

When your outbound email slows down and stops, what do you see in your queues? Do you see a lot of SMTP connectors to external domains?

The worm can do two things: make the PC part of a botnet and/or send numerous outbound emails.

Do you have any internet reporting software (Websense, for example)? That would help.

If you have the Storm worm on one of your client machines, I don't understand why it would affect the SMTP on one server and not another.
0
aksealifeIS ManagerAuthor Commented:
When email slows and stops, I see a large number of connectors to outside domains that just sit in retry. We do not have any internet reporting software. The MS tech ran that same report on dnsgoodies and all sites reported back that our domain was blocked, and it still shows that we are blocked. He then checked with one of the blacklist sites and it returned a report saying that our domain was detected to be infected with the Storm worm. Now SMTP is slow to nonresponsive on both nodes of the cluster.
0
vishal_impactCommented:
OK
If you are on a blacklist this might happen, so you need to trace back which site has blacklisted you and then go to that site and request to be removed from that blacklist. Before doing so, make sure that you check thoroughly that there is no virus on your server anymore, otherwise after a few mails your server will be blacklisted again. Bear in mind that it takes around 48 hours to be removed totally from a blacklist.
0
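Added example (not from the thread or any poster): a DNSBL lookup reverses the IPv4 octets, appends the list's zone and treats an answer in 127.0.0.0/8 as a listing, so the same check can be run for the public address each cluster node sends from. The zone names, node addresses and constructed resolver are placeholders, and it is an assumption that the two nodes leave the network from different public IPs.

```python
import ipaddress
import socket


def dnsbl_name(ip, zone):
    """Reverse the IPv4 octets and append the blocklist zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def listings(ip, zones, resolve=socket.gethostbyname):
    """Return {zone: answer} for every zone that lists this address."""
    hits = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except socket.gaierror:
            continue  # no A record (or the lookup failed): not counted as listed
        if answer.startswith("127."):  # listings answer inside 127.0.0.0/8
            hits[zone] = answer
    return hits


def compare_nodes(node_ips, zones, resolve=socket.gethostbyname):
    """Run the same check for each node's outbound public address."""
    return {node: listings(ip, zones, resolve) for node, ip in node_ips.items()}


# Constructed data: placeholder zones, documentation addresses, and a
# stand-in resolver so the example runs without network access.
ZONES = ["dnsbl.example", "bl.example.net"]
NODES = {"server1": "192.0.2.25", "server2": "192.0.2.26"}
_FAKE_DNS = {
    "25.2.0.192.dnsbl.example": "127.0.0.2",
    "25.2.0.192.bl.example.net": "127.0.0.4",
    "26.2.0.192.dnsbl.example": "127.0.0.2",
}


def constructed_resolver(name):
    if name not in _FAKE_DNS:
        raise socket.gaierror(socket.EAI_NONAME, "constructed NXDOMAIN")
    return _FAKE_DNS[name]


if __name__ == "__main__":
    for node, hits in compare_nodes(NODES, ZONES, constructed_resolver).items():
        print(node, hits or "not listed")
```

Drop the `resolve` argument to query real DNS, and re-run the check after each delisting request to confirm the address stays off the list.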
David Scott, MCSENetwork AdministratorCommented:
Can you see the senders of the emails? It might be one user's address list that is spoofed as the senders. It might help you isolate which machine is the issue.

How many machines do you have on your network?
0
aksealifeIS ManagerAuthor Commented:
We have run a complete scan of all workstations and servers on the network and removed a few viruses. It appears that a few addresses have been spoofed, and we have under 200 machines on the network. I have applied to be removed from the blacklists we were on, so now I am just waiting to see if we get removed and stay removed. If a user's address is spoofed, how do you resolve that issue? Is it usually a worm, or is there something else that needs to be done?
0
David Scott, MCSENetwork AdministratorCommented:
Not a lot you can do. Some prevention, some trying to track down who spoofed your email. Here is an article with some suggestions:

http://www.windowsecurity.com/whitepapers/How_to_protect_from_SpoofedForged_Email_.html
0
David Scott, MCSENetwork AdministratorCommented:
Did you make sure you aren't an open relay? That will cause you to get blacklisted.
0
aksealifeIS ManagerAuthor Commented:
I did check and we are not an open relay.
0
aksealifeIS ManagerAuthor Commented:
We have now been removed from all blacklists and mail is flowing smoothly.

thank you all for your help.
0
David Scott, MCSENetwork AdministratorCommented:
I think all of our contributions helped lead this asker to the solution.  He called MS for support during this question instead of continuing troubleshooting with us.  I don't think the points should be refunded, yet split amongst the contributors
0
aksealifeIS ManagerAuthor Commented:
I am sorry for the mix-up on the points. You are correct that you all helped us get to the final solution. Thank you all again for the support that you have provided.
0