• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 348
  • Last Modified:

Attachments from OUTSIDE email, take hours to deliver

We have a FE and BE exchange server, the FE is on a DMZ, BE is on local LAN. What is happening is emails with attachments take hours to deliver?
If i go into exchange system manager and look at queue under FE, it shows the link with BE is in the "retry" state and if i go into there and look at waiting emails they all have attachments. I can "force" connection, still no good. It comes back with "the connection was dropped by remote host"???

If i let it wait, it will eventually; about 4-6 hrs, deliver the email locally??

What can i check ???
0
foad
Asked:
foad
  • 7
  • 5
  • 2
1 Solution
 
Andres PeralesCommented:
Do you have some sort of antivirus installed on those exchange servers?  if so check to see if those systems are the root cause of the problem...that is where I would start.
0
 
foadAuthor Commented:
Yes, symantec for exchange on FE and symantec for server on BE. I don't see anything wrong with their setup????
0
 
Andres PeralesCommented:
are you running the antivirus client on those servers?  If so uninstall...also to test, disable the symantec for exchange on your exchange servers to see if that makes a difference.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
kieran_bCommented:
Another outstanding reason why Exchange FEs don't go in the DMZ
0
 
foadAuthor Commented:
well some of us HAVE to do it that way for PCI standards. Ok i have tested everything, still emails with attachments (1) meg or larger take hours to get delivered?
0
 
kieran_bCommented:
>>well some of us HAVE to do it that way for PCI standards.

I am aware of no standards which force you to weaken security to qualify.

Have you uninstalled the Symantec software yet?
0
 
foadAuthor Commented:
yes, still any email with an attachment over 200k, stays in "queue" directory until about (8) hrs later. I'm at a loss here, nothing seems to make them go through.

All i can say is that we never had this issue before we split exchnage from "basic"; behind firewall to FE/BE.
0
 
kieran_bCommented:
What more can I say - remove the FE from the DMZ and replace it with ISA - Exchange servers in the DMZ weaken security, and are a bad, bad idea
0
 
foadAuthor Commented:
LOL, wish i could, but we have to use DMZ. Where can i find the correct setup for "FE/BE" as far as virtual smtp, and all as i've read numerous cases that say:

The number one reason for mail delivery failure in these circumstances is a smart host on the SMTP Virtual Server on the original server.

ESM, Servers, <your server>, Protocols, SMTP. Right click on the Default SMTP VS and choose Properties. Click on the tab Delivery and then Advanced. Ensure that smart host is blank.

If you need to use a smart host for delivery then use an SMTP Connector instead.

And i have no clue if this is what i should do or how to do it, as the person who "split" our setup does not work here and we have not been able to contact them...

Al
0
 
kieran_bCommented:
>>And i have no clue if this is what i should do or how to do it,

I doubt that is your problem - if it were, it would probably reject mail completely, not just add a delay.

Has this delay been there from the beginning of the FE/BE split?

Unfortunately, I don't really know how much use I am going to be to you now - when I hit a situation like this commercially, I fix it by not using and Exchange FE, but rather an ISA FE.  The only options I can give you are call Microsoft (or if you are cunning, buy a technet subscription and use one of the free calls you get with that) - or get an Exchange consultant in (but I imagine they will tell you to pull the FE from the DMZ).

MS actually do support an FE in the DMZ, but I know of no other Exchange MVPs that recommend it - still, it means that MS support (if you call them) *should* be able to get it working and fix it.
0
 
foadAuthor Commented:
Thanks for the quick response, i'll be calling Microsoft to open a ticket...

I'll update this question as i go...

Al
0
 
kieran_bCommented:
Excellent - let us know how you get on.
0
 
foadAuthor Commented:
OK,  while i;m waiting for ticket, I've been doing some more digging, and this is what i've found on the BE server in the IIS logs:

17:05:51 FEmailserver      EHLO - 250
17:05:51 FEmailserver      x-exps - 0
17:05:51 FEmailserver      x-link2state - 200
17:05:51 FEmailserver      MAIL - 250
17:05:51 FEmailserver      RCPT - 250
17:05:51 FEmailserver      xexch50 - 354
17:05:51 FEmailserver      BDAT - 250
17:05:51 FEmailserver      MAIL - 250
17:05:51 FEmailserver      RCPT - 250
17:05:51 FEmailserver      xexch50 - 354
17:05:51 FEmailserver      BDAT - 250
17:05:51 FEmailserver      MAIL - 250
17:05:51 FEmailserver      RCPT - 250
17:05:51 FEmailserver      xexch50 - 354


is this normal?
and what does it all mean?
0
 
foadAuthor Commented:
Ok, after working with microsoft fro over (6) hrs on the phone, we had no answer, everything was set up correctly.

So this is what I found:
- Antivirus was not the cause
- Exchange setup was not the cause
- NIC was not the cause
- Being on the DMZ; FE, was not the cause

Came down to our firewall has reached it's max capacity and email is a hog, so by having attachments, it was overloading the firewall causing it to "queue" attachments until connectivity was low; usually after normal business hours.

So we have started the process of replacing firewall, which he palnned for new year, but must push that up. I'd like to thank everyone that tried to direct me on this and i'll be going through and looking at "responses" and try to slpit points for your efforts.

Al
0

Featured Post

Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

  • 7
  • 5
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now