Interpreting an SMTP protocol log

Email service is provided by an Exchange Server within a Windows SBS Server 2003 SP2 R2 environment.
I am in discussion with a phone billing software support person. The software periodically polls phone calls from a PABX and sends the software provider an email attaching a report.
It appears to have worked okay for a few months, but has now stopped working. The scheduled emails are not reaching them, it is claimed.

The software provider insists (and rather rudely, if I may add) that the fault lies entirely with our mail server. They offer no suggestions, except to stubbornly maintain that:

- their logs show that our mail server had accepted the outbound messages (I have not seen these logs myself)
- they do not use an authenticated network user account to send; our mail server accepts anonymous logons (as proven by their log)

My question is two-fold.

1) I had always assumed that by default, Exchange Server will only accept for delivery, messages from an authenticated user. I have been able to check and verify that relay is not enabled (as by default).
How do I check/verify that anonymous logon sending is still rejected, or has been turned on for some reason?

2) I have now turned on SMTP protocol logging, for the next few days.
In interpreting the log, what should I look for to verify that our mail server accepted and successfully (or otherwise) delivered messages to a given email domain?

I might add that apart from the above, the mail server appears to be working normally.

Your assistance in helping me resolve this issue would be most appreciated.
In the process, I would also be able to salvage some of my credibility.
NutrientMS commented:
No,  Exchange will accept anonymous messages destined for YOUR domain.  If someone tried to connect to your Exchange server and use it to send an email to a DIFFERENT domain, that would require authentication.  This is called Open Relay (Where your server openly relays messages destined for other domains).

As for SMTP logs, try using the Exchange Message Tracking tool to find the email and see what it says. Otherwise, in the logs, there are normally about 4 lines that will be written for each email message. If it gets all the way up to delivered (put in the user's mailbox) then it was ok. Check to see what messages it logs and we'll be able to tell you where it stopped.

Do you have mail filtering software loaded (Anti-virus / Anti-spam) ?
garychu (Author) commented:
Thanks, NutrientMS.
I suppose this confirms my understanding that messages from an unauthenticated user destined for a different domain could not have been accepted/delivered by our Exchange Server. If these have been rejected, where would I have found them? I have not used the Exchange Message Tracking tool before. Would this help?
I may have to revert back re the SMTP logs in a day or two.
Symantec Mail for Exchange Server is in use. Could not find anything filtered out.
Mail Washer Server for Exchange is used for inbound spam control only.
garychu (Author) commented:
It's me again.
I have now turned on Message Tracking and Logging.
Will wait a day or two before reverting.
Meanwhile, attached is an extract of some lines from the SMTP protocol log.
By way of reference, W-08 is the computer name (IP=
The problem destination is
Does it look to you that there appear to be repeated tries at delivery?
Anyway, I do not have enough experience to make out what those lines indicate.
Can you please help me determine if in fact the message(s) got delivered?

I would look at that as though the emails are going through ok.  250 is a returned OK message, so after each command, the exchange server has returned OK.

On the DATA line, what looks like a unique message ID <> has the recipient server domain, which normally has the domain / server name of the local server sending the message.

Is this an exchange server sending to an exchange server or a computer sending to an exchange server?
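
As an added example (not part of the original thread, and not code from either poster): a short Python reader for an SMTP protocol log in W3C extended format that groups the inbound lines by client and reports whether the server answered 250 after DATA or refused a recipient. The sample log, addresses and field selection are constructed, and treating entries whose cs-username starts with OutboundConnection as the server's outbound leg is an assumption about the log layout.

```python
# Constructed sample in W3C extended log format; hosts and addresses are invented.
SAMPLE_LOG = """\
#Fields: time c-ip cs-username cs-method cs-uri-query sc-status
02:10:01 192.0.2.8 W-08 HELO +W-08 250
02:10:01 192.0.2.8 W-08 MAIL +FROM:<reports@local.example> 250
02:10:01 192.0.2.8 W-08 RCPT +TO:<billing@vendor.example> 250
02:10:02 192.0.2.8 W-08 DATA +<msg1@local.example> 250
02:10:05 198.51.100.25 OutboundConnectionCommand MAIL FROM:<reports@local.example> 0
02:15:40 192.0.2.9 W-09 HELO +W-09 250
02:15:40 192.0.2.9 W-09 MAIL +FROM:<reports@local.example> 250
02:15:41 192.0.2.9 W-09 RCPT +TO:<billing@vendor.example> 550
"""

def parse_w3c(text):
    """Yield one dict per entry, named by the log's own #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def inbound_sessions(rows):
    """Group inbound entries per client IP; HELO/EHLO opens a new session."""
    sessions, open_by_ip = [], {}
    for row in rows:
        # Assumption: the server's own outbound leg is tagged in cs-username.
        if row.get("cs-username", "").startswith("OutboundConnection"):
            continue
        ip, verb = row.get("c-ip", "?"), row.get("cs-method", "").upper()
        if verb in ("HELO", "EHLO") or ip not in open_by_ip:
            open_by_ip[ip] = {"client": ip, "steps": []}
            sessions.append(open_by_ip[ip])
        status = row.get("sc-status", "")
        code = int(status) if status.isdigit() else 0
        open_by_ip[ip]["steps"].append((verb, code))
    return sessions

def verdict(session):
    """What the server told this client: accepted, refused, or incomplete."""
    for verb, code in session["steps"]:
        if verb == "RCPT" and code >= 400:
            return f"refused: RCPT answered {code}"
    if any(v in ("DATA", "BDAT") and c == 250 for v, c in session["steps"]):
        return "accepted: 250 after DATA"
    return "incomplete: no DATA accepted"

def summarise(text):
    return [(s["client"], verdict(s)) for s in inbound_sessions(parse_w3c(text))]

if __name__ == "__main__":
    for client, result in summarise(SAMPLE_LOG):
        print(client, result)
```

A 250 after DATA in the inbound session records that the server took the message from the client; onward delivery to the remote domain is a separate step, which is what Message Tracking reports on.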

garychu (Author) commented:
Hi NutrientMS.
Here I am back with some more logged information.
Attached file contains info I managed to log via Message Tracking and SMTP connector log. I have only included the lines relating to a particular message ID.
It's proving to be a puzzle for me.
1) Message tracking reported an event, "Advanced Queue Failed to Deliver Message"
However, SMTP log shows a return code of 250 for that message. How could this be, if it did not get past the advanced queue stage?
2) I checked for any MSExchangeTransport event-log error that might provide a more detailed reason. (Example, a 4004 error), but could not find any.
3) I have made sure that ESM - Global settings > Internet Message Formats > Default > Properties > General remains at " * ".
4) GFIMail is not used. Symantec Mail Security for MS Exchange is running normally. Could not find any mail/file or attachment quarantined or removed.
5) No NDRs have been generated in spite of 1), see above.

The situation is a local networked computer sending a message to an external email address.
For your reference, in reading the attachment;
Server-SBS ( - domain controller where Exchange Server is installed
LSOP - local domain - internet domain
W-08 - name of the workstation computer sending the message - authenticated user account used to send message - destination address, outside the local network
Local time here is GMT+13

Now, more than ever, I need your help. Thanks
