• Status: Solved

Exchange Server accepting email for deleted users

My Exchange server is set up to tarpit and do recipient filtering. If I telnet in and try to send an email to randomuser@mydomain.com, it returns 5.1.1 user unknown. Now I have a deleted user, steve@mydomain.com: I have deleted his account and mailbox and forced an update on the RUP, and I am still able to get 2.1.5 OK, and then if I submit an email it just sits in the Deferred Delivery queue. To test this as well, I created a new SMTP address on my account, test@mydomain.com, telnetted in and sent an email, then went back and deleted the SMTP address from my user. I am still able to send an email to the nonexistent user and, behold, it sits in the Deferred Delivery queue. How do I fix this?
 
RobinHuman Commented:
Sounds like tarpit / offline address book / GC is retaining the deleted mail address as valid, and so accepts it; when the mail hits the server, there is no mailbox to deliver to, so it sits in deferred.
What happens if you add the deleted user's mail address to your mail addresses - do you get the mail?
 
HFComm Author Commented:
If I add the email and try to force connection on the queue, I do not get the email, no. Another thing I tried, just to make sure checking was working: I added steve@mydomain.com to my user and then tried to add steve@mydomain.com to another user, and it did fail as the SMTP address exists. The only way I can get the queue to flush out is to actually delete them from the queue.
 
Suraj Commented:
Where is your MX pointing to? Any spam box, like Postini? Or any firewall? Anywhere any (your) AD information exists?

-x
 
Suraj Commented:
Let me know the answer. I have something more for you then...
 
Mestha Commented:
I have known it to take a couple of hours for an SMTP address to be completely removed from the Exchange org. Have you looked in message tracking to see what Exchange is doing with the message?

-M
 
Suraj Commented:
Take an LDP dump and check if the user account still shows up as a stale object in Active Directory. I have seen this happen many times: though you delete a user, it doesn't get deleted completely...
 
HFComm Author Commented:
The MX record points right at the Exchange server right now. In the next couple of weeks we will be implementing a spam firewall (either Aladdin or Barracuda).

Mestha, this particular address was deleted almost 2 months ago and is still queuing up.

x-sam, if you could give a little info on how to dump from LDP: I tried the (proxyAddresses="steve@mydomain.com) and it returns null results, as does the UPN of steve@mydomain.local; both return null. Maybe I am doing it wrong.
 
Suraj Commented:
What is your domain name, and what is the user's email address?
Let me try to telnet from my end and see what it gives me. Make sure you have recipient filtering enabled.
 
Suraj Commented:
Also do:
telnet localhost 25
ehlo

mail from: xyz@remotedomain.com
rcpt to: steve
Hit Enter. What does it give?
 
HFComm Author Commented:
x-sam server is: mx.noemail4.us and the email is dlbulk@noemail4.us

telnet test

250 OK
mail from: test@user.com
250 2.1.0 test@user.com....Sender OK
rcpt to: dlbulk <~~ Just the username
550 5.1.1 User unknown
rcpt to: dlbulk@noemail4.us <~~ old SMTP address that shouldn't work
250 2.1.5 dlbulk@noemail4.us
 
Suraj Commented:
Are you sure your recipient filtering is enabled?
Because if I try telnet and in "rcpt to", even if I put abc@noemail4.us, it says OK; then I tried asdasdasd@noemail4.us and again it said OK...

Check the following:
Global Settings --> properties of Message Delivery --> Recipient Filtering --> check the option which says reject emails for users who are not in AD.

Go to Default SMTP Virtual Server --> General --> Advanced --> check the recipient filter,
then restart the SMTP service.
 
HFComm Author Commented:
OK, so here is what I found after what you said. Rcpt filtering is enabled in both places. I have 4 SMTP domains that users on my server use:

landruweb.net
headfirstcomm.net
noemail4.us
lwnis.com


landruweb.net was the first SMTP domain and the other 3 were added later. Rcpt filtering is working for landruweb.net, but I tried randoms to the other 3 domains and they accept them all. The Active Directory domain is landruweb.local; rcpt filtering is working for that domain as well: if I try to send to unknownuser@landruweb.local it fails.

When I set up the 3 other domains I created separate SMTP connectors for each domain (my early Exchange days). So this morning I even tried moving just noemail4.us to the same connector as landruweb.net and restarted the SMTP virtual server, but noemail4.us still accepts all email while landruweb.net rejects unknowns...
 
Mestha Commented:
SMTP Connectors?
SMTP Connectors are for outbound email only, not inbound. You don't need to have SMTP connectors for those domains, so if you have them, remove them.

-M
 
HFComm Author Commented:
As so I thought..  but follow this trail with me real quick..

everything as is:

220 mx.noemail4.us Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at
  Sun, 22 Feb 2009 09:10:00 -0600
helo
250 mx.noemail4.us Hello [192.168.9.254]
mail from: test@user.com
250 2.1.0 test@user.com....Sender OK
rcpt to: abuse@noemail4.us
250 2.1.5 abuse@noemail4.us


Now removing the SMTP Connector that says noemail4.us

220 mx.noemail4.us Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at
  Sun, 22 Feb 2009 09:11:43 -0600
helo
250 mx.noemail4.us Hello [192.168.9.254]
mail from: test@user.com
250 2.1.0 test@user.com....Sender OK
rcpt to: abuse@noemail4.us
550 5.7.1 Unable to relay for abuse@noemail4.us

 
Mestha Commented:
Unable to relay means Exchange doesn't know it is responsible for email for the domain.
You have made a mistake that others have made in the past, so you are not alone. What you have done with SMTP connectors is allow Exchange to accept the email for those domains. However, it accepts ALL email for those domains, which is why recipient filtering doesn't work. Once the email hits the server, Exchange can then deliver it purely based on the fact that you have users with those domains in their email addresses.

That is not how it is supposed to work and is a quirk of the SMTP connector system. No doubt you had "allow the server to relay email for these domains" enabled as well.

What you should be doing is having the domains listed in recipient policy. Recipient Policy controls which domains Exchange knows it is responsible for. Do you have the domains listed in recipient policy?

-M
 
HFComm Author Commented:
Yes, all the domains are listed in the Recipient Policy and are checked as "This Exchange Organization is responsible for all email sent to this domain".
 
HFComm Author Commented:
As well rcpt filtering works for landruweb.net and landruweb.local which also both have their own SMTP connectors.
 
Mestha Commented:
Those SMTP connectors are not valid and should be removed.
While you have them in there you have an invalid configuration. Remove them and then restart the SMTP Server Service.

You then need to troubleshoot why recipient policy is not updating SMTP correctly so that it accepts emails for those domains. I suspect it has never worked correctly and that is why someone put the SMTP Connectors in place.

Start with the Exchange Best Practices tool from Microsoft and confirm it doesn't flag anything wrong, particularly with SMTP.

-M
 
HFComm Author Commented:
So, if I got this right: I only need the default SMTP connector created by the Exchange install? And then, as long as the additional domains are defined either in the default RP or an additional RP, the email should work correctly?

And then users whose default SMTP address I have changed to one of the other domains should still be able to send email perfectly fine with just the default connector?

I can tell you, if that is the way it is supposed to work, you're right: it has never worked that way, from the very beginning until I created the SMTP connectors.

Well, off to the BPA tool to see what I can find there. Will post results.
 
HFComm Author Commented:
OK, ran the BPA Health Check. The only critical warning that came up was that the page file is larger than physical RAM, and the only 2 things regarding SMTP were that the queue directory is on the same drive as Exchange and that SMTP is running with basic authentication.
 
Mestha Commented:
Exchange doesn't install an SMTP Connector by default, except on SBS.
An SMTP Connector is for outbound email only. Think of it like the SMTP virtual server is the road and the SMTP Connector is the map. All an SMTP Connector tells you is how to route the email.

Exchange routes email based on the recipient, not the sender. So if you change the default email address for one of the other domains the email will flow correctly.

I have to suspect that the recipient policy is either not enabled, or hasn't taken correctly.
Dealing with the easy option first - ensure that the domains are listed either on the default recipient policy or additional policy and are enabled.
If that still doesn't resolve the issue, remove them from the list completely and then restart the Exchange services and the SMTP Server service.
The email addresses on the user accounts will not be removed.
After doing that, put the email addresses back on to recipient policy. It should take effect almost immediately.

-M
 
Suraj Commented:
The domain is listed in the recipient policy,
so any emails for that SMTP domain will come in to your Exchange server.
The thing is, you say that the recipient filter is enabled,
but if I telnet to your domain, whatever user name I put in rcpt to: with your domain name, it accepts it.
If your recipient filtering is enabled, it will check if the user exists in AD; if not, it will not accept the rcpt to.
Try to reinstall SP2 again, because I am sure your recipient filter is not working...
 
HFComm Author Commented:
I think we figured it out, and it raises another question as well.

OK, so I had all the domains listed in the default RP but only had the check box ticked next to landruweb.net and landruweb.local, as those are the only 2 I wanted to generate to users automatically (my understanding was that is all that box did). But I just created a new RP for noemail4.us just to test, made it apply to a group, and now all is working well without the connector and the rcpt filtering is working.

So I need to create an RP for each domain. Now, I don't want noemail4.us, lwnis.com and headfirstcomm.net to auto-generate to users, but obviously I want to accept email for those domains for a few select users. Do I just create the RP with no filtering, or assign a bogus filter?

Now, from the understanding I have, I actually don't need any SMTP connectors unless I have other Exchange servers? As well, the default SMTP connector I am talking about is the one that the Internet Mail Wizard generated from within Exchange System Manager.
 
Suraj Commented:
Just disable the recipient filtering, restart the SMTP service, re-enable it and then restart the SMTP service again.

Hmm... hey, you know what, I am sure it's working now.

Now when I try rcpt to: for that user, dlbulk@noemail4.us, or any user@noemail4.us, I get USER UNKNOWN.

Try it at your end...
-x
 
Suraj Commented:
Earlier when I did the same, your Exchange server said OK when I tried xyz@noemail4.us or dlbulk@noemail4.us. Try it now...
 
HFComm Author Commented:
Yes, I did go through and delete all the connectors (which were basically overriding the recipient policy, as the additional domains were listed but not enabled). I created new RPs for the domains and all works fine now.
 
Mestha Commented:
Recipient policy does two jobs - email address generation and what domains Exchange accepts email for.
If you didn't want to generate email addresses for those domains automatically then you could have put them on to a separate recipient policy with no filter. As long as the domain was enabled, Exchange would accept the email.

-M
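
Added example, not part of the original thread: a Python check that reads a telnet transcript in the form posted above and reports, per domain, whether an unknown recipient was rejected (5.1.1), accepted (2.1.5) or refused as relay (5.7.1). The sample transcript is constructed, and the `probe` helper for running the same check live against your own server, with its sender address, is an assumption of this example.

```python
import re
import smtplib
import uuid

# Enhanced status codes seen in the thread's telnet sessions, mapped to a verdict.
VERDICTS = {
    "5.1.1": "filtered",      # "User unknown": recipient filtering is working
    "2.1.5": "accept-all",    # a recipient known not to exist was accepted
    "5.7.1": "not-accepted",  # "Unable to relay": domain not enabled for inbound mail
}

def classify(reply):
    """Map one RCPT TO reply line to a verdict via its enhanced status code."""
    m = re.match(r"\s*\d{3}[ -](\d\.\d\.\d)", reply)
    return VERDICTS.get(m.group(1), "unknown") if m else "unknown"

def audit_transcript(text):
    """Pair each 'rcpt to: user@domain' with the reply after it, keyed by domain."""
    results, pending = {}, None
    for line in map(str.strip, text.splitlines()):
        cmd = re.match(r"rcpt to:\s*<?[^\s@]+@([^\s>]+)", line, re.I)
        if cmd:
            pending = cmd.group(1).lower()
        elif pending and re.match(r"\d{3}", line):
            results[pending] = classify(line)
            pending = None
    return results

def probe(host, domains, sender="rf-check@example.invalid"):
    """Live variant for your own server: one random, nonexistent recipient per domain."""
    results = {}
    with smtplib.SMTP(host, 25, timeout=30) as smtp:
        for domain in domains:
            smtp.mail(sender)  # smtplib sends EHLO/HELO first if needed
            code, msg = smtp.rcpt(f"rf-check-{uuid.uuid4().hex}@{domain}")
            results[domain] = classify(f"{code} {msg.decode(errors='replace')}")
            smtp.rset()
    return results

# Constructed transcript modelled on the sessions posted in the thread.
SAMPLE = """\
rcpt to: nosuchuser@landruweb.net
550 5.1.1 User unknown
rcpt to: abuse@noemail4.us
250 2.1.5 abuse@noemail4.us
"""

if __name__ == "__main__":
    print(audit_transcript(SAMPLE))
```

Any domain reported as "accept-all" is taking mail for recipients that do not exist, which is the symptom the SMTP connectors caused here.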
 
Suraj Commented:
That was awesome, Mestha... you rock, man....