
Recipient address rejected: Greylisted for 5 minutes Event id: 7002

RimFire007 asked
Last Modified: 2012-05-09
Hi

An SBS 2003 R2 with all SPs installed. One NIC. An external spam filtering company filters mails and in the HW FW I accept SMTP only from their IPs. Due to Open Relay the email domain was blacklisted at Barracuda and Tiopan but hopefully not anymore. I just disabled the three blacklist servers I had under "Connection Filtering / Block List Service Configuration".

IPs and email addresses below are slightly modified.

The IP 89.166.51.xx should not have anything to do with our mail system. It is rather the recipient's mail server address.

I got these warnings: This specific firstaname.lastaname@blueoranges.fi appears there 6 times at one minute intervals. Anything I can do?

Thanks,

Juha

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            7.7.2010
Time:            14:51:37
User:            N/A
Computer:      HUMHP
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #17. The remote host "89.166.51.xx", responded to the SMTP command "rcpt" with "451 4.7.1 <ilker.kamadan@blueorange.fi>: Recipient address rejected: Greylisted for 5 minutes  ". The full command sent was "RCPT TO:<firstname.lastname@blueoranges.fi>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

**************

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            9.7.2010
Time:            10:30:37
User:            N/A
Computer:      HUMHP
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #191. The remote host "mx-1.wmhost.com", responded to the SMTP command "rcpt" with "451 4.7.1 <firstname.lastname@blueoranges.fi>: Recipient address rejected: Greylisted for 5 minutes  ". The full


Barry GillConsultant
CERTIFIED EXPERT

Commented:
these are outbound messages. Do you have an SMTP proxy or use a smarthost? Or are you doing direct delivery from Exchange?
Shreedhar EtteTechnical Manager
CERTIFIED EXPERT
Top Expert 2010

Commented:

Author

Commented:
I use DNS to route mail = Mails are delivered directly to the server.

I need to know where I can list the email domains or IPs which are considered safe by Exchange. Placing IPs in "Message Delivery Properties / Connection Filtering / Accept List" doesn't seem to help. Those recipients are blacklisted but I still want to send mail to them.

Rgs,

Juha

Barry GillConsultant
CERTIFIED EXPERT

Commented:
the logs you show above are the RECIPIENT server stating it will not accept YOUR mail, not what your server is saying to incoming servers.

Author

Commented:
I noticed that I can't receive mail from Yahoo. At the same time these were generated on the server. Since I believe that the filters I have applied check if the recipient is listed in the directory, can it be that the below is the actual problem?

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1030
Date:            12.7.2010
Time:            18:24:43
User:            HUMBERG\remote
Computer:      HUMHP
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

**********************

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1030
Date:            12.7.2010
Time:            18:24:43
User:            HUMBERG\remote
Computer:      HUMHP
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I can't see mails from Yahoo nor Message Tracking Center. However, these show in Event Viewer:

**************
Event Type:      Information
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7006
Date:            12.7.2010
Time:            18:28:34
User:            N/A
Computer:      HUMHP
Description:
This is an SMTP protocol log for virtual server ID 1, connection #23. The client at "192.168.200.1" sent a "ehlo" command, and the SMTP server responded with "250-mail.mydomain.fi Hello [192.168.200.1]  250-TURN  250-SIZE  250-ETRN  250-PIPELINING  250-DSN  250-ENHANCEDSTATUSCODES  250-8bitmime  250-BINARYMIME  250-CHUNKING  250-VRFY  250-X-EXPS GSSAPI NTLM  250-AUTH GSSAPI NTLM  250-X-LINK2STATE  250-XEXCH50  250 OK  ". The full command sent was "ehlo bsafe1.d-fence.fi".  This is an informational event and  does not indicate an error.

For more information, click http://www.microsoft.com/contentredirect.asp.

*****************

Event Type:      Information
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7006
Date:            12.7.2010
Time:            18:28:34
User:            N/A
Computer:      HUMHP
Description:
This is an SMTP protocol log for virtual server ID 1, connection #23. The client at "192.168.200.1" sent a "mail" command, and the SMTP server responded with "250 2.1.0 myname@yahoo.com....Sender OK  ". The full command sent was "mail FROM:<myname@yahoo.com> SIZE=2518 BODY=7BIT".  This is an informational event and  does not indicate an error.

For more information, click http://www.microsoft.com/contentredirect.asp.

*************

Event Type:      Information
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7006
Date:            12.7.2010
Time:            18:28:34
User:            N/A
Computer:      HUMHP
Description:
This is an SMTP protocol log for virtual server ID 1, connection #23. The client at "192.168.200.1" sent a "rcpt" command, and the SMTP server responded with "250 2.1.5 administrator@mydomain.fi   ". The full command sent was "rcpt TO:<administrator@mydomain.fi>".  This is an informational event and  does not indicate an error.

For more information, click http://www.microsoft.com/contentredirect.asp.

****************
Event Type:      Information
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7006
Date:            12.7.2010
Time:            18:29:18
User:            N/A
Computer:      HUMHP
Description:
This is an SMTP protocol log for virtual server ID 1, connection #24. The client at "192.168.200.1" sent a "ehlo" command, and the SMTP server responded with "250-mail.mydomain.fi Hello [192.168.200.1]  250-TURN  250-SIZE  250-ETRN  250-PIPELINING  250-DSN  250-ENHANCEDSTATUSCODES  250-8bitmime  250-BINARYMIME  250-CHUNKING  250-VRFY  250-X-EXPS GSSAPI NTLM  250-AUTH GSSAPI NTLM  250-X-LINK2STATE  250-XEXCH50  250 OK  ". The full command sent was "ehlo bsafe1.d-fence.fi".  This is an informational event and  does not indicate an error.

For more information, click http://www.microsoft.com/contentredirect.asp.




Barry GillConsultant
CERTIFIED EXPERT

Commented:
what sits at 192.168.200.1?

Is that an AV/AS service that you are passing data to?

Author

Commented:
Thanks barrulus

Is there anything I can do? According to my tests the domain is no longer listed at the mxtoolbox blacklist test. I also received a mail from Barracuda stating the domain is removed from the blacklist.

Rgs, Juha

Author

Commented:
192.168.200.1 is the Firewall / Default GW

Juha
Top Expert 2010

Commented:
Juha
I will check the anti-spam solution first and how that is relaying messages to Exchange.

I am still checking.

Author

Commented:
I have now disabled all other filters but IMF. Still can't receive from Yahoo.

At ExRCA the SMTP Inbound test passes as outbound test.

Rgs, Juha
Top Expert 2010

Commented:
Are yahoo mails showing up in d-fence ?
There should be some Admin console there where you can see what emails are allowed to pass and what emails are being blocked ?

Barry GillConsultant
CERTIFIED EXPERT
Commented:

Author

Commented:
I'll try to check what tools I have from D-Fence. I turned on the FW to log SMTP. Let's see what it says.

Rgs, Juha

Author

Commented:
It seems that the FW logs SMTP from Yahoo. I can't be sure since it can be other mail. The timestamp is very close.

D-Fence whitelisting (the external company who filters spam). I can't log in to their web portal.

Rgs, Juha
Top Expert 2010

Commented:
ok. this is strange.
a) Your MX points to D-Fence which is doing your email filtering.
b) When someone sends email - they lookup MX > send mail to D-Fence.
c) D-Fence filters emails and sends clean email to your exchange server.

so my question is - how did Firewall log SMTP from yahoo ?
Did you check if it was inbound or outbound log ?

I think you need to call d-fence and ask them about how can you access the admin console. Otherwise it looks like a black-box operation with no transparent way of knowing which emails are getting rejected / getting quarantined and why.
Barry GillConsultant
CERTIFIED EXPERT

Commented:
what I see happening here is:

a) mx points to D-Fence
b) sending email to you from yahoo looks up MX and delivers to D-Fence
c) D-Fence sends to on site Barracuda device
d) on site Barracuda device connects to Exchange SMTP service
e) mail goes missing

This is why I think the IMF is responsible for missing messages.

c) D-Fence would not send to Barracuda if they were blocking
d) Barracuda would not send to Exchange if it was blocking.

Does your yahoo account get a bounce notification?
Top Expert 2010

Commented:
Juha
do you have a Barracuda device? Please clarify.

Author

Commented:
Sunny

Can you try to send to the test user from Yahoo? I'll reply to your message next, after I have checked the FW logs again.

Rgs, Juha
Top Expert 2010

Commented:
Got your email. it came to my junk folder.
Sent you a test email.

Author

Commented:
Hi

In the FW logs I saw SMTP coming from WAN to LAN at the same time I sent from Yahoo. Can't be 100% sure what mail it was but 99% sure it was the Yahoo mail. The FW says that the mail came from the D-Fence IP address. The company is so small that it is unlikely someone else mailed at just the same time.

"Barracuda device". I don't know what that is. The FW is ZyXEL.

Rgs, Juha

Top Expert 2010

Commented:
a) So it's clear that you don't have a Barracuda device.
b) You only have a Zyxel modem / firewall.

So D-Fence is delivering mails to Zyxel (from D-Fence IP)

Please confirm if you received test emails from yahoo.
Barry GillConsultant
CERTIFIED EXPERT

Commented:
my apologies, I saw the mention of Barracuda in the first post.

It does not change things though, d-fence is still sending, so they are not blocking.
Top Expert 2010

Commented:
I didn't get a bounce back when I sent it to your email address juha

Barrulus -- Where the hell are the emails getting lost ?? :-)
Barry GillConsultant
CERTIFIED EXPERT

Commented:
the only thing I can think of is that they are getting hooked by the IMF and sitting stagnant in a queue somewhere.
The SMTP logs we see here only show us getting as far as RCPT TO:<> so we don't know if it actually gets received but I think it is safe to assume that they do.
Because this affects a domain name (yahoo.com) I think the filters are causing the issue.

IF the Exchange server was creating a failure in transmission, the d-fence system would get a failure and that *should* in turn create a DSN with either warning or bounce, but as these are not seen, the logical conclusion is that the Exchange server has fully accepted.

Again, because it is only a specific domain, it has to be something related to IMF.

What other logging are you doing, and can you see any other errors in your event log?
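An added example, not part of the original thread: a small parser for the MSExchangeTransport 7002/7006 descriptions quoted above. It separates the outbound greylisting replies (sent by the recipient's server) from the inbound sessions relayed by D-Fence, and reports the last SMTP verb logged per inbound connection. The function names are hypothetical and the sample events are constructed by abridging the log text posted in this thread.

```python
import re

# Outbound shape (Event ID 7002 in the thread): Exchange is the SMTP client,
# so the quoted reply was produced by the recipient's server.
OUTBOUND = re.compile(
    r'connection #(?P<conn>\d+)\. The remote host "(?P<peer>[^"]+)", '
    r'responded to the SMTP command "(?P<verb>\w+)" with "(?P<reply>[^"]*)"')
# Inbound shape (Event ID 7006 in the thread): Exchange is the SMTP server,
# so the quoted reply is what this server told the connecting client.
INBOUND = re.compile(
    r'connection #(?P<conn>\d+)\. The client at "(?P<peer>[^"]+)" sent a '
    r'"(?P<verb>\w+)" command, and the SMTP server responded with "(?P<reply>[^"]*)"')
# Three-digit reply code, optionally followed by an enhanced status code.
REPLY = re.compile(r'(?P<code>[2-5]\d\d)[ -](?:(?P<enh>[245]\.\d{1,3}\.\d{1,3})\s)?')
STAGE_ORDER = {"helo": 0, "ehlo": 0, "mail": 1, "rcpt": 2, "data": 3}


def verdict(direction, code, reply):
    """Say who refused or accepted, and whether a retry is expected."""
    if code is None:
        return "unparsed"
    who = "remote server" if direction == "outbound" else "this server"
    if code < 400:
        return f"accepted by {who}"
    if code < 500:
        kind = "greylisting deferral" if "greylist" in reply.lower() else "temporary failure"
        return f"{kind} from {who}; sender should retry"
    return f"permanent rejection from {who}"


def parse_event(description):
    """Parse one event Description string; returns None for other events."""
    for direction, pattern in (("outbound", OUTBOUND), ("inbound", INBOUND)):
        m = pattern.search(description)
        if not m:
            continue
        r = REPLY.match(m["reply"].strip())
        code = int(r["code"]) if r else None
        return {
            "direction": direction,
            "connection": int(m["conn"]),
            "peer": m["peer"],
            "verb": m["verb"].lower(),
            "code": code,
            "enhanced": r["enh"] if r else None,
            "verdict": verdict(direction, code, m["reply"]),
        }
    return None


def furthest_inbound_stage(descriptions):
    """Map each inbound connection number to the last SMTP stage logged."""
    best = {}
    for text in descriptions:
        e = parse_event(text)
        if not e or e["direction"] != "inbound" or e["verb"] not in STAGE_ORDER:
            continue
        seen = best.get(e["connection"])
        if seen is None or STAGE_ORDER[e["verb"]] > STAGE_ORDER[seen]:
            best[e["connection"]] = e["verb"]
    return best


# Constructed sample: abridged copies of the event descriptions in this thread.
SAMPLE_EVENTS = [
    'This is an SMTP protocol warning log for virtual server ID 1, connection #17. '
    'The remote host "89.166.51.xx", responded to the SMTP command "rcpt" with '
    '"451 4.7.1 <firstname.lastname@blueoranges.fi>: Recipient address rejected: '
    'Greylisted for 5 minutes  ". The full command sent was '
    '"RCPT TO:<firstname.lastname@blueoranges.fi>  ".',
    'This is an SMTP protocol log for virtual server ID 1, connection #23. '
    'The client at "192.168.200.1" sent a "ehlo" command, and the SMTP server '
    'responded with "250-mail.mydomain.fi Hello [192.168.200.1]  250-TURN  250 OK  ".',
    'This is an SMTP protocol log for virtual server ID 1, connection #23. '
    'The client at "192.168.200.1" sent a "mail" command, and the SMTP server '
    'responded with "250 2.1.0 myname@yahoo.com....Sender OK  ".',
    'This is an SMTP protocol log for virtual server ID 1, connection #23. '
    'The client at "192.168.200.1" sent a "rcpt" command, and the SMTP server '
    'responded with "250 2.1.5 administrator@mydomain.fi   ".',
    'This is an SMTP protocol log for virtual server ID 1, connection #24. '
    'The client at "192.168.200.1" sent a "ehlo" command, and the SMTP server '
    'responded with "250-mail.mydomain.fi Hello [192.168.200.1]  250-TURN  250 OK  ".',
]

if __name__ == "__main__":
    for text in SAMPLE_EVENTS:
        e = parse_event(text)
        print(e["direction"], f'#{e["connection"]}', e["verb"], e["code"], e["verdict"])
    print(furthest_inbound_stage(SAMPLE_EVENTS))
```

A connection whose last logged stage is `rcpt` shows that this server accepted the envelope, but these events alone carry no evidence that the message body was transferred.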
Barry GillConsultant
CERTIFIED EXPERT

Commented:
Top Expert 2010

Commented:
Good point barrulus.

Juha
Can you check exchange queue.

also - what happens if you disable IMF filtering? Can you get yahoo emails then?
Top Expert 2010

Commented:
Guys - I am gonna go grab some lunch and think where yahoo mails are dropping.

Will have to agree with barrulus.

Let's try and disable IMF and see if we can get yahoo emails. Will try IMF engineering after that.

Author

Commented:
Hi

The mail from the C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue folder has now vanished. I'll boot the server now to see any special events while booting up.

Juha
Barry GillConsultant
CERTIFIED EXPERT

Commented:
have you disabled the IMF?

Author

Commented:
Disabling IMF had no effect.

barrulus: I'll check your hints next.

Juha
Barry GillConsultant
CERTIFIED EXPERT

Commented:
can the yahoo sender send to other users? not just this test recipient?
Or does mail from the yahoo user disappear no matter who the recipient is?

what on server anti virus are you using?
Top Expert 2010

Commented:
Check Exchange Services @ C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue

Is SMTP service running ?
Barry GillConsultant
CERTIFIED EXPERT

Commented:
I have to go - 7:30 pm and I am still at work, if I have any revelations I will check in later to drop them in :)

Author

Commented:
Hi

I have tried to send to two separate users from yahoo and the mails don't show up. The AV is F-Secure 9.0 for Win Servers, the latest version. Real Time Scanning is excluded on these folders:

E:\Program Files\Exchsrvr\MDBDATA\
E:\Program Files\Microsoft SQL Server\
C:\Program Files\Exchsrvr\
C:\Econet Pro\
BUT AFTER RESTART THEY HAD DISAPPEARED SO I PLACED THEM BACK.

Here are the events during bootup. It seems that some test mails from yahoo show up there again at the end of the list.

Event Type:      Warning
Event Source:      MSDTC
Event Category:      SVC
Event ID:      53258
Date:            12.7.2010
Time:            20:53:10
User:            N/A
Computer:      HUMHP
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9351, Pid: 1324
No Callstack,
 CmdLine: C:\WINDOWS\system32\msdtc.exe

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 05 00 07 80               ...¿    

*******************

Event Type:      Warning
Event Source:      MSDTC
Event Category:      SVC
Event ID:      53258
Date:            12.7.2010
Time:            20:53:10
User:            N/A
Computer:      HUMHP
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*********************

Event Type:      Information
Event Source:      MSDTC
Event Category:      TM
Event ID:      4193
Date:            12.7.2010
Time:            20:53:10
User:            N/A
Computer:      HUMHP
Description:
MS DTC started with the following settings (OFF = 0 and ON = 1):

  Security Configuration:
      Network Administration of Transactions = 0,
      Network Clients = 0,
      Inbound Distributed Transactions using Native MSDTC Protocol = 0,
      Outbound Distributed Transactions using Native MSDTC Protocol = 0,
      Transaction Internet Protocol (TIP) = 0,
      XA Transactions = 0
  Filtering Duplicate events = 1

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

***********************


**********************

Event Type:      Warning
Event Source:      WinMgmt
Event Category:      None
Event ID:      5603
Date:            12.7.2010
Time:            20:53:37
User:            NT AUTHORITY\SYSTEM
Computer:      HUMHP
Description:
A provider, PerfProv, has been registered in the WMI namespace, ROOT\CIMV2\MicrosoftHealthMonitor\PerfMon, but did not specify the HostingModel property.  This provider will be run using the LocalSystem account.  This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.  Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.  

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


***************

Event Type:      Warning
Event Source:      WinMgmt
Event Category:      None
Event ID:      5603
Date:            12.7.2010
Time:            20:53:37
User:            NT AUTHORITY\SYSTEM
Computer:      HUMHP
Description:
A provider, PerfProv, has been registered in the WMI namespace, ROOT\CIMV2\MicrosoftHealthMonitor\PerfMon, but did not specify the HostingModel property.  This provider will be run using the LocalSystem account.  This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.  Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.  

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*******************

Event Type:      Warning
Event Source:      Perflib
Event Category:      None
Event ID:      1016
Date:            12.7.2010
Time:            20:53:42
User:            N/A
Computer:      HUMHP
Description:
The data buffer created for the "EXOLEDB" service in the "C:\Program Files\Exchsrvr\bin\exodbpc.dll" library is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.

**************

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: e4 c5 c6 00 04 15 00 00   äÅÆ.....

Event Type:      Warning
Event Source:      Perflib
Event Category:      None
Event ID:      1016
Date:            12.7.2010
Time:            20:53:42
User:            N/A
Computer:      HUMHP
Description:
The data buffer created for the "F-Secure Gatekeeper Handler Starter" service in the "C:\Program Files\F-Secure\Anti-Virus\avperf.dll" library is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 08 cd c6 00 24 07 00 00   .ÍÆ.$...

***************

Event Type:      Warning
Event Source:      Perflib
Event Category:      None
Event ID:      2003
Date:            12.7.2010
Time:            20:53:42
User:            N/A
Computer:      HUMHP
Description:
The configuration information of the performance library "C:\WINDOWS\system32\infoctrs.dll" for the "InetInfo" service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*****************

Event Type:      Information
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7006
Date:            12.7.2010
Time:            21:00:03
User:            N/A
Computer:      HUMHP
Description:
This is an SMTP protocol log for virtual server ID 1, connection #2. The client at "192.168.200.1" sent a "ehlo" command, and the SMTP server responded with "250-mail.mydomain.fi Hello [192.168.200.1]  250-TURN  250-SIZE  250-ETRN  250-PIPELINING  250-DSN  250-ENHANCEDSTATUSCODES  250-8bitmime  250-BINARYMIME  250-CHUNKING  250-VRFY  250-X-EXPS GSSAPI NTLM  250-AUTH GSSAPI NTLM  250-X-LINK2STATE  250-XEXCH50  250 OK  ". The full command sent was "ehlo bsafe1.d-fence.fi".  This is an informational event and  does not indicate an error.

For more information, click http://www.microsoft.com/contentredirect.asp.

***************

Event Type:      Information
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7006
Date:            12.7.2010
Time:            21:00:03
User:            N/A
Computer:      HUMHP
Description:
This is an SMTP protocol log for virtual server ID 1, connection #2. The client at "192.168.200.1" sent a "mail" command, and the SMTP server responded with "250 2.1.0 myname@yahoo.com....Sender OK  ". The full command sent was "mail FROM:<myname@yahoo.com> SIZE=2949 BODY=7BIT".  This is an informational event and  does not indicate an error.

For more information, click http://www.microsoft.com/contentredirect.asp.

*********************************

Event Type:      Information
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7006
Date:            12.7.2010
Time:            21:00:03
User:            N/A
Computer:      HUMHP
Description:
This is an SMTP protocol log for virtual server ID 1, connection #2. The client at "192.168.200.1" sent a "rcpt" command, and the SMTP server responded with "250 2.1.5 testi2@mydomain.fi   ". The full command sent was "rcpt TO:<testi2@mydomain.fi> ORCPT=rfc822;testi2@mydomain.fi".  This is an informational event and  does not indicate an error.

For more information, click http://www.microsoft.com/contentredirect.asp.

**********************

Event Type:      Information
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7006
Date:            12.7.2010
Time:            21:00:03
User:            N/A
Computer:      HUMHP
Description:
This is an SMTP protocol log for virtual server ID 1, connection #3. The client at "192.168.200.1" sent a "ehlo" command, and the SMTP server responded with "250-mail.mydomain.fi Hello [192.168.200.1]  250-TURN  250-SIZE  250-ETRN  250-PIPELINING  250-DSN  250-ENHANCEDSTATUSCODES  250-8bitmime  250-BINARYMIME  250-CHUNKING  250-VRFY  250-X-EXPS GSSAPI NTLM  250-AUTH GSSAPI NTLM  250-X-LINK2STATE  250-XEXCH50  250 OK  ". The full command sent was "ehlo bsafe1.d-fence.fi".  This is an informational event and  does not indicate an error.

For more information, click http://www.microsoft.com/contentredirect.asp.

*********************

Event Type:      Information
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7006
Date:            12.7.2010
Time:            21:00:03
User:            N/A
Computer:      HUMHP
Description:
This is an SMTP protocol log for virtual server ID 1, connection #3. The client at "192.168.200.1" sent a "ehlo" command, and the SMTP server responded with "250-mail.mydomain.fi Hello [192.168.200.1]  250-TURN  250-SIZE  250-ETRN  250-PIPELINING  250-DSN  250-ENHANCEDSTATUSCODES  250-8bitmime  250-BINARYMIME  250-CHUNKING  250-VRFY  250-X-EXPS GSSAPI NTLM  250-AUTH GSSAPI NTLM  250-X-LINK2STATE  250-XEXCH50  250 OK  ". The full command sent was "ehlo bsafe1.d-fence.fi".  This is an informational event and  does not indicate an error.

For more information, click http://www.microsoft.com/contentredirect.asp.

***********************

Event Type:      Information
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7006
Date:            12.7.2010
Time:            21:00:03
User:            N/A
Computer:      HUMHP
Description:
This is an SMTP protocol log for virtual server ID 1, connection #3. The client at "192.168.200.1" sent a "mail" command, and the SMTP server responded with "250 2.1.0 myname@yahoo.com....Sender OK  ". The full command sent was "mail FROM:<myname@yahoo.com> SIZE=2946 BODY=7BIT".  This is an informational event and  does not indicate an error.

For more information, click http://www.microsoft.com/contentredirect.asp.

*****************

Event Type:      Information
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7006
Date:            12.7.2010
Time:            21:00:03
User:            N/A
Computer:      HUMHP
Description:
This is an SMTP protocol log for virtual server ID 1, connection #3. The client at "192.168.200.1" sent a "rcpt" command, and the SMTP server responded with "250 2.1.5 testi2@mydomain.fi   ". The full command sent was "rcpt TO:<testi2@mydomain.fi> ORCPT=rfc822;testi2@mydomain.fi".  This is an informational event and  does not indicate an error.

For more information, click http://www.microsoft.com/contentredirect.asp.

********************

Event Type:      Information
Event Source:      MSExchangeTransport
Event Category:      Queuing Engine
Event ID:      4005
Date:            12.7.2010
Time:            21:03:15
User:            N/A
Computer:      HUMHP
Description:
Time spent on preparing to reset routes: [0] milliseconds Time spent on recalculating next hops: [0] milliseconds Queue length : [0]

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Top Expert 2010

Commented:
Out of ideas....
let me revisit this after sometime.

Please post back if you figure out something by yourself.

Since you cannot build - you have to buy.
or in this case search.

Top Expert 2010

Commented:
Sorry wrong window @ post.

Juha
All these are informational items. Let me check these and will post back.

Author

Commented:
Ok Sunny

The problem exists. I'll try to create a Gmail account or similar to see what happens.

Juha

Barry GillConsultant
CERTIFIED EXPERT

Commented:
is the test alias routing to a test mailbox or aliasing to a real user?
Top Expert 2010

Commented:
barrulus it's a real user
Testing without IMF - gmail gets through - but not yahoo.

Barry GillConsultant
CERTIFIED EXPERT

Commented:
have we looked at other logs, other than just the virtual smtp service?

broaden your search, I think the smtp service is working, what about mailstore logs? mailbox logs?
You may have a policy that is not clearing off.

Ok, step back.

How long has this problem existed?
what changes were made before this was noticed? or around the time it was noticed?

Any new software deployed, changes in backup procedures or anything?
Top Expert 2010
Commented:
Top Expert 2010

Commented:
its in the firewall connection logs. firewall drops the connection - notifies exchange and creates an event in eventvwr\application

Author

Commented:

I'll just mention here the IMF hotfix, which probably doesn't suit this case
http://support.microsoft.com/kb/912587
Barry GillConsultant
CERTIFIED EXPERT

Commented:
does the firewall have transparent smtp proxy?
can it be disabled?
Barry GillConsultant
CERTIFIED EXPERT

Commented:
cisco fixup smtp allows this to happen, sends a rset to the sender (usually causes a bounce) and quit to the receiver.
firewall based transparent smtp proxy is frequently fraught with these "message ended early" issues.
Barry GillConsultant
CERTIFIED EXPERT

Commented:
and how did you find that out? there is nothing in the postings about them :)

Author

Commented:
Hi

The problem is in the HW FW. It has blocked some mails. Trying to fix it. Yahoo mails are coming in now.

JR
Top Expert 2010
Commented:
Barry GillConsultant
CERTIFIED EXPERT

Commented:
cool, clearly in capable hands :)
I am pretty sure it will, matches all the patterns for it, I should've clicked earlier but hey, such is life.
Top Expert 2010

Commented:
Thanks dude :-)

Kinda things you learn in a normal day @ EE !! ha ha.
Barry GillConsultant
CERTIFIED EXPERT

Commented:
kind of thing I see every day in my day job, just normally have more hands on to see, more memory triggers with the visual examination... good to broaden my experience anyways. :)

Author

Commented:
Hi

Yes. This case is now solved thanks to you all and especially Sunny! I did send an email to the hosted spam-filter company to ask if they have any idea why some mails from them (coming from Yahoo) were recognized as IDP at the FW. The firewall's firmware is pretty old but since I have the VPN setup and everything else there, it would be a great risk to try to update the firmware. I will probably need to monitor the FW logs on a daily basis for a while.

Exchange's own filters are now set back.

Thank you all again!

Rgs, Juha

Author

Commented:
I'll award Sunnyc7 400 points for finding the problem and doing hands-on work to fix the issue with the FW.

Unfortunately I have only 100 points left. They go to barrulus for great comments and for pointing out what greylisting in the Event Viewer logs meant in this case.

Thank you all for help.

Rgs, Juha