Exchange2007/SBS2008; issue receiving emails from some servers; 451 4.7.0 Timeout waiting for client input

Hi,

I have an outside vendor who sends us large attachments (that are still under our 10MB limit) who has an account with sympatico.ca.  Sympatico emails are sent by Microsoft hosted servers; all the emails come from 65.54.190.x servers.  

If they send us a text only email, it is received ok.  Even small attachments work sometimes.  Any email with an attachment over a few 100k is never received.  The Exchange server never sees it.  The SMTP logs show repeated connections to my server, but the transactions always end with "451 4.7.0 Timeout waiting for client input".

I can send myself the same attachment with my Hotmail account to my work email account, no problem.

The Exchange 2007 is SP2 and is part of SBS2008.  I have all the latest Forefront updates, and updates in general.  The server was last restarted last Sunday.

I have a Fortigate 100a in front of my network.  It has all the IPS, AV, and spam features turned on.  There is nothing in its logs that suggests it rejected the traffic.  It shows it allowed the connection to go to the SMTP server.

Here is what the SMTP log looks like:

2010-08-26T17:01:24.289Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,0,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,+,,
2010-08-26T17:01:24.290Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,1,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2010-08-26T17:01:24.290Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,2,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,>,"220 mail.mydomainname.ca Microsoft ESMTP MAIL Service ready at Thu, 26 Aug 2010 13:01:23 -0400",
2010-08-26T17:01:24.374Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,3,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,<,EHLO bay0-omc2-s26.bay0.hotmail.com,
2010-08-26T17:01:24.374Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,4,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,>,250-mail.mydomainname.ca Hello [65.54.190.101],
2010-08-26T17:01:24.374Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,5,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,>,250-SIZE 10485760,
2010-08-26T17:01:24.374Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,6,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,>,250-PIPELINING,
2010-08-26T17:01:24.374Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,7,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,>,250-DSN,
2010-08-26T17:01:24.374Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,8,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,>,250-ENHANCEDSTATUSCODES,
2010-08-26T17:01:24.375Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,9,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,>,250-STARTTLS,
2010-08-26T17:01:24.375Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,10,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,>,250-AUTH,
2010-08-26T17:01:24.375Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,11,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,>,250-8BITMIME,
2010-08-26T17:01:24.375Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,12,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,>,250-BINARYMIME,
2010-08-26T17:01:24.375Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,13,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,>,250 CHUNKING,
2010-08-26T17:01:24.450Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,14,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,<,MAIL FROM:<username@sympatico.ca> SIZE=2237702,
2010-08-26T17:01:24.450Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,15,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,*,08CD103768357F7B;2010-08-26T17:01:24.289Z;1,receiving message
2010-08-26T17:01:24.450Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,16,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,>,250 2.1.0 Sender OK,
2010-08-26T17:01:24.525Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,17,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,<,RCPT TO:<username@mydomainname.ca>,
2010-08-26T17:01:24.529Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,18,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,>,250 2.1.5 Recipient OK,
2010-08-26T17:01:24.604Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,19,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,<,BDAT 2237702 LAST,
2010-08-26T17:20:44.582Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,20,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,>,451 4.7.0 Timeout waiting for client input,
2010-08-26T17:20:44.582Z,servername\Windows SBS Internet Receive servername,08CD103768357F7B,21,xxx.xxx.xxx.xxx:25,65.54.190.101:18620,-,,Local

Any suggestions appreciated.

 
IWinsorAsked:
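
An added example, not part of the original thread: a Python script that scans a receive protocol log in the format posted above and reports sessions where the payload command (BDAT or DATA) was followed by the 451 4.7.0 timeout, along with the declared SIZE and how long the server waited. The sample lines are constructed in the post's format (addresses and the second session are made up), and the function and field names are this example's own.

```python
import csv
import re
from datetime import datetime

# Constructed sample in the receive-log format shown in the post:
# date-time, connector, session, sequence, local, remote, event, data, context
SAMPLE = """\
2010-08-26T17:01:24.450Z,recv,08CD103768357F7B,14,10.0.0.5:25,65.54.190.101:18620,<,MAIL FROM:<a@example.com> SIZE=2237702,
2010-08-26T17:01:24.604Z,recv,08CD103768357F7B,19,10.0.0.5:25,65.54.190.101:18620,<,BDAT 2237702 LAST,
2010-08-26T17:20:44.582Z,recv,08CD103768357F7B,20,10.0.0.5:25,65.54.190.101:18620,>,451 4.7.0 Timeout waiting for client input,
2010-08-26T17:05:00.100Z,recv,08CD1037AAAA0001,5,10.0.0.5:25,192.0.2.7:40000,<,MAIL FROM:<b@example.com> SIZE=4096,
2010-08-26T17:05:00.200Z,recv,08CD1037AAAA0001,8,10.0.0.5:25,192.0.2.7:40000,<,BDAT 4096 LAST,
2010-08-26T17:05:00.900Z,recv,08CD1037AAAA0001,9,10.0.0.5:25,192.0.2.7:40000,>,"250 2.6.0 <id@example.com> Queued mail for delivery",
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def stalled_transfers(log_text):
    """Return one record per session where the server timed out mid-payload."""
    sessions = {}
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 8 or row[0].startswith("#"):
            continue  # skip blank lines and the log's "#" header lines
        ts, session, remote, event, data = parse_ts(row[0]), row[2], row[5], row[6], row[7]
        s = sessions.setdefault(session, {"remote": remote.rsplit(":", 1)[0]})
        if event == "<":  # command received from the sending server
            m = re.search(r"\bSIZE=(\d+)", data)
            if m and data.upper().startswith("MAIL FROM"):
                s["declared_size"] = int(m.group(1))
            if re.match(r"(BDAT|DATA)\b", data, re.I):
                s["payload_cmd"], s["payload_at"] = data, ts
        elif event == ">" and data.startswith("451 4.7.0") and "payload_at" in s:
            # Timeout while waiting for the announced payload bytes
            s["stalled_for"] = (ts - s["payload_at"]).total_seconds()
        elif event == ">" and not data.startswith("354") and "payload_at" in s:
            s.pop("payload_at")  # final reply to the payload: transfer finished
    return [dict(session=k, **v) for k, v in sessions.items() if "stalled_for" in v]

if __name__ == "__main__":
    for rec in stalled_transfers(SAMPLE):
        print(rec["remote"], rec["payload_cmd"], rec.get("declared_size"),
              f'{rec["stalled_for"]:.0f}s without the payload completing')
```

Grouping the output by remote address and declared size shows whether the stalls track specific sending hosts or a size threshold, which is the distinction the thread goes on to argue about.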
 
Shack-Daddy Commented:
I would do some MTU ping tests from your server out to a site on the internet. I've noticed that when there is an MTU problem related to mail, it usually manifests with attachments larger than a certain size and causes timeouts.

Alternately, you may find that you need to set the MTU on the Fortinet to something different. To determine that, you'd want to put a host on a hub in front of the Fortinet and try some MTU tests to internet hosts and then set the MTU appropriately on the firewall.
 
Mark Damen (ERP System Manager) Commented:
I had a problem with incoming SMTP and attachments when a SonicWall firewall was placed in front of our connection.  It was doing filtering/inspection of the SMTP traffic, but not actually blocking it.  This caused a similar timeout error, rather than hard drops.

Try temporarily disabling the filtering on the Fortigate box and get the person to send again.
 
IWinsor (Author) Commented:
Thanks.

I have opened a case with Fortinet, and as you might expect, they don't think they are at fault.

I had thought of your suggestion as an easy way to prove whether it's the Fortigate or not, but I wanted to talk to their escalation support first.  Turning off the protection it provides could lead to a whole other set of problems.

Thanks.
 
Mark Damen (ERP System Manager) Commented:
Yep.  Although, if you prime the other end ready to send at a particular time, you'd only need to open it for 5-10 mins to demonstrate whether it solves the issue.  This is what I did, then went back to SonicWall to work out the issues.

If you have the luxury of time, then go straight for the Fortigate route.
 
IWinsor (Author) Commented:
OK.  I will try that tomorrow.  You are probably correct, I can have this answer before I even hear from Fortinet escalation.
 
IWinsor (Author) Commented:
Interesting suggestion.

I followed these instructions:
http://www.dslreports.com/faq/5793

From my Exchange server's console, I worked back to a packet size of 1472.  Add 28 for headers and you get 1500.  Windows 2008's MTU is 1500.  My Fortigate's MTU default is 1500.

Did I miss something in where you were going with your suggestion?

Also, if it was the MTU, wouldn't that affect all inbound emails, and not just a few specific ones?
 
Mark Damen (ERP System Manager) Commented:
Any further news on this case?  Did Fortinet come back with any answers?
 
IWinsor (Author) Commented:
They asked for a copy of my config file, and asked me to review the "How to configure AV features" documentation.

Waiting for an engineer to be assigned.
 
Shack-Daddy Commented:
The MTU thing I've seen affect outbound emails with attachments larger than a certain size. If you have success with some destinations and not others, it probably wouldn't be MTU.

But I recently worked on a situation in which an Exchange server could send attachments out to any domain except for a Yahoo domain (sbcglobal, att, etc). When an attachment was sent to a Yahoo mail server, the attachment would get stuck in a sending loop and would generate a colossal amount of traffic, so much that the ISP would block outbound port 25. This wouldn't happen to attachments sent to any other destination. Our workaround for that was to set up a smarthost or mail relay and just use it for Yahoo-bound mail.
 
IWinsor (Author) Commented:
Thanks, Shack-daddy.

My issue is receiving email from some, but not all, MS Sympatico mail servers.
 
IWinsor (Author) Commented:
OK, so I shut off the IPS features for my firewall email rule and had the sender resend.  The result was the same, so it appears that the issue is not the IPS.

 
Shack-Daddy Commented:
Since beating down-and-out horses is fun--back to the MTU thing, what happens when you do an MTU ping test from your server to the IP of one of the servers that's failing to reach you?

Here's something that might be relevant:
http://social.technet.microsoft.com/Forums/en-US/exchangesvrtransport/thread/defc53b7-424f-4354-ba3e-5eae2a9c2282
 
IWinsor (Author) Commented:
Talked to Fortigate. They sent me an updated IPS engine that I don't have and can't download anywhere.  

The mail servers in question cannot be pinged.  I have however used the "How to Troubleshoot Black Hole Router Issues" instructions to successfully ping all the hops that can be pinged between myself and the servers with the issue.

I am starting to think there is a bad MTU config'd somewhere on the other end.  Where does one start if one wants to tell a big ISP/ASP like Microsoft or Bell Canada that you think they have a technical issue?!??!  This should be fun.
 
IWinsor (Author) Commented:
I documented everything I know about this issue and sent it to the person with the Sympatico account and asked her to open a technical support case with them.  We will see what happens.
 
IWinsor (Author) Commented:
The outside vendor moved her accounts to Gmail; problem solved.
Question has a verified solution.
