Solved

SMTPdiag error

Posted on 2010-09-02
38
2,619 Views
Last Modified: 2013-11-30
Hello,

Mail sent from a partner's Exchange 2003 to our Exchange 2003 does not pass HELO.
(see the SMTPdiag screen capture from the other server)
Telnet from the other server sends a message successfully.

It's a single instance, mail from other domains is OK.
We have 2 MX records pointing to public IP's from our 2 link providers that are NAT to the Exchange internal address.
There is a link load balancer that handles the 2 ISP's.
I've made a change (after that screen capture) so that both MX records point to the first ISP address but mail still didn't go through.
Any ideas? SMTPdiag error SMTPdiag error
0
Comment
Question by:Optec
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 17
  • 16
  • +1
38 Comments
 
LVL 13

Expert Comment

by:George Sas
ID: 33592417
I think this is a firewall issue and not an exchange or smtp issue.

Can you telnet test both servers from a computer located on your LAN ? Does this work ?
Telnet test mail from the partner network works ?
0
 

Author Comment

by:Optec
ID: 33592448
Telnet from the remote Exchange server to ours works OK.
The other way was not tested because email is delivered.
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33592486
I'm a bit confused now.
You say , mail can not be delivered from remote network but telnet test works ?
When I say telnet test mail , I mean you have to test and send an e-mail trough telnet :
http://support.microsoft.com/kb/153119

Does this work ?
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 

Author Comment

by:Optec
ID: 33592504
Yes telnet session from the other server successfully sent an email which I received.
However sending email from outlook through that server is not successful.
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33592519
Common issue can be :
Your SMTP server name or address as specified has an error.
or
Your SMTP port is blocked.


Its the FQDN set up correctly on the remote smtp connector ?
Does the remote location use a smart host ?
Do you have a correct reverse DNS set up ?

Check your DNS and MX records :
http://www.dnsstuff.com/
http://www.mxtoolbox.com/

0
 
LVL 13

Expert Comment

by:George Sas
ID: 33592525
K , then that it's the FQDN on the sender exchange. It does not present itself as it should.
0
 

Author Comment

by:Optec
ID: 33592537
What needs to change at the sender Exchange?
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33592540
And , when you are using Telnet you are connecting directly to the remote host , but when you use Outlook , your exchange might use a smart host.
Check your SMTP protocol properties and fix the FQDN and see the smarthost.
You might wanna make a new SMTP connector that will deliver mails to your domain DIRECTLY to your exchange server instead of going trough the DNS and smarthost.
0
 

Author Comment

by:Optec
ID: 33592552
I'll ask the other Exchange admin to check the SMTP properties as you suggested
0
 

Author Comment

by:Optec
ID: 33592693
Where in the SMTP connector is the FQDN referenced?
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33593983
Open the ESM , go to your server and check SMTP under protocols.
Properties and under the "Delivery tab" check "Advanced"
0
 
LVL 7

Expert Comment

by:Waseems
ID: 33596623
this looks like DNS problem from the other server try using
nslookup
set type=MX
youdomain.com
do you get the correct MX ip and information, I guess not
may be the other domain create a zone for your domain in dns which they should not do, if so just delete it and this should solve the problem
tell me what information nslookup command gave?
0
 

Author Comment

by:Optec
ID: 33599361
Here is the nslookup from the remote server
It looks correct
SP32-20100903-132821.jpg
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33599562
Ok , but still I am sure your remote partner uses an incorrect FQDN or it's using a smarthost.
0
 

Author Comment

by:Optec
ID: 33600021
The FQDN value is mail.valueplace.com
Their email goes out through their Barracuda spam filter
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33600693
Does your exchange check for SPF records ?
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33600750
K just to make a summary:
a.You try to send mail from valueplace.com to optecdisplays.com
b.The SMTP diag was done from the REMOTE location.
c. When you try the telnet test from REMOTE location (valueplace.com) the mail goes trough correctly.

Did the remote location tried to make an SMTP connector to send mail DIRECTLY to your MX records instead of going trough Barracuda ?
0
 

Author Comment

by:Optec
ID: 33601151
My Exchane (Optec) has ORF anti spam software in which I enabled SPF, however, messages are stopped before reaching that stage.
The summary is correct.
Remote Exchange has not tried SMTP connector, I can ask for it next week.
Here is a log sent to me from Valueplace:



Delivery has failed to these recipients or distribution lists:
 
oded@optecdisplays.com
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.
 
 
 
 
 
 
 
Diagnostic information for administrators:
 
Generating server: smtp.valueplace.com
 
oded@optecdisplays.com
#< #4.0.0 X-Spam-&-Virus-Firewall; conversation with mail.optecdisplays.com[67.91.72.36] timed out while sending HELO> #SMTP#
 
Original message headers:
 
X-ASG-Debug-ID: 1283360827-2b8400300000-lrRreK
X-Barracuda-URL: http://10.80.80.241:8000/cgi-bin/mark.cgi
Received: from mail.valueplace.com (localhost [127.0.0.1])      by
 smtp.valueplace.com (Spam & Virus Firewall) with ESMTP id A7D732B8DC1   for
 <oded@optecdisplays.com>; Wed,  1 Sep 2010 12:07:08 -0500 (CDT)
Received: from mail.valueplace.com ([10.80.80.246]) by smtp.valueplace.com with ESMTP id jFWV5M86RoeKDTWB for <oded@optecdisplays.com>; Wed, 01 Sep 2010 12:07:08 -0500 (CDT)
X-Barracuda-Envelope-From: helpdesk@valueplace.com
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-ASG-Orig-Subj: test
Subject: test
Date: Wed, 1 Sep 2010 12:07:07 -0500
Message-ID: <BB0DC9E55623D04EBB18B993DA75B1A603164303@exchange1.Consolidated-Holdings.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: test
Thread-Index: ActJ+BtscuBoj/bAQT6ihSRBsN6isA==
From: Help Desk <helpdesk@valueplace.com>
To: <oded@optecdisplays.com>
X-Barracuda-Connect: UNKNOWN[10.80.80.246]
X-Barracuda-Start-Time: 1283360828
X-Barracuda-Virus-Scanned: by Barracuda Spam & Virus Firewall at valueplace.com



0
 
LVL 13

Expert Comment

by:George Sas
ID: 33601191
It's your e-mail delivered directly to your exchange ?
Does the ORF check for reverse DNS ?
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33601224
Do you require authentication upon receiving e-mail ?
I noticed the SMTP test sends "ehlo" ... have you (remote host)  tried the telnet test with EHLO instead of HELO ?
0
 

Author Comment

by:Optec
ID: 33601295
Yes my email is delivered directly to the Optec Exchange server.
Yes ORF checks reverse DNS.
Both Valueplace name and ip are whitelisted in ORF.
The telnet messages showed in ORF logs as whitelisted.
Haven't tried EHLO telnet.
Are you asking about AD authentication upon receipt?  I don't think so, where do I verify?
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33601309
I am asking about the SMTP authentication.
I have asked about the reverse DNS because maybe your ORF tries to resolve the DNS of smtp.valueplace.com and check it against the IP address of the barracuda box that delivers you the mail and if that does not match it will drop the connection.
Has the barracuda same IP as the smtp.valueplace.com ?
0
 

Author Comment

by:Optec
ID: 33620355
Update

My Exchange (Optec) does not use SMTP Authentication.

The Barracuda and smtp.valueplace.com have the same public ip of 68.143.33.62.

Looks like remote Exchange has DNS issue, it resolved mail.optecdisplays.com to 74.208.5.3 and 74.208.5.21 which are the Name Servers instead of 67.91.72.36.

0
 
LVL 13

Expert Comment

by:George Sas
ID: 33621580
K , can they fix that ? If they fix it then your problem is fixed also ... not YOUR problem anyway :)
0
 

Author Comment

by:Optec
ID: 33622395
Remote Exchange fixed the nslookup error and issued the following:

telnet 67.91.72.36 25
EHLO valueplace.com

At this point the connection timed out and it showed the “Connection to host lost” message from telnet.

Then

telnet 67.91.72.36 25
HELO valueplace.com
The SMTP gateway immediately replied with a 250 mail.optendisplays.com Hello [68.143.33.58]

Then completed the command sequence and the message was sent.


0
 
LVL 13

Expert Comment

by:George Sas
ID: 33623160
Good :) so the problem is still on the other side or maybe your spam filter does not like the EHLO.
0
 

Author Comment

by:Optec
ID: 33623166
Any other ideas to fix the issue?
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33624787
I don't know the ORF anti spam , but I would suggest you to contact their rupport department and ask them if this is a known bug
0
 

Author Comment

by:Optec
ID: 33628240
I have emailed ORF and they said that the fact that the log viewer did not have any sender entries for the domain indicates these emails never reached ORF (timed out at the HELO stage before it had a chance to test them), so it is definitely not ORF blocking them.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33668664
hi optec
Can you go to DC of both domains (yours and the other exchange server)

from DC
do this
start > run > dnsmgmt.msc

check if there is any MX record entry in DC forward look-up zone.
Or if there is an entry for your partner exchange in yours.

Please post screenshots of internal DNS at both locations
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33670006
Optec: "Yes ORF checks reverse DNS." - Can you temporary disable this and see if it works ?
0
 

Author Comment

by:Optec
ID: 33677227
Both ends don't have any mx record in the forward look-up zone.
A test email didn't arrive after disabling reverse DNS checks in ORF.
0
 

Accepted Solution

by:
Optec earned 0 total points
ID: 33718698
We found that our Palo Alto Networks 500 Firewall classified SMTP traffic from ValuePlace as Unknown-TCP and therefor dropped the session.
It is still under investigation at PAN, my guess is that this traffic deviated a bit from the protocol standards as it was a singular event.
Meanwhile another rule was added to allow this traffic.
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33719050
Tbh , I gave up :( I'm not a network guy so I didn't thought at the firewall as it was allowing telnet ... we live and learn.
0
 

Author Comment

by:Optec
ID: 33719103
I also didn't think to check the firewall logs because of telnet success.
Thank you for all your help.
0

Featured Post

Secure Your Active Directory - April 20, 2017

Active Directory plays a critical role in your company’s IT infrastructure and keeping it secure in today’s hacker-infested world is a must.
Microsoft published 300+ pages of guidance, but who has the time, money, and resources to implement? Register now to find an easier way.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
When you’re making plans to join the modern business race, you should analyze various details that may affect your results. Nowadays, millions of businesses are trying to grow into established and appreciated professional enterprises.
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question