SBS 2008 Exchange not receiving inbound mail

I have an SBS 2008 client installation where the Exchange Server has stopped receiving inbound mail. When I send email to the server from my office, I first get a message that the email was delayed. Then after several hours, I get a non-delivery report stating "#550 4.4.7 QUEUE.Expired; message expired ##"

I can telnet to the server and send a message. When I send it, it says "added to queue".

I can send mail outbound just fine. The issue is only with inbound mail.

I ran the mail flow troubleshooter and it failed with a message "Mail submission failed: Error message: Server does not support secure connections.."

This led me to believe that the problem was the certificate. I believe that the server was installed with a self-signed certificate but it is less than a year old so I do not think that it is because the certificate has expired.

Any ideas?

Thanks,

Dave
dcadler Asked:
 
sunnyc7 Commented:
You have back pressure. That's stopping your inbound message flow.
Will post back
 
sunnyc7 Commented:
Hi Dave, on your SBS go here
Start run eventvwr
Windows logs/application

Check if there are any MSExchangeTransport errors with 15000 series event ID
Please post back

Thanks
 
dcadler Author Commented:
Shreedhar: They have a self-signed cert that was created less than a year ago. They were receiving mail until last week. I realize that it is better to use a public CA but the client decided to do self-signed. Still, it should work at least until the 1 year expiration date, yes?

Sunnyc7: They were getting Event ID 15006, Source: ExchangeTransport errors until yesterday. They only had 1.5GB of space left on C:\. The event error indicated that it was stopping inbound email services due to the disk space issue.

I used the SBS Console to move Exchange to their D:\ drive that had 500GB free space and that stopped the event errors.

However, I received a Mail Flow Analyzer error message that the "Mail submission failed: Error message: Server does not support secure connections.." after I moved Exchange.


 
R--R Commented:
Read regarding back pressure.
http://technet.microsoft.com/en-us/library/bb201658(EXCHG.80).aspx
Change the location of the queue database to the other drive where you have enough space by following the article.
  http://www.petri.co.il/back-pressure-moving-queue-database-in-exchange-2007.htm 
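
One way to confirm the back-pressure diagnosis discussed above, as an added example that is not part of the original thread: it lists the recent "15000 series" transport events and reports where the transport queue database is configured to live and how much free space that volume has. The config file path is an assumption (the default Exchange 2007 install location); the loop uses only PowerShell 1.0 constructs.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the server.
# Assumption: default Exchange 2007 install path; adjust if Exchange lives elsewhere.
$ConfigPath = 'C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe.config'

# 1. Most recent "15000 series" transport events from the Application log.
#    The source is matched loosely because the thread spells it two ways.
Get-EventLog -LogName Application -Newest 5000 |
    Where-Object { $_.Source -match 'ExchangeTransport' -and
                   $_.EventID -ge 15000 -and $_.EventID -lt 16000 } |
    Select-Object -Property TimeGenerated, EventID, EntryType, Message -First 10 |
    Format-List

# 2. Where the transport queue database and its logs are configured to live,
#    and how much room the hosting volume has.
if (-not (Test-Path $ConfigPath)) { throw "Config file not found: $ConfigPath" }
$cfg = [xml](Get-Content $ConfigPath)

foreach ($key in 'QueueDatabasePath', 'QueueDatabaseLoggingPath') {
    $node = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq $key }
    if (-not $node) { Write-Warning "$key is not set in $ConfigPath"; continue }

    # Reduce the configured path to its drive letter, e.g. "C:".
    $drive = [System.IO.Path]::GetPathRoot($node.value).TrimEnd('\')
    $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if (-not $disk) { Write-Warning "$key -> $($node.value): volume not found"; continue }

    '{0,-26} {1}' -f $key, $node.value
    '{0,-26} {1:N1} GB free of {2:N1} GB ({3:P0})' -f "  volume $drive",
        ($disk.FreeSpace / 1GB), ($disk.Size / 1GB), ($disk.FreeSpace / $disk.Size)
}
```

If the reported paths still point at the nearly full drive after mailbox data has been moved, the queue database itself has not moved and the linked articles describe how to relocate it.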
 
sunnyc7 Commented:
However, I received a Mail Flow Analyzer error message that the "Mail submission failed: Error message: Server does not support secure connections.." after I moved Exchange.

>> What sort of certificates have you applied in exchange. You can apply a self-signed cert.

run this
get-exchangecertificate | fl
 
dcadler Author Commented:
I ran get-exchangecertificate | fl. Here is the output (with thumbprints, serial numbers and actual domains changed)


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.mydomain.com, mydomain.com, server.mydomain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVER-CA
NotAfter           : 1/5/2012 10:35:33 PM
NotBefore          : 1/5/2010 10:35:33 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=remote.mydomain.com
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.mydomain.com, mydomain.com, server.mydomain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVER-CA
NotAfter           : 1/5/2012 10:31:32 PM
NotBefore          : 1/5/2010 10:31:32 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=remote.mydomain.com
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server.mydomain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVER-CA
NotAfter           : 12/30/2010 11:43:07 AM
NotBefore          : 12/30/2009 11:43:07 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=SERVER.mydomain.local
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, server.mydomain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVER-CA
NotAfter           : 12/30/2011 11:36:49 AM
NotBefore          : 12/30/2009 11:36:49 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mydomain-SERVER-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mydomain-SERVER-CA
NotAfter           : 12/30/2014 11:45:06 AM
NotBefore          : 12/30/2009 11:35:06 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : None
Status             : Valid
Subject            : CN=mydomain-SERVER-CA
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-DZZZZZZZZZZ
}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-DZZZZZZZZZZ
NotAfter           : 12/28/2019 11:21:01 AM
NotBefore          : 12/30/2009 11:21:01 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-DZZZZZZZZZZ
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx



 
sunnyc7 Commented:
These are all self-signed certs.
Did you install any UCC/SAN Certificate with local exchange server FQDN and exchange server name?
 
dcadler Author Commented:
The cert was installed using the SBS initial checklist by the client. They used the self-signed certificate method with the host portion of the FQDN set to "remote". They did not purchase a 3rd party cert.

 
sunnyc7 Commented:
is your mail server fqdn - remote.domain.com / or mail.domain.com ?

Create a dns entry for remote.domain.com > point it to local IP of exchange / SBS

Test again.

get-outlookprovider | fl

Did you troubleshoot / fix the back pressure issue @ as stated above http:#33613117
You have to edit the config file
 
dcadler Author Commented:
The problem was the back-pressure issue. It just took some time after moving Exchange to resolve itself. Also, for some reason, the user had removed their MX record from the DNS. That has now been restored. I have not changed anything with the certificates and I am not sure why the Mail Flow Troubleshooter reported the error it did, except perhaps for the fact that the user used self-signed certs. I will recommend that the user purchase a 3rd party certificate that has SAN for the internal as well as the public host name and see if that resolves the error.
 
sunnyc7 Commented:
Also, for some reason, the user had removed their MX record from the DNS
>> how ?? Why ??
Very hard to figure out these things :(

Please add following to the UCC/SAN name.

mail.domain.com (external fqdn)
autodiscover.domain.com (external autodiscover)
mail.domain.local (internal fqdn)
mailservername (internal mail servername)

DigiCert and GoDaddy have guides on how to install certs.

you can also use the u-btech tool to install the cert.
www.u-btech.com/products/certificate-manager-for-exchange-2007.html

All the best :)
Thanks for the points.
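
A way to audit the SMTP-enabled certificates from the `get-exchangecertificate | fl` output earlier in the thread against the host names a SAN certificate is meant to cover, as an added example that is not part of the original thread. `$RequiredNames` and `$WarnDays` are assumptions to replace with your own values; the names shown are placeholders in the thread's style.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Assumptions: $RequiredNames holds the host names other servers and clients
# connect to (placeholders in the thread's style); $WarnDays is arbitrary.
$RequiredNames = 'remote.mydomain.com', 'server.mydomain.local'
$WarnDays      = 60
$now           = Get-Date

# Certificates enabled for SMTP, soonest expiry first, with the required
# names each one does NOT cover.
Get-ExchangeCertificate |
    Where-Object { $_.Services.ToString() -match 'SMTP' } |
    Sort-Object NotAfter |
    Select-Object Subject, Issuer, IsSelfSigned, Status, NotAfter,
        @{ Name = 'DaysLeft'
           Expression = { [int]($_.NotAfter - $now).TotalDays } },
        @{ Name = 'ExpiresSoon'
           Expression = { ($_.NotAfter - $now).TotalDays -lt $WarnDays } },
        @{ Name = 'MissingNames'
           Expression = {
               $have = @($_.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
               $gap  = @($RequiredNames | Where-Object { $have -notcontains $_.ToLower() })
               [string]::Join(', ', [string[]]$gap) } } |
    Format-List

# Receive connectors: the FQDN each one presents and whether the plain
# Tls mechanism is among those it offers.
Get-ReceiveConnector |
    Select-Object Identity, Fqdn, AuthMechanism,
        @{ Name = 'OffersTls'
           Expression = { $_.AuthMechanism.ToString() -match '(^|, )Tls(,|$)' } } |
    Format-List
```

An empty `MissingNames` on a certificate whose names include the connector's `Fqdn` means that certificate covers every name in the list; several SMTP-enabled certificates with overlapping names are worth tidying up when the replacement certificate is installed.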
Question has a verified solution.
