Solved

SBS 2008 Exchange not receiving inbound mail

Posted on 2010-09-05
Last Modified: 2012-05-10
I have an SBS 2008 client installation where the Exchange Server has stopped receiving inbound mail. When I send email to the server from my office, I first get a message that the email was delayed. Then after several hours, I get a non-delivery report stating "#550 4.4.7 QUEUE.Expired; message expired ##"

I can telnet to the server and send a message. When I send it, it says "added to queue".

I can send mail outbound just fine. The issue is only with inbound mail.

I ran the mail flow troubleshooter and it failed with a message "Mail submission failed: Error message: Server does not support secure connections.."

This led me to believe that the problem was the certificate. I believe that the server was installed with a self-signed certificate but it is less than a year old so I do not think that it is because the certificate has expired.

Any ideas?

Thanks,

Dave
0
Question by:dcadler
12 Comments
 
LVL 34

Assisted Solution

by:Shreedhar Ette
Shreedhar Ette earned 400 total points
ID: 33608892
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33608929
Hi Dave, on your SBS go here
Start run eventvwr
Windows logs/application

Check if there are any msexchangetransport errors with 15000 series event ID
Please post back

Thanks
0
 

Author Comment

by:dcadler
ID: 33612954
Shreedhar: They have a self-signed cert that was created less than a year ago. They were receiving mail until last week. I realize that it is better to use a public CA but the client decided to do self-signed. Still, it should work at least until the 1 year expiration date, yes?

Sunnyc7: They were getting Event ID 15006, Source: ExchangeTransport errors until yesterday. They only had 1.5GB of space left on C:\. The event error indicated that it was stopping inbound email services due to the disk space issue.

I used the SBS Console to move Exchange to their D:\ drive that had 500GB free space and that stopped the event errors.

However, I received a Mail Flow Analyzer error message that the "Mail submission failed: Error message: Server does not support secure connections.." after I moved Exchange.


0
 
LVL 28

Accepted Solution

by:
sunnyc7 earned 1000 total points
ID: 33612983
You have back pressure. That's stopping your inbound message flow.
Will post back
0
 
LVL 19

Assisted Solution

by:R--R
R--R earned 600 total points
ID: 33613117
Read regarding back pressure.
http://technet.microsoft.com/en-us/library/bb201658(EXCHG.80).aspx
Change the location of the queue database to the other drive where you have enough space by following the article.
  http://www.petri.co.il/back-pressure-moving-queue-database-in-exchange-2007.htm 
0
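An added example, not part of any post in this thread: one way to turn the MSExchangeTransport back-pressure events discussed above into the time windows during which the server refused inbound submissions. The function name Get-RejectionWindow and the sample events are hypothetical, and the script assumes that event 15005 (resource pressure decreased) marks the end of a rejection period.

```powershell
# Added example, not from the thread. Event ID meanings follow Microsoft's
# back pressure documentation for Exchange 2007.
$RejectIds = 15006, 15007   # rejecting submissions: low disk space / low memory
$RecoverId = 15005          # resource pressure decreased

function Get-RejectionWindow {
    param([Parameter(Mandatory = $true)] [object[]] $Records)

    $windows = @()
    $start = $null
    foreach ($e in ($Records | Sort-Object TimeGenerated)) {
        $id = [int]$e.EventID
        if ($RejectIds -contains $id) {
            # The first rejection event opens a window; repeats inside it are ignored.
            if ($null -eq $start) { $start = $e.TimeGenerated }
        }
        elseif ($id -eq $RecoverId -and $null -ne $start) {
            $windows += New-Object psobject -Property @{
                Began = $start; Cleared = $e.TimeGenerated; StillOpen = $false
                Hours = [math]::Round(($e.TimeGenerated - $start).TotalHours, 1)
            }
            $start = $null
        }
    }
    if ($null -ne $start) {
        # No recovery event logged yet: submissions are probably still refused.
        $windows += New-Object psobject -Property @{
            Began = $start; Cleared = $null; StillOpen = $true; Hours = $null
        }
    }
    return $windows
}

# Constructed sample events, not real log data. On the server, use instead:
#   $sample = Get-EventLog -LogName Application -Source MSExchangeTransport
$sample = @(
    New-Object psobject -Property @{ EventID = 15006; TimeGenerated = [datetime]'2010-08-30 08:15' }
    New-Object psobject -Property @{ EventID = 15006; TimeGenerated = [datetime]'2010-09-02 03:10' }
    New-Object psobject -Property @{ EventID = 15005; TimeGenerated = [datetime]'2010-09-05 14:40' }
    New-Object psobject -Property @{ EventID = 9999;  TimeGenerated = [datetime]'2010-09-05 15:00' }  # unrelated ID, ignored
)
Get-RejectionWindow -Records $sample | Format-Table Began, Cleared, Hours, StillOpen -AutoSize
```

A window with StillOpen set to True means no recovery event has been logged since the last rejection, which is the state to rule out before looking at certificates or DNS.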
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33613870
However, I received a Mail Flow Analyzer error message that the "Mail submission failed: Error message: Server does not support secure connections.." after I moved Exchange.

>> What sort of certificates have you applied in Exchange? You can apply a self-signed cert.

run this
get-exchangecertificate | fl
0
 

Author Comment

by:dcadler
ID: 33614474
I ran get-exchangecertificate | fl. Here is the output (with thumbprints, serial numbers and actual domains changed):


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.mydomain.com, mydomain.com, server.mydomain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVER-CA
NotAfter           : 1/5/2012 10:35:33 PM
NotBefore          : 1/5/2010 10:35:33 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=remote.mydomain.com
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.mydomain.com, mydomain.com, server.mydomain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVER-CA
NotAfter           : 1/5/2012 10:31:32 PM
NotBefore          : 1/5/2010 10:31:32 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=remote.mydomain.com
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server.mydomain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVER-CA
NotAfter           : 12/30/2010 11:43:07 AM
NotBefore          : 12/30/2009 11:43:07 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=SERVER.mydomain.local
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, server.mydomain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVER-CA
NotAfter           : 12/30/2011 11:36:49 AM
NotBefore          : 12/30/2009 11:36:49 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mydomain-SERVER-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mydomain-SERVER-CA
NotAfter           : 12/30/2014 11:45:06 AM
NotBefore          : 12/30/2009 11:35:06 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : None
Status             : Valid
Subject            : CN=mydomain-SERVER-CA
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-DZZZZZZZZZZ}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-DZZZZZZZZZZ
NotAfter           : 12/28/2019 11:21:01 AM
NotBefore          : 12/30/2009 11:21:01 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-DZZZZZZZZZZ
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx



0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33614731
These are all self-signed certs.
Did you install any UCC/SAN Certificate with local exchange server FQDN and exchange server name ?
0
 

Author Comment

by:dcadler
ID: 33618830
The cert was installed using the SBS initial checklist by the client. They used the self-signed certificate method with the host portion of the FQDN set to "remote". They did not purchase a 3rd party cert.

0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33618874
is your mail server fqdn - remote.domain.com / or mail.domain.com ?

Create a dns entry for remote.domain.com > point it to local IP of exchange / SBS

Test again.

get-outlookprovider | fl

did you troubleshoot / fix the back pressure issue @ as stated above http:#33613117
you have to edit the config file
0
 

Author Closing Comment

by:dcadler
ID: 33618887
The problem was the back-pressure issue. It just took some time after moving Exchange to resolve itself. Also, for some reason, the user had removed their MX record from the DNS. That has now been restored. I have not changed anything with the certificates and I am not sure why the Mail Flow Troubleshooter reported the error it did except perhaps for the fact that the user used self-signed certs. I will recommend that the user purchase a 3rd party certificate that has SAN for the internal as well as the public host name and see if that resolves the error.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33618918
Also, for some reason, the user had removed their MX record from the DNS
>> how ?? Why ??
Very hard to figure out these things :(

Please add following to the UCC/SAN name.

mail.domain.com (external fqdn)
autodiscover.domain.com (external autodiscover)
mail.domain.local (internal fqdn)
mailservername (internal mail servername)

DigiCert and GoDaddy have guides on how to install certs.

you can also use the u-btech tool to install the cert.
www.u-btech.com/products/certificate-manager-for-exchange-2007.html

All the best :)
Thanks for the points.
0
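An added example, not part of any post in this thread: a triage of Get-ExchangeCertificate output like the listing posted earlier, reporting for each SMTP-enabled certificate its issuer, validity and which of the host names you need (such as the SAN list above) it does not cover. The function name Test-SmtpCertificate, its parameters and the check date are hypothetical; the sample objects are constructed from three of the anonymised entries in the thread.

```powershell
# Added example, not from the thread. Input objects only need the properties
# that "Get-ExchangeCertificate | fl" prints.
function Test-SmtpCertificate {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Certificates,
        [Parameter(Mandatory = $true)] [string[]] $RequiredNames,
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($c in $Certificates) {
        # Only certificates enabled for the SMTP service are candidates for STARTTLS.
        if ("$($c.Services)" -notmatch 'SMTP') { continue }
        $names   = @($c.CertificateDomains | ForEach-Object { "$_".ToLower() })
        $missing = @($RequiredNames | Where-Object { $names -notcontains $_.ToLower() })
        New-Object psobject -Property @{
            Subject      = $c.Subject
            Issuer       = $c.Issuer          # an internal CA is not trusted by outside hosts
            IsSelfSigned = $c.IsSelfSigned
            InValidity   = ($c.NotBefore -le $AsOf -and $AsOf -le $c.NotAfter)
            DaysLeft     = [int][math]::Floor(($c.NotAfter - $AsOf).TotalDays)
            MissingNames = ($missing -join ', ')
        }
    }
}

# Constructed from entries posted in the thread (already anonymised there).
# On the server, use instead: $certs = Get-ExchangeCertificate
$certs = @(
    New-Object psobject -Property @{
        Subject = 'CN=remote.mydomain.com'; Issuer = 'CN=mydomain-SERVER-CA'; IsSelfSigned = $false
        Services = 'IMAP, POP, IIS, SMTP'
        NotBefore = [datetime]'2010-01-05 22:35:33'; NotAfter = [datetime]'2012-01-05 22:35:33'
        CertificateDomains = 'remote.mydomain.com', 'mydomain.com', 'server.mydomain.local' }
    New-Object psobject -Property @{
        Subject = 'CN=SERVER.mydomain.local'; Issuer = 'CN=mydomain-SERVER-CA'; IsSelfSigned = $false
        Services = 'IMAP, POP, SMTP'
        NotBefore = [datetime]'2009-12-30 11:43:07'; NotAfter = [datetime]'2010-12-30 11:43:07'
        CertificateDomains = @('server.mydomain.local') }
    New-Object psobject -Property @{
        Subject = 'CN=mydomain-SERVER-CA'; Issuer = 'CN=mydomain-SERVER-CA'; IsSelfSigned = $true
        Services = 'None'
        NotBefore = [datetime]'2009-12-30 11:35:06'; NotAfter = [datetime]'2014-12-30 11:45:06'
        CertificateDomains = @('mydomain-SERVER-CA') }
)
$need = 'remote.mydomain.com', 'server.mydomain.local'   # public and internal host names
Test-SmtpCertificate -Certificates $certs -RequiredNames $need -AsOf ([datetime]'2010-09-05') |
    Format-List Subject, Issuer, IsSelfSigned, InValidity, DaysLeft, MissingNames
```

The CA certificate is skipped because it has no services assigned; a non-empty MissingNames on an SMTP-enabled certificate shows which host name a replacement SAN certificate still has to include.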
