Solved

SBS 2008 Exchange not receiving inbound mail

Posted on 2010-09-05
Last Modified: 2012-05-10
I have an SBS 2008 client installation where the Exchange Server has stopped receiving inbound mail. When I send email to the server from my office, I first get a message that the email was delayed. Then after several hours, I get a non-delivery report stating "#550 4.4.7 QUEUE.Expired; message expired ##"

I can telnet to the server and send a message. When I send it, it says "added to queue".

I can send mail outbound just fine. The issue is only with inbound mail.

I ran the mail flow troubleshooter and it failed with a message "Mail submission failed: Error message: Server does not support secure connections.."

This led me to believe that the problem was the certificate. I believe that the server was installed with a self-signed certificate but it is less than a year old so I do not think that it is because the certificate has expired.

Any ideas?

Thanks,

Dave
0
Question by:dcadler
12 Comments
 
LVL 34

Assisted Solution

by:Shreedhar Ette
Shreedhar Ette earned 100 total points
ID: 33608892
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33608929
Hi Dave, on your SBS go here
Start run eventvwr
Windows logs/application

Check if there are any msexchangetransport errors with 15000 series event ID
Please post back

Thanks
0
 

Author Comment

by:dcadler
ID: 33612954
Shreedhar: They have a self-signed cert that was created less than a year ago. They were receiving mail until last week, I realize that it is better to use a public CA but the client decided to do self-signed. Still, it should work at least until the 1 year expiration date, yes?

Sunnyc7: They were getting Event ID 15006, Source: ExchangeTransport errors until yesterday. They only had 1.5GB of space left on C:\. The event error indicated that it was stopping inbound email services due to the disk space issue.

I used the SBS Console to move Exchange to their D:\ drive that had 500GB free space and that stopped the event errors.

However, I received Mail Flow Analyzer error message that the "Mail submission failed: Error message: Server does not support secure connections.." after I moved Exchange.


0

 
LVL 28

Accepted Solution

by:
sunnyc7 earned 250 total points
ID: 33612983
You have back pressure. That's stopping your inbound message flow.
Will post back
0
 
LVL 19

Assisted Solution

by:R--R
R--R earned 150 total points
ID: 33613117
Read regarding back pressure.
http://technet.microsoft.com/en-us/library/bb201658(EXCHG.80).aspx
Change the location of the queue database to the other drive where you have enough space by following the article.
http://www.petri.co.il/back-pressure-moving-queue-database-in-exchange-2007.htm
0
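A way to check the two things this thread ties to back pressure, free space on the drive holding the transport queue database and the 15000-series transport events, as an added example that is not part of any post above. It assumes the default Exchange 2007 location of EdgeTransport.exe.config, absolute local paths in the QueueDatabasePath and QueueDatabaseLoggingPath settings, and that "15000 series" means event IDs 15000 to 15099.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2007 / SBS 2008 server.
# ASSUMPTION: default install path; change $configPath if Exchange lives elsewhere.
$configPath = 'C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe.config'
$lookback   = (Get-Date).AddDays(-7)   # ASSUMPTION: how far back to look for events

# 1. Read where the transport queue database and its logs are stored.
[xml]$cfg = Get-Content $configPath
$paths = @()
foreach ($key in 'QueueDatabasePath', 'QueueDatabaseLoggingPath') {
    $node = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq $key }
    if ($node) {
        $paths += $node.value
        '{0} = {1}' -f $key, $node.value
    }
}

# 2. Report free space on each drive those folders are on.
#    ASSUMPTION: the values are absolute local paths such as D:\...
$paths | ForEach-Object { $_.Substring(0, 2) } | Sort-Object -Unique | ForEach-Object {
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$_'"
    '{0}  free: {1:N1} GB of {2:N1} GB' -f $_, ($disk.FreeSpace / 1GB), ($disk.Size / 1GB)
}

# 3. List recent transport events in the 15000 series (15006 is the one reported in this thread).
Get-EventLog -LogName Application -Newest 5000 |
    Where-Object { $_.Source -like '*ExchangeTransport*' -and
                   $_.EventID -ge 15000 -and $_.EventID -lt 15100 -and
                   $_.TimeGenerated -ge $lookback } |
    Sort-Object TimeGenerated |
    Format-Table TimeGenerated, EventID, EntryType -AutoSize
```

If step 1 still shows a path on the full drive after Exchange has been moved, the queue database was not relocated with it.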
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33613870
However, I received Mail Flow Analyzer error message that the "Mail submission failed: Error message: Server does not support secure connections.." after I moved Exchange.

>> What sort of certificates have you applied in exchange. You can apply a self-signed cert.

run this
get-exchangecertificate | fl
0
 

Author Comment

by:dcadler
ID: 33614474
I ran get-exchangecertificate | fl. Here is the output (with thumbprints, serial numbers and actual domains changed):


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.mydomain.com, mydomain.com, server.mydomain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVER-CA
NotAfter           : 1/5/2012 10:35:33 PM
NotBefore          : 1/5/2010 10:35:33 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=remote.mydomain.com
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.mydomain.com, mydomain.com, server.mydomain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVER-CA
NotAfter           : 1/5/2012 10:31:32 PM
NotBefore          : 1/5/2010 10:31:32 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=remote.mydomain.com
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server.mydomain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVER-CA
NotAfter           : 12/30/2010 11:43:07 AM
NotBefore          : 12/30/2009 11:43:07 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=SERVER.mydomain.local
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, server.mydomain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVER-CA
NotAfter           : 12/30/2011 11:36:49 AM
NotBefore          : 12/30/2009 11:36:49 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mydomain-SERVER-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mydomain-SERVER-CA
NotAfter           : 12/30/2014 11:45:06 AM
NotBefore          : 12/30/2009 11:35:06 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : None
Status             : Valid
Subject            : CN=mydomain-SERVER-CA
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-DZZZZZZZZZZ}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-DZZZZZZZZZZ
NotAfter           : 12/28/2019 11:21:01 AM
NotBefore          : 12/30/2009 11:21:01 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 111111111111111111111
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-DZZZZZZZZZZ
Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxx



0
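To read a listing like the one above without scanning every field by hand, the following added example (not part of the original post) summarises only the certificates enabled for SMTP, flags those that are expired or close to expiry, and checks whether each Receive connector's FQDN appears in the CertificateDomains of an unexpired SMTP certificate. The 60-day warning window is an assumption, and wildcard domains are not handled.

```powershell
# Added example. Run in the Exchange Management Shell.
$warnDays = 60          # ASSUMPTION: how far ahead to warn about expiry
$now      = Get-Date

# Certificates enabled for SMTP are the ones the transport service can offer for TLS.
$smtpCerts = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'SMTP' })

# One summary line per SMTP certificate, soonest expiry first.
$smtpCerts | Sort-Object NotAfter | ForEach-Object {
    $days  = [int]($_.NotAfter - $now).TotalDays
    $state = 'ok'
    if ($_.NotAfter -lt $now)        { $state = 'EXPIRED' }
    elseif ($days -le $warnDays)     { $state = 'expires soon' }
    $domains = [string]::Join(', ', @($_.CertificateDomains | ForEach-Object { "$_" }))
    '{0,-12} {1:yyyy-MM-dd} ({2} days)  selfsigned={3}  issuer={4}  domains={5}' -f `
        $state, $_.NotAfter, $days, $_.IsSelfSigned, $_.Issuer, $domains
}

# For each Receive connector: is its FQDN listed on an unexpired SMTP certificate?
Get-ReceiveConnector | ForEach-Object {
    $fqdn  = "$($_.Fqdn)"
    $match = @($smtpCerts | Where-Object {
        $_.NotAfter -gt $now -and
        (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $fqdn)
    })
    '{0}: FQDN {1} -> {2} matching certificate(s)' -f $_.Identity, $fqdn, $match.Count
}
```

A connector that reports 0 matching certificates is the first place to look when a client reports that the server does not offer a secure connection.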
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33614731
These are all self-signed certs.
Did you install any UCC/SAN Certificate with local exchange server FQDN and exchange server name ?
0
 

Author Comment

by:dcadler
ID: 33618830
The cert was installed using the SBS initial checklist by the client. They used the self-signed certificate method with the host portion of the FQDN set to "remote". They did not purchase a 3rd party cert.

0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33618874
is your mail server fqdn - remote.domain.com / or mail.domain.com ?

Create a dns entry for remote.domain.com > point it to local IP of exchange / SBS

Test again.

get-outlookprovider | fl

did you troubleshoot / fix the back pressure issue @ as stated above http:#33613117
you have to edit the config file
0
 

Author Closing Comment

by:dcadler
ID: 33618887
The problem was the back-pressure issue. It just took some time after moving Exchange to resolve itself. Also, for some reason, the user had removed their MX record from the DNS. That has now been restored. I have not changed anything with the certificates and I am not sure why the Mail Flow Troubleshooter reported the error it did except perhaps for the fact that the user used self-signed certs. I will recommend that the user purchase a 3rd party certificate that has SAN for the internal as well as the public host name and see if that resolves the error.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33618918
Also, for some reason, the user had removed their MX record from the DNS
>> how ?? Why ??
Very hard to figure out these things :(

Please add following to the UCC/SAN name.

mail.domain.com (external fqdn)
autodiscover.domain.com (external autodiscover)
mail.domain.local (internal fqdn)
mailservername (internal mail servername)

Digicert and GoDaddy have guides on how to install certs.

you can also use the u-btech tool to install the cert.
www.u-btech.com/products/certificate-manager-for-exchange-2007.html

All the best :)
Thanks for the points.
0
