Exchange 2003 email reception problem

davedave308 (United States of America) asked:

I manage an Exchange 2003 email server for a customer that has recently started having problems receiving from certain domains.

I've been watching the logs and found that the typical SMTP "conversation" for the problem domains doesn't include any DATA commands.  You can see a small excerpt of the log in the attached file.

All the domains that have trouble sending to my customer do the EHLO, MAIL, and RCPT commands, then wait several minutes and then QUIT. Some of the domains show QUIT in just a few minutes, while others wait until the connection times out and then quit.

DNS appears to be correct (reverse also) and the Exchange 03 is up to date.  The customer is on DSL and although the connection is busy, it's certainly not overloaded. This happens consistently for certain domains - their email never gets through while others flow right through every time.

I really need to fix this!
Attachment: SMTP-Log-Sample.txt
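The pattern described in the question (EHLO, MAIL, RCPT, a pause of minutes, then QUIT with no DATA in between) can be pulled out of the SMTP virtual server log mechanically instead of by eye. The script below is an added example for this thread, not code from the post or its attachment. The log it parses is a constructed sample in the W3C extended format that the Exchange 2003 SMTP virtual server writes, with an assumed, reduced field list; the parser takes its column names from the #Fields header, so a real log with more columns works as long as date, time, c-ip, cs-method and cs-uri-query are present. Addresses and host names in the sample are made up.

```python
"""Flag SMTP sessions that set up a message (MAIL, RCPT) but never reach DATA.

Added example for this thread. The log layout is an assumption: a reduced
W3C extended log as written by the Exchange 2003 SMTP virtual server.
"""
from collections import namedtuple
from datetime import datetime

# Constructed sample, not the attachment from the post. Two connections,
# interleaved in time order as a real log would be: 192.0.2.10 stalls after
# RCPT and quits five minutes later; 198.51.100.7 delivers normally.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2010-03-01 10:00:01 192.0.2.10 EHLO +mx1.sender.example 250
2010-03-01 10:00:01 192.0.2.10 MAIL +FROM:<alerts@sender.example> 250
2010-03-01 10:00:01 192.0.2.10 RCPT +TO:<user@customer.example> 250
2010-03-01 10:00:03 198.51.100.7 EHLO +mail.other.example 250
2010-03-01 10:00:03 198.51.100.7 MAIL +FROM:<a@other.example> 250
2010-03-01 10:00:03 198.51.100.7 RCPT +TO:<user@customer.example> 250
2010-03-01 10:00:04 198.51.100.7 DATA +<20100301100004.1@other.example> 250
2010-03-01 10:00:04 198.51.100.7 QUIT mail.other.example 240
2010-03-01 10:05:02 192.0.2.10 QUIT mx1.sender.example 240
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data line before #Fields header")
            yield dict(zip(fields, line.split()))


def group_sessions(records):
    """Split records into per-connection sessions.

    A HELO/EHLO from a client IP starts a session and QUIT closes it, which
    is how one connection appears in the log. Parallel connections from the
    same IP would be merged; that is acceptable for spotting the stall."""
    sessions, open_by_ip = [], {}
    for r in records:
        ip, verb = r["c-ip"], r["cs-method"].upper()
        if verb in ("EHLO", "HELO") or ip not in open_by_ip:
            s = {"ip": ip, "helo": None, "verbs": [], "first": None, "last": None}
            sessions.append(s)
            open_by_ip[ip] = s
        s = open_by_ip[ip]
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        s["first"] = s["first"] or ts
        s["last"] = ts
        s["verbs"].append(verb)
        if verb in ("EHLO", "HELO"):
            s["helo"] = r.get("cs-uri-query", "").lstrip("+")
        if verb == "QUIT":
            del open_by_ip[ip]
    return sessions


Stall = namedtuple("Stall", "ip helo seconds verbs")


def stalled_sessions(sessions):
    """Sessions that issued MAIL and RCPT but never got to DATA."""
    out = []
    for s in sessions:
        seen = set(s["verbs"])
        if {"MAIL", "RCPT"} <= seen and "DATA" not in seen:
            gap = (s["last"] - s["first"]).total_seconds()
            out.append(Stall(s["ip"], s["helo"], gap, tuple(s["verbs"])))
    return out


def find_stalls(log_text):
    """Convenience wrapper: log text in, list of Stall records out."""
    return stalled_sessions(group_sessions(parse_w3c(log_text)))


if __name__ == "__main__":
    for st in find_stalls(SAMPLE_LOG):
        print(f"{st.ip:15} {st.helo:25} no DATA, quit after "
              f"{st.seconds:.0f}s: {' '.join(st.verbs)}")
```

Run it over a day's log file instead of SAMPLE_LOG and the EHLO names of the stalled sessions give the list of sending hosts to compare; sessions that never QUIT at all (the peer let the connection time out) still show up, since the check is on the absence of DATA rather than the presence of QUIT.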
davedave308 (asker):

I just realized I should post this too.  This is the message the sender receives:

The e-mail system was unable to deliver the message, but did not report a specific reason.  Check the address and try again.  If it still fails, contact your system administrator.
            < ***** #5.0.0 smtp; 5.4.7 - Delivery expired (message too old) [Default] '[Errno 60] Operation timed out' (delivery attempts: 5)>

Note that the ***** is the sender's email server name but is not the one in the other example I posted. It appears that the email just sits in the sender's outbound queue until it expires.
ASKER CERTIFIED SOLUTION by Wonko_the_Sane (United States of America) [solution text available only to Experts Exchange members; not shown]

No hardware on the server has changed but the DSL modem was swapped out 3-4 months ago. It's the same model Actiontek 704WG (I think) but has a newer firmware.  I think this problem has been going on for about 4 weeks.  I think it's serious enough that they noticed right away so I don't think it coincided with the DSL modem change.  The temporary resolution has been to have the "bad" domains send to personal email accounts - not ideal.  There is no firewall on the server, no AV.  There doesn't seem to be a pattern that I've noticed, but I'll look for more of the problem domains.  US Bank appears to use MS Hosted Exchange but I don't know about the others. It's hard to pick them out in the logs because I have to look for the connection sequence without the "DATA" line.

Thank you for the reply.  I'll put together a short list of a few domains and see if there's any consistency as soon as I get a chance today.
Another thing that's always suspicious I forgot to mention:
Are you running any virus scanners on your Exchange servers, either file-based or Exchange-integrated? They often cause strange problems, and since they update themselves on a daily basis would be an explanation why it suddenly started, without any other changes you are aware of.
SOLUTION by davorin (Slovenia) [solution text available only to Experts Exchange members; not shown]

I've taken a look at it with Wireshark (see attachment; I've replaced identifying info).

Attachment: Wireshark-TCPStream.txt

Then, after what shows there, I get:
SMTP [RST, ACK] from US Bank to us
TCP Dup ACK from our server to US Bank
and now another SMTP [RST, ACK] from US Bank to us and that's the end of it.

I'm using US Bank as the example because I know their emails aren't spam (at least in this case) and they can't send any email to this server.

So it appears that whatever US Bank's servers try to send after the "354 Start mail input; end with <CRLF>.<CRLF>", that the data dies somewhere between them and this email server.  Since the data isn't even getting to the email server, I'm having my customer put their old DSL modem back in place (same hardware, different firmware) to see if that resolves it. Of course, we had replaced the old modem for a reason, but it should work for a day to test this.
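The diagnosis above (the peer is answered with 354 and whatever it sends next never arrives, until the connection is reset) can be localized from the sending side with a step-wise probe that records the reply to every SMTP command and reports the first step at which the receiver stops answering. The script below is an added example for this thread, not code from the post. It speaks plain SMTP with no TLS or authentication, and it includes a toy receiver on loopback with a `blackhole_body` switch that accepts DATA with 354 and then never acknowledges the message, so the probe can be exercised offline against a server that behaves like the one described here. All host names and addresses in it are made up. Against a real system, run the probe from outside the DSL link at your own receiving server, as the asker did from the other side with Wireshark, rather than sending test mail at someone else's MX.

```python
"""Step-wise SMTP probe: at which command does the receiver stop answering?

Added example for this thread, not code from the post. The toy receiver is
only there so the probe can run offline; it is not a real MTA.
"""
import socket
import socketserver
import threading


def _read_reply(f):
    """Read one SMTP reply; '250-' lines continue, '250 ' ends it. None on EOF."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            return None
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)


def _wire_body(body):
    """CRLF line endings, dot-stuffing, and the <CRLF>.<CRLF> terminator."""
    stuffed = [("." + l) if l.startswith(".") else l for l in body.split("\n")]
    return "\r\n".join(stuffed) + "\r\n.\r\n"


def probe_smtp(host, port, helo, mail_from, rcpt_to, body, timeout=5.0):
    """Return [(step, reply)] up to and including the first failing step.

    reply is the server's text, or TIMEOUT / CLOSED / RESET when the server
    stopped answering at that step (the BODY step is where the thread's
    problem peer went silent)."""
    steps = [
        ("EHLO", f"EHLO {helo}\r\n"),
        ("MAIL", f"MAIL FROM:<{mail_from}>\r\n"),
        ("RCPT", f"RCPT TO:<{rcpt_to}>\r\n"),
        ("DATA", "DATA\r\n"),
        ("BODY", _wire_body(body)),
        ("QUIT", "QUIT\r\n"),
    ]
    trace = []
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            sock.makefile("rb") as f:
        banner = _read_reply(f)
        trace.append(("BANNER", banner if banner is not None else "CLOSED"))
        if banner is None:
            return trace
        for name, cmd in steps:
            try:
                sock.sendall(cmd.encode("ascii"))
                reply = _read_reply(f)
            except socket.timeout:
                trace.append((name, "TIMEOUT"))
                break
            except ConnectionError:          # e.g. ECONNRESET after a RST
                trace.append((name, "RESET"))
                break
            trace.append((name, reply if reply is not None else "CLOSED"))
            if reply is None or not reply.startswith(("2", "3")):
                break
    return trace


class ToyReceiver(socketserver.StreamRequestHandler):
    """Minimal receiver for exercising the probe (made-up host toy.example)."""
    blackhole_body = False   # True: answer DATA with 354, then never ack the body

    def handle(self):
        self.wfile.write(b"220 toy.example ESMTP\r\n")
        in_body = False
        while True:
            raw = self.rfile.readline()
            if not raw:
                return                           # client went away
            if in_body:
                if raw.rstrip(b"\r\n") == b".":
                    in_body = False
                    if not self.blackhole_body:
                        self.wfile.write(b"250 Queued\r\n")
                continue
            verb = raw.split(b" ", 1)[0].strip().upper()
            if verb == b"EHLO":
                self.wfile.write(b"250-toy.example\r\n250 SIZE 10485760\r\n")
            elif verb in (b"MAIL", b"RCPT"):
                self.wfile.write(b"250 OK\r\n")
            elif verb == b"DATA":
                self.wfile.write(b"354 Start mail input; end with <CRLF>.<CRLF>\r\n")
                in_body = True
            elif verb == b"QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"500 Unrecognized\r\n")


def probe_toy(blackhole_body, timeout=0.5):
    """Start a toy receiver on loopback, probe it once, shut it down."""
    handler = type("Handler", (ToyReceiver,), {"blackhole_body": blackhole_body})
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_smtp("127.0.0.1", srv.server_address[1], "probe.example",
                          "probe@example.org", "user@customer.example",
                          "Subject: probe\n\nhello", timeout=timeout)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for label, flag in (("healthy receiver", False), ("body black-holed", True)):
        print(label)
        for step, reply in probe_toy(flag):
            print(f"  {step:7} {reply!r}")
```

A trace that ends in `("BODY", "TIMEOUT")` or `("BODY", "RESET")` after a 354 is the sender-side view of what the Wireshark capture shows; a healthy receiver ends the trace with the 221 reply to QUIT.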
Well, that was fast.  They replaced the DSL modem and I started monitoring right away with Wireshark.  The emails from US Bank came in immediately (I verified with the users too).  I guess the problem was a bad firmware in the modem.  The working one has firmware QW04-3.60.2.0.6.3 and the bad one has firmware QW06-3.60.3.0.8.1, and both are Actiontec GT704WG. I guess the problem has been around longer than we thought. Thanks to both of you for the help.
I'm glad you figured out the source of the problem!
Thanks to both of you.  Your comments led me in the right direction.  I never would have thought the DSL modem would be causing such an odd problem like this.