  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 874

Exchange 2003 email reception problem

I manage an Exchange 2003 email server for a customer that has recently started having problems receiving from certain domains.

I've been watching the logs and found that the typical SMTP "conversation" for the problem domains doesn't include any DATA commands.  You can see a small excerpt of the log in the attached file.

All the domains that have trouble sending to my customer do the EHLO, MAIL, and RCPT commands, then wait several minutes and then QUIT. Some of the domains show QUIT in just a few minutes, while others wait until the connection times out and then quit.

DNS appears to be correct (reverse also) and the Exchange 03 is up to date. The customer is on DSL and although the connection is busy, it's certainly not overloaded. This happens consistently for certain domains - their email never gets through while others flow right through every time.

I really need to fix this!
SMTP-Log-Sample.txt
Asked by: davedave308

davedave308 (Author) Commented:
I just realized I should post this too.  This is the message the sender receives:

The e-mail system was unable to deliver the message, but did not report a specific reason.  Check the address and try again.  If it still fails, contact your system administrator.
            < ***** #5.0.0 smtp; 5.4.7 - Delivery expired (message too old) [Default] '[Errno 60] Operation timed out' (delivery attempts: 5)>

Note that the ***** is the sender's email server name but is not the one in the other example I posted. It appears that the email just sits in the sender's outbound queue until it expires.
 
Wonko_the_Sane Commented:
It looks like your Exchange server sends the proper response, but then nothing comes back. Is there any other hardware/software involved in this, such as a third-party firewall?

When you say "certain domains", can you identify a pattern, e.g. do they seem to be using the same provider?
 
davedave308 (Author) Commented:
No hardware on the server has changed but the DSL modem was swapped out 3-4 months ago. It's the same model Actiontec 704WG (I think) but has a newer firmware. I think this problem has been going on for about 4 weeks. I think it's serious enough that they noticed right away so I don't think it coincided with the DSL modem change. The temporary resolution has been to have the "bad" domains send to personal email accounts - not ideal. There is no firewall on the server, no AV. There doesn't seem to be a pattern that I've noticed, but I'll look for more of the problem domains. US Bank appears to use MS Hosted Exchange but I don't know about the others. It's hard to pick them out in the logs because I have to look for the connection sequence without the "DATA" line.

Thank you for the reply.  I'll put together a short list of a few domains and see if there's any consistency as soon as I get a chance today.
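
The manual log search described in the post above (sessions that reach RCPT but never log DATA) can be scripted. This is an added example, not part of the original thread: the log lines are constructed, and it assumes W3C extended logging with the `c-ip`, `cs-method` and `cs-uri-query` fields enabled and one session at a time per client IP.

```python
import re

# Constructed sample in W3C extended format (not the log attached to the thread).
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-query sc-status
14:02:10 192.0.2.10 EHLO +mail.example.net 250
14:02:10 192.0.2.10 MAIL +FROM:<alice@example.net> 250
14:02:11 192.0.2.10 RCPT +TO:<user@customer.example> 250
14:02:11 192.0.2.10 DATA - 250
14:02:12 192.0.2.10 QUIT - 240
14:05:00 198.51.100.7 EHLO +mx.example.org 250
14:05:01 198.51.100.7 MAIL +FROM:<bob@example.org> 250
14:05:01 198.51.100.7 RCPT +TO:<user@customer.example> 250
14:09:40 198.51.100.7 QUIT - 240
14:20:00 203.0.113.5 EHLO +out.example.com 250
14:20:01 203.0.113.5 MAIL +FROM:<carol@example.com> 250
14:20:01 203.0.113.5 RCPT +TO:<user@customer.example> 250
"""

def stalled_sessions(log_text):
    """Return (client_ip, sender_domain, how_it_ended) for every session whose
    last mail transaction reached RCPT but never logged DATA."""
    fields, open_sessions, flagged = [], {}, []
    def close(ip, ending):
        s = open_sessions.pop(ip, None)
        if s and "RCPT" in s["verbs"] and "DATA" not in s["verbs"]:
            flagged.append((ip, s["domain"], ending))
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):   # column order comes from the log header
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        ip, verb = row["c-ip"], row["cs-method"].upper()
        if verb in ("EHLO", "HELO"):      # a new greeting ends any unfinished session
            close(ip, "no QUIT logged")
        s = open_sessions.setdefault(ip, {"verbs": set(), "domain": None})
        if verb == "MAIL":                # new transaction: judge only the latest one
            s["verbs"] = set()
            m = re.search(r"@([^>\s]+)>", row.get("cs-uri-query", ""))
            s["domain"] = m.group(1).lower() if m else None
        s["verbs"].add(verb)
        if verb == "QUIT":
            close(ip, "QUIT")
    for ip in list(open_sessions):        # sessions still open at end of log
        close(ip, "no QUIT logged")
    return flagged
```

Grouping the result by sender domain gives the list of affected domains to compare for a common provider or pattern.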
 
Wonko_the_Sane Commented:
Another thing that's always suspicious I forgot to mention:
Are you running any virus scanners on your Exchange servers, either file-based or Exchange-integrated? They often cause strange problems, and since they update themselves on a daily basis, that would be an explanation for why it suddenly started, without any other changes you are aware of.
 
davorin Commented:
Look at this post - CharlieBrady posted an explanation of a possible cause of the problem:
http://forums.contribs.org/index.php?topic=46747.0

As Wonko already suggested I would check firewall configuration or internet connection.
Checking all sites at www.mxtoolbox.com and your site with https://www.testexchangeconnectivity.com also would not hurt.
 
davedave308 (Author) Commented:
I've taken a look at it with wireshark (see attachment - I've replaced identifying info)

 Wireshark-TCPStream.txt

Then after what shows there, I get:
SMTP [RST, ACK] from US Bank to us
TCP Dup ACK from our server to US Bank
and now another SMTP [RST, ACK] from US Bank to us and that's the end of it.

I'm using US Bank as the example because I know their emails aren't spam (at least in this case) and they can't send any email to this server.

So it appears that whatever US Bank's servers try to send after the "354 Start mail input; end with <CRLF>.<CRLF>", that the data dies somewhere between them and this email server.  Since the data isn't even getting to the email server, I'm having my customer put their old DSL modem back in place (same hardware, different firmware) to see if that resolves it. Of course, we had replaced the old modem for a reason, but it should work for a day to test this.
 
davedave308 (Author) Commented:
Well, that was fast. They replaced the DSL modem and I started monitoring right away with wireshark. The emails from USBank came in immediately (I verified with the users too). I guess the problem was a bad firmware in the modem. The working one has QW04-3.60.2.0.6.3 and the bad one has FW QW06-3.60.3.0.8.1 and both are Actiontec GT704WG. I guess the problem has been around longer than we thought. Thanks to both of you for the help.
 
davorin Commented:
I'm glad you figured out the source of the problem!
 
davedave308 (Author) Commented:
Thanks to both of you. Your comments led me in the right direction. I never would have thought the DSL modem would be causing such an odd problem like this.