Asked by fosiul01

exim4 receiving email late

Hi,
We have an exim4 server with MailScanner, SpamAssassin and Kaspersky installed.

One customer is trying to send email to us, and we are getting their email very late (1 day late).

Example:

We have now received their email, and if I check mainlog,

this is the mainlog entry below:

2011-06-17 15:21:26 1QXZvF-0007wq-IO <= user.name@xxxxx.co.uk H=relay.pcl-xxxx.plus.net [xxx.xxx.7.xxx] P=esmtp S=123470 id=FA7ADFF81491134884938FC6A556596B02E19EF885@xxxx-SBS2003.xxxxx.local


which shows that our server received the email today at 15:21,

but Outlook is saying the email was sent 16 June 2011 16:54.

Who shall I blame?

My understanding is:

email coming to exim1 -> MailScanner -> SpamAssassin -> our 2nd email server -> then Outlook

and the SMTP time of exim1 shows we received it today.

Doesn't that mean that the customer's email server is sending the email late?



(Note: my understanding is: if our mail server received the email yesterday but delivered it to Outlook today, then it's our problem.)

But I need a 2nd opinion.

 




ASKER CERTIFIED SOLUTION
Duncan Roe
This solution is only available to members.

ASKER

I don't have the header with me right now.

I can post that tomorrow from the office.

Looking at a printout, let me write it here:

Received: from our mail server
by our mail server
via ESMTP  18:29

Received: from replay.ptn-ipout01.plus.net
by our mail server
(envelope-from <client mail address>)
id ..........
for ouruser@ourdomain.com, Tuesday 18:28

x-ironprint-antismap
id.................
Received: from outmx05.plus.net with ESMTP 14 Jun 2011 16:43:30 +0100

Received: from [ip] (helo=web.clientdomain.co.uk)
by outmx05.plus.net
for ouruser@ourdomain.com, 16:43:30 +0100

Received: from clientserver.local
Tue, 16:43 +0100



Our server received the email at 18:29, but I can see there was a delay with the other mail server.

Am I right?

I can paste the full output tomorrow.

From the above it looks like the delay is at x-ironprint-antismap. But I would like to see the full header list if you can manage that. Where is replay.ptn-ipout01.plus.net, for instance? The delay could be there too.

replay.ptn-ipout01.plus.net is the sender's ISP, I believe.

I will send you the full header tomorrow for detailed analysis,

but I was checking 2 headers from this client.
I'm confused about the time.

Example:

Received from ourexternalmailserver.ourdomain.com
 by ourinternalmailserver.ourdomain.com 15.21 +0100 (BST)

Received from Relay.pcl-ipout01.plus.net
by ourexternalmailserver.ourdomain.com  15.21 +0100

Received from outmx05.plus.net
by Relay.pcl-ipout01.plus.net 16.55 +0100

Received from [80.229.x.x]
by outmx05.plus.net 16.55 +0100

Received from 21st-SBS.....local
by 21.-SBS...   16.55 +0100


So if you look from Relay.pcl to our external server,
the time is going back by 1 hour!

How can that be possible?


And in the other header I attached at the top, the time is increasing by 1 hr.


So basically there is a problem between

relay.pcl and our external server.

If I understand correctly, the email is sitting in relay.pcl for 1 hr,

but why is the time going back from 16 to 15?


Note: I will send you the full header tomorrow from the office,
but if you can shed some light on this issue that would be great.

Thanks

Also:
I was reading header analysis.

Below is an example:

Received from: client's ISP
by ourmailserver   15.00 +0100

Received from client's internal server
Received by client's ISP 14.00 +0100

which means the client sent the email at 14.00, the client's ISP received it at 14.00, but the client's ISP sent it to us at 15.00.

So the email was sitting on the client's ISP for 1 hr? Is that right?

Now it could be that
(a) our email server was down, so the client's ISP sent the email at 14.00 but we did not receive it, and it sent it again after 1 hr
(b) there was a problem at the client's ISP, and they sent us the email 1 hr late?

Is there anything else?

If my understanding is wrong, please tell me, along with my previous post.

Thanks
 



Does it not mean that we received the email from the external mail server at 15.00?
Below is one header:
Received: from ourexternal-domain.co.uk ( [xxx.xxxx.0.xxx])
    by OurInternal.domain.lan (xxx SMTP Relay 11.4.4.12886)
    via ESMTP; Thu, 16 Jun 2011 17:33:25 +0100 (BST)
Received: from relay.ptn-ipout01.plus.net ([212.159.7.35])
            by ourexternal-domain.co.uk  with esmtp (Exim 4.69)
            (envelope-from <client.email@21.co.uk>)
            id 1QXFVP-0002sK-33
            for ouremail@ourdomain.com; Thu, 16 Jun 2011 17:33:19 +0100
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjMFAGwn+k3Unw4T/2dsb2JhbABSglGkEXAHiHWgfJ86hicEjQ2JKIsb
Received: from outmx04.plus.net ([212.159.14.19])
  by relay.ptn-ipout01.plus.net with ESMTP; 16 Jun 2011 16:57:41 +0100
Received: from [80.229.182.94] (helo=web.21.co.uk)
            by outmx04.plus.net with esmtp (Exim) id 1QXEwu-0007pO-6b
            for ouremail@ourdomain.com; Thu, 16 Jun 2011 16:57:40 +0100
Received: from 21ST-.local ([fe80::7cb4:c07:dfd8:e2a2]) by
21ST-.local ([fe80::7cb4:c07:dfd8:e2a2%10]) with mapi;
Thu, 16 Jun 2011 16:57:38 +0100
From: <client.email@21.co.uk>
To: "ouremail@ourdomain.com; >
Date: Thu, 16 Jun 2011 16:57:37 +0100
Subject: Update
Thread-Topic: Update
Thread-Index: AcwsPh0aVwqF9MkTT+qUMmneQgjALg==
Message-ID: <FA7ADFF81491134884938FC6A556596B02E19EF888@21ST-.local>
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-GB
x-tm-as-product-ver: SMEX-8.6.0.1168-6.500.1024-18202.004
x-tm-as-result: No--39.002400-4.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
x-pp-processed: __PP2__aa9f8760-97c5-4183-a4d3-81798e8f1724
Content-Type: multipart/related;
            boundary="_005_FA7ADFF81491134884938FC6A556596B02E19EF88821STSBS200321_";
            type="multipart/alternative"
MIME-Version: 1.0
X-ourdomain-Services-Ltd-MailScanner: Found to be clean
X-ourdomain-Services-Ltd-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
            score=-1.598, required 5, BAYES_00 -2.60, EXTRA_MPART_TYPE 1.00,
            HTML_MESSAGE 0.00)
X-Spam-Status: No



If I use the header analysis from mxtool:

Hop      Delay      from      by      with      time (UTC)
1      *      21ST       21ST       mapi      6/16/2011 3:57:38 PM
2      2 seconds      [80.229.182.94] (helo=web.21.co.uk) 80.229.182.94      outmx04.plus.net       esmtp (Exim)      6/16/2011 3:57:40 PM
3      1 second      outmx04.plus.net 212.159.14.19      relay.ptn-ipout01.plus.net       ESMTP      6/16/2011 3:57:41 PM
4      36 minutes      relay.ptn-ipout01.plus.net 212.159.7.35      ourexternal-domain.co.uk       esmtp (Exim 4.69) (envelope-from <client.email@21.co.uk>)       6/16/2011 4:33:19 PM
5      6 seconds      ourexternal-domain.co.uk       OurInternal.domain.lan              6/16/2011 4:33:25 PM


 
So there is a 36 minute delay between relay.ptn-ipout01.plus.net and ourexternal-domain.co.uk.



This is another one:

Received: from ourexternal-mail-server ( [xx.xxx.0.xxx])
    by our-intenrnal-mail-server (SMTP Relay 11.4.4.12886)
    via ESMTP; Fri, 17 Jun 2011 15:21:38 +0100 (BST)
Received: from relay.pcl-ipout01.plus.net ([212.159.7.99])
            by ourexternal-mail-server with esmtp (Exim 4.69)
            (envelope-from <clientemailaddress@21.co.uk>)
            id 1QXZvF-0007wq-IO
            for ouremailaddress.co.uk; Fri, 17 Jun 2011 15:21:26 +0100
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjQFADom+k1UXeb6/2dsb2JhbAArGwyCUaQRcAeIdcA8AoMQCxCCegSNDYkoixs
Received: from outmx05.plus.net ([84.93.230.250])
  by relay.pcl-ipout01.plus.net with ESMTP; 16 Jun 2011 16:55:05 +0100
Received: from [80.229.182.94] (helo=web.21.co.uk)
            by outmx05.plus.net with esmtp (Exim) id 1QXEuM-00067T-AU
            for ouremailaddress@co.uk; Thu, 16 Jun 2011 16:55:05 +0100
Received: from 21ST-.local ([fe80::7cb4:c07:dfd8:e2a2]) by
21ST-.local ([fe80::7cb4:c07:dfd8:e2a2%10]) with mapi;
Thu, 16 Jun 2011 16:54:26 +0100
From: <client@21.co.uk>
To: "our@ourdomain.com"
CC: <client@21st.co.uk>
Importance: high
X-Priority: 1
Disposition-Notification-To:           <Cclient@21st.co.uk>
Date: Thu, 16 Jun 2011 16:54:25 +0100
Subject: 16.06.2011
Thread-Topic: 16.06.2011
Thread-Index: AcwsPapJlpgOO8eBSK29F8tGFNz2fA==
Message-ID: <FA7ADFF81491134884938FC6A556596B02E19EF885@21ST-SBS2003.21stcentury.local>
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-GB
x-tm-as-product-ver: SMEX-8.6.0.1168-6.500.1024-18202.004
x-tm-as-result: No--55.505000-4.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/related;
            boundary="_005_FA7ADFF81491134884938FC6A556596B02E19EF88521STSBS200321_";
            type="multipart/alternative"
MIME-Version: 1.0
X-ourdomain-Services-Ltd-MailScanner: Found to be clean
X-our-Services-Ltd-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
            score=-1.598, required 5, BAYES_00 -2.60, EXTRA_MPART_TYPE 1.00,
            HTML_MESSAGE 0.00)
X-Spam-Status: No






mxtool :

Hop      Delay      from      by      with      time (UTC)
1      *      21ST       21ST       mapi      6/16/2011 3:54:26 PM
2      39 seconds      [80.229.182.94] (helo=web.21.co.uk) 80.229.182.94      outmx05.plus.net       esmtp (Exim)      6/16/2011 3:55:05 PM
3      0 seconds      outmx05.plus.net 84.93.230.250      relay.pcl-ipout01.plus.net       ESMTP      6/16/2011 3:55:05 PM
4      22.4 hours      relay.pcl-ipout01.plus.net 212.159.7.99      ourexternal-mail-server       esmtp (Exim 4.69) (envelope-from <clientemailaddress@21.co.uk>)       6/17/2011 2:21:26 PM
5      12 seconds      ourexternal-mail-server       our-intenrnal-mail-server              6/17/2011 2:21:38 P



22 hours delay between relay.pcl-ipout01.plus.net and our external mail server.

This can't be our fault!!
It looks very much that the system at fault is ourexternal-mail-server. The reason its receive time is so much later than that of the previous node relay.pcl-ipout01.plus.net is almost certainly due to the mechanism I detailed in http:#a35997432 . That's lucky in a way, at least you should be able to do something about it.
Mail servers do not, in general, hold on to mail for any longer than they have to. relay.pcl-ipout01.plus.net would have been trying to forward both mails to ourexternal-mail-server from a few seconds after they arrived. For some reason, ourexternal-mail-server rejected the first few attempts. If you check logs there, you may even see the rejects actually happening. You need to sort out the anti-spam policy.
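
Added example (not part of the original thread): the per-hop delay calculation that the mxtool tables above show, done offline in Python on the Received headers of the second message, with continuation lines re-indented so they fold correctly. Each timestamp is converted to UTC from its full date and offset, so hops are compared on date-time rather than clock time alone; the function names are this example's own.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received headers of the second message in this thread, newest first;
# continuation lines re-indented so the parser folds them correctly.
RAW_HEADERS = """\
Received: from ourexternal-mail-server ( [xx.xxx.0.xxx])
    by our-intenrnal-mail-server (SMTP Relay 11.4.4.12886)
    via ESMTP; Fri, 17 Jun 2011 15:21:38 +0100 (BST)
Received: from relay.pcl-ipout01.plus.net ([212.159.7.99])
    by ourexternal-mail-server with esmtp (Exim 4.69)
    (envelope-from <clientemailaddress@21.co.uk>)
    id 1QXZvF-0007wq-IO
    for ouremailaddress.co.uk; Fri, 17 Jun 2011 15:21:26 +0100
X-IronPort-Anti-Spam-Filtered: true
Received: from outmx05.plus.net ([84.93.230.250])
    by relay.pcl-ipout01.plus.net with ESMTP; 16 Jun 2011 16:55:05 +0100
Received: from [80.229.182.94] (helo=web.21.co.uk)
    by outmx05.plus.net with esmtp (Exim) id 1QXEuM-00067T-AU
    for ouremailaddress@co.uk; Thu, 16 Jun 2011 16:55:05 +0100
Received: from 21ST-.local ([fe80::7cb4:c07:dfd8:e2a2]) by
    21ST-.local ([fe80::7cb4:c07:dfd8:e2a2%10]) with mapi;
    Thu, 16 Jun 2011 16:54:26 +0100
"""

def hops(raw):
    """Return [(receiving_host, utc_time, delay_seconds)], oldest hop first."""
    out = []
    # Each relay prepends its header, so reverse the list to get path order.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        if ";" not in value:
            continue  # no timestamp on this hop, nothing to compare
        when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        when = when.astimezone(timezone.utc)
        by = re.search(r"\bby\s+(\S+)", value)
        delay = (when - out[-1][1]).total_seconds() if out else None
        out.append((by.group(1) if by else "?", when, delay))
    return out

def slowest_hop(raw):
    """Hop whose receive time lags the previous hop the most."""
    return max((h for h in hops(raw) if h[2] is not None), key=lambda h: h[2])

if __name__ == "__main__":
    for host, when, delay in hops(RAW_HEADERS):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  +{delay or 0:>7.0f}s  {host}")
```

A Received timestamp is written by the receiving host when it accepts the message, so the gap at ourexternal-mail-server only says when the hand-off from relay.pcl-ipout01.plus.net finally completed. Whether the relay queued the message or the receiving side turned away earlier attempts has to come from the logs on each side.
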
So you are saying that

ourexternalmailserver rejected it due to antispam policy, then eventually allowed it after 22 hrs?


That could be a reason, because I have seen that the IP address of relay.pcl-ipout01.plus.net is in a universal block list.

Example:
BACKSCATTERER       127.0.0.2       "Sorry 212.159.7.99 is blacklisted at http://www.backscatterer.org/?ip=212.159.7.99"       http://www.backscatterer.org
SENDERSCORE                   http://sendersupport.senderscore.net/
SORBS DNSBL       127.0.0.2       "Aggregate zone See: http://www.sorbs.net/lookup.shtml?212.159.7.99"       http://www.de.sorbs.net/overview.shtml
SORBS-SPAM       127.0.0.6       "Spam Received See: http://www.sorbs.net/lookup.shtml?212.159.7.99"       http://www.au.sorbs.net/overview.shtml


and our MailScanner uses RBLs to block IPs.


But how can you be so sure that there isn't any problem with relay.pcl-ipout01.plus.net?



Like I said, relay systems just don't hang on to stuff. I had a delay of over 2 days once. "Spam received" was the same lame excuse then. Just white-list relay.pcl-ipout01.plus.net and you will be OK.


As I said,

we use MailScanner, SpamAssassin and Kaspersky on the external mail server,

and I said that the timestamp in the mail server log is 15:21:38.

Now what I want to know is:

When email comes to our server via port 25, is it written to the log file?

or

email comes to port 25 -> checked by SpamAssassin -> MailScanner -> Kaspersky -> then written into the maillog?

or email comes to port 25 -> written into maillog -> then checked by SpamAssassin -> MailScanner -> Kaspersky -> then goes to the user's mail directory?

Which way is it followed?



I have no idea. Just stop rejecting them.
Your client should start tracing on his side.


You can write a script wrapper for Kaspersky to not let it execute longer than 1 minute.
ClamAV is also good as an extra defence against 0-day viruses.

If you are running Debian I am unlikely to help.
For all other cases send the exim configure file you are using.

Our firewall3 (SonicWall) was rejecting email from those IPs,
as it is listed: SORBS DNSBL       127.0.0.2       "Aggregate zone See: http://www.sorbs.net/lookup.shtml?212.159.7.99"       http://www.de.sorbs.net/overview.shtml

as we are using this RBL in our firewall!

Problem is at source http://moensted.dk/spam/?addr=212.159.7.99&Submit=Submit
You cannot fix their misconfigured mailer. You can ask user politely to ask his mail provider politely to get out from mail blacklists.
You can whitelist this one host on your sonicwall (which is useless since exim can cover all of its mail functionality)