• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 301

Tracking Email into Exchange 2007 server

Can you advise on how I can troubleshoot/track why mail is failing to deliver to mailboxes once it hits my Exchange server?

I am having issues getting external mails delivered to users. I have spoken to the mail filtering company and they advise the mails are being sent to the Exchange server. So I want to find out where they have gone and why they are not being delivered.

I am new to Exchange 2007, so any help is appreciated.

p.
Asked by: Itomicltd
1 Solution
 
Raheman M. AbdulCommented:
Read: http://www.exchangeinbox.com/article.aspx?i=90
Under Toolbox -> Message Tracking.

Look at the columns ServerHostname and RecipientStatus.

ServerHostname is the next hop for your email, depending on your setup: either the destination mail server or a relay machine. Is this what you are looking for?

RecipientStatus gives the error details from the destination mail server.

Select your email from the list, choose "Show all events for the message you are trying to track", click Next, then Next again.

See if that helps.
0
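The same tracking data the Toolbox shows can be pulled from the Exchange Management Shell, which makes it easier to spot a message that arrived but never reached a mailbox. This is an added example, not code from the thread; MAIL07 is the server name the asker mentions, and the recipient address and the 24-hour window are placeholders.

```powershell
# Added example (not from the thread). Trace inbound mail for one recipient
# with Get-MessageTrackingLog and list messages that never reached a mailbox.
# MAIL07 is the server named in the thread; the address is a placeholder.
$server    = 'MAIL07'
$recipient = 'someone@yourdomain.example'     # placeholder mailbox
$start     = (Get-Date).AddHours(-24)

# All tracking events for messages addressed to the recipient, oldest first
$events = Get-MessageTrackingLog -Server $server -Recipients $recipient `
              -Start $start -End (Get-Date) -ResultSize Unlimited |
          Sort-Object Timestamp

# Same columns the Toolbox shows: ServerHostname = next hop,
# RecipientStatus = error detail reported by the destination
$events | Select-Object Timestamp, EventId, Source, ClientIp, ServerHostname,
                        ConnectorId, RecipientStatus, MessageSubject |
          Format-Table -AutoSize

# A message that was RECEIVEd but has no DELIVER event was lost inside the
# server. The Source of its last event (AGENT for a transport agent such as
# the transport rule agent, SMTP, ROUTING, STOREDRIVER) shows which component
# handled it last.
$events | Group-Object MessageId | ForEach-Object {
    $delivered = @($_.Group | Where-Object { $_.EventId -eq 'DELIVER' })
    if ($delivered.Length -eq 0) {
        $last = $_.Group | Sort-Object Timestamp | Select-Object -Last 1
        New-Object PSObject -Property @{
            MessageId  = $_.Name
            LastEvent  = $last.EventId
            LastSource = $last.Source
            Subject    = $last.MessageSubject
        }
    }
} | Format-Table MessageId, LastEvent, LastSource, Subject -AutoSize
```

Run it in the Exchange Management Shell on the Hub Transport server; widen the window with a different `$start` if the missing mail is older than a day.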
 
Madan SharmaConsultantCommented:
Please check your receive connector permission groups. The Anonymous Users group must be selected to receive mail from outside. You can test your server for sending/receiving through https://www.testexchangeconnectivity.com/
0
 
Madan SharmaConsultantCommented:
There is also a Mail Flow Troubleshooter tool under Toolbox in Exchange 2007. You can also try that.
0
 
ItomicltdAuthor Commented:
It looks like it was a transport rule I had set up to block outside mail addresses being sent from inside our site. We had a spam issue and it was sending mails internally from Gmail accounts to external addresses. I put in a rule to say any mail from outside the organisational email address to an outside address... drop silently. It appears to now be blocking external addresses coming in too..... Can anyone suggest a rule to drop these nuisance emails from going out, as we are currently trying to find the problematic computer.... I need a rule to only allow addresses from our domain out. It's a HINET email address it's sending to.
0
 
Madan SharmaConsultantCommented:
There is no need to create transport rules etc. to block spam, as Exchange 2007 has built-in anti-spam. You need to enable it on your HT server and the server will be secured from spamming. Visit the following link to enable anti-spam on your server: http://technet.microsoft.com/en-us/library/bb201691.aspx
I also recommend you remove that rule to avoid mail flow issues.
0
 
gleekCommented:
Instead of trying to block this with rules, close relays against your hub and prevent it from happening. What are your receive connector permissions set to? Anything that allows anonymous to connect should only have the IPs of allowed servers, not be open to the whole company. I would turn on logging on your custom connectors (not the default or client unless you modified them) and then look in the logs to see the source IP address of these spam mails. You can turn on logging by clicking the properties of the connector and setting the logging to Verbose.


0
 
ItomicltdAuthor Commented:
Instead of trying to block this with rules, close relays against your hub and prevent it from happening.
How do I close relays against my Hub?
What are your receive connector permissions set to?
There are 3 receive connectors (Client MAIL07, Default MAIL07 and Internal Relay). Permission levels: Client (Exchange users only), Default (all except partners) and Internal Relay (Exchange servers only).
Anything that allows anonymous to connect should only have the IPs of allowed servers, not be open to the whole company.
How do I do this?
I would turn on logging on your custom connectors (not the default or client unless you modified them) and then look in the logs to see the source IP address of these spam mails. You can turn on logging by clicking the properties of the connector and setting the logging to Verbose.
I have done this but I am only seeing the IP of the firewall and Exchange server (no other IPs).


Thanks,

P.
0
 
gleekCommented:
Ok.

Let me see if I understand the issue first and then can help you track this down.

You have something internally that is sending spam/unwanted mail to the outside.
This mail is hitting an Exchange server (are we sure this is the case?) and then being forwarded out to the internet (via your SMTP appliance).
You want to stop this spam from being sent out without affecting normal mail flow.
* please let me know if the above is not correct *

So here's the deal. If the only way to send mail out to the internet is from the Exchange Hub Transport, there are things you can do to track or at least see this mail.

Receive Connectors - The default and client connectors are set up specifically to only allow traffic from clients (as in Outlook) and other Exchange servers or legacy (2003) servers. Out of the box these are set to receive from any IP because the permissions on the connector itself require the sender to be one of the above groups.
If you turn anonymous on, on a connector that allows ALL IP addresses to send to it, then you have an open unsecured relay.

You should have your 3rd 'Internal Relay' connector "locked down". What I mean by this is: since you have anonymous as a permission group, you don't want to receive mail from every IP; you want to receive mail from ONLY the IPs that you determine are allowed to relay in your environment. This will prevent malicious software from simply looking up your Exchange server and then sending mail to it.

Tracking down the message -
In order to track down the message you will need to be able to run through the logs.
Do you know anything about the message?
Who it's trying to send to?
If so you can turn on logging for your Send Connector and see all the outbound messages.
Mail leaving your org has to hit the Exchange server unless you have open ports on your firewall that port 25 traffic can get out through. There has to be something in one of the connector logs if logging is on and an email was sent. My guess is your default connector is your problem, since all permission groups are open and I'm assuming you have all IPs allowed to relay to it.
0
 
ItomicltdAuthor Commented:
Thanks for replying....

You have something internally that is sending spam/unwanted mail to the outside.
This mail is hitting an Exchange server (are we sure this is the case?) and then being forwarded out to the internet (via your SMTP appliance).
I'm not sure if it's internal, first off. I am only presuming this as there appears to be no open relay (from what I can see anyway, but I have never used Exchange 2007 before).

You want to stop this spam from being sent out without affecting normal mail flow.
Yes, correct.

So here's the deal. If the only way to send mail out to the internet is from the Exchange Hub Transport, there are things you can do to track or at least see this mail.

Receive Connectors - The default and client connectors are set up specifically to only allow traffic from clients (as in Outlook) and other Exchange servers or legacy (2003) servers. Out of the box these are set to receive from any IP because the permissions on the connector itself require the sender to be one of the above groups.
If you turn anonymous on, on a connector that allows ALL IP addresses to send to it, then you have an open unsecured relay.
Anonymous was on (default connector) and the below is the IP range. I have turned Anonymous logon off but mail is still flowing.

[screenshot: default connector]

You should have your 3rd 'Internal Relay' connector "locked down". What I mean by this is: since you have anonymous as a permission group, you don't want to receive mail from every IP; you want to receive mail from ONLY the IPs that you determine are allowed to relay in your environment. This will prevent malicious software from simply looking up your Exchange server and then sending mail to it.
Can you explain further how to choose the IP here? The IP range on the connector is set to 192.168.0.0/20. What should I change it to?

Tracking down the message -
In order to track down the message you will need to be able to run through the logs.
The logs are not giving me any address except for FIREWALL and EXCHANGE SERVER.
Do you know anything about the message?
Different messages from different addresses (often saying sender is <>).
We have also been told this is ASE spam, if that is any use.

Who it's trying to send to?
Various ms34.hinet.com addresses (the number often changes but the HINET bit is always there).
If so you can turn on logging for your Send Connector and see all the outbound messages.
Mail leaving your org has to hit the Exchange server unless you have open ports on your firewall that port 25 traffic can get out through. There has to be something in one of the connector logs if logging is on and an email was sent.
Is the send connector not going from Exchange out to the internet? Will I see IPs of internal devices here?
My guess is your default connector is your problem, since all permission groups are open and I'm assuming you have all IPs allowed to relay to it.
I shut down the Anonymous logon before and it still sent out spam, unless there is something else I need to change on the connector?
0
 
gleekCommented:
Well, judging by your screenshot that connector is accepting mail from all IP addresses. If you look in the bottom pane it shows 0.0.0.0-255.255.255.255. That means if this was set to anonymous, any IP internally could telnet/access that hub server and send mail.

When I say lock down by IP I mean creating a connector for anonymous access that has that bottom pane cleared and ONLY IP addresses in there from approved servers/machines that can

For example (and use the above picture to get a grasp of it):
Let's say I have 4 machines that I want to be allowed to relay.
I would create a new connector. I would allow anon access. I would then go to the screen you are showing above and in the bottom portion remove the 0.0.0.0-255.255.255.255 address range and then put in the 4 IP addresses of the 4 machines I want to allow to relay. This is a more secure relay. I would then modify both my default and client connectors to make sure they did not allow anonymous access.

As for the logs, can you confirm where you are looking for these? They should be in Drive:\Program Files\Microsoft\Exchange Server\v14\TransportRoles\Logs\ProtocolLog\ and then the connector logs would be under SmtpReceive, and the one with the newest timestamp is the latest log.

In this log you should be able to see
-The connector being hit Server\Connector Identity
-The Endpoints (or IP addresses)
- Event
- Data
- Context.

Can you confirm that you see these logs and that the content I mentioned is in there?

The Send logs will be different. But what you can do is match up the session ID if needed.
0
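Reading the SmtpReceive protocol logs by hand is slow, and the asker only ever saw the firewall and the Exchange server in them. The following added example (not code from the thread) tallies, per receive connector, which remote IPs opened sessions and which MAIL FROM values each one presented, using the field layout gleek lists (connector, endpoints, event, data, context). It assumes protocol logging is already Verbose on the connector, IPv4 endpoints, PowerShell 2.0 or later, and it reads the log directory from the transport server's ReceiveProtocolLogPath setting instead of hard-coding the path.

```powershell
# Added example (not from the thread). Summarise the SmtpReceive protocol logs:
# sessions per connector and remote IP, plus the MAIL FROM values each IP used.
# Assumes Verbose protocol logging on the connector, IPv4 endpoints and PS 2.0+.
$server = 'MAIL07'
$logDir = [string](Get-TransportServer -Identity $server).ReceiveProtocolLogPath

$sessions = @{}   # "connector`tip" -> number of sessions opened from that IP
$senders  = @{}   # "connector`tip" -> hashtable of MAIL FROM addresses seen

Get-ChildItem -Path $logDir -Filter 'RECV*.LOG' | Sort-Object LastWriteTime | ForEach-Object {
    Get-Content -Path $_.FullName | ForEach-Object {
        $line = $_
        if ($line.StartsWith('#')) { return }   # #Software, #Version, #Fields header lines
        # #Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,
        #          remote-endpoint,event,data,context. Data/context may contain commas,
        #          so split into at most 9 parts and leave the tail intact.
        $f = $line.Split([char]',', 9)
        if ($f.Length -lt 8) { return }
        $key = "$($f[1])`t$($f[5].Split([char]':')[0])"   # connector + remote IP
        switch ($f[6]) {
            '+' {   # a client connected: one new session
                if ($sessions.ContainsKey($key)) { $sessions[$key]++ } else { $sessions[$key] = 1 }
            }
            '<' {   # a command received from the client
                if ($f[7] -match '^MAIL FROM:\s*<([^>]*)>') {
                    $from = $matches[1]
                    if ($from -eq '') { $from = '<>' }   # null sender, as the asker observed
                    if (-not $senders.ContainsKey($key)) { $senders[$key] = @{} }
                    $senders[$key][$from] = $true
                }
            }
        }
    }
}

# Report, busiest remote IP first. If the only sources are the firewall and
# the Exchange server itself, the spam is being submitted through that hop and
# the next place to look is the firewall's logs or the server's own Send logs.
$sessions.Keys | ForEach-Object {
    $parts = $_.Split([char]"`t")
    $from  = ''
    if ($senders.ContainsKey($_)) { $from = ($senders[$_].Keys | Sort-Object) -join ', ' }
    New-Object PSObject -Property @{
        Connector = $parts[0]; RemoteIP = $parts[1]; Sessions = $sessions[$_]; MailFrom = $from
    }
} | Sort-Object Sessions -Descending | Format-Table Connector, RemoteIP, Sessions, MailFrom -AutoSize
```

A remote IP that opens many sessions and presents sender addresses outside your own domain (or the null sender) on a connector that permits anonymous submission is the one to trace; the session IDs in the same lines can be matched against the Send logs to confirm the mail went out.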
 
ItomicltdAuthor Commented:
I am not sure if I am fully understanding the relay part of this. I presume relay means mail can pass through? I have only one Exchange server in house and as such mail should only flow to it and then out. For example, the IP address of the server is 192.168.0.252; there are 3 connectors and they all appear to have a full-range IP scope in the bottom part. Can I change this and tighten things up without affecting mail flow? See below the screenshot from a few minutes ago also...

[screenshot: INTERNAL RELAY connector]
0
 
ItomicltdAuthor Commented:
Guys,

This has gone on for a number of days and no one seems to be able to at least offer me a rule or something that says drop all mail sent from an external email address from inside the organisation (that's the only thing that is common: the mails are sent from an external address to an external address).... There surely has to be some way to stop the mail flowing out first and foremost without affecting mail from domain addresses. I can find the problem after, but it is vital I at least drop these mails before they get outside to the internet....

Cheers,

P.
0
 
gleekCommented:
The point is a transport rule is going to be a headache if the spammers change tactics. You can write a rule that says:
sent to users outside the organization
  and when the From address contains specific words (hinet.net)
silently drop the message

I don't know what your mail domain is, but if it is hinet then you are out of luck.

How many applications should actually be relaying in your environment? If it's none or a few, just remove the all-IP-addresses range. It will stop all anonymous mail flow through that server but not affect standard Outlook/OWA/ActiveSync etc. mail flow. Then anyone legitimate that has to relay can call the help desk or you and ask to have their IP put on the relay.
0
 
gleekCommented:
The all-IP-addresses range on the IP relay, that is.
0
 
ItomicltdAuthor Commented:
Have tried the first part; mail still flowing in queues.

I can only presume that our Exchange server should be the only device relaying; why would I need any other device to relay? Can you clarify this part of things, as I am unsure about what should and should not be relaying.
0
 
gleekCommented:
Only think of the term relay as "anything other than Exchange or email clients (OWA, Outlook, ActiveSync)" trying to send mail.

Your default and client connectors (assuming they do not have anonymous checked) are OK to receive mail from all IP addresses.

Let's say you have an application server in your environment. It needs to send an automatic message every morning for some reason or another. It can do this using an SMTP application on the server itself. It doesn't use Outlook. But in order to get it into the users' mailboxes it needs to be able to first relay against the Exchange server. So this application server attempts to connect to the Exchange server via telnet (for example) over port 25. Hub Transport receives the request and sees if it has a receive connector that has this form of authentication (anonymous) for this IP address. If it matches it allows the connection; if not it refuses it.

So if you do not have non-Exchange servers that need to be able to send mail directly to the Hub Transport servers, you do not need to allow mail relay. You can disable that connector or at the very least remove anonymous permissions.

If you do have servers that need this, you should get the IP addresses from the server owners, remove the ALL IP addresses range and put in each IP individually.
0
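Putting gleek's advice above into the Exchange Management Shell, as an added example that is not code from the thread: audit every receive connector for the risky combination of anonymous permission plus an all-IP range, then restrict the relay connector to named hosts and make sure the client and default connectors grant no anonymous access. The connector names follow the ones the asker listed (Client MAIL07, Default MAIL07, Internal Relay); the approved IP addresses are placeholders, and every change carries -WhatIf so nothing is applied until it is removed.

```powershell
# Added example (not from the thread). Audit receive connectors on the Hub
# Transport server, then lock the anonymous relay connector down to a list
# of approved hosts. Connector names follow the thread; IPs are placeholders.
$server = 'MAIL07'
$allIps = '0.0.0.0-255.255.255.255'   # the range the GUI shows for "any address"

function Get-RangeText($connector) {
    ($connector.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ', '
}

# 1. Overview of every connector: permission groups, logging and accepted source ranges
Get-ReceiveConnector -Server $server |
    Select-Object Name, Enabled, PermissionGroups, ProtocolLoggingLevel,
                  @{Name = 'RemoteIPRanges'; Expression = { Get-RangeText $_ }} |
    Format-List

# 2. Flag the dangerous combination: anonymous submission from any IP = open relay
Get-ReceiveConnector -Server $server | Where-Object {
    ("$($_.PermissionGroups)" -match 'AnonymousUsers') -and
    ((Get-RangeText $_) -match [regex]::Escape($allIps))
} | ForEach-Object { Write-Warning "$($_.Name): anonymous users allowed from $allIps" }

# 3. Restrict the relay connector to the application servers that really need it,
#    and keep verbose logging so every session is recorded. Remove -WhatIf to apply.
$approvedRelayHosts = '192.168.0.50', '192.168.0.51'   # placeholder app servers
Set-ReceiveConnector -Identity "$server\Internal Relay" `
    -RemoteIPRanges $approvedRelayHosts `
    -ProtocolLoggingLevel Verbose -WhatIf

# 4. Make sure the client and default connectors do not grant anonymous access
#    (the default connector keeps the authenticated Exchange groups only)
Set-ReceiveConnector -Identity "$server\Client $server" `
    -PermissionGroups ExchangeUsers -WhatIf
Set-ReceiveConnector -Identity "$server\Default $server" `
    -PermissionGroups ExchangeUsers, ExchangeServers, ExchangeLegacyServers -WhatIf
```

Run step 1 and 2 first and keep the output; after removing -WhatIf from steps 3 and 4, re-run them to confirm no connector still pairs AnonymousUsers with the full range. Any application that then fails to send will surface as a refused connection in its own logs, which is exactly the "wait until app owners complain, then add them one by one" approach described later in the thread.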
 
ItomicltdAuthor Commented:
Thanks for clearing that up. I therefore more than likely do have servers that need to relay.

Spam is still flowing though. Is there nothing I can do, a rule even..... anything to stop the queues building up...?
0
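While the source is being traced, the queued spam itself can be inspected and held from the management shell. This is an added example, not code from the thread: it lists the non-empty queues, shows each queued message with the IP it was submitted from, groups the backlog by source IP and sender domain, and then suspends the destination queue and purges matching messages without sending NDRs. "hinet" is the destination fragment the asker reported; the sender domain in the filter is a placeholder, and both changes carry -WhatIf.

```powershell
# Added example (not from the thread). Inspect the outbound queues on the Hub
# Transport server, summarise the queued mail by source IP and sender domain,
# then hold and purge the spam. Filters use placeholders; remove -WhatIf to apply.
$server = 'MAIL07'

# Which queues are non-empty, and where are they trying to deliver?
Get-Queue -Server $server | Where-Object { $_.MessageCount -gt 0 } |
    Select-Object Identity, DeliveryType, Status, MessageCount, NextHopDomain, LastError |
    Format-Table -AutoSize

# Every queued message with the IP it was submitted from (SourceIP) and its sender
$queued = @(Get-Message -Server $server -ResultSize Unlimited)
$queued | Select-Object DateReceived, SourceIP, FromAddress, Subject, Queue |
    Sort-Object DateReceived | Format-Table -AutoSize

# Counts per source IP and sender domain: a spam run shows as many messages
# from a few foreign sender domains, often the null sender (<>), from one IP
$queued | Group-Object { "$($_.SourceIP)`t$(("$($_.FromAddress)" -split '@')[-1])" } |
    Sort-Object Count -Descending |
    Select-Object Count, @{Name = 'SourceIP / SenderDomain'; Expression = { $_.Name }} |
    Format-Table -AutoSize

# Freeze delivery to the destination the asker named, then drop the queued
# spam without generating NDRs (no backscatter). Remove -WhatIf after checking.
Get-Queue -Server $server -Filter { NextHopDomain -like "*hinet*" } | Suspend-Queue -WhatIf
Remove-Message -Server $server -Filter { FromAddress -like "*@spam-sender.example" } `
    -WithNDR $false -WhatIf
```

The SourceIP column is the quickest confirmation of where the spam enters: if it is the Exchange server's own address or the firewall, the submission is coming through that hop rather than straight from a workstation.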
 
gleekCommented:
If that rule didn't work and you can't figure out from the logs where it is going, then it's very difficult to get you a resolution.

The thing about a rule is that yes, if you can configure it right it will stop this spammer. But the next one and the next one and the next one will still be able to access your insecure open relay.

I strongly advise getting some sort of handle on your connector (maybe all your application servers are on the same subnet, or something that you can at least lock down) to make your environment secure. Even if it meant removing the "all" range from the connector and waiting until app owners complained and then adding them one by one.
0