Solved

Exchange 2003 queue

Posted on 2012-08-23
Last Modified: 2012-08-26
We have an Exchange 2003 server. We receive emails without any problems, but we started having problems sending emails to some of our customers at certain domains. In the Exchange queue I see only some of the emails stuck there; many others are sent correctly.
No changes have been made recently on the firewall or on the mail server.
Question by:arefone
41 Comments
 
LVL 13

Expert Comment

by:xDUCKx
ID: 38326013
Check if the exchange server can telnet to the mail server of the domain on port 25.  

telnet mail.companyname.com 25

You can get the Mail server by doing an online nslookup for companyname.com and look for MX records.

If you can't telnet then there is something blocking or their mail server isn't working correctly.  If you are able to telnet then there might be something wrong with your send connectors.
0
 
LVL 7

Expert Comment

by:Jamie Gillespie
ID: 38326015
Any particular errors shown?

Can you send via your ISPs smtp server? Sending through DNS or Smarthost?

DNS working correctly, any forwards used and checked if they are operational?
0
 
LVL 19

Accepted Solution

by:
R--R earned 600 total points
ID: 38326036
Check if your public IP is blacklisted.
Enable diagnostics logging.
Enable logging in the default SMTP virtual server.

Check the log for errors.
0
 
LVL 1

Author Comment

by:arefone
ID: 38326046
I see "SMTP Protocol error" at the bottom of the queue window.
I don't know how to send via a smarthost, can you explain please?
Yes DNS works correctly. When I send to my gmail account it goes without any problem, so the problem I have is only with some certain domains.
0
 
LVL 1

Author Comment

by:arefone
ID: 38326054
I have checked my public ip on many sites, it is not blacklisted.
I enabled the logging, but I didn't see errors.
0
 
LVL 7

Expert Comment

by:Jamie Gillespie
ID: 38326111
Right click your SMTP virtual server and click properties

Click Delivery and then Advanced

You can enter your smarthost here. Try using your ISPs SMTP server, they don't need any authentication usually.

You may need to Google the details, for example Eclipse (ISP) use smtp.eclipse.co.uk.

Once entered, click OK and restart SMTP.

Normally if you're blacklisted, Google Mail will pick up on this pretty quickly.

Also, if your server is spamming out your ISP will probably let you know pretty quickly.
0
 
LVL 1

Author Comment

by:arefone
ID: 38326114
here is the result of the telnet:
554 server.ad.domain-name.it bizsmtp qHs61j02L4GBcGV01 Connection refused from 9x.xx.
xxx.xx7. See http://csi.cloudmark.com/reset-request for more information.

**Edited to remove company specific information**-JARmod101
0
 
LVL 7

Assisted Solution

by:Jamie Gillespie
Jamie Gillespie earned 800 total points
ID: 38326153
It could possibly be one of your client machines spamming out email on your IP. I normally lock SMTP on my firewall to only allow my Exchange server to send.

The above suggests blacklisting; you will need to try and look for the cause. Once you're confident everything is locked down I would apply for delisting using the link above.

In the mean time whilst you wait for all this to go ahead, you can use a smarthost as mentioned above to get mail flowing.
0
 
LVL 1

Author Comment

by:arefone
ID: 38326189
Jamie, I put in the smarthost and now the queue is OK; all those emails have gone out correctly.
What does that mean?
And how can I verify if there is a host spamming on my IP?
0
 
LVL 7

Expert Comment

by:Jamie Gillespie
ID: 38326228
I would start by adding a firewall rule to only allow SMTP traffic from your Exchange server.

You can use network monitoring tools to see if you can see anything suspicious going across the network. I would also start scanning your client machines for malicious software and make sure they are up-to-date.

If you still have smtp issues once locking down your firewall, the issue could be with your Exchange configuration, I would check this later once you do some initial digging.
0
 
LVL 7

Expert Comment

by:Jamie Gillespie
ID: 38326240
Also if the issue is with your server, it's normally pretty obvious when you look at hundreds of connections trying to go through your queues. As this wasn't the case in the first place, it sounds like something on your network that isn't going through Exchange.
0
 
LVL 1

Author Comment

by:arefone
ID: 38326248
And how can you explain that I can send emails to some and not to others?
What is the difference between using smarthost and not?
0
 
LVL 1

Author Comment

by:arefone
ID: 38326268
But even if there are some machines not going through Exchange, how can they affect the public IP of the Exchange server? I use that one only for the Exchange server.
0
 
LVL 7

Expert Comment

by:Jamie Gillespie
ID: 38326271
Here's a useful article I found online;

http://www.sbslinks.com/DNS_Smarthost.htm

This is really a temporary measure until you can delist your IP.
0
 
LVL 1

Author Comment

by:arefone
ID: 38326395
Jamie, I added the rule on the firewall to allow SMTP traffic only from the mail server. In fact I still see some dropped packets on the access list, so I need to know where they are coming from.
What is the next step?
0
 
LVL 7

Expert Comment

by:Jamie Gillespie
ID: 38326444
Enable logging on the firewall to see where the packets are coming from, if possible..
0
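Once the firewall logs denied packets, the sources still trying to send on port 25 can be pulled out of the log as follows. This is an added example, not part of the original thread; it assumes the firewall writes Cisco ASA/PIX-style syslog message 106023 for ACL denies, and the log lines and addresses are constructed.

```python
import re
from collections import Counter

# Assumption: ACL denies are logged as syslog message 106023 (ASA/PIX style).
DENY_RE = re.compile(
    r"%(?:ASA|PIX)-\d-106023: Deny tcp "
    r"src (?P<sif>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample log (documentation/private addresses only).
SAMPLE_LOG = """\
Aug 23 10:01:02 fw %ASA-4-106023: Deny tcp src inside:192.168.1.57/49211 dst outside:198.51.100.20/25 by access-group "inside_in" [0x0, 0x0]
Aug 23 10:01:03 fw %ASA-4-106023: Deny tcp src inside:192.168.1.57/49212 dst outside:203.0.113.8/25 by access-group "inside_in" [0x0, 0x0]
Aug 23 10:01:04 fw %ASA-4-106023: Deny tcp src inside:192.168.1.57/49213 dst outside:198.51.100.20/25 by access-group "inside_in" [0x0, 0x0]
Aug 23 10:02:10 fw %ASA-4-106023: Deny tcp src inside:192.168.1.80/50100 dst outside:203.0.113.8/25 by access-group "inside_in" [0x0, 0x0]
Aug 23 10:02:11 fw %ASA-4-106023: Deny tcp src inside:192.168.1.80/50101 dst outside:203.0.113.8/443 by access-group "inside_in" [0x0, 0x0]
Aug 23 10:03:00 fw %ASA-4-106023: Deny tcp src outside:203.0.113.99/4000 dst inside:192.168.1.10/3389 by access-group "outside_in" [0x0, 0x0]
"""

def denied_smtp_sources(log_text, inside_if="inside"):
    """Summarise internal hosts whose outbound tcp/25 was denied.

    Returns {src_ip: {"attempts": n, "destinations": k}}, busiest first.
    With the allow-only-the-mail-server rule in place, every host listed
    here is something other than the mail server trying to send SMTP.
    """
    attempts = Counter()
    destinations = {}
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        # Only outbound SMTP from the inside interface is of interest.
        if m["sif"] != inside_if or m["dport"] != "25":
            continue
        attempts[m["src"]] += 1
        destinations.setdefault(m["src"], set()).add(m["dst"])
    return {
        ip: {"attempts": n, "destinations": len(destinations[ip])}
        for ip, n in attempts.most_common()
    }

if __name__ == "__main__":
    for ip, stats in denied_smtp_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

A host that shows many attempts to many different destinations is the first one to scan for malicious software.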
 
LVL 1

Author Comment

by:arefone
ID: 38326449
how can I allow only the authenticated users to use exchange smtp?
0
 
LVL 7

Expert Comment

by:Jamie Gillespie
ID: 38326488
I don't think it's a problem with the Exchange configuration just yet. I would try and determine where the problem has originated from first.

There are quite a lot of steps you will need to go through to make sure your server is locked down sufficiently. The most common issue I reckon is insecure user passwords on the network. If these details are guessed, this is how the outside world can authenticate and relay through your server.
0
 
LVL 1

Author Comment

by:arefone
ID: 38326510
From the access list details on my firewall, I am seeing another server sending packets via port 25; I will block it.
You told me before that you would delete my public IP from the blacklist?
0
 
LVL 7

Assisted Solution

by:Jamie Gillespie
Jamie Gillespie earned 800 total points
ID: 38326549
I would use the following tool to see where you may be listed;

http://www.mxtoolbox.com/blacklists.aspx

I would then apply for delisting.

It's also important to investigate why this server is trying to send out on port 25. It may have malicious software on there, it also will cause unnecessary bandwidth on your internal network.

Once you have applied, it may take a good few days for things to clear up with your IP. In the meantime, continue sending mail using that smarthost and keep a close eye on mail flow. When the time comes, try to remove the smarthost settings and try sending mail out via DNS again.

If you have a further problem, I'd repost.
0
 
LVL 1

Author Comment

by:arefone
ID: 38326581
I used mxtoolbox; my public IP is not listed. What was this error?
554 server.ad.domain-name.it bizsmtp qHs61j02L4GBcGV01 Connection refused from 9x.xx.
xxx.1xx. See http://csi.cloudmark.com/reset-request for more information.

**Edited to remove company specific information.**-JARmod101
0
 
LVL 1

Author Comment

by:arefone
ID: 38326609
Jamie, something is unclear to me: the public IP that has the issue is aaa.aaa.aaa.aaa, while the other server I told you is sending packets via port 25 is using another public IP, let's say bbb.bbb.bbb.bbb. So the question is, how does it affect the aaa.aaa.aaa.aaa IP address?
0
 
LVL 1

Author Comment

by:arefone
ID: 38326668
Would this test result be helpful:

Connecting to aaa-aaa-aaa-aaa.server.domain-name.it... OK
156ms
220 **********************************************************************************************************************
 124.8ms
HELO aaa-aaa-aaa-aaa.server.domain-name.it
250 aaa.aaa.aaa.aaa Hello [2xx.xx.xxx.1xx]
124.8ms
MAIL FROM: <support@e-dns.org>
250 2.1.0 support@e-dns.org....Sender OK
109.2ms
RCPT TO: <smtp.test@example.com>
550 5.7.1 Unable to relay for smtp.test@example.com
124.8ms
QUIT
221 2.0.0 aaa.aaa.aaa.aaa Service closing transmission channel

**Edited to remove company specific information.**-JARmod101
0
 
LVL 5

Expert Comment

by:Honez
ID: 38326794
Please check the following:

open Exchange System Manager --> Administrative Groups --> first Administrative Group --> Server Name --> Protocols --> smtp --> current sessions

Are there any servers currently connected to your server?  If there are, and you are not aware of them, disconnect them.

Then, Look at this article: http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm

It will explain relaying and some settings in your Exchange environment.  Since you are not on a black list now, you may be soon.  If someone is relaying off of you, they may be doing it gracefully.

Also from the Exchange server, go to whatismyipaddress.com, and ensure that it is in fact using the address you think it is.

Check your reverse DNS record from that IP.  Ensure that the rdns lookup exists and is correct.

Please, keep out a pen and paper.  If you make any changes to your environment, log it on the paper so that you know exactly what was changed, in what order.  Please be cautious with any changes.

Also consider an Email GW service.  It will help scan for Viruses, accept email when you are down, and effectively resolve DNS.  
Dynamic DNS has a service for $49 a year.  Well worth it.
0
 
LVL 1

Author Comment

by:arefone
ID: 38326860
The link shows how to stop relaying, so the server will not receive any email anymore.

How can I ensure the rdns configuration on the exchange server?
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 600 total points
ID: 38327567
It looks like you have a Cisco PIX or ASA device.
This is well known for causing email delivery issues due to a feature called FIXUP SMTP (it may have a new name in the later OS). It needs to be disabled.
http://support.microsoft.com/kb/320027

RDNS (aka PTR) is not an Exchange setting, it is configured by your ISP if you have a static IP address.
http://exchange.sembee.info/network/dnsconfig.asp

Also to correct a posting above - DO NOT set a smart host on the SMTP Virtual Server. That is against best practices and can cause significant issues if you migrate or have multiple servers. If you must use a smart host (your ISP is the usual choice) then you should use an SMTP Connector.
http://exchange.sembee.info/2003/smtp/smtp-connector.asp

Simon.
0
 
LVL 1

Author Comment

by:arefone
ID: 38328601
Hi Sembee2,
In the new IOS version there is no "fixup" command, they replaced it with "inspect", and I think if I disable inspect smtp I'll not be able to receive emails anymore, isn't it?

I asked my ISP to modify the rDNS record like this:
IP address aaa.bbb.ccc.ddd is reversed to mail.mymailserver.com
is it correct?
0
 
LVL 1

Author Closing Comment

by:arefone
ID: 38329319
I solved the problem with the help of you all.
What I did was:
1. Added a rule on the firewall to allow only the email server to use port 25
2. Delisted my public IP from cloudmark.com
3. Asked the ISP to modify the wrong "old" RDNS
4. Changed the passwords of three accounts I think were broken or hacked.

Thank you so much again.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38329655
No, disabling inspect will not cause a problem with email delivery. It just means the email goes straight through the firewall and you don't get the ********** in the banner which can cause email delivery issues.

Simon.
0
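The three server replies seen in this thread (the 554 refusal with a reset-request link, the starred-out 220 banner, and the 550 5.7.1 relay refusal) can be told apart mechanically. This is an added example, not part of the original thread; the function name and finding labels are hypothetical, and the transcripts are adapted from the redacted lines posted above with documentation addresses substituted.

```python
import re

REPLY_RE = re.compile(r"^([2-5]\d\d)([ -])(.*)$")  # SMTP reply: code, separator, text
URL_RE = re.compile(r"https?://[^\s>]+")

# Constructed samples, adapted from the redacted output in the thread.
REFUSED = ("554 server.ad.domain-name.it bizsmtp qHs61j02L4GBcGV01 Connection "
           "refused from 192.0.2.10. See http://csi.cloudmark.com/reset-request "
           "for more information.")
RELAY_TEST = """\
220 ********************************
124.8ms
HELO probe.example.net
250 mail.example.com Hello [192.0.2.10]
MAIL FROM: <support@e-dns.org>
250 2.1.0 support@e-dns.org....Sender OK
RCPT TO: <smtp.test@example.com>
550 5.7.1 Unable to relay for smtp.test@example.com
QUIT
221 2.0.0 mail.example.com Service closing transmission channel
"""

def triage(transcript):
    """Return a list of (finding, detail) tuples for one SMTP session."""
    findings = []
    first_reply = True
    for raw in transcript.splitlines():
        m = REPLY_RE.match(raw.strip())
        if not m:
            continue  # client commands, timings, wrapped text
        code, _, text = m.groups()
        if first_reply:
            first_reply = False
            if code == "220" and text and set(text) == {"*"}:
                # Greeting replaced by asterisks: firewall SMTP inspection is active.
                findings.append(("banner-masked", "firewall SMTP inspection"))
            elif code[0] == "5":
                # Refused before any command: a policy or reputation block.
                url = URL_RE.search(text)
                findings.append(("refused-at-connect",
                                 url.group(0).rstrip(".") if url else text))
            continue
        if code == "550" and text.startswith("5.7.1") and "relay" in text.lower():
            # The server refused to relay for this sender.
            findings.append(("relay-denied", text))
        elif code[0] == "5":
            findings.append(("permanent-failure", f"{code} {text}"))
    return findings

if __name__ == "__main__":
    print(triage(REFUSED))
    print(triage(RELAY_TEST))
```

For an external relay test like the one posted above, "relay-denied" is the wanted outcome: the server refused to relay for an unauthenticated outside sender.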
 
LVL 1

Author Comment

by:arefone
ID: 38329663
Ok, I will try it in 10 minutes and get back to you with the result.
0
 
LVL 1

Author Comment

by:arefone
ID: 38329713
Done, it is still working as you mentioned.

Do you know what that command was for on firewall?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38330107
I don't quite understand - what command are you referring to?

Simon.
0
 
LVL 1

Author Comment

by:arefone
ID: 38330132
Sorry for my weak english Simon.
I am referring to the "inspect smtp" command on the firewall.
0
 
LVL 1

Author Comment

by:arefone
ID: 38330227
Simon, I am checking my Exchange 2003 queue right now, and there is still a strange thing: there is a message from a valid account in the company trying to send a message to an address at the chemin-info.com.br domain. I am sure that my colleague is not sending this message as he is on vacation. Do I still have to do something on my email server?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38331074
Inspect SMTP is a feature of the Cisco that claims to protect the email against malformed messages. Unfortunately it does that by blocking certain commands that it considers to be "risky" which can cause problems with Exchange.

Are you sure the message in the queue is not just an Out of Office message? If it is replying to spam, then the destination is probably bogus and the message can be removed from the queue.

Simon.
0
 
LVL 1

Author Comment

by:arefone
ID: 38331176
Maybe, as he set the out-of-office rule. I'll keep an eye on it and see if there are more ambiguous messages in the queue.

Simon, can you explain the function of "allow all authenticated computers and users to be able to relay"?

One more thing: today I changed some passwords for some accounts. Afterwards, I again saw some event ID 1708 entries in the application events with the same description message you mentioned as an NDR on your site. Do I have to be worried about that?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38331301
That feature means what it says - if something authenticates, it can relay. I usually disable that feature as it can be abused.

If you have changed passwords then it could be that information is still cached somewhere or something is still using it. It could also be that a spammer is trying to use the account.

Simon.
0
 
LVL 1

Author Comment

by:arefone
ID: 38331340
Tomorrow I'll check and let you know!

Are you able to train me if I request it?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38331451
I don't provide training. Not my thing - I haven't got the patience.

Simon.
0
 
LVL 1

Author Comment

by:arefone
ID: 38331478
Same as me, I haven't got the patience to teach! ;)

Will let you know the queue's status tomorrow.
0
 
LVL 1

Author Comment

by:arefone
ID: 38332700
Hi Simon,

I checked the queue and it seems to be OK. The messages in error that I have are, I think, as you said, the replies from the out-of-office rule, because they are from the accounts of people who are actually on vacation, to various email accounts at the chez-celine.org domain.

Aref
0
