Exchange 2003 queue

We have an Exchange 2003 server. We receive emails without any problems, but we started having problems sending emails to some of our customers with certain domains. In the Exchange queue I see only some of the emails stuck there; many others are sent correctly.
No changes have been made recently on the firewall or on the mail server.
arefone Asked:
 
R--R Commented:
Check if your public IP is blacklisted.
Enable diagnostics logging.
Enable logging in the default SMTP virtual server.

Check the log for errors.

xDUCKx Commented:
Check if the Exchange server can telnet to the mail server of the domain on port 25.

telnet mail.companyname.com 25

You can get the mail server by doing an online nslookup for companyname.com and looking for MX records.

If you can't telnet then there is something blocking or their mail server isn't working correctly.  If you are able to telnet then there might be something wrong with your send connectors.

Jamie Gillespie, Senior IT Consultant, Commented:
Any particular errors shown?

Can you send via your ISP's SMTP server? Sending through DNS or Smarthost?

DNS working correctly, any forwards used and checked if they are operational?
 
arefone, Author, Commented:
I see in the queue window at the bottom "SMTP Protocol error".
I don't know how to send by Smarthost, can you explain please?
Yes, DNS works correctly. When I send to my Gmail account it goes without any problem, so the problem I have is only with certain domains.

arefone, Author, Commented:
I have checked my public IP on many sites, it is not blacklisted.
I enabled the logging, but I didn't see errors.

Jamie Gillespie, Senior IT Consultant, Commented:
Right click your SMTP virtual server and click properties

Click Delivery and then Advanced

You can enter your smarthost here. Try using your ISP's SMTP server, they don't need any authentication usually.

You may need to Google the details, for example Eclipse (ISP) use smtp.eclipse.co.uk.

Once entered, click OK and restart SMTP.

Normally if you're blacklisted, Google Mail will pick up on this pretty quickly.

Also, if your server is spamming out your ISP will probably let you know pretty quickly.

arefone, Author, Commented:
Here is the result of the telnet:
554 server.ad.domain-name.it bizsmtp qHs61j02L4GBcGV01 Connection refused from 9x.xx.xxx.xx7. See http://csi.cloudmark.com/reset-request for more information.

**Edited to remove company specific information**-JARmod101

Jamie Gillespie, Senior IT Consultant, Commented:
It could possibly be one of your client machines spamming out email on your IP. I normally lock SMTP on my firewall to only allow my Exchange server to send.

The above suggests blacklisting; you will need to try and look for the cause. Once you're confident everything is locked down I would apply for delisting using the link above.

In the meantime, whilst you wait for all this to go ahead, you can use a smarthost as mentioned above to get mail flowing.

arefone, Author, Commented:
Jamie, I put in the smarthost and now the queue is OK; all those emails have gone correctly.
What does that mean?
And how can I verify if there is a host spamming on my IP?

Jamie Gillespie, Senior IT Consultant, Commented:
I would start by adding a firewall rule to only allow SMTP traffic from your Exchange server.

You can use network monitoring tools to see if you can see anything suspicious going across the network. I would also start scanning your client machines for malicious software and make sure they are up-to-date.

If you still have SMTP issues after locking down your firewall, the issue could be with your Exchange configuration. I would check this later once you do some initial digging.

Jamie Gillespie, Senior IT Consultant, Commented:
Also if the issue is with your server, it's normally pretty obvious when you look at hundreds of connections trying to go through your queues. As this wasn't the case in the first place, it sounds like something on your network that isn't going through Exchange.

arefone, Author, Commented:
And how can you explain that I can send emails to some and not to others?
What is the difference between using a smarthost and not?

arefone, Author, Commented:
But even if there are some machines not going through Exchange, how can they affect the public IP of the Exchange server? I use that one only for the Exchange server.

Jamie Gillespie, Senior IT Consultant, Commented:
Here's a useful article I found online;

http://www.sbslinks.com/DNS_Smarthost.htm

This is really a temporary measure until you can delist your IP.

arefone, Author, Commented:
Jamie, I added the rule on the firewall to allow only SMTP traffic from the mail server. In fact I still see some dropped packets on the access list, so I need to know where they are coming from.
What is the next step?

Jamie Gillespie, Senior IT Consultant, Commented:
Enable logging on the firewall to see where the packets are coming from, if possible.
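
Added example, not part of the original thread: one way to act on the advice above and find which internal hosts are attempting outbound SMTP once port 25 egress is restricted to the mail server, by tallying firewall deny entries. It assumes Cisco ASA/PIX syslog message 106023 and an interface named inside; MAIL_SERVER, the log lines and every address are constructed placeholders.

```python
import re
from collections import Counter

# Assumption: the only internal host allowed to send on TCP/25 (placeholder).
MAIL_SERVER = "192.168.10.5"

# ACL-deny syslog message 106023 as written by Cisco ASA/PIX:
# Deny tcp src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<name>"
DENY_RE = re.compile(
    r"%(?:ASA|PIX)-\d-106023: Deny tcp src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
Jan 12 09:14:02 fw %ASA-4-106023: Deny tcp src inside:192.168.10.23/49812 dst outside:198.51.100.25/25 by access-group "inside_out" [0x0, 0x0]
Jan 12 09:14:02 fw %ASA-4-106023: Deny tcp src inside:192.168.10.23/49813 dst outside:203.0.113.40/25 by access-group "inside_out" [0x0, 0x0]
Jan 12 09:14:03 fw %ASA-4-106023: Deny tcp src inside:192.168.10.23/49814 dst outside:198.51.100.25/25 by access-group "inside_out" [0x0, 0x0]
Jan 12 09:15:10 fw %ASA-4-106023: Deny tcp src inside:192.168.10.77/1047 dst outside:203.0.113.9/25 by access-group "inside_out" [0x0, 0x0]
Jan 12 09:15:30 fw %ASA-4-106023: Deny tcp src inside:192.168.10.40/51000 dst outside:203.0.113.9/445 by access-group "inside_out" [0x0, 0x0]
Jan 12 09:16:00 fw %ASA-4-106023: Deny tcp src outside:203.0.113.77/40000 dst inside:192.168.10.5/3389 by access-group "outside_in" [0x0, 0x0]
"""


def smtp_offenders(log_text, mail_server=MAIL_SERVER, inside_if="inside"):
    """Return [(source_ip, denied_attempts, distinct_destinations)], busiest first,
    for internal hosts other than the mail server that tried outbound TCP/25."""
    attempts = Counter()
    targets = {}
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m is None:
            continue
        # Only outbound SMTP from the internal interface is of interest here.
        if m["sif"] != inside_if or m["dport"] != "25":
            continue
        if m["sip"] == mail_server:
            continue
        attempts[m["sip"]] += 1
        targets.setdefault(m["sip"], set()).add(m["dip"])
    return [(ip, n, len(targets[ip])) for ip, n in attempts.most_common()]


if __name__ == "__main__":
    for ip, n, dests in smtp_offenders(SAMPLE_LOG):
        print(f"{ip}: {n} denied SMTP attempts to {dests} destination(s)")
```

A workstation that shows many denied attempts to many different destinations is the first machine to scan for malware.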
 
arefone, Author, Commented:
How can I allow only the authenticated users to use Exchange SMTP?

Jamie Gillespie, Senior IT Consultant, Commented:
I don't think it's a problem with the Exchange configuration just yet. I would try and determine where the problem has originated from first.

There are quite a lot of steps you will need to go through to make sure your server is locked down sufficiently. The most common issue I reckon is insecure user passwords on the network. If these details are guessed, this is how the outside world can authenticate and relay through your server.

arefone, Author, Commented:
From the access list details on my firewall, I am seeing another server sending packets via port 25; I will block it.
You told me before that you would delete my public IP from the blacklist?

Jamie Gillespie, Senior IT Consultant, Commented:
I would use the following tool to see where you may be listed;

http://www.mxtoolbox.com/blacklists.aspx

I would then apply for delisting.

It's also important to investigate why this server is trying to send out on port 25. It may have malicious software on there, it also will cause unnecessary bandwidth on your internal network.

Once you have applied, it may take a good few days for things to clear up with your IP. In the meantime, continue sending mail using that smarthost and keep a close eye on mail flow. When the time comes, try and remove the smarthost settings and try sending mail out via DNS again.

If you have a further problem, I'd repost.

arefone, Author, Commented:
I used the mxtoolbox, my public IP is not listed. What was this error?
554 server.ad.domain-name.it bizsmtp qHs61j02L4GBcGV01 Connection refused from 9x.xx.xxx.1xx. See http://csi.cloudmark.com/reset-request for more information.

**Edited to remove company specific information.**-JARmod101

arefone, Author, Commented:
Jamie, I have something unclear. The public IP which has the issue is aaa.aaa.aaa.aaa; the other server I told you is sending packets via port 25 is using another public IP, let's say bbb.bbb.bbb.bbb. So the question is: how does it affect the aaa.aaa.aaa.aaa IP address?

arefone, Author, Commented:
Would this test result be helpful:

Connecting to aaa-aaa-aaa-aaa.server.domain-name.it... OK
156ms
220 **********************************************************************************************************************
 124.8ms
HELO aaa-aaa-aaa-aaa.server.domain-name.it
250 aaa.aaa.aaa.aaa Hello [2xx.xx.xxx.1xx]
124.8ms
MAIL FROM: <support@e-dns.org>
250 2.1.0 support@e-dns.org....Sender OK
109.2ms
RCPT TO: <smtp.test@example.com>
550 5.7.1 Unable to relay for smtp.test@example.com
124.8ms
QUIT
221 2.0.0 aaa.aaa.aaa.aaa Service closing transmission channel

**Edited to remove company specific information.**-JARmod101

Honez Commented:
Please check the following:

open Exchange System Manager --> Administrative Groups --> first Administrative Group --> Server Name --> Protocols --> smtp --> current sessions

Are there any servers currently connected to your server?  If there are, and you are not aware of them, disconnect them.

Then, look at this article: http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm

It will explain relaying and some settings in your Exchange environment.  Since you are not on a black list now, you may be soon.  If someone is relaying off of you, they may be doing it gracefully.

Also from the Exchange server, go to whatismyipaddress.com, and ensure that it is in fact using the address you think it is.

Check your reverse DNS record from that IP.  Ensure that the rdns lookup exists and is correct.

Please, keep out a pen and paper.  If you make any changes to your environment, log it on the paper so that you know exactly what was changed, in what order.  Please be cautious with any changes.

Also consider an Email GW service.  It will help scan for Viruses, accept email when you are down, and effectively resolve DNS.  
Dynamic DNS has a service for $49 a year.  Well worth it.

arefone, Author, Commented:
The link shows how to stop relaying, so the server will not receive any email anymore.

How can I ensure the rDNS configuration on the Exchange server?

Simon Butler (Sembee), Consultant, Commented:
It looks like you have a Cisco PIX or ASA device.
This is well known for causing email delivery issues due to a feature called FIXUP SMTP (it may have a new name in the later OS). It needs to be disabled.
http://support.microsoft.com/kb/320027

RDNS (aka PTR) is not an Exchange setting, it is configured by your ISP if you have a static IP address.
http://exchange.sembee.info/network/dnsconfig.asp

Also to correct a posting above - DO NOT set a smart host on the SMTP Virtual Server. That is against best practices and can cause significant issues if you migrate or have multiple servers. If you must use a smart host (your ISP is the usual choice) then you should use an SMTP Connector.
http://exchange.sembee.info/2003/smtp/smtp-connector.asp

Simon.

arefone, Author, Commented:
Hi Sembee2,
In the new IOS version there is no "fixup" command, they replaced it with "inspect", and I think if I disable inspect smtp I'll not be able to receive emails anymore, isn't it?

I asked my ISP to modify the rDNS record like this:
IP address aaa.bbb.ccc.ddd is reversed to mail.mymailserver.com
Is it correct?

arefone, Author, Commented:
I solved the problem with the help of you all.
What I did was:
1. Added a rule on the firewall to allow only the email server to use port 25
2. Delisted my public IP from cloudmark.com
3. Asked the ISP to modify the wrong "old" RDNS
4. Changed the password of three accounts I think were broken or hacked.

Thank you so much again.

Simon Butler (Sembee), Consultant, Commented:
No, disabling inspect will not cause a problem with email delivery. It just means the email goes straight through the firewall and you don't get the ********** in the banner which can cause email delivery issues.

Simon.
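
Added example, not part of the original thread: a small parser for an SMTP test transcript like the one pasted earlier, flagging the masked 220 banner discussed above, a 554 refusal at connect and a refused relay attempt. The transcript, host names and addresses are constructed placeholders, and the finding labels are this example's own.

```python
import re

REPLY_RE = re.compile(r"^(?P<code>[2-5]\d\d)(?P<sep>[ -])(?P<text>.*)$")
ENHANCED_RE = re.compile(r"[245]\.\d{1,3}\.\d{1,3}(?=\s|$)")
VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT"}

# Constructed transcript modelled on the test pasted in the thread;
# host names and addresses are placeholders.
SAMPLE = """\
Connecting to mail.example.com... OK
156ms
220 ********************************************
HELO probe.example.net
250 mail.example.com Hello [203.0.113.10]
MAIL FROM: <probe@example.net>
250 2.1.0 probe@example.net....Sender OK
RCPT TO: <smtp.test@example.org>
550 5.7.1 Unable to relay for smtp.test@example.org
QUIT
221 2.0.0 mail.example.com Service closing transmission channel
"""

def parse_replies(transcript):
    """Return (command, code, enhanced_status, text) for each final reply line."""
    last_cmd, replies = "CONNECT", []
    for line in (raw.strip() for raw in transcript.splitlines()):
        m = REPLY_RE.match(line)
        if m is None:
            # Not a server reply: remember the client command, skip timing lines.
            word = line.split(" ", 1)[0].upper()
            if word in VERBS:
                last_cmd = word
        elif m["sep"] == " ":  # "-" marks a continuation of a multi-line reply
            e = ENHANCED_RE.match(m["text"])
            replies.append((last_cmd, int(m["code"]), e.group(0) if e else None, m["text"]))
    return replies

def findings(transcript):
    """Map the replies to the diagnoses discussed in the thread."""
    notes = []
    for cmd, code, enhanced, text in parse_replies(transcript):
        if cmd == "CONNECT" and code == 220 and text.count("*") > len(text) / 2:
            notes.append("banner-masked")       # firewall SMTP inspection in the path
        elif cmd == "CONNECT" and code == 554:
            notes.append("refused-at-connect")  # policy/reputation block by the peer
        elif cmd == "RCPT" and code == 550 and enhanced == "5.7.1":
            notes.append("relay-refused")       # anonymous relay is denied
        elif cmd == "RCPT" and code // 100 == 2:
            notes.append("rcpt-accepted")       # open relay if the domain is not local
    return notes
```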
 
arefone, Author, Commented:
Ok, I will try it in 10 minutes and get back to you with the result.

arefone, Author, Commented:
Done, it is still working as you mentioned.

Do you know what that command was for on the firewall?

Simon Butler (Sembee), Consultant, Commented:
I don't quite understand - what command are you referring to?

Simon.

arefone, Author, Commented:
Sorry for my weak English, Simon.
I am referring to the "inspect smtp" command on the firewall.

arefone, Author, Commented:
Simon, I am checking my Exchange 2003 queue right now, and there is still a strange thing: there is a message from a valid account in the company trying to send a message to an address at the chemin-info.com.br domain. I am sure that my colleague is not sending this message as he is on vacation. Do I still have to do something on my email server?

Simon Butler (Sembee), Consultant, Commented:
Inspect SMTP is a feature of the Cisco that claims to protect the email against malformed messages. Unfortunately it does that by blocking certain commands that it considers to be "risky" which can cause problems with Exchange.

Are you sure the message in the queue is not just an Out of Office message? If it is replying to spam, then the destination is probably bogus and the message can be removed from the queue.

Simon.

arefone, Author, Commented:
Maybe, as he set the out-of-office rule. I'll keep an eye on it and see if there are more ambiguous messages in the queue.

Simon, can you explain the function of "allow all authenticated computers and users to be able to relay"?

One more thing: today I changed some passwords for some accounts. Afterwards, I again saw some event ID 1708 entries in the application events with the same description message you mentioned as an NDR on your site. Do I have to be worried about that?

Simon Butler (Sembee), Consultant, Commented:
That feature means what it says - if something authenticates, it can relay. I usually disable that feature as it can be abused.

If you have changed passwords then it could be that information is still cached somewhere or something is still using it. It could also be that a spammer is trying to use the account.

Simon.

arefone, Author, Commented:
Tomorrow I'll check and let you know!

Are you able to train me if I request it?

Simon Butler (Sembee), Consultant, Commented:
I don't provide training. Not my thing - I haven't got the patience.

Simon.

arefone, Author, Commented:
Same as me, I haven't got the patience to teach! ;)

Will let you know the queue's status tomorrow.

arefone, Author, Commented:
Hi Simon,

I checked the queue and it seems to be OK. The messages in error that I have are, I think, as you said, the replies of the out-of-office rule message, because they are from the accounts that are actually on vacation to various email accounts of the chez-celine.org domain.

Aref
Question has a verified solution.
