Solved

Exchange mailflow issue

Posted on 2012-08-25
Medium Priority
786 Views
Last Modified: 2012-10-17
I've got an email message flow issue.  Most of the messages in the email queue have the error: Last error 421 4.4.2 connection dropped due to connection reset
In my research within my company, I found that the MX records and A records for the email servers had disappeared from DNS on our main DC so they have been added back in and DNS flushed and reregistered. That doesn't seem to have helped.
We are using MS Forefront as our AV, the server is configured with Windows 2008 R2 and Exchange 2010.  This is an Exchange cluster.
I haven't checked our firewall or router.  DNS has been fixed on our DC and replication has been forced so hopefully it's replicated through our domain.
I know there are similar questions posted on EE but none of the fixes I found pertained or they didn't work for me.
Any help would be greatly appreciated as I have many emails stuck in my queues.
Question by:skbarnard
15 Comments
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38333317
Am I correct in my assumption that you are only being affected in sending emails outside and not receiving OR sending/receiving emails internally?

Also, I am assuming that your 4.4.2 is for all the domains you are sending emails outside, so be it gmail / yahoo / AOL - emails are stuck for all of them.

So, how are you sending emails outside? Using DNS or Smarthost? If you've got Forefront I am assuming you are sending emails via Forefront, in other words you are sending emails to Forefront and it's sending emails to internet.

Clarify on my points please.

Regards,
Exchange_Geek
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38333897
You don't normally have MX records in your internal DNS for the Exchange server, as the internet doesn't query them.
Therefore the fact they were "missing" is normal.

This looks like interference of some kind if you are getting "connection reset". Firewall is the usual source. Not seen the issue with Forefront on the server though - that is usually a well behaved application.

Simon.
0
 

Author Comment

by:skbarnard
ID: 38338194
To answer the questions posted by Exchange_Geek:
Only the external mail is being affected and it appears to be only when sending to external email.  We can receive external email without issue.
We use DNS to send email.
We're not using Forefront to send any emails, that's just our AV protection.
We have 2 Kemp 3600 Load Balance appliances so the email default gateway is set (on both Exchange servers) to be the shared IP address of the load balance appliances.  The load balance appliance is set to our domain default gateway and therefore should get to the internet.
I've run the mailflow troubleshooting assistant on both servers.  I'm attaching some screen prints from the runs of the troubleshooting assistant showing some of the errors it's finding.
I'm at a loss - I can ping other servers on my domain, I can ping servers outside my domain, I can use nslookup and names are resolved to IP and IP's are resolved to names.
When I telnet to any of the domains in queues, it either can't connect or will disconnect as soon as I try to type "HELO"
Node1-Example-Port25-and-more.pdf
Node2-port25-issues.pdf
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38338555
If you are using DNS to send emails outside, your Kemp LB is the culprit. Check its setting and verify if SMTP is allowed to send emails outside from your Exchange server.

Call up Kemp folks.

Regards,
Exchange_Geek
0
 

Author Comment

by:skbarnard
ID: 38338868
Right now, it appears the queues have cleared after running the mailflow troubleshooting assistant - weird - don't know why that would necessarily clear it, just glad it's cleared.  I'm going to monitor but may still need to call the Kemp folks.
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38338901
OK, keep this post alive OR, if you cannot, close the thread and open a new one whenever you have issues.

Regards,
Exchange_Geek
0
 

Author Comment

by:skbarnard
ID: 38351841
Just to give a little more information, I ran the troubleshooting assistant on each server in our Exchange environment and after the troubleshooter finished running, that's when the messages began to flow again and the queues cleared up.
I'm still a little concerned as I still see the errors listed in the attached file (sorry to make it so small, I was going for as much information as I could).
Email is still flowing but I also am still receiving some delayed delivery notices.
I'll try to keep this thread alive but if I don't post here frequently, it will have to be shut down
EmailQueue-Node1.pdf
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38358291
Help me understand the mail flow diagram

Exchange 2010 Servers ==> Kemp LB ==> Internet?

Is this so?

Can we get Kemp out of the equation and check, most of the times - it is these firewalls / routers that play spoil-sport.

Regards,
Exchange_Geek
0
 

Author Comment

by:skbarnard
ID: 38364652
I'd have to schedule down time to take Kemp out of the equation, can't do that right now.
You are correct with the path - it goes from the Exchange 2010 servers to the Kemp load balancers then out.
I just thought of another piece - we have an email archive solution in place and therefore, we have a journaling mailbox.  Can that contribute to delays?
0
 

Author Comment

by:skbarnard
ID: 38387168
I'm still experiencing some delay with message delivery but not as severe as was reported earlier in this thread.
I'm also now having an issue getting emails in the queues for delivery that have a from address of <> (angle brackets - no email address)
I can clear those out pretty easily but I'm not sure what's causing them in the first place.  I'm assuming I have a spamming account since we ended up on 2 spam blacklists 2 days in a row.
Does anyone have a PowerShell command that will let me find accounts that are sending excessive amounts of email?
An additional question too is -  has anyone seen the attached error when using the queue viewer in Exchange 2010?
RemotePipelineError.pdf
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38392215
Messages with no senders <> are NDRs. Those should be blocked by recipient filtering.
That can be easily enabled on the Exchange server by running a script.
http://exchange.sembee.info/2010/hub/filter-unknown.asp

They are caused simply by spammers sending email to non-valid users. Exchange will accept the email if recipient filtering is not enabled, then attempt to reject them. With recipient email they are rejected at the point of delivery, but it must be enabled on whatever accepts the SMTP connection from the internet.

Simon.
0
 

Author Comment

by:skbarnard
ID: 38396275
Simon,
Reading through your supplied article, we don't have an Edge Transport server.  We do have 2 Exchange servers running in a clustered setup so I'd have to install the anti-spam agent on both servers?
Forgive my ignorance here - if I set the properties of the recipient filtering to "block messages sent to recipients not in the global address list", won't that prohibit me being able to send any email external to our network?
We have the third party tool TrendMicro ScanMail for Exchange installed on both servers; are you familiar with this tool?
I've not done much with the content filtering portion of this tool so I've just created a policy that, if created correctly, will delete those <> NDR messages from the queues.
One last question for this posting - why would the queue for one database continually grow with the NDR's (<>)?  After I clear out the queue, it takes only a few minutes to be back up to 800 - 900 messages with no sender address.  Is there a PS command that can pinpoint which account might be generating these NDR's?
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 1000 total points
ID: 38396498
If you don't have an Edge, that isn't a problem. Just run the script on the servers with the Hub Transport server.
It needs to be run on all servers that are internet facing and has no effect on outbound email. It is an incoming setting only and should really be enabled by default on all servers.

The reason the messages build up is because the queue viewer is lagging behind and unable to cope. If a spammer is using your server to do an NDR spam run, they may well have dumped 1000s of messages on to your server and you can only clear so many at a time. It will not be account that is sending the messages, just a spammer taking advantage of the default configuration of Exchange.

Simon.
0
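An added example (not part of any post in this thread) for the question asked above about finding accounts that send excessive mail: it tallies message tracking log entries per submitting mailbox and counts server-generated NDRs separately, which shows whether the volume comes from an account or from backscatter as the accepted answer describes. `Get-SenderVolume`, `New-SampleEntry`, the threshold and the sample entries are hypothetical and constructed for illustration; the property names match what `Get-MessageTrackingLog` returns.

```powershell
function Get-SenderVolume {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $LogEntry,
        [int] $Threshold = 100   # assumed cut-off for "excessive" in the window
    )
    begin { $bySender = @{}; $dsn = 0 }
    process {
        # RECEIVE from STOREDRIVER = a message submitted by a local mailbox.
        if ($LogEntry.EventId -eq 'RECEIVE' -and $LogEntry.Source -eq 'STOREDRIVER') {
            $key = ([string]$LogEntry.Sender).ToLower()
            $bySender[$key] = [int]$bySender[$key] + [int]$LogEntry.RecipientCount
        }
        # DSN events are NDRs generated by the server itself, not by a mailbox.
        elseif ($LogEntry.EventId -eq 'DSN') { $dsn++ }
    }
    end {
        $rows = @($bySender.GetEnumerator() | Sort-Object Value -Descending |
            ForEach-Object {
                New-Object PSObject -Property @{ Sender = $_.Key; Recipients = $_.Value }
            })
        $rows += New-Object PSObject -Property @{
            Sender = '<> (server-generated NDRs)'; Recipients = $dsn }
        $rows | Select-Object Sender, Recipients,
            @{ n = 'Excessive'; e = { $_.Recipients -ge $Threshold } }
    }
}

# Constructed sample entries so the function can be tried off-server.
function New-SampleEntry($EventId, $Source, $Sender, $RecipientCount) {
    New-Object PSObject -Property @{ EventId = $EventId; Source = $Source
        Sender = $Sender; RecipientCount = $RecipientCount }
}
$sample = @(
    New-SampleEntry 'RECEIVE' 'STOREDRIVER' 'user1@example.test' 3
    New-SampleEntry 'RECEIVE' 'STOREDRIVER' 'User1@example.test' 2
    New-SampleEntry 'RECEIVE' 'STOREDRIVER' 'user2@example.test' 1
    New-SampleEntry 'RECEIVE' 'SMTP'        'outside@example.net' 1
    New-SampleEntry 'DSN'     'DSN'         'postmaster@example.test' 1
    New-SampleEntry 'DSN'     'DSN'         'postmaster@example.test' 1
)
$sample | Get-SenderVolume -Threshold 5

# On a Hub Transport server, feed it real tracking data instead:
#   Get-TransportServer |
#     Get-MessageTrackingLog -Start (Get-Date).AddHours(-24) -ResultSize Unlimited |
#     Get-SenderVolume
# To confirm recipient filtering is active after running the script:
#   Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
```

If the NDR row dominates and no mailbox crosses the threshold, the queue growth is inbound mail to invalid recipients rather than a sending account.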
 

Author Comment

by:skbarnard
ID: 38468981
I'm hoping this will be resolved when we install SP2 for Exchange.  I was going to close the question but I think I'll keep this one open until after the SP2 install.
0
 

Author Closing Comment

by:skbarnard
ID: 38507750
Nothing has actually resolved the issue but the problem appears to have slowed down.  The install of SP2 and the rollup update didn't resolve any of the email issues we're seeing.
I'd like to thank Simon for his input, he did help clarify some things that were a bit fuzzy for me.
One thing that may have contributed to this is an account that appears to have gotten corrupt. It happens to be the account we use for the journaling mailbox of our archive solution.
We've created a new account for that purpose and the NDR's have significantly reduced.
0
