Problem receiving certain emails from a particular user and random others from the same domain

Posted on 2012-09-19
Last Modified: 2012-09-24
The problem extends from just this particular email address, but I will just write about this particular email address for this problem.

There is a user from "client company" that just can't send to any of my users.  The client company has other users that send to us fine all of the time for the most part.  Tracking down to the logging level, here is what is happening.

Send (theirs)
2012-09-19T19:59:32.767Z,SMTP_Wooden,08CF4C3CB85CA699,0,,,*,,attempting to connect
2012-09-19T19:59:32.778Z,SMTP_Wooden,08CF4C3CB85CA699,2,,,<,"220 woodenex1.woodmaclaw.local Microsoft ESMTP MAIL Service ready at Wed, 19 Sep 2012 15:59:32 -0400",
2012-09-19T19:59:32.778Z,SMTP_Wooden,08CF4C3CB85CA699,3,,,>,EHLO ***.***.com,
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,4,,,<,250-woodenex1.woodmaclaw.local Hello [],
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,5,,,<,250-SIZE 10485760,
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,7,,,<,250 AUTH,
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,8,,,*,312547,sending message
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,9,,,>,MAIL FROM:<***@***.com> SIZE=1940,
2012-09-19T19:59:32.792Z,SMTP_Wooden,08CF4C3CB85CA699,10,,,<,250 2.1.0 Sender OK,
2012-09-19T19:59:32.792Z,SMTP_Wooden,08CF4C3CB85CA699,11,,,>,RCPT TO:<>,
2012-09-19T19:59:32.798Z,SMTP_Wooden,08CF4C3CB85CA699,12,,,<,250 2.1.5 Recipient OK,
2012-09-19T19:59:32.801Z,SMTP_Wooden,08CF4C3CB85CA699,14,,,<,354 Start mail input; end with <CRLF>.<CRLF>,
2012-09-19T19:59:40.075Z,SMTP_Wooden,08CF4C3CB85CA699,15,,,<,250 OK,
2012-09-19T19:59:45.081Z,SMTP_Wooden,08CF4C3CB85CA699,17,,,<,221 2.0.0 Service closing transmission channel,

Receive (mine)
2012-09-19T20:07:25.726Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,1,,,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2012-09-19T20:07:25.726Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,2,,,>,"220 woodenex1.woodmaclaw.local Microsoft ESMTP MAIL Service ready at Wed, 19 Sep 2012 16:07:25 -0400",
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,3,,,<,EHLO ***.***.com,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,4,,,>,250-woodenex1.woodmaclaw.local Hello [],
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,5,,,>,250-SIZE 10485760,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,6,,,>,250-PIPELINING,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,7,,,>,250-DSN,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,8,,,>,250-ENHANCEDSTATUSCODES,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,9,,,>,250-STARTTLS,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,10,,,>,250-AUTH,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,11,,,>,250-8BITMIME,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,12,,,>,250-BINARYMIME,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,13,,,>,250 CHUNKING,
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,14,,,<,MAIL FROM:<> SIZE=1950,
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,15,,,*,08CF54DB59839F05;2012-09-19T20:07:25.726Z;1,receiving message
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,16,10.1.1.xx:25,,>,250 2.1.0 Sender OK,
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,17,10.1.1.xx:25,,<,RCPT TO:<>,
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,18,10.1.1.xx:25,,>,250 2.1.5 Recipient OK,
2012-09-19T20:07:28.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,19,,,<,RSET,
2012-09-19T20:07:33.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,20,,,>,250 2.0.0 Resetting,
2012-09-19T20:07:33.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,21,,,<,QUIT ,
2012-09-19T20:07:33.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,22,,,>,221 2.0.0 Service closing transmission channel,
2012-09-19T20:07:33.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,23,,,-,,Local

What it looks like is that something is getting burgered up where the RSET occurs, like my server is getting a premature RSET command.

Any thoughts?
Question by:getwidth28
    LVL 12

    Expert Comment

    by:Henk van Achterberg
    Is there a firewall in between with an ALG (Application Level Gateway) enabled for SMTP?

    Author Comment

    I should have put this part in the description of the problem.

    The party and I have set up a send and receive connector between our Exchange server so that it would bypass my spam filter MTA altogether, but the problem still persists.

    Will you give me an example of the ALGs?  Are you referring to things such as the Windows Firewall, or Symantec firewall, etc?
    LVL 12

    Accepted Solution

    A Cisco ASA, for example, has an Inspection Policy where it can inspect (E)SMTP traffic and can send RSET commands if the SMTP traffic does not follow certain rules, thus ending mail conversations.

    So I am talking about hardware firewalls. Are there any present between both servers, and if so, which brand/SW version?

    Author Comment

    I at least know my side.  There is a Cisco 515pix on my side.

    Internet --> 515 --> exchange

    Cisco PIX Security Appliance Software Version 7.2(3)

    Author Comment

    defense# show config | grep inspect
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
      inspect pptp

    Author Comment

    That is my cisco.
    LVL 12

    Expert Comment

    by:Henk van Achterberg
    In your pix please take a look at the inspection policy and enable the inspection of SMTP and try again.

    Author Comment

    Per my previous post, doesn't look like SMTP inspect is on, right?
    LVL 12

    Expert Comment

    by:Henk van Achterberg
    When I posted the answer you replied with your config :).

    My experience is that when you have problems you have to disable inspection; it seems disabled at your end. The RSET packet, though, is being sent from a device, probably a firewall in between.

    Can you discover what the other end is running?

    Author Comment

    I asked....
    "The consultant for xxx setup the current firewall, has been in place for months. It is possible but I don’t think it likely"

    So I'll see tomorrow.
    LVL 12

    Expert Comment

    by:Henk van Achterberg
    If you have the option you could monitor the traffic coming from the internet (place a hub and put the ASA/WAN/your PC in it) and listen with Wireshark. Then you can see if the RSET command is coming from their end or it is being sent by the PIX.

    P.S. If you use a switch you will have to put the WAN port in monitor mode, so a hub is much easier :)

    Author Comment

    Ok, problem solved.  Your tips were certainly in the right direction.  Here is what transpired.

    - I opened an MS ticket through TechNet.  They would support me only some because my Exchange server is VMware.  They mentioned, just as you did, that it might be getting messed up by a firewall or something.  He had me change a couple of settings in the connector, which helped; however, it wasn't the source of the problem and the problem in general was still there.

    - The other party opened a ticket with MS.  He did a packet capture on both ends.  He noticed that when telnetting to my Exchange server, my server was only returning 4 banners instead of the 10 or so.

    - While MS was looking at the logs, the other IT person and I did some general testing on the banners, figuring out that for sure my side was blocking something because of the lack of banners.

    - I remember an Untangle web filter appliance type of machine that I have had set up for at least 2 years, probably longer.  The virus blocker was causing it.  After I turned the Virus Blocker off on the Untangle server it fixed the problem.

    My bad for a flag of it might being the problem, but I didn't even think of it because it had been setup for so long and I wasn't running a firewall on it that I didn't flag it as the possible problem.  

    The virus checker did have checkmarks inside of its setting to scan SMTP, so there it was.

    Argh, it's always a turd type of answer for "major" problems.
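
Added example (not part of the original thread): the clue that broke this case, the sending side seeing fewer EHLO response lines than the receiving server logged, can be checked directly by diffing the two protocol logs. The log excerpts below are constructed in the same column layout as the logs in the question, and the function names are hypothetical.

```python
import csv
import io

# Constructed excerpts in the column layout of the logs in the post:
# timestamp,connector,session,sequence,local,remote,event,data,context
SENDER_LOG = """\
t1,Send,S1,3,,,>,EHLO mail.client.example,
t1,Send,S1,4,,,<,250-mx.example.local Hello [],
t1,Send,S1,5,,,<,250-SIZE 10485760,
t1,Send,S1,7,,,<,250 AUTH,
"""
RECEIVER_LOG = """\
t2,Recv,R1,3,,,<,EHLO mail.client.example,
t2,Recv,R1,4,,,>,250-mx.example.local Hello [],
t2,Recv,R1,5,,,>,250-SIZE 10485760,
t2,Recv,R1,6,,,>,250-PIPELINING,
t2,Recv,R1,9,,,>,250-STARTTLS,
t2,Recv,R1,10,,,>,250-AUTH,
t2,Recv,R1,13,,,>,250 CHUNKING,
"""

def ehlo_keywords(log_text, reply_event):
    """Return the ESMTP keywords in the first EHLO reply found in a log.

    reply_event is '<' for a send-connector log (replies are received)
    and '>' for a receive-connector log (replies are sent)."""
    keywords, reply_lines, in_reply = set(), 0, False
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 8:
            continue
        event, data = row[6], row[7]
        if data.upper().startswith("EHLO "):
            in_reply = True
            continue
        if not in_reply:
            continue
        if event != reply_event or not data.startswith("250"):
            break  # something other than an EHLO reply line: reply is over
        reply_lines += 1
        parts = data[4:].split()
        if reply_lines > 1 and parts:  # first 250 line is the greeting
            keywords.add(parts[0].upper())
        if data[3:4] != "-":  # "250 " without a hyphen is the last line
            break
    return keywords

def stripped_in_transit(sender_log, receiver_log):
    """Keywords the server advertised that never reached the client."""
    return ehlo_keywords(receiver_log, ">") - ehlo_keywords(sender_log, "<")
```

A non-empty result means a device in the path is rewriting the SMTP session; if STARTTLS is among the missing keywords, mail on that path can also no longer negotiate TLS.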
