Problem receiving certain emails from a particular user and random others from the same domain

Posted on 2012-09-19
Medium Priority
Last Modified: 2012-09-24
The problem extends from just this particular email address, but I will just write about this particular email address for this problem.

There is a user from "client company" that just can't send to any of my users.  The client company has other users that send to us fine all of the time for the most part.  Tracking down to the logging level, here is what is happening.

Send (theirs)
2012-09-19T19:59:32.767Z,SMTP_Wooden,08CF4C3CB85CA699,0,,,*,,attempting to connect
2012-09-19T19:59:32.778Z,SMTP_Wooden,08CF4C3CB85CA699,2,,,<,"220 woodenex1.woodmaclaw.local Microsoft ESMTP MAIL Service ready at Wed, 19 Sep 2012 15:59:32 -0400",
2012-09-19T19:59:32.778Z,SMTP_Wooden,08CF4C3CB85CA699,3,,,>,EHLO ***.***.com,
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,4,,,<,250-woodenex1.woodmaclaw.local Hello [],
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,5,,,<,250-SIZE 10485760,
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,7,,,<,250 AUTH,
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,8,,,*,312547,sending message
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,9,,,>,MAIL FROM:<***@***.com> SIZE=1940,
2012-09-19T19:59:32.792Z,SMTP_Wooden,08CF4C3CB85CA699,10,,,<,250 2.1.0 Sender OK,
2012-09-19T19:59:32.792Z,SMTP_Wooden,08CF4C3CB85CA699,11,,,>,RCPT TO:<bpumphrey@woodmclaw.com>,
2012-09-19T19:59:32.798Z,SMTP_Wooden,08CF4C3CB85CA699,12,,,<,250 2.1.5 Recipient OK,
2012-09-19T19:59:32.801Z,SMTP_Wooden,08CF4C3CB85CA699,14,,,<,354 Start mail input; end with <CRLF>.<CRLF>,
2012-09-19T19:59:40.075Z,SMTP_Wooden,08CF4C3CB85CA699,15,,,<,250 OK,
2012-09-19T19:59:45.081Z,SMTP_Wooden,08CF4C3CB85CA699,17,,,<,221 2.0.0 Service closing transmission channel,

Receive (mine)
2012-09-19T20:07:25.726Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,1,,,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2012-09-19T20:07:25.726Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,2,,,>,"220 woodenex1.woodmaclaw.local Microsoft ESMTP MAIL Service ready at Wed, 19 Sep 2012 16:07:25 -0400",
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,3,,,<,EHLO ***.***.com,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,4,,,>,250-woodenex1.woodmaclaw.local Hello [],
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,5,,,>,250-SIZE 10485760,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,6,,,>,250-PIPELINING,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,7,,,>,250-DSN,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,8,,,>,250-ENHANCEDSTATUSCODES,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,9,,,>,250-STARTTLS,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,10,,,>,250-AUTH,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,11,,,>,250-8BITMIME,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,12,,,>,250-BINARYMIME,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,13,,,>,250 CHUNKING,
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,14,,,<,MAIL FROM:<semberton@prmic.com> SIZE=1950,
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,15,,,*,08CF54DB59839F05;2012-09-19T20:07:25.726Z;1,receiving message
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,16,10.1.1.xx:25,,>,250 2.1.0 Sender OK,
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,17,10.1.1.xx:25,,<,RCPT TO:<bpumphrey@woodmclaw.com>,
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,18,10.1.1.xx:25,,>,250 2.1.5 Recipient OK,
2012-09-19T20:07:28.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,19,,,<,RSET,
2012-09-19T20:07:33.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,20,,,>,250 2.0.0 Resetting,
2012-09-19T20:07:33.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,21,,,<,QUIT ,
2012-09-19T20:07:33.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,22,,,>,221 2.0.0 Service closing transmission channel,
2012-09-19T20:07:33.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,23,,,-,,Local

What it looks like is that something is getting burgered up where the RSET occurs, like my server is getting a premature RSET command.

Any thoughts?
Question by:getwidth28
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 38415602
Is there a firewall in between with an ALG (Application Level Gateway) enabled for SMTP?

Author Comment

ID: 38415620
I should have put this part in the description of the problem.

The party and I have set up a send and receive connector between our Exchange server so that it would bypass my spam filter MTA altogether, but the problem still persists.

Will you give me an example of the ALGs?  Are you referring to things such as the Windows Firewall, or Symantec firewall, etc?
LVL 12

Accepted Solution

Henk van Achterberg earned 2000 total points
ID: 38415631
A Cisco ASA for example has an Inspection Policy where it can inspect (E)SMTP traffic and can send RSET commands if the SMTP traffic does not follow certain rules, thus ending mail conversations.

So I am talking about hardware firewalls. Are there any present between both servers, and if so, which brand/SW version?

Author Comment

ID: 38415648
I at least know my side.  There is a Cisco 515pix on my side.

Internet --> 515 --> exchange

Cisco PIX Security Appliance Software Version 7.2(3)

Author Comment

ID: 38415651
defense# show config | grep inspect
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp

Author Comment

ID: 38415652
That is my Cisco.
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 38415655
In your PIX please take a look at the inspection policy and enable the inspection of SMTP and try again.

Author Comment

ID: 38415664
Per my previous post, doesn't look like SMTP inspect is on, right?
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 38415683
When I posted the answer you replied with your config :).

My experience is that when you have probs you have to disable inspection; it seems disabled at your end. The RSET packet, though, is being sent from a device, probably a firewall in between.

Can you discover what the other end is running?

Author Comment

ID: 38415747
I asked....
"The consultant for xxx setup the current firewall, has been in place for months. It is possible but I don’t think it likely"

So I'll see tomorrow.
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 38415756
If you have the option you could monitor the traffic coming from the internet (place a hub and put the ASA/WAN/your PC in it) and listen with Wireshark. Then you can see if the RSET command is coming from their end or if it is being sent by the PIX.

P.S. If you use a switch you will have to put the WAN port in monitor mode, so a hub is much easier :)

Author Comment

ID: 38428634
Ok, problem solved.  Your tips were certainly in the right direction.  Here is what transpired.

- I opened a MS ticket through TechNet.  They would support me only some because my Exchange server is VMware.  They mentioned, just as you did, that it might be getting messed up by a firewall or something.  He had me change a couple of settings in the connector which helped, however it wasn't the source of the problem and the problem in general was still there.

- The other party opened a ticket with MS.  He did a packet capture on both ends.  He noticed that when telnetting to my Exchange server, my server was only returning 4 banners instead of the 10 or so.

- While MS was looking at the logs, the other IT person and I did some general testing on the banners, figuring out that for sure my side was blocking something because of the lack of banners.

- I remember an Untangle web filter appliance type of machine that I have had set up for at least 2 years, probably longer.  The virus blocker was causing it.  After I turned the Virus Blocker off on the Untangle server it fixed the problem.

My bad for a flag of it might being the problem, but I didn't even think of it because it had been setup for so long and I wasn't running a firewall on it that I didn't flag it as the possible problem.  

The virus checker did have checkmarks inside of its setting to scan SMTP, so there it was.

Argh, it's always a turd type of answer for "major" problems.
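
The two logs in the question already show the symptom that was found at the end of this thread: after EHLO the sender's log lists only SIZE and AUTH, while the receiving server's own log lists a longer set that includes STARTTLS and CHUNKING. The following is an added example, not code from any poster, that compares the EHLO reply as the server sent it with the reply as the client received it; the sample lines, hostnames and function names are constructed for illustration.

```python
import csv
import io

# Constructed sample data in the protocol-log column layout seen in the thread:
# time, connector, session, sequence, local, remote, event, data, context.
# Hostnames and session ids are placeholders, not values from the thread.
SERVER_LOG = """\
2012-01-01T00:00:01Z,Recv,S1,3,,,<,EHLO sender.example.test,
2012-01-01T00:00:01Z,Recv,S1,4,,,>,250-mx.example.test Hello [],
2012-01-01T00:00:01Z,Recv,S1,5,,,>,250-SIZE 10485760,
2012-01-01T00:00:01Z,Recv,S1,6,,,>,250-PIPELINING,
2012-01-01T00:00:01Z,Recv,S1,7,,,>,250-STARTTLS,
2012-01-01T00:00:01Z,Recv,S1,8,,,>,250-AUTH,
2012-01-01T00:00:01Z,Recv,S1,9,,,>,250 CHUNKING,
"""
CLIENT_LOG = """\
2012-01-01T00:00:01Z,Send,C1,3,,,>,EHLO sender.example.test,
2012-01-01T00:00:01Z,Send,C1,4,,,<,250-mx.example.test Hello [],
2012-01-01T00:00:01Z,Send,C1,5,,,<,250-SIZE 10485760,
2012-01-01T00:00:01Z,Send,C1,7,,,<,250 AUTH,
"""


def ehlo_capabilities(log_text, reply_event):
    """Extension keywords in the last EHLO reply of a log.

    reply_event is '>' in a receive log (the server speaking) and
    '<' in a send log (what the client actually received).
    """
    caps, in_reply, greeted = set(), False, False
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 8:
            continue                       # skip blank or truncated lines
        event, data = row[6], row[7].strip()
        if data.upper().startswith("EHLO "):
            caps, in_reply, greeted = set(), True, False
        elif in_reply and event == reply_event and data[:3] == "250":
            words = data[4:].split()
            if greeted and words:          # the first 250 line is the greeting
                caps.add(words[0].upper())
            greeted = True
            in_reply = data[3:4] == "-"    # "250 " (space) marks the final line
    return caps


def stripped_in_transit(server_log, client_log):
    """Keywords the server advertised that never reached the client."""
    sent = ehlo_capabilities(server_log, ">")
    received = ehlo_capabilities(client_log, "<")
    return sorted(sent - received)
```

A non-empty result means something between the two servers is rewriting the SMTP dialogue. When STARTTLS is in that list, the sender never sees the offer, so the session cannot be upgraded to TLS.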

Question has a verified solution.
