Exchange 2010 ReceiveConnector Event 1035

After migrating from Exchange 2007 to Exchange 2010 I made a big mistake not documenting my receive connector settings on Exchange 2007.  Both exchange 2007 and exchange 2010 ran together for about two weeks then I completely uninstalled and removed the 2007 exchange server.

Now on a regular basis I get event 1035

Type :            Warning
Date :            2/13/2015
Time :            8:14:05 PM
Event :            1035
Source :            MSExchangeTransport
Category :      SmtpReceive
User :            N/A
Computer :      SERV025.FQDN.com
Description:
The description for Event ID ( 1035 ) in Source ( MSExchangeTransport ) could not be found.
Either the component that raises this event is not installed on the computer or the installation is corrupted.You can install or repair the component or try to change Description Server.

The following information was included with the event (insertion strings):
LogonDenied
Default SERV025
Ntlm
203.125.141.216


The ip address given is foreign not an ip address known by my system.

This occurs regularly with different ip addresses.

I have been blocking countries in my router but this is crazy..

I believe my default serv025 receiver connector is not setup correctly.


This is my default receive connector

[PS] C:\Windows\system32>get-receiveconnector 'default serv025' |fl


RunspaceId                              : e062116f-832a-4908-adce-e055fa4830b4
AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {:::25, 0.0.0.0:25}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : SERV025.fqdn.com
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 8
MaxLogonFailures                        : 3
MaxMessageSize                          : 10 MB (10,485,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 5000
PermissionGroups                        : AnonymousUsers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : Verbose
RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : SERV025
SizeEnabled                             : EnabledWithoutValue
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Default SERV025
DistinguishedName                       : CN=Default SERV025,CN=SMTP Receive Connectors,CN=Protocols,CN=SERV025,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MYDOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=xxxx,DC=xxxx,DC=Mydomain,DC=com
Identity                                : SERV025\Default SERV025
Guid                                    : c7f72790-8ffa-4d59-8de2-59a919e8b5a1
ObjectCategory                          : our.network.tgcsnet.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 3/29/2015 10:16:42 PM
WhenCreated                             : 1/10/2015 5:46:30 PM
WhenChangedUTC                          : 3/30/2015 2:16:42 AM
WhenCreatedUTC                          : 1/10/2015 10:46:30 PM
OrganizationId                          :
OriginatingServer                       : serv011.fqdn.com
IsValid                                 : True

 


I think this is the cause
AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer

What should this be?  I am thinking I only need TLS

I have another receive connector for port 1025 and it only has TLS and it works. I can receive email from outside sources using port 1025.


Thoughts.
Thomas GrassiSystems AdministratorAsked:
Will SzymkowskiSenior Solution ArchitectCommented:
As you can see it in the details of the event message this is someone from an External IP that is trying to relay off your default receive connector. Because it is a foreign IP it is being blocked.

As long as this is being blocked and you are not having external IP's relaying from your Exchange server you can ignore these events.

However I would look at your perimeter firewall to see how you can harden it so that external IP's can not try and attempt to relay from you.

However you can disregard this event because it is blocking it successfully.

Will.

Thomas GrassiSystems AdministratorAuthor Commented:
Will

I never had this issue on exchange 2007?

I really think it is the settings on the

AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer

What do you think will happen if I just leave TLS on?

Thoughts?
Will SzymkowskiSenior Solution ArchitectCommented:
If you have left the defaults for the default receive connector then you should be fine. I would not be changing the default receive connector settings. This is not so much an issue with Exchange but security from your firewall to the Exchange server.

Exchange is doing its job blocking the connection from relaying off the default receive connector.

I would not worry about this error message.

Harden your firewall settings.

Will.
Thomas GrassiSystems AdministratorAuthor Commented:
Will

If I start blocking all these addresses  that's all I will be doing is adding them one by one and they will just go to the next address and try.

What do the default receive connector settings look like? I believe mine is not default. The reason I say that is because when I first brought up Exchange 2010 with my Exchange 2007 I was making a lot of changes on the receive connectors to get things to work.

Do you have a fresh default receive connector that I can compare mine to?

Thanks
Will SzymkowskiSenior Solution ArchitectCommented:
Here is my default receive connector for Exchange 2010
[PS] C:\Windows\system32>Get-ReceiveConnector -Identity "Ex1\default ex1" | fl


RunspaceId                              : 878434cd-72f5-4baa-ba43-f8ad68c7e9d7
AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {:::25, 0.0.0.0:25}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : EX1.example.com
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 10 MB (10,485,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 5000
PermissionGroups                        : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : EX1
SizeEnabled                             : EnabledWithoutValue
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Default EX1
DistinguishedName                       : CN=Default EX1,CN=SMTP Receive Connectors,CN=Protocols,CN=EX1,CN=Servers,CN=E
                                          xchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Fi
                                          rst Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=exampl
                                          e,DC=com
Identity                                : EX1\Default EX1
Guid                                    : 8559e25e-7f08-432e-8c68-bc5569278138
ObjectCategory                          : example.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 2/13/2015 8:01:13 PM
WhenCreated                             : 12/31/2014 10:43:36 AM
WhenChangedUTC                          : 2/14/2015 1:01:13 AM
WhenCreatedUTC                          : 12/31/2014 3:43:36 PM
OrganizationId                          :
OriginatingServer                       : DC.example.com
IsValid                                 : True



Will.
Thomas GrassiSystems AdministratorAuthor Commented:
Will

Thanks

Almost exactly the same

Yours
PermissionGroups                        : ExchangeUsers, ExchangeServers, ExchangeLegacyServers

Mine
PermissionGroups                        : AnonymousUsers


What's the difference?

IF I do not use "AnonymousUsers" then I can not receive email from outside sources?

Thoughts
HariomExchange ExpertsCommented:
IF I do not use "AnonymousUsers" then I can not receive email from outside sources?

Yes, "AnonymousUsers" is required to receive e-mails from outside sources.

Have you checked if your server is an open relay?

Is your Exchange server directly receiving e-mail or is there a smart host configured (I'm asking as you are saying you are receiving e-mail from port 1025)?
Thomas GrassiSystems AdministratorAuthor Commented:
I ran this

Get-ReceiveConnector | Get-ADPermission | where {($_.ExtendedRights -like "*SMTP-Accept-Any-Recipient*")} | where {$_.User -like '*anonymous*'} | ft identity,user,extendedrights

I have no open relays.

I also do not have a smart host defined.

Just do not know why I need all these on my default connector?
Only have one Exchange Server in my organization Do I really need Exchange Server as an authentication ?
What do I really require?

Default serv025                              Port 25
AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer

Port 1025
AuthMechanism                           : Tls

The port 1025 never receives the same error message I receive email on that port daily.


Ran the tests from  http://www.mailradar.com/openrelay/

All tested completed! No relays accepted by remote host!

Thoughts
HariomExchange ExpertsCommented:
OK so you have 2 receive connector one for external and one for internal

1) Default serv025 - For External E-mail Receive
2) Port 1025 - For Internal E-mail Receive

External connector is receiving e-mail on port 25
Internal Connector is receiving e-mail on port 1025.

It seems that both the AuthMechanism is set correctly .

I guess some one from 203.125.141.216 is trying to connect to your exchange server , and due to security exchange is not allowing us.

Do you have any external users OR partner who is using this external connector as relay.

This is information events which states that exchange server has blocked the connection , you can block this user or ignore.
Thomas GrassiSystems AdministratorAuthor Commented:
Sorry for the confusion

I have two External Receive Connectors one for port 25 the other port 1025
External connector is receiving e-mail on port 25
External Connector is receiving e-mail on port 1025.
I have another receive connector for internal only.

Yes 203.125.141.216 is trying to connect  and with my setup Exchange is rejecting this attempt.

No external partners no external users

All my external users use iPhones, tablets or Outlook to connect using ActiveSync.

I was trying to avoid having to manually block all of these attempts. It seems on certain days I get several who keep trying.

Most are one offs but some try over and over don't they get it?

Maybe I can write a script that will email me a list that I then can block or something like that

Know of any?
HariomExchange ExpertsCommented:
Yes there are powershell scripts available  to send an email when something happens in the Event Log.

http://sharepointjack.com/2013/powershell-to-send-an-email-when-something-happens-in-the-event-log/
Thomas GrassiSystems AdministratorAuthor Commented:
Guys

Thanks for the information

I will start working on a script that will email me a list daily of all the event 1035 errors with the ip address so I can block them if need be.

Thanks again
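
One way to build the daily report discussed in the last posts, shown here as an added example that is not code from the thread or from any participant. It groups event 1035 `LogonDenied` records by source IP using the insertion-string order visible in the event at the top of this page; the function name `Get-LogonDeniedSummary`, the threshold of 3 and the sample records (documentation IP ranges) are assumptions made for illustration.

```powershell
# Added example, not from the thread. Avoids PowerShell 3.0+ syntax.
function Get-LogonDeniedSummary {   # hypothetical helper name
    param([object[]] $Records = @(), [int] $Threshold = 1)
    $rows = @(foreach ($e in $Records) {
        # Insertion strings, in the order shown in the event on this page:
        # [0] status, [1] receive connector, [2] auth mechanism, [3] remote IP
        $p = @($e.Properties)
        if ($p.Count -lt 4) { continue }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Status    = [string]$p[0].Value
            Connector = [string]$p[1].Value
            Mechanism = [string]$p[2].Value
            RemoteIP  = [string]$p[3].Value
        }
    })
    $rows | Where-Object { $_.Status -eq 'LogonDenied' } |
        Group-Object RemoteIP, Connector, Mechanism |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        ForEach-Object {
            $g = @($_.Group | Sort-Object Time)
            New-Object PSObject -Property @{
                RemoteIP = $g[0].RemoteIP; Connector = $g[0].Connector
                Mechanism = $g[0].Mechanism; Failures = $_.Count
                First = $g[0].Time; Last = $g[-1].Time
            } | Select-Object RemoteIP, Connector, Mechanism, Failures, First, Last
        }
}

$UseSample = $true    # set to $false on the Exchange server to read the real log
if ($UseSample) {
    # Constructed records (documentation IP ranges), shaped like Get-WinEvent output
    $records = foreach ($r in @(
            @('2015-02-13 20:14:05', '192.0.2.10'), @('2015-02-13 20:14:09', '192.0.2.10'),
            @('2015-02-13 20:14:15', '192.0.2.10'), @('2015-02-13 21:02:41', '198.51.100.7'))) {
        New-Object PSObject -Property @{
            TimeCreated = [datetime]$r[0]
            Properties  = @('LogonDenied', 'Default SERV025', 'Ntlm', $r[1] |
                ForEach-Object { New-Object PSObject -Property @{ Value = $_ } })
        }
    }
} else {
    $records = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MSExchangeTransport'
        Id = 1035; StartTime = (Get-Date).AddDays(-1) }
}
# Assumption: only sources with 3 or more failures are worth reviewing; one-offs are dropped
Get-LogonDeniedSummary -Records $records -Threshold 3 | Format-Table -AutoSize
```

To mail the result, pipe the table through `Out-String` and pass it as the `-Body` of `Send-MailMessage` from a daily scheduled task. With the constructed sample only the source that failed three times is listed.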