Exchange Messages not reaching the user


We use a McAfee SaaS mail filter that shows messages being delivered to an end user but Exchange 2013 simply has no record of it in message tracking. The Exchange 2013 Malware Filter is uninstalled. Where do I go from here to figure out why messages are simply not showing up?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Simon Butler (Sembee)ConsultantCommented:
If the message is not in Message Tracking, then it didn't reach Exchange, simple as that. I believe message tracking over everything else.

Your mail filter cannot show the message being delivered to the user, but being delivered to the server.

Enable logging on the Receive Connectors to see whether Exchange rejected the message.

jeffersonnunnAuthor Commented:
It shows as received.

2015-06-08T21:44:24.144Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,25,,,*,
2015-06-08T21:44:24.222Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,26,,,*,,"TLS protocol SP_PROT_TLS1_0_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA1 with strength 160 bits and key exchange algorithm CALG_RSA_KEYX with strength 2048 bits"
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,27,,,<,EHLO,
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,28,,,*,,Client certificate chain validation status: 'EmptyCertificate'
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,29,,,*,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,30,,,*,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,31,,,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,32,,,>,250-Hello [],
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,33,,,>,250-SIZE 104857600,
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,34,,,>,250-PIPELINING,
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,35,,,>,250-DSN,
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,36,,,>,250-ENHANCEDSTATUSCODES,
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,37,,,>,250-AUTH NTLM LOGIN,
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,38,,,>,250-X-EXPS GSSAPI NTLM,
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,39,,,>,250-8BITMIME,
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,40,,,>,250-BINARYMIME,
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,41,,,>,250-CHUNKING,
2015-06-08T21:44:24.253Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,42,,,>,250 XRDST,
2015-06-08T21:44:24.300Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,43,,,<,MAIL FROM:<>,
2015-06-08T21:44:24.300Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,44,,,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2015-06-08T21:44:24.300Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,45,,,*,08D264C05233B2F7;2015-06-08T21:44:24.066Z;1,receiving message
2015-06-08T21:44:24.300Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,46,,,>,250 2.1.0 Sender OK,
2015-06-08T21:44:24.331Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,47,,,<,RCPT TO:<>,
2015-06-08T21:44:24.331Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,48,,,>,250 2.1.5 Recipient OK,
2015-06-08T21:44:24.363Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,49,,,<,DATA,
2015-06-08T21:44:24.363Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,50,,,>,354 Start mail input; end with <CRLF>.<CRLF>,
2015-06-08T21:44:24.566Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,51,,,*,,Proxy destination(s) obtained from OnProxyInboundMessage event
2015-06-08T21:44:24.769Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,52,,,>,"250 2.6.0 <E9A43BD6F639DE4BAAAB8BD1CD0CE4BD607843E6@exch10-mb1.ccbill-hq.local> [InternalId=7816840478924, Hostname=myhost.mydomain.local] Queued mail for delivery",
2015-06-08T21:44:24.800Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,53,,,<,QUIT,
2015-06-08T21:44:24.800Z,MAIL\Default Frontend MAIL,08D264C05233B2F7,54,,,>,221 2.0.0 Service closing transmission channel,

Open in new window

Simon Butler (Sembee)ConsultantCommented:
Does message tracking show other messages being received correctly?
AV software have the correct exclusions in it?

Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

jeffersonnunnAuthor Commented:

The message tracking does show other messages being received just fine. In fact, the McAfee SaaS Inbound Email shows that our mail server properly received all the messages. For some reason, the message documented above was not received. I do not know the reason and this is what I'm trying to find out. To Wit:

McAfee Cloud Email Filter -> Received, Processed, Delivered to Exchange Server
SMTP Transport Log -> Received
Message Tracking -> Shows Received

McAfee Cloud Email Filter -> Received, Processed, Delivered to Exchange Server
SMTP Transport Log -> Received
Message Tracking -> Not there at all

What are the steps between SMTP and Message Tracking?
Simon Butler (Sembee)ConsultantCommented:
The only thing that could get in the way between Transport and message tracking would be AV software scanning something it shouldn't be. Usually as soon as it has been received by the receive connector it hits transport and is in the message tracking logs.

jeffersonnunnAuthor Commented:

Well we did have "ESET" antivirus on there before. It has since been removed. How do I check to see if there are any random traces left behind for AV / Antispam?
jeffersonnunnAuthor Commented:
Well I n ever got a response back. I'm going to just leave it open and petition for admin support.
Simon Butler (Sembee)ConsultantCommented:
No one is paid to answer your questions, and not everyone operates in the same time zone as you.

Has the server been rebooted since the AV software was removed? Is there any other third party software installed on the server?

jeffersonnunnAuthor Commented:
Yes the server has been rebooted. There are no other third party software items on the server.
Please note my exchange experience is rather limited, however after reviewing the log sample you provided I noticed your message was "queued for delivery" however there is no "message sent status"

You might be able to verify this by checking your mail servers message queue

Veerappan SundaramSenior Technical ConsultantCommented:
If you are using "-EventID receive" with message tracking, please remove and try.
Also check your poison queue.

try checking your transport agents for any unwanted filtering/processing:
Get-TransportPipeline | Format-List

this will show all steps the message takes and may identify if ESET or any other programs have a say in the process.

other than that, go back to the SMTP logs. don't just look to see if it was received but look at more info. when you compare the ones that get through and the ones that dont, are there any differences? different sender or recipient? with or without an attachment for example.
Have you checked it's not just a specific recipient address/disty that's having an issue?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.