MCIT-Libya
POP3 not working with exchange 2016
I have two Exchange Server 2016 installed. I need to enable POP3 on ports 110 and 25; it keeps asking me for username/password even though I am giving the right info.
My Exchange is not live yet, so I am using the public IP to access it instead of the hostname.
I can telnet to both ports from the internet on 110 and 995.
The Remote Connectivity Analyzer is not allowing me to do the test, since it does not allow me to enter only the IP of the server instead of a hostname.
On the Exchange shell, if I run test-popconnectivity the following will succeed:
Test-PopConnectivity -ClientAccessServer exchange-dr -lightmode -MailboxCredential (Get-Credential)
Test-PopConnectivity -ClientAccessServer exchange-dr -lightmode -MailboxCredential (Get-Credential) -PortClientAccessServer 995
but following will fail:
Test-PopConnectivity -ClientAccessServer exchange-dr -lightmode -MailboxCredential (Get-Credential) -PortClientAccessServer 110
The error is:
Microsoft.Exchange.Monitoring.ProtocolException: Authentication failed. The connection is being closed. The handshake failed due to an unexpected packet format.Server response while making connection:[]. ---> System.IO.IOException: The handshake failed due to an unexpected packet format.
Check your settings for POP. What is LoginType set as? If SecureLogin, that would explain your issues. Remember that you're trying to go the insecure route, which I would never recommend.
check your POP settings:
get-popsettings -server yourserver| fl identity, UnencryptedOrTLSBindings, SSLBindings
that will show where you are using TLS/SSL and where you are using unencrypted connection.
Then use the relevant value for Test-PopConnectivity parameter:
-ConnectionType
The ConnectionType parameter specifies the type of connection that's used to connect to the POP3 service. Valid values are:
Plaintext
References:
https://docs.microsoft.com/en-us/powershell/module/exchange/client-access/test-popconnectivity?view=exchange-ps
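The "handshake failed due to an unexpected packet format" error quoted above is what a client sees when it starts a TLS handshake against a binding that speaks plaintext first. The following is an added example, not code from this thread or from Microsoft: the loopback stub server, the function names and the result keys are all constructed for illustration. It probes a listener without sending credentials and reports how the session is expected to start.

```python
import socket, ssl, threading

def start_stub_pop3(advertise_stls=True):
    """Constructed loopback stand-in for a plaintext/STARTTLS POP3 binding."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    caps = b"+OK\r\nUSER\r\n" + (b"STLS\r\n" if advertise_stls else b"") + b".\r\n"
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                with conn:
                    conn.sendall(b"+OK constructed POP3 stub ready\r\n")
                    if conn.recv(1024).upper().startswith(b"CAPA"):
                        conn.sendall(caps)
            except OSError:
                if srv.fileno() == -1:
                    return  # listener was closed
    threading.Thread(target=serve, daemon=True).start()
    return srv

def probe(host, port, timeout=3):
    """Report how a POP3 listener expects a session to start. Sends no credentials."""
    result = {"plaintext_greeting": False, "stls": False, "implicit_tls": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if s.recv(1024).startswith(b"+OK"):
                result["plaintext_greeting"] = True
                s.sendall(b"CAPA\r\n")  # capability list ends with a lone "."
                caps = b""
                while not caps.endswith(b".\r\n"):
                    chunk = s.recv(1024)
                    if not chunk:
                        break
                    caps += chunk
                result["stls"] = b"\r\nSTLS\r\n" in caps.upper()
    except OSError:
        pass  # silence or timeout: an implicit-TLS port waits for a ClientHello
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # classification only: a server reached by IP
    ctx.verify_mode = ssl.CERT_NONE  # cannot pass name checks; never log in this way
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw):
                result["implicit_tls"] = True
    except OSError:  # ssl.SSLError is an OSError; plaintext greeting breaks the handshake
        pass
    return result
```

Call `probe(host, port)` once per binding: a port-110 style listener reports `plaintext_greeting` true and `implicit_tls` false, which is the case where the test has to be told to use a plaintext connection. If `stls` is also false on that port, any login sent there travels unencrypted.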
ASKER
Thanks for your prompt help, following are the settings configured for POP3.
UnencryptedOrTLSBindings : {[::]:110, 0.0.0.0:110}
SSLBindings : {[::]:995, 0.0.0.0:995}
Right now, if I add -connectiontype PlainText to the test-popconnectivity command, even port 110 goes successful.
So with test-popconnectivity both ports are working, 110 with plaintext and 995 without, but still my POP client couldn't manage to connect.
If I try to connect on port 110 it keeps asking me for username/password, and if I try to connect with 995 it says that the server is not responding.
Please advise.
I suspect some sort of network/firewall issue
try this and check settings are what you expect
get-exchangeserver yourserver | get-popsettings | fl identity, UnencryptedOrTLSBindings, SSLBindings, X509certificate, logintype, InternalConnectionSettings, ExternalConnectionSettings,*banner*
Does TELNETting from the internet connect to 995? If no connection, pass the issue to whoever looks after the network. If it's you, check your firewall settings. Also, check Exchange firewall rules (they should be set up automatically to allow for incoming connections).
If you get an answer from the 995 port, try setting the ip/fqdn association in your local hosts file.
Also, note you can enable protocollog with set-popsettings to get more info about the error.
ASKER
I can telnet to port 110 successfully but cannot on 995.
I believe it is something with the Exchange server itself; I tried to telnet on the server itself but still could not manage on port 995.
Once I enable protocol logs, where can I check those logs?
In the receive connectors, do I have to add ports 110 and 995?
ASKER
After enabling protocol logging, I found this in the logs:
ErrMsg=ProxyNotAuthenticated
ASKER
I am using a wildcard certificate, is it OK?
Never met that issue
Have a look, from an elevated cmd, at your proxy settings (though they don't matter for local connections)
netsh winhttp show proxy
However, have a look at this thread and let us know any outcome you get
https://social.technet.microsoft.com/Forums/Azure/en-US/b14005e4-6416-463b-91db-a4f14620c9f2/imap-connection-failure-no-login-failed-proxynotauthenticated?forum=exchangesvrclients
it is suggested
- that X509CertificateName should be the common name of the certificate that's enabled for POP
- to check your certificates binding and login method (http://clintboessen.blogspot.com/2018/03/binding-certificate-breaks-imap-or-pop.html)
- and finally to change some keys
We finally engaged Microsoft support and we have been asked to perform the following:
1. Change the value of EnableGSSAPIAndNTLMAuth on IMAPSettings on the Exchange 2013 servers to FALSE and restart both IMAP services: Set-IMAPSettings -EnableGSSAPIAndNTLMAuth:$FALSE -Server "<name of the Exchange server>"
2. If the issue persists, change the LogOn type of the "MSExchangeIMAP4backend" service from "Network Service" to "Local System Account" on all Mailbox servers and restart the service
The issue has been resolved at step 2.
For more explanation, Microsoft suspect that the behaviour is related to the privileges of the Network Service and Local System accounts:
Local System is a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network.
Network Service account is a built-in account that has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account.
ASKER
Hi,
There is an update. My current findings are that since I have two Exchange servers (but they are on different IP subnets) and the incoming/outgoing POP3 settings I am giving are for Exchange 1, which is different for the client, Exchange 1 forwards that request to Exchange 2 and both servers are having an issue while communicating because of some SSL issue.
I shut down the other Exchange, and now I can log on to the incoming server successfully. But for outgoing, if I use port 2525 it's working fine, but I need to have 25 and 465 working. Both of them are not working. For port 25 it keeps asking for the password and for 465 it is giving me an encryption setting error.
I have attached pics of my settings on 25 and 465. On port 2525 it's working fine, but I have to make it work on 25 and 465.
Please advise
set1.jpg
set2.jpg
ASKER
Also, after turning off Exchange 2, I have lost access to ECP and OWA. It gives me an HTTP 503 error.
If I enter https://mymailserver/ecp/?exchclientver=15 instead of just https://mymailserver/ecp it works fine,
but OWA is not working at all. I have already tried to fix the bindings of the certificate to Microsoft Exchange but nothing happened.
ASKER
So the final conclusion is that as soon as I turn off Exchange 2, everything, POP3 and OWA/ECP, is working fine, but as soon as I switch that server ON things stop.
Any ideas what I should do for this?
You have a custom setup which is not working and that is dependent both on your network setup and on the people who did that setup. For one, you should not have SSL issues when proxying between Exchange servers, and you should not use port 2525 to send emails. Chances are that troubleshooting your setup would be lengthy and would involve your network team. Try to understand why your Exchange was set up the way it is and come back.
ASKER
Well, this is a fresh installation of Exchange. The Exchange servers are physically at different sites, connected together using a site-to-site VPN.
That's why their network range is different.
I want to make sure that when Exchange 2 stops, Exchange 1 keeps working.
Now POP3 works fine, but only if Exchange 2 is online also. If that Exchange stops, then POP3 and OWA both stop even on the other server.
How can I check this dependency and fix it?
https://docs.microsoft.com/en-us/exchange/clients/pop3-and-imap4/configure-pop3
?
I think it is not possible to use IP address instead of FQDN of your server, but you can add FQDN to the hosts file on client:
c:\Windows\System32\driver