Exchange Server - Exchange Blocking Some External Emails

Asked By Lizza

20-Nov-09 12:14 PM

I have a server running Exchange 2007. Some external emails are being blocked. The senders receive the following email:



Your message could not be delivered for 0 days, 12 hours, 0 minutes.

It will be retried until it is 5 days, 0 hours, 0 minutes old.



For further assistance, please send mail to <postmaster>



If you do so, please include this problem report. You can delete your own text from the attached returned message.








I'm new to exchange..Could you please provide with some guidance on how to start troubleshooting/fixing this error.



Thanks for any help.

Exchange Setup Discussions

SMTPAcceptAuthoritativeDomainSender
(1)

SMTPAcceptAnySender
(1)

SMTPSubmit
(1)

AcceptRoutingHeaders
(1)

Report
(1)

SMTP
(1)

D360000000000000000000000000000000003683
(1)

E2D200000000000000000000000000000008D815
(1)

Lizza A replied to Lizza

20-Nov-09 02:27 PM

Sorry, I didnt copy the Diagnostic Code



Diagnostic-Code: smtp; 451 4.4.2 [internal] send HELO/EHLO failed

Ed Crowley [MVP] replied to Lizza A

20-Nov-09 03:45 PM

You can turn up protocol logging and then search the logs for the attempts
that fail.

Are these inbound or outbound messages you are talking about?
--
Ed Crowley MVP
.

Lizza A replied to Ed Crowley [MVP]

23-Nov-09 01:16 PM

Thanks for the reply.  The messages being blocked are inbound messages, but only the messages from certain domains are being blocked.



I enabled the protocol logging like you recomended and this is what I get, when Im send a message from the blocked domain...





2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,0,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,+,,

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,1,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,2,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,>,"220 www.mydomain.com Microsoft ESMTP MAIL Service ready at Mon, 23 Nov 2009 08:47:41 -0500",

2009-11-23T13:47:41.C,MyMailServer\Pipeline-internet,08C0000000000008,3,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,<,EHLO this.mail.istheblocked.domain,

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,4,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,>,250-www.mydomain.com Hello [100.00.000.00],

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,5,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,>,250-SIZE 52428800,

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,6,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,>,250-PIPELINING,

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,7,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,>,250-DSN,

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,8,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,>,250-ENHANCEDSTATUSCODES,

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,9,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,>,250-STARTTLS,

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,10,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,>,250-AUTH LOGIN,

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,11,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,>,250-8BITMIME,

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,12,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,>,250-BINARYMIME,

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,13,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,>,250 CHUNKING,

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,14,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,<,STARTTLS,

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,15,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,>,220 2.0.0 SMTP server ready,

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,16,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,*,,Sending certificate

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,17,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,*,"CN=www.mydomain.com, DC=mydomain, DC=knox",Certificate subject

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,18,214.69.182.00:25,XXX.XX.XXX.XX:58117,*,"CN=www.mydomain.com, DC=mydomain, DC=knox",Certificate issuer name

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,19,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,*,XXXXXXXXXXXXXXXXXXXXXXXXXX,Certificate serial number

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,20,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,*,XXXXXXXXXXXXXXXXXXXXXXXXXX,Certificate thumbprint

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,21,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,*,www.mydomain.com,Certificate alternate names

2009-11-23T13:47:41.XXXX,MyMailServer\Pipeline-internet,08CC00000000000B8,22,XXX.XX.XXX.XX:25,XXX.XX.XXX.XX:58117,-,,Local

lizza replied to Ed Crowley [MVP]

30-Nov-09 01:44 PM

I ran the get-exchangecertificate and this is what I got ... The first
certificate (third party) listed is the one I had installed for OWA  and the
last one (self signed)  is the one that appears on the log I had posted
previously ... Can I use the same cert for both? SMTP and OWA ?

[PS] C:\Documents and Settings\Administrator.DOMAIN>get-exchangecertificate

Thumbprint                                Services   Subject
----------                                --------   -------
34480000000000000000000000000000000C0C10  .IP.W      CN=www.mydomain.com,
OU=...
***  THIS CERTIFICATE IS A THIRD PARTY CERT AND IS INSTALLED FOR OWA
7891000000000000000000000000000000014D2E  .....      CN=www.mydomain.com
6D5300000000000000000000000000000005D421  .IP..      CN=servername, OU=Go to
ht...
9DC200000000000000000000000000000009E593  .....      CN=www.mydomain.com,
OU=...
1D0000000000000000000000000000000008FE12  .....      CN=www.mydomain.com,
OU=...
59A000000000000000000000000000000000E187  .....      CN=www.mydomain.com,
OU=...
D360000000000000000000000000000000003683  .IP..      CN=servername, OU=Go to
ht...
5EE00000000000000000000000000000000DD03F  S....
CN=servername.mydomain.knox...
3F300000000000000000000000000000000584B6  SIP..      CN=servername, OU=Go to
ht...
E2D200000000000000000000000000000008D815  S....      CN=www.mydomain.com,
DC=...
***  THIS IS THE CERT THAT IS DISPLAYED IN THE PROTOCOL LOG I HAD SENT  YOU
BEFORE

lizza replied to Ed Crowley [MVP]

30-Nov-09 04:29 PM

I enable the certificate for SMTP and it worked. Thanks a lot for your help I
really apreciate it.  One last question...why it blocked only some domains
and I was still able to receive emails from other domains (ie hotmail, gmail,
etc)  ?

Thanks again

Ed Crowley [MVP] replied to lizza

30-Nov-09 10:59 PM

You have a lot of certificates there.  You might want to go through them,
figure out which ones are valid, and delete the rest.

To your question, my guess would be that Hotmail, Gmail, etc. do not try to
use TLS so the certificate does not matter.
--
Ed Crowley MVP
.

Previous Discussion: Upgrade Custom email address policy address list

4.7.0 Timeout waiting for client input Exchange Server

receive connector myserver, 08CA51E4179C05C2, 1, xx.xx.xx.xx:25, 203.91.198.75:28664, *, SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders, Set Session Permissions 2008-03-18T07:02:47.218Z, myserver \ Default internal receive receive connector myserver, 08CA51E4179C05C2, 1, xx.xx.xx.xx:25, 203.91.198.75:28664, *, SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders, Set Session Permissions 2008-03-18T07:02:47.218Z, myserver \ Default internal receive my own, and not those of anyone associated with me. Exchange Admin Discussions SMTPAcceptAuthoritativeDomainSender (1) SMTPAcceptAnySender (1) SMTPSubmit (1) AcceptRoutingHeaders (1) ConnectionTimeout (1) ReceiveConnector (1) Identity (1) Abdulla (1) Try increasing your connector

421 4.4.1 Connection timed out Exchange Server

CTLMAIL01 \ Default CTLMAIL01, 08BB4878E631167F, 1, 192.168.10.5:25, 195.125.160.5:52588, *, SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders, Set Session Permissions 2010-02-22T02:57:32.211Z, CTLMAIL01 \ Default CTLMAIL01, 08BB4878E631167F 168.10.5:25, 195.125.160.5:52588, -, , Remote Exchange Admin Discussions SMTPAcceptAuthoritativeDomainSender (1) SMTPAcceptAnySender (1) SMTPSubmit (1) AcceptRoutingHeaders (1) SMTP (1) Sender (1) Luo (1) ENHANCEDSTATUSCODES (1) Do you have anything

Edge Transport Server Exchange Server

dbxchangeEdge \ Outbound-Connector, 08CA604EDD1A6A7C, 2, 192.168.0.12:25, 10.0.5.238:48594, *, SMTPSubmit SMTPAcceptAnyRecipient SMTPAcceptAuthenticationFlag SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender BypassAntiSpam BypassMessageSizeLimit SMTPAcceptEXCH50 AcceptRoutingHeaders, Set Session Permissions 2008-03-30T08:41:16.203Z, dbxchangeEdge

Exchange 2007SP1 Hub Transport Receive Connector Problem Exchange Server

response> , 2008-01-24T11:58:01.448Z, HUBSERVER \ TestClient, 08CA2C977295CA87, 21, SERVERIP:587, CLIENTIP:1938, *, SMTPSubmit SMTPAcceptAnyRecipient SMTPAcceptAuthoritativeDomainSender BypassAntiSpam AcceptRoutingHeaders, Set Session Permissions 2008-01-24T11:58:01.448Z, HUBSERVER \ TestClient Setup Discussions HUBSERVER.domain.local (1) SMTPAcceptAuthoritativeDomainSender (1) SMTPAcceptAnyRecipient (1) Exchange Server (1) Outlook (1) SMTPSubmit (1) AcceptRoutingHeaders (1) BypassAntiSpam (1) Hi, Did you configure the client to authenticate? Leif Yes