Edge AntiSpam mail flow to Quarantine Mailbox

  • Question

  • Hi,

    Since we've migrated from Exchange 2010 (Edge + Mailbox Server) to Exchange 2016 (Edge + Mailbox Server) the Edge server is unable to deliver SPAM messages to SPAM Quarantine Mailbox.

    Error received:

    Source                  : SMTP
    EventId                 : FAIL

    RecipientStatus         : {[{LRT=5/16/2016 4:23:23 PM};{LED=550 5.7.53 SMTP; Command not authorized in current state};{FQDN=<Mailbox Server IP Address>};{IP=<Mailbox Server IP Address>}]}

    I've searched the internet for this error but no luck...

    Any ideas?

    Monday, May 16, 2016 5:06 PM

Answers

  • After a long period of tests we've found a workaround for this issue.

    The definition of the address spaces on the send connector created by Edge subscription from Outside to my organization was something like this:

    Type;Domain;Cost;
    smtp;<my domain>;100;

    If I change <my domain> to the default "--" (all accepted domains) it works fine!

    The Microsoft case is still open to evaluate and identify whether this is a bug or not.

    • Marked as answer by Fernando MGR Wednesday, August 10, 2016 9:14 AM
    Wednesday, August 10, 2016 9:14 AM

All replies

  • I have same problem
    Monday, May 16, 2016 5:10 PM
  • Hi Fernando, 

    Welcome to our forum.

    Is there any other A/V software in the organization?

    Are there any other applications installed on the Exchange Edge server?

    Please make sure you have configured spam quarantine mailbox by the following link:

    https://technet.microsoft.com/en-us/library/bb123746(v=exchg.160).aspx 

    If spam quarantine mailbox has been configured, please refer to the following link to troubleshoot:

    1. Make sure the antispam features are enabled: https://technet.microsoft.com/en-us/library/bb201691(v=exchg.160).aspx
    2. Check if the content filter is enabled: Get-ContentFilterConfig | Format-List Enabled
    3. Check the value for the SCL quarantine threshold

    Best Regards,

    Jim Xu


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Jim Xu
    TechNet Community Support

    Tuesday, May 17, 2016 9:44 AM
  • Thank you Jim for your reply.

    The only AV we use is SCEP, no other 3rd party AV software in the Organization. Also no other software besides Exchange Edge 2016 Server is installed on our Edge.

    The spam quarantine mailbox exists and it was working with our old Exchange 2010 servers (Edge+Mailbox).

    The Transport Agents are enabled.

    [PS] C:\>Get-TransportAgent

    Identity                                           Enabled         Priority
    --------                                           -------         --------
    Connection Filtering Agent                         True            1
    Address Rewriting Inbound Agent                    True            2
    Edge Rule Agent                                    True            3
    Content Filter Agent                               True            4
    Sender Id Agent                                    True            5
    Sender Filter Agent                                True            6
    Recipient Filter Agent                             True            7
    Protocol Analysis Agent                            True            8
    Attachment Filtering Agent                         True            9
    Address Rewriting Outbound Agent                   True            10

    The Content Filter is enabled and configured

    [PS] C:\>Get-ContentFilterConfig | Format-List Enabled

    Enabled : True

    [PS] C:\>Get-ContentFilterConfig


    Name                                  : ContentFilterConfig
    RejectionResponse                     : Server rejected your message as spam by Content Filtering.
    OutlookEmailPostmarkValidationEnabled : True
    BypassedRecipients                    : {}
    QuarantineMailbox                     : spam.quarantine@<MyDomain>
    SCLRejectThreshold                    : 7
    SCLRejectEnabled                      : False
    SCLDeleteThreshold                    : 9
    SCLDeleteEnabled                      : False
    SCLQuarantineThreshold                : 7
    SCLQuarantineEnabled                  : True
    BypassedSenders                       : {}
    BypassedSenderDomains                 : {}
    Enabled                               : True
    ExternalMailEnabled                   : True
    InternalMailEnabled                   : False
    AdminDisplayName                      :
    ExchangeVersion                       : 0.1 (8.0.535.0)
    DistinguishedName                     : CN=ContentFilterConfig,CN=Message Hygiene,CN=Transport Settings,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,CN={C8588207-0E3D-42D9-B301-3DAA8AFF5797}
    Identity                              : ContentFilterConfig
    Guid                                  : 7cff7013-2346-422d-86aa-e283c7e8ee8f
    ObjectCategory                        : CN=ms-Exch-Message-Hygiene-Content-Filter-Config,CN=Schema,CN=Configuration,CN={C8588207-0E3D-42D9-B301-3DAA8AFF5797}
    ObjectClass                           : {top, msExchAgent, msExchMessageHygieneContentFilterConfig}
    WhenChanged                           : 5/16/2016 4:05:21 PM
    WhenCreated                           : 3/10/2016 3:52:11 PM
    WhenChangedUTC                        : 5/16/2016 3:05:21 PM
    WhenCreatedUTC                        : 3/10/2016 3:52:11 PM
    OrganizationId                        :
    Id                                    : ContentFilterConfig
    OriginatingServer                     : localhost
    IsValid                               : True
    ObjectState                           : Unchanged

    Here is the agent log:

    Timestamp               : 5/17/2016 9:39:41 AM
    ClientIp                :
    ClientHostname          :
    ServerIp                :
    ServerHostname          : <MyEdgeServer>
    SourceContext           : Quarantine
    ConnectorId             :
    Source                  : DSN
    EventId                 : DSN
    InternalMessageId       : 6983616823427
    MessageId               : <25056246861230.851kgo82701gn@gmacdonalddds.com>
    NetworkMessageId        : b1367d6a-b307-460f-efe3-08d37e2eca57
    Recipients              : {spam.quarantine@<MyDomain>}
    RecipientStatus         : {}
    TotalBytes              : 24031
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               : {<25056246861230.851kgo82701gn@gmacdonalddds.com>}
    MessageSubject          : Undeliverable: Spam Pfizer's caplet for me that want more.
    Sender                  : postmaster@<MyDomain>
    ReturnPath              : <>
    Directionality          : Originating
    TenantId                :
    OriginalClientIp        :
    MessageInfo             : <Hayes_Lynnette@cnahfs.com],
                              [AccountForest, localhost]}
    TransportTrafficType    : Email

    Timestamp               : 5/17/2016 9:39:46 AM
    ClientIp                :
    ClientHostname          :
    ServerIp                :
    ServerHostname          : <MyEdgeServer>
    SourceContext           :
    ConnectorId             :
    Source                  : DSN
    EventId                 : BADMAIL
    InternalMessageId       : 6983616823427
    MessageId               : <25056246861230.851kgo82701gn@gmacdonalddds.com>
    NetworkMessageId        : b1367d6a-b307-460f-efe3-08d37e2eca57
    Recipients              : {spam.quarantine@<MyDomain>}
    RecipientStatus         : {}
    TotalBytes              : 24031
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               :
    MessageSubject          : Undeliverable: Spam Pfizer's caplet for me that want more.
    Sender                  : postmaster@<MyDomain>
    ReturnPath              : <>
    Directionality          : Originating
    TenantId                :
    OriginalClientIp        :
    MessageInfo             :
    MessageLatency          :
    MessageLatencyType      : None
    EventData               : {[BadmailReason, NDRing a mail recipient that requires a DSN], [DeliveryPriority, Normal],
                              [OriginalFromAddress, Hayes_Lynnette@cnahfs.com], [AccountForest, localhost]}
    TransportTrafficType    : Email

    Timestamp               : 5/17/2016 9:39:46 AM
    ClientIp                : <MyEdgeServerIPAddress>
    ClientHostname          : <MyEdgeServer>
    ServerIp                : <MyMailboxServerIPAddress>
    ServerHostname          : <MyMailboxServerIPAddress>
    SourceContext           :
    ConnectorId             : EdgeSync - Inbound to FirstSite
    Source                  : SMTP
    EventId                 : FAIL
    InternalMessageId       : 6983616823427
    MessageId               : <25056246861230.851kgo82701gn@gmacdonalddds.com>
    NetworkMessageId        : b1367d6a-b307-460f-efe3-08d37e2eca57
    Recipients              : {spam.quarantine@<MyDomain>}
    RecipientStatus         : {[{LRT=5/17/2016 8:39:41 AM};{LED=550 5.7.53 SMTP; Command not authorized in current state};{FQDN=<MyMailboxServerIPAddress>};{IP=<MyMailboxServerIPAddress>}]}
    TotalBytes              : 24031
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               :
    MessageSubject          : Undeliverable: Spam Pfizer's caplet for me that want more.
    Sender                  : postmaster@<MyDomain>
    ReturnPath              : <>
    Directionality          : Originating
    TenantId                :
    OriginalClientIp        :
    MessageInfo             : 2016-05-17T08:39:41.772Z;SRV=<MyEdgeServer>:TOTAL-EDGE=5.065|UTH=0.002|DSN=0.005|CAT=0.002|
                              SMSC=0.027|SMS=5.016
    MessageLatency          :
    MessageLatencyType      : None
    EventData               : {[E2ELatency, 5.049], [ExternalSendLatency, 0.000], [ToEntity, Unknown], [FromEntity,
                              Hosted], [ToEntity, Internet], [FromEntity, Hosted],
                              [Microsoft.Exchange.Transport.MailRecipient.RequiredTlsAuthLevel, Opportunistic],
                              [DeliveryPriority, Normal], [OriginalFromAddress, Hayes_Lynnette@cnahfs.com],
                              [AccountForest, localhost]}
    TransportTrafficType    : Email

    Hope you can help me.

    Best regards,

    Fernando

    Tuesday, May 17, 2016 10:17 AM
  • Hi Fernando,

    Please post the “Header information” of this specific message to us for troubleshooting.

    For this issue, we also suggest you do the following steps for troubleshooting:

    1. Restart the “Microsoft Exchange Transport” service on the Edge server
    2. Rebuild the Windows profile on the Exchange 2016 Edge server

    Best Regards,

    Jim Xu

    TechNet Community Support

    Thursday, May 19, 2016 12:55 AM
  • Hi Jim,

    The NDR is discarded as soon as it fails to deliver the NDR.

    I've already restarted the service and the Server also and no luck.

    After searching the logs I've noticed that the problem isn't with AntiSpam and the delivering of the NDR to the SPAM Quarantine mailbox.

    The problem is with all NDRs generated by the Edge server that aren't delivered to the organization with this same error: "BadmailReason, NDRing a mail recipient that requires a DSN" and "550 5.7.53 SMTP; Command not authorized in current state".

    I will open a case in Microsoft to see if they can help me sorting this out.

    Thank you for your help and if you have any more ideas please share!

    Best Regards,

    Fernando

    Friday, May 20, 2016 8:35 AM
  • I'm still waiting for Microsoft support, as they wanted to apply the CU2 for Exchange Server, but this didn't solve the problem either...

    I'll get back here as soon as I have more news...

    Tuesday, July 5, 2016 4:57 PM
  • Hi, where did you get the error log?

    I have the same issue as this.

    Saturday, October 6, 2018 4:18 PM
  • How can I collect an error log like this?

    timestamp               : 5/17/2016 9:39:41 AM

    ClientIp                :
    ClientHostname          :
    ServerIp                :
    ServerHostname          : <MyEdgeServer>
    SourceContext           : Quarantine
    ConnectorId             :
    Source                  : DSN
    EventId                 : DSN
    InternalMessageId       : 6983616823427
    MessageId               : <25056246861230.851kgo82701gn@gmacdonalddds.com>
    NetworkMessageId        : b1367d6a-b307-460f-efe3-08d37e2eca57
    Recipients              : {spam.quarantine@<MyDomain>}

    Saturday, October 6, 2018 5:59 PM
  • Hi Deby IT.

    Check the message tracking logs on your servers.

    The default path to their physical location is %ExchangeInstallPath%TransportRoles\Logs\MessageTracking.

    If it helps to understand the content of the log files:

    https://docs.microsoft.com/en-us/Exchange/mail-flow/transport-logs/message-tracking?view=exchserver-2019

    Best regards,

    Fernando

    Tuesday, October 9, 2018 10:28 PM
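
One way to reduce message tracking output to the failure chain quoted in this thread, as an added example that is not code posted by any participant. `Get-DeliveryFailure` is a hypothetical helper name, and the sample events and the `example.com` recipient are constructed from the values shown above so the block runs without an Exchange server.

```powershell
# Added example. Get-DeliveryFailure is a hypothetical helper, not an Exchange cmdlet.
# It groups tracking events by InternalMessageId and, for every message whose chain
# contains an SMTP FAIL, reports the connector and the remote SMTP response (LED=...).
function Get-DeliveryFailure {
    param([Parameter(ValueFromPipeline = $true)] $InputObject)
    begin   { $all = @() }
    process { $all += $InputObject }
    end {
        $all | Group-Object InternalMessageId | ForEach-Object {
            $fail = $_.Group |
                Where-Object { $_.Source -eq 'SMTP' -and $_.EventId -eq 'FAIL' } |
                Select-Object -First 1
            if (-not $fail) { return }   # no SMTP failure for this message, skip it

            # RecipientStatus holds the last error detail as {LED=<smtp response>}
            $led = $null
            if (($fail.RecipientStatus -join ' ') -match 'LED=([^}]+)') {
                $led = $Matches[1].Trim()
            }
            $events = $_.Group | Sort-Object Timestamp |
                ForEach-Object { "$($_.Source)/$($_.EventId)" }

            [pscustomobject]@{
                InternalMessageId = $_.Name
                Recipients        = $fail.Recipients -join ','
                ConnectorId       = $fail.ConnectorId
                SmtpResponse      = $led
                Events            = $events -join ', '
            }
        }
    }
}

# Constructed sample: three events shaped like the records quoted in the thread.
$rcpt = 'spam.quarantine@example.com'
$led  = '{[{LRT=5/17/2016 8:39:41 AM};{LED=550 5.7.53 SMTP; Command not authorized in current state}]}'
$sample = @(
    [pscustomobject]@{ Timestamp = [datetime]'2016-05-17T09:39:41'; Source = 'DSN'; EventId = 'DSN'; InternalMessageId = 6983616823427; ConnectorId = ''; Recipients = @($rcpt); RecipientStatus = @() }
    [pscustomobject]@{ Timestamp = [datetime]'2016-05-17T09:39:46'; Source = 'DSN'; EventId = 'BADMAIL'; InternalMessageId = 6983616823427; ConnectorId = ''; Recipients = @($rcpt); RecipientStatus = @() }
    [pscustomobject]@{ Timestamp = [datetime]'2016-05-17T09:39:46'; Source = 'SMTP'; EventId = 'FAIL'; InternalMessageId = 6983616823427; ConnectorId = 'EdgeSync - Inbound to FirstSite'; Recipients = @($rcpt); RecipientStatus = @($led) }
)
$sample | Get-DeliveryFailure | Format-List

# On the Edge server, feed it real tracking data instead of $sample, for example:
# Get-MessageTrackingLog -Recipients $rcpt -Start (Get-Date).AddHours(-1) -ResultSize Unlimited | Get-DeliveryFailure
```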