Exchange 2003 giving occasional NDR's

  • Question

  • We have an Exchange 2003 Server awaiting a migration to 2013.

    Before we can migrate we need to find out the reason for some occasional mail, sending NDR's to a sender of email. The mail that generates an NDR, will 'leak through' to the recipients with no listed names in the To and no subject. 

    The funny thing is, in the Exchange tracking log, I can see the mail inbound, accepted and delivery started, but then you see the NDR being sent out.

    On the protocol logs on the Exchange server I am not seeing any issues.

    On the protocol logs on the Edge Server again, I am not seeing any issues.

    Not too sure where to go to next, or what to log next to find the issue.

    Logs, email headers etc following.

    Email header from mail that leaked through and NDR created.

    Microsoft Mail Internet Headers Version 2.0

    Received: from edge1.ReceiverDomain.com ([ReceiverDomainIP]) by mail.ReceiverDomain.com with Microsoft SMTPSVC(6.0.3790.1830);

    Received: from edge1.ReceiverDomain.com ([ReceiverDomainIP]) by mail.ReceiverDomain.com with Microsoft SMTPSVC(6.0.3790.1830);

                    Tue, 1 Oct 2013 15:59:26 +0100

    Content-Type: text/html; charset="us-ascii"

    Content-Transfer-Encoding: quoted-printable

    X-WatchGuard-AntiVirus: part scanned. clean action=allow

    From: SenderofEmail@SenderDomain.com

    Bcc:

    Return-Path: SenderofEmail@SenderDomain.com

    Message-ID: <MAIL1WE1QDNbntj069R000006e1@mail.ReceiverDomain.com>

    X-OriginalArrivalTime: 01 Oct 2013 14:59:26.0825 (UTC) FILETIME=[D2ADBD90:01CEBEB6]

    Date: 1 Oct 2013 15:59:26 +0100

    Email header from accepted email

    Microsoft Mail Internet Headers Version 2.0
    Received: from edge1.ReceiverDomain.com ([ReceiverDomainIP]) by mail.ReceiverDomain.com with Microsoft SMTPSVC(6.0.3790.1830);
                    Tue, 1 Oct 2013 16:01:04 +0100
    Received: from SENDERINTMAIL.prod.ds.SenderDomain.com (SenderDomainIP) by
    edge1.ReceiverDomain.com (ReceiverDomainIP) with Microsoft SMTP Server (TLS) id
    8.1.436.0; Tue, 1 Oct 2013 16:00:58 +0100
    Received: from SENDERINT2.prod.ds.SenderDomain.com ([169.254.1.152]) by
    SENDERINTMAIL.prod.ds.SenderDomain.com ([169.254.2.131]) with mapi id
    14.02.0298.004; Tue, 1 Oct 2013 16:01:00 +0100
    From: "Sender, of Email" <SenderofEmail@SenderDomain.com>
    To: "Sender, of Email" <SenderofEmail@SenderDomain.com>, Receiver1
                    <receiver1@ReceiverDomain.com>, "Receiver2" <Receiver2@SenderDomain.com>
    CC: SenderDomainFactsheets <SenderDomainFactsheets@ReceiverDomain.com>, Receiver3
                    <receiver3@ReceiverDomain.com>, Receiver4<receiver4@ReceiverDomain.com>
    Subject: RE: Subject line
    Thread-Topic: Subject line
    Thread-Index: Ac6+lzKxFtHC6ZksQlSoTTK2f8AezQAD2bEQAAFJwVAAARDjsAABYWnAAABGLHAAABXhwA==
    Date: Tue, 1 Oct 2013 15:00:59 +0000
    Message-ID: <4C2FB0C9647B0140A70CEEA1B0F99FCA091F15B1@SENDERINT2.prod.ds.SenderDomain.com>
    References: <7E790EB4ACD8134198784853E07E68A204CBABE2@mail1.ReceiverDomain.local>
    <4C2FB0C9647B0140A70CEEA1B0F99FCA091F1367@SENDERINT2.prod.ds.SenderDomain.com>
    <7E790EB4ACD8134198784853E07E68A204CBAD14@mail1.ReceiverDomain.local>
    <4C2FB0C9647B0140A70CEEA1B0F99FCA091F14A7@SENDERINT2.prod.ds.SenderDomain.com>
    <7E790EB4ACD8134198784853E07E68A204CBAD7E@mail1.ReceiverDomain.local> 
    Accept-Language: en-US
    Content-Language: en-US
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    x-originating-ip: [SenderIntIP2]
    Content-Type: multipart/alternative;
                    boundary="_000_4C2FB0C9647B0140A70CEEA1B0F99FCA091F15B1LONEXH002PAprod_"
    MIME-Version: 1.0
    Return-Path: SenderofEmail@SenderDomain.com
    Received-SPF: Pass (edge1.ReceiverDomain.com: domain of SenderofEmail@SenderDomain.com
    designates SenderDomainIP as permitted sender)
    receiver=edge1.ReceiverDomain.com; client-ip=SenderDomainIP;
    helo=SENDERINTMAIL.prod.ds.SenderDomain.com;
    X-WatchGuard-Spam-ID: str=0001.0A0B0204.524AE3AE.00B3,ss=1,re=0.000,fgs=0
    X-WatchGuard-Spam-Score: 0, clean; 0, no virus
    X-WatchGuard-Mail-Client-IP: 169.254.1.152
    X-WatchGuard-Mail-From: SenderofEmail@SenderDomain.com
    X-WatchGuard-Mail-Recipients: receiver3@ReceiverDomain.com;receiver4@ReceiverDomain.com;receiver1@ReceiverDomain.com;SenderDomainFactsheets@ReceiverDomain.com
    X-OriginalArrivalTime: 01 Oct 2013 15:01:04.0215 (UTC) FILETIME=[0CBA4670:01CEBEB7]

    --_000_4C2FB0C9647B0140A70CEEA1B0F99FCA091F15B1LONEXH002PAprod_
    Content-Type: text/plain; charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    X-WatchGuard-AntiVirus: part scanned. clean action=allow

    --_000_4C2FB0C9647B0140A70CEEA1B0F99FCA091F15B1LONEXH002PAprod_
    Content-Type: text/html; charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    X-WatchGuard-AntiVirus: part scanned. clean action=allow


    --_000_4C2FB0C9647B0140A70CEEA1B0F99FCA091F15B1LONEXH002PAprod_--

    Exchange 2003 Tracking log

    Logs from Edge Server for the emails, both the received email that generated the NDR and the email that was resent and received in full


    Timestamp               : 01/10/2013 15:46:49
    ClientIp                : SenderDomainIP
    ClientHostname          : 
    ServerIp                : ReceiverDomainIP
    ServerHostname          : edge1
    SourceContext           : 08D0891A81DE4619;2013-10-01T14:46:48.159Z;0
    ConnectorId             : edge1\Default internal receive connector EDGE1
    Source                  : SMTP
    EventId                 : RECEIVE
    InternalMessageId       : 1348948
    MessageId               : <4C2FB0C9647B0140A70CEEA1B0F99FCA091F1559@internalmail2.prod.ds.SenderDomain.com>
    Recipients              : {receiver1@ReceiverDomain.com, SenderDomainFactsheets@receiverdomain.com, receiver3@ReceiverDomain.com, receiver4@receiverdomain.com}
    RecipientStatus         : {}
    TotalBytes              : 48832
    RecipientCount          : 4
    RelatedRecipientAddress : 
    Reference               : 
    MessageSubject          : RE: Subject line
    Sender                  : SenderofEmail@SenderDomain.com
    ReturnPath              : SenderofEmail@SenderDomain.com
    MessageInfo             : 00A:


    Timestamp               : 01/10/2013 15:46:49
    ClientIp                : ReceiverDomainIP
    ClientHostname          : edge1
    ServerIp                : 10.0.0.164
    ServerHostname          : 
    SourceContext           : 08D0891A81DE461A
    ConnectorId             : sendToExchange2003
    Source                  : SMTP
    EventId                 : SEND
    InternalMessageId       : 1348948
    MessageId               : <4C2FB0C9647B0140A70CEEA1B0F99FCA091F1559@senderintemail1.prod.ds.SenderDomain.com>
    Recipients              : {receiver3@ReceiverDomain.com, receiver4@ReceiverDomain.com, receiver1@ReceiverDomain.com, SenderDomainFactsheets@senderdomain.com}
    RecipientStatus         : {250 2.1.5 receiver3@ReceiverDomain.com , 250 2.1.5 receiver2@ReceiverDomain.com , 250 2.1.5 receiver1@recipientdomain.com , 250 2.1.5 SenderDomainFactsheets@ReceiverDomain.com }
    TotalBytes              : 48832
    RecipientCount          : 4
    RelatedRecipientAddress : 
    Reference               : {, , , }
    MessageSubject          : RE: Subject line
    Sender                  : SenderofEmail@SenderDomain.com
    ReturnPath              : SenderofEmail@SenderDomain.com
    MessageInfo             : 01/10/2013 15:46:48


    Timestamp               : 01/10/2013 15:59:23
    ClientIp                : SenderDomainIP
    ClientHostname          : 
    ServerIp                : ReceiverDomainIP
    ServerHostname          : edge1
    SourceContext           : 08D0891A81DE4680;2013-10-01T14:59:21.660Z;0
    ConnectorId             : edge1\Default internal receive connector EDGE1
    Source                  : SMTP
    EventId                 : RECEIVE
    InternalMessageId       : 1348977
    MessageId               : <4C2FB0C9647B0140A70CEEA1B0F99FCA091F1592@LON-EXH002PA.prod.ds.SenderDomain.com>
    Recipients              : {receiver1@ReceiverDomain.com, SenderDomainFactsheets@receiverdomain.com, receiver3@ReceiverDomain.com, receiver4@receiverdomain.com}
    RecipientStatus         : {}
    TotalBytes              : 61503
    RecipientCount          : 4
    RelatedRecipientAddress : 
    Reference               : 
    MessageSubject          : RE: Subject line
    Sender                  : SenderofEmail@SenderDomain.com
    ReturnPath              : SenderofEmail@SenderDomain.com
    MessageInfo             : 00A:

    Timestamp               : 01/10/2013 15:59:23
    ClientIp                : ReceiverDomainIP
    ClientHostname          : edge1
    ServerIp                : 10.0.0.164
    ServerHostname          : 
    SourceContext           : 08D0891A81DE4681
    ConnectorId             : sendToExchange2003
    Source                  : SMTP
    EventId                 : FAIL
    InternalMessageId       : 1348977
    MessageId               : <4C2FB0C9647B0140A70CEEA1B0F99FCA091F1592@LON-EXH002PA.prod.ds.SenderDomain.com>
    Recipients              : {receiver3@ReceiverDomain.com, receiver4@ReceiverDomain.com, receiver1@ReceiverDomain.com, SenderDomainFactsheets@receiverdomain.com}
    RecipientStatus         : {503 5.5.2 Need mail command., 503 5.5.2 Need mail command., 503 5.5.2 Need mail command., 503 5.5.2 Need mail command.}
    TotalBytes              : 61503
    RecipientCount          : 4
    RelatedRecipientAddress : 
    Reference               : {<cdba64fe-f673-439a-afda-136c285acdf4>, <cdba64fe-f673-439a-afda-136c285acdf4>, <cdba64fe-f673-439a-afda-136c285acdf4>, <cdba64fe-f673-439a-afda-136c285acdf4>}
    MessageSubject          : RE: Subject line
    Sender                  : SenderofEmail@SenderDomain.com
    ReturnPath              : SenderofEmail@SenderDomain.com
    MessageInfo             : 

    Timestamp               : 01/10/2013 16:00:59
    ClientIp                : SenderDomainIP
    ClientHostname          : 
    ServerIp                : ReceiverDomainIP
    ServerHostname          : edge1
    SourceContext           : 08D0891A81DE4695;2013-10-01T15:00:57.647Z;0
    ConnectorId             : edge1\Default internal receive connector EDGE1
    Source                  : SMTP
    EventId                 : RECEIVE
    InternalMessageId       : 1348985
    MessageId               : <4C2FB0C9647B0140A70CEEA1B0F99FCA091F15B1@senderintmail1.prod.ds.SenderDomain.com>
    Recipients              : {receiver1@ReceiverDomain.com, SenderDomainFactsheets@receiverdomain.com, receiver3@ReceiverDomain.com, receiver4@receiverdomain.com}
    RecipientStatus         : {}
    TotalBytes              : 62815
    RecipientCount          : 4
    RelatedRecipientAddress : 
    Reference               : 
    MessageSubject          : RE: Subject line
    Sender                  : SenderofEmail@SenderDomain.com
    ReturnPath              : SenderofEmail@SenderDomain.com
    MessageInfo             : 00A:

    Timestamp               : 01/10/2013 16:01:01
    ClientIp                : ReceiverDomainIP
    ClientHostname          : edge1
    ServerIp                : 10.0.0.164
    ServerHostname          : 
    SourceContext           : 08D0891A81DE4697
    ConnectorId             : sendToExchange2003
    Source                  : SMTP
    EventId                 : SEND
    InternalMessageId       : 1348985
    MessageId               : <4C2FB0C9647B0140A70CEEA1B0F99FCA091F15B1@SENDERINTMAIL2.prod.ds.SenderDomain.com>
    Recipients              : {receiver3@ReceiverDomain.com, receiver4@ReceiverDomain.com, egarciamartin@ReceiverDomain.com, SenderDomainFactsheets@FundAssist.com}
    RecipientStatus         : {250 2.1.5 receiver3@ReceiverDomain.com , 250 2.1.5 receiver3@ReceiverDomain.com , 250 2.1.5 receiver1@receiverdomain, 250 2.1.5 SenderDomainFactsheets@ReceiverDomain.com }
    TotalBytes              : 62815
    RecipientCount          : 4
    RelatedRecipientAddress : 
    Reference               : {, , , }
    MessageSubject          : RE: Subject line
    Sender                  : SenderofEmail@SenderDomain.com
    ReturnPath              : SenderofEmail@SenderDomain.com
    MessageInfo             : 01/10/2013 16:00:58



    Joe

    Wednesday, October 2, 2013 10:30 AM

All replies

  • Hi,

    Are the problematic emails S/MIME emails? If so, please see:

    http://support.microsoft.com/kb/843242

                                                   

    Thanks,


    Simon Wu
    TechNet Community Support

    Saturday, October 5, 2013 6:36 AM
  • Simon, Thanks for the reply. No, the mails are not s/mime nor TLS. Just random mails, maybe 1 or 2 every two to three weeks. Joe

    Joe

    Saturday, October 5, 2013 1:03 PM
  • Been looking some more and the issue seems to be between the Edge 2007 Servers and the Exchange 2003 Server.

    Most errors are "503 5.5.2 Need mail command" errors.



    I see that the exchange servers are quite behind in patching levels, whereas the edge servers are 2 to 3 months behind on patching.


    Joe

    Friday, November 8, 2013 1:10 PM
  • Those 503 errors should be in the protocol logs on both sender and receiver machines.

    Are there any 4xx status in the transaction, or some other 5xx status, before the 503?

    This may be associated with ESMTP PIPELINING where the sender exceeds some quota (like the maximum number of recipients) but doesn't get the 4xx status right away (or doesn't process it right away).


    --- Rich Matheisen MCSE&I, Exchange MVP

    Saturday, November 9, 2013 10:10 PM
  • Rich,

    No, I'm not seeing any 4XX errors.

    Sometimes the mails are "leaking in" in that we get a from address and an image of some type, but no mail content.

    Joe



    Joe

    Wednesday, November 27, 2013 11:11 AM
  • Edge server 2007 to Exchange 2003

    2013-11-27T10:00:53.932Z,sendToExchange2003,08D0AFC938C280EE,14,10.11.0.164:56317,10.0.0.164:25,>,MAIL FROM:<sender@email.ie> SIZE=62314 AUTH=<>,
    2013-11-27T10:00:53.948Z,sendToExchange2003,08D0AFC938C280EE,15,10.11.0.164:56317,10.0.0.164:25,<,250 2.1.0 sender@email.ie....Sender OK,
    2013-11-27T10:00:53.948Z,sendToExchange2003,08D0AFC938C280EE,16,10.11.0.164:56317,10.0.0.164:25,>,RCPT TO:<receiver@email.com>,
    2013-11-27T10:00:53.948Z,sendToExchange2003,08D0AFC938C280EE,17,10.11.0.164:56317,10.0.0.164:25,<,250 2.1.5 receiver@email.com ,
    2013-11-27T10:00:53.948Z,sendToExchange2003,08D0AFC938C280EE,18,10.11.0.164:56317,10.0.0.164:25,>,BDAT 61973 LAST,
    2013-11-27T10:00:54.197Z,sendToExchange2003,08D0AFC938C280EE,19,10.11.0.164:56317,10.0.0.164:25,<,503 5.5.2 Need mail command.,
    2013-11-27T10:00:54.213Z,sendToExchange2003,08D0AFC938C280EE,20,10.11.0.164:56317,10.0.0.164:25,>,QUIT,
    2013-11-27T10:00:54.213Z,sendToExchange2003,08D0AFC938C280EE,21,10.11.0.164:56317,10.0.0.164:25,<,221 2.0.0 mail.Receiver.com Service closing transmission channel,


    Exchange 2003 Protocol log
    2013-11-27 10:01:03 10.11.0.164 edge1.Receiver.com SMTPSVC1 MAIL1 10.0.0.164 0 EHLO +edge1.Receiver.com 250 0 SMTP
    2013-11-27 10:01:03 10.11.0.164 edge1.Receiver.com SMTPSVC1 MAIL1 10.0.0.164 0 MAIL +FROM:<sender@email.ie> 250 0 SMTP
    2013-11-27 10:01:03 10.11.0.164 edge1.Receiver.com SMTPSVC1 MAIL1 10.0.0.164 0 RCPT +TO:<receiver@email.com> 250 0 SMTP
    2013-11-27 10:01:03 10.11.0.164 edge1.Receiver.com SMTPSVC1 MAIL1 10.0.0.164 0 BDAT <MAIL1f09qYbOzwdB9t100004012@mail.Receiver.com> 250 62 SMTP
    2013-11-27 10:01:03 10.11.0.164 edge1.Receiver.com SMTPSVC1 MAIL1 10.0.0.164 0 BDAT +22244 503 0 SMTP
    2013-11-27 10:01:03 10.11.0.164 edge1.Receiver.com SMTPSVC1 MAIL1 10.0.0.164 0 QUIT edge1.Receiver.com 240 0 SMTP

    Joe

    Wednesday, November 27, 2013 11:25 AM
  • Exchange 2003 SMTP protocol logs kinda suck, don't they? The 503 in that log isn't sent as a status to the BDAT in the 2010 log (the size is different).

    But, let's assume that the 503 5.5.2 status is what happened to the message as reported in the 2010 log.

    Is there anything between the 2010 server and the 2003 server? A SMTP proxy, perhaps?

    If not, I'd suggest creating a send connector on your 2010 edge server dedicated to sending e-mail without using ESMTP. All you need to do is add the other organization's domain to the connector's "Address Spaces" tab and use the set-sendconnector with the -ForceHELO. That should cause the connector to use SMTP instead of ESMTP and not use the BDAT command -- because it looks like the problem is at the 2003 side (you can google the error and find reports of this from years ago) and if you're running the most recent SP for 2003 there's nothing that I can find that addresses this problem. Maybe someone else knows of a hotfix, but I kinda doubt it.


    --- Rich Matheisen MCSE&I, Exchange MVP

    • Marked as answer by Wobble Wobble Wednesday, January 22, 2014 2:39 PM
    Wednesday, November 27, 2013 10:27 PM
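
Added example, not part of the thread and not Microsoft's code: a Python sketch that groups Edge send protocol log records by session and flags sessions where the reply to BDAT (or DATA) was 503 5.5.2, so the failure rate before and after the -ForceHELO change can be compared. The column order is taken from the log lines quoted above; the first sample session is copied from that post and the second (HELO/DATA) session is constructed.

```python
import csv
import io
from collections import defaultdict

# Column order of the Edge SMTP protocol log records quoted in the thread.
FIELDS = ("date_time", "connector_id", "session_id", "sequence_number",
          "local_endpoint", "remote_endpoint", "event", "data", "context")

# Session 08D0AFC938C280EE is the one quoted in the thread; session
# 08D0AFC938C28101 is constructed to show a delivery that uses HELO and DATA.
SAMPLE_LOG = """\
2013-11-27T10:00:53.932Z,sendToExchange2003,08D0AFC938C280EE,14,10.11.0.164:56317,10.0.0.164:25,>,MAIL FROM:<sender@email.ie> SIZE=62314 AUTH=<>,
2013-11-27T10:00:53.948Z,sendToExchange2003,08D0AFC938C280EE,15,10.11.0.164:56317,10.0.0.164:25,<,250 2.1.0 sender@email.ie....Sender OK,
2013-11-27T10:00:53.948Z,sendToExchange2003,08D0AFC938C280EE,16,10.11.0.164:56317,10.0.0.164:25,>,RCPT TO:<receiver@email.com>,
2013-11-27T10:00:53.948Z,sendToExchange2003,08D0AFC938C280EE,17,10.11.0.164:56317,10.0.0.164:25,<,250 2.1.5 receiver@email.com ,
2013-11-27T10:00:53.948Z,sendToExchange2003,08D0AFC938C280EE,18,10.11.0.164:56317,10.0.0.164:25,>,BDAT 61973 LAST,
2013-11-27T10:00:54.197Z,sendToExchange2003,08D0AFC938C280EE,19,10.11.0.164:56317,10.0.0.164:25,<,503 5.5.2 Need mail command.,
2013-12-02T09:15:10.101Z,sendToExchange2003,08D0AFC938C28101,3,10.11.0.164:56400,10.0.0.164:25,>,HELO edge1.Receiver.com,
2013-12-02T09:15:10.117Z,sendToExchange2003,08D0AFC938C28101,4,10.11.0.164:56400,10.0.0.164:25,<,250 mail.Receiver.com Hello,
2013-12-02T09:15:10.210Z,sendToExchange2003,08D0AFC938C28101,9,10.11.0.164:56400,10.0.0.164:25,>,DATA,
2013-12-02T09:15:10.226Z,sendToExchange2003,08D0AFC938C28101,10,10.11.0.164:56400,10.0.0.164:25,<,354 Start mail input; end with <CRLF>.<CRLF>,
2013-12-02T09:15:10.601Z,sendToExchange2003,08D0AFC938C28101,11,10.11.0.164:56400,10.0.0.164:25,<,250 2.6.0 Queued mail for delivery,
"""


def parse_sessions(text):
    """Group protocol log records by session id, ordered by sequence number."""
    sessions = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 8 or row[0].startswith("#"):  # skip "#Fields" and short lines
            continue
        sessions[row[2]].append(dict(zip(FIELDS, row)))
    for records in sessions.values():
        records.sort(key=lambda r: int(r["sequence_number"]))
    return dict(sessions)


def rejected_transfers(sessions, status="503 5.5.2"):
    """List (session_id, command, reply) where BDAT/DATA got a reply starting with status."""
    hits = []
    for sid, records in sessions.items():
        last_sent = None
        for rec in records:
            if rec["event"] == ">":            # command sent by the Edge server
                last_sent = rec["data"]
            elif rec["event"] == "<" and last_sent:  # first reply to that command
                verb = last_sent.split(" ", 1)[0].upper()
                if verb in ("BDAT", "DATA") and rec["data"].startswith(status):
                    hits.append((sid, last_sent, rec["data"]))
                last_sent = None
    return hits


def transfer_verbs(sessions):
    """Map session id -> body-transfer verbs used (BDAT means ESMTP CHUNKING was in use)."""
    return {sid: {r["data"].split(" ", 1)[0].upper() for r in records
                  if r["event"] == ">"} & {"BDAT", "DATA"}
            for sid, records in sessions.items()}


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_LOG)
    print(rejected_transfers(parsed))
    print(transfer_verbs(parsed))
```

The pairing of each command with the next reply assumes commands and replies alternate, as they do in the quoted log; a session that pipelines several commands before reading replies would need sequence-aware matching.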
  • Rich, Thanks for the reply. There is a Watchguard doing the routing, but antispam, AV etc is disabled on that route. The 2007 Edge server is in the DMZ with the Ex2003 in the LAN. The server is not fully patched, I'm looking into what is missing. I may connect a virtual nic on the Edge to the LAN for the mail traffic, change control may be simpler than the patching.

    Joe

    Wednesday, November 27, 2013 10:42 PM
  • Rich,

    I didn't want to say the error was fixed until at least a month passed!

    And it appears that forcing the HELO has worked.

    Of course now we have another issue, but that's another tale for another day.


    Joe

    Wednesday, January 22, 2014 2:41 PM