Exchange 2013 CU13 doesn't receive mail from Hotmail

    Question

  • Hello friends, I need your help.
    My Exchange 2013 CU13 server, running on Windows Server 2012 R2, does not receive mail only from hotmail.com, live.com and outlook.com.

    I have had this problem for almost two months and have already opened several calls with the Hotmail support team, and believe me, I even talked to them by phone and explained the problem. But strangely enough they cannot explain what is happening and simply close the call.

    My IP is not listed in any blacklists, my SPF is correct, my reverse DNS is correct .....

    The email comes to my server, but from what I read in the receipt log, it enters a sort of a queue and is not delivered to the User.

    In my desperation, I even installed a new environment, an Exchange from scratch, and believe it or not, the same problem happens. See my receive log:

    2016-09-15T22:47:12.639Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B8,20,127.0.0.1:25,127.0.0.1:19268,-,,Local
    2016-09-15T22:47:36.092Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,0,*********:25,65.55.116.103:64646,+,,
    2016-09-15T22:47:36.092Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,1,*********:25,65.55.116.103:64646,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
    2016-09-15T22:47:36.092Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,2,*********:25,65.55.116.103:64646,>,"220 SRV-EMAIL.*********.com.br Microsoft ESMTP MAIL Service ready at Thu, 15 Sep 2016 19:47:35 -0300",
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,3,*********:25,65.55.116.103:64646,<,EHLO BLU004-OMC3S28.hotmail.com,
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,4,*********:25,65.55.116.103:64646,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,5,*********:25,65.55.116.103:64646,>,250-SRV-EMAIL.*********.com.br Hello [65.55.116.103],
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,6,*********:25,65.55.116.103:64646,>,250-SIZE 37748736,
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,7,*********:25,65.55.116.103:64646,>,250-PIPELINING,
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,8,*********:25,65.55.116.103:64646,>,250-DSN,
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,9,*********:25,65.55.116.103:64646,>,250-ENHANCEDSTATUSCODES,
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,10,*********:25,65.55.116.103:64646,>,250-STARTTLS,
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,11,*********:25,65.55.116.103:64646,>,250-X-ANONYMOUSTLS,
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,12,*********:25,65.55.116.103:64646,>,250-AUTH NTLM,
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,13,*********:25,65.55.116.103:64646,>,250-X-EXPS GSSAPI NTLM,
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,14,*********:25,65.55.116.103:64646,>,250-8BITMIME,
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,15,*********:25,65.55.116.103:64646,>,250-BINARYMIME,
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,16,*********:25,65.55.116.103:64646,>,250-CHUNKING,
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,17,*********:25,65.55.116.103:64646,>,250 XRDST,
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,18,*********:25,65.55.116.103:64646,<,STARTTLS,
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,19,*********:25,65.55.116.103:64646,>,220 2.0.0 SMTP server ready,
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,20,*********:25,65.55.116.103:64646,*,,Sending certificate
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,21,*********:25,65.55.116.103:64646,*,CN=SRV-EMAIL,Certificate subject
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,22,*********:25,65.55.116.103:64646,*,CN=SRV-EMAIL,Certificate issuer name
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,23,*********:25,65.55.116.103:64646,*,69E1A67D7F03ADA6408BF42E947FCB89,Certificate serial number
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,24,*********:25,65.55.116.103:64646,*,5D91AA7DB66F81C48DE7C8C8AAB5365E238920FD,Certificate thumbprint
    2016-09-15T22:47:36.108Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,25,*********:25,65.55.116.103:64646,*,SRV-EMAIL;SRV-EMAIL.*********.com.br,Certificate alternate names
    2016-09-15T22:47:36.201Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,26,*********:25,65.55.116.103:64646,*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 384 bits and key exchange algorithm CALG_ECDHE with strength 384 bits"
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,27,*********:25,65.55.116.103:64646,<,EHLO BLU004-OMC3S28.hotmail.com,
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,28,*********:25,65.55.116.103:64646,*,,Client certificate chain validation status: 'EmptyCertificate'
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,29,*********:25,65.55.116.103:64646,*,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,30,*********:25,65.55.116.103:64646,*,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,31,*********:25,65.55.116.103:64646,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,32,*********:25,65.55.116.103:64646,>,250-SRV-EMAIL.*********.com.br Hello [65.55.116.103],
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,33,*********:25,65.55.116.103:64646,>,250-SIZE 37748736,
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,34,*********:25,65.55.116.103:64646,>,250-PIPELINING,
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,35,*********:25,65.55.116.103:64646,>,250-DSN,
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,36,*********:25,65.55.116.103:64646,>,250-ENHANCEDSTATUSCODES,
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,37,*********:25,65.55.116.103:64646,>,250-AUTH NTLM LOGIN,
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,38,*********:25,65.55.116.103:64646,>,250-X-EXPS GSSAPI NTLM,
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,39,*********:25,65.55.116.103:64646,>,250-8BITMIME,
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,40,*********:25,65.55.116.103:64646,>,250-BINARYMIME,
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,41,*********:25,65.55.116.103:64646,>,250-CHUNKING,
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,42,*********:25,65.55.116.103:64646,>,250 XRDST,
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,43,*********:25,65.55.116.103:64646,<,MAIL FROM:<tecnologiawell@outlook.com> SIZE=4798,
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,44,*********:25,65.55.116.103:64646,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,45,*********:25,65.55.116.103:64646,*,08D3DDA0C4CC52B9;2016-09-15T22:47:36.092Z;1,receiving message
    2016-09-15T22:47:36.217Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,46,*********:25,65.55.116.103:64646,>,250 2.1.0 Sender OK,
    2016-09-15T22:47:36.233Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,47,*********:25,65.55.116.103:64646,<,RCPT TO:<administrador@*********.com.br>,
    2016-09-15T22:47:36.233Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,48,*********:25,65.55.116.103:64646,>,250 2.1.5 Recipient OK,
    2016-09-15T22:47:36.233Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,49,*********:25,65.55.116.103:64646,<,BDAT 4798 LAST,
    2016-09-15T22:47:36.248Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,50,*********:25,65.55.116.103:64646,*,,Ignored X-OriginatorOrg header value 'outlook.com' because session capabilities do not allow it
    2016-09-15T22:47:36.264Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,51,*********:25,65.55.116.103:64646,*,,Proxy destination(s) obtained from OnProxyInboundMessage event
    2016-09-15T22:47:36.561Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,52,*********:25,65.55.116.103:64646,>,"250 2.6.0 <BN3PR0701MB113831B2F4857BFF5D3B86B5D1F00@BN3PR0701MB1138.namprd07.prod.outlook.com> [InternalId=38654705692, Hostname=SRV-EMAIL.*********.com.br] Queued mail for delivery",
    2016-09-15T22:47:36.577Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,53,*********:25,65.55.116.103:64646,<,QUIT,
    2016-09-15T22:47:36.577Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,54,*********:25,65.55.116.103:64646,>,221 2.0.0 Service closing transmission channel,
    2016-09-15T22:47:36.577Z,SRV-EMAIL\Default Frontend SRV-EMAIL,08D3DDA0C4CC52B9,55,*********:25,65.55.116.103:64646,-,,Local


    Silvio Tavares - Analista de Sistemas

    Thursday, September 15, 2016 11:04 PM

Answers

  • Personally, I found the problem.
    To serve as documentation for others who go through it.

    After 45 days fighting virtually alone, I found that Microsoft has put some security in the Exchange 2016 multi-tenant it uses for the domains hotmail.com, live.com and outlook.com.

    The mail server from Microsoft now requires that the certificate of the other mail server, the one that will receive e-mail from these Microsoft domains, is like this:

    Regardless of whether your server uses an internal or public certificate, it has to be that way.

    If you try another type of encryption algorithm for your CA, there will be a failure in manipulating the algorithm when Microsoft's email server is communicating with your mail server.

    I did several tests on Hyper-V that way: I installed Exchange 2013 and 2016, took a snapshot of both the AD and the Exchange server at every step, and tested each certificate algorithm of my CA, and the one that managed to communicate with the servers of Microsoft was that al.

    Why it did this I do not know, but it did not publish information about this change anywhere, and I was caught by surprise by this change it made.

    My Exchange 2013 server had been functioning normally for years; it is nearly two months since that communication stopped, and today I managed to find the solution.

    That's it. If you want more information, we can talk here.


    Silvio Tavares - Analista de Sistemas

    Sunday, September 18, 2016 3:24 PM

All replies

  • Is it just one mailbox having the issue or all mailboxes?

    If it is just one mailbox, try disabling and re-connecting the mailbox.  I had this at another customer a few weeks back.


    Clint Boessen MVP - Exchange Server, MCSE, MCITPx6, Dip Network Engineering
    Perth, Western Australia

    Blog: http://clintboessen.blogspot.com
    Employer: http://www.avantgardetechnologies.com.au

    Friday, September 16, 2016 1:59 AM
  • Hi,

    I noticed some useful information in your logs.

    "250 2.6.0 <BN3PR0701MB113831B2F4857BFF5D3B86B5D1F00@BN3PR0701MB1138.namprd07.prod.outlook.com> [InternalId=38654705692, Hostname=SRV-EMAIL.*********.com.br] Queued mail for delivery",

    The log "Queued mail for delivery" indicated the email has arrived on your Exchange server and is queuing to deliver.

    About the issue, I suggest you refer to the following example and use message tracking log to track the email:

    Get-MessageTrackingLog -Server Mailbox01 -Start "09/13/2016 09:00:00" -End "09/15/2016 17:00:00" -Sender "john@contoso.com"

    Regards,

    David 


    Friday, September 16, 2016 9:24 AM
    Moderator
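
    Added example (not part of the thread or any poster's code): a Python parser that groups rows of a receive protocol log like the one in the question by session id and reports the certificate the server presented, the negotiated TLS protocol and whether the session ended in "Queued mail for delivery". The sample rows are constructed, and their addresses, host names and session id are placeholders.

```python
import csv

# Column order of an Exchange SMTP receive protocol log row.
FIELDS = ["time", "connector", "session", "seq", "local", "remote",
          "event", "data", "context"]

# Constructed sample modelled on the log in the question. Addresses, host
# names and the session id are placeholders, not values from the thread.
_PREFIX = (r"2016-09-15T22:47:36.1Z,SRV-EMAIL\Default Frontend SRV-EMAIL,"
           "08D3C0FFEE000001,{},192.0.2.10:25,198.51.100.7:64646,")
_TAILS = [
    "+,,",
    "<,EHLO mail.sender.example,",
    "<,STARTTLS,",
    "*,CN=SRV-EMAIL,Certificate subject",
    "*,CN=SRV-EMAIL,Certificate issuer name",
    '*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded using '
    'bulk encryption algorithm CALG_AES_256, MAC hash algorithm CALG_SHA_384"',
    "<,MAIL FROM:<sender@sender.example> SIZE=4798,",
    "<,RCPT TO:<administrador@example.test>,",
    "<,BDAT 4798 LAST,",
    '>,"250 2.6.0 <id@sender.example> [InternalId=1, '
    'Hostname=SRV-EMAIL.example.test] Queued mail for delivery",',
    "<,QUIT,",
    ">,221 2.0.0 Service closing transmission channel,",
    "-,,Local",
]
SAMPLE_LOG = "\n".join(_PREFIX.format(i) + t for i, t in enumerate(_TAILS))

def summarize_sessions(text):
    """Group log rows by session id; return TLS, certificate and delivery facts."""
    sessions = {}
    rows = csv.reader(l for l in text.splitlines() if not l.startswith("#"))
    for row in rows:
        if len(row) != len(FIELDS):
            continue  # skip blank, truncated or malformed lines
        r = dict(zip(FIELDS, row))
        s = sessions.setdefault(r["session"], {
            "remote": r["remote"].rsplit(":", 1)[0], "ehlo": None, "tls": None,
            "cert_subject": None, "cert_issuer": None, "mail_from": None,
            "rcpt_to": [], "last_reply": None, "queued": False})
        event, data, ctx = r["event"], r["data"], r["context"]
        if event == "<":                     # command received from the sender
            upper = data.upper()
            if upper.startswith(("EHLO ", "HELO ")):
                s["ehlo"] = data[5:].strip()
            elif upper.startswith("MAIL FROM:"):
                s["mail_from"] = data[10:].split(">")[0].strip(" <")
            elif upper.startswith("RCPT TO:"):
                s["rcpt_to"].append(data[8:].split(">")[0].strip(" <"))
        elif event == ">":                   # reply sent by this server
            s["last_reply"] = data
            if data.startswith("250 2.6.0") and "Queued mail for delivery" in data:
                s["queued"] = True
        elif event == "*":                   # informational row
            if ctx == "Certificate subject":
                s["cert_subject"] = data
            elif ctx == "Certificate issuer name":
                s["cert_issuer"] = data
            elif ctx.startswith("TLS protocol") and "negotiation succeeded" in ctx:
                s["tls"] = ctx.split()[2]
    for s in sessions.values():
        # Subject equal to issuer is what a self-signed certificate logs.
        s["self_issued"] = s["cert_subject"] is not None and s["cert_subject"] == s["cert_issuer"]
    return sessions
```

    A session with "queued" set was accepted by the front-end connector, so a message that still never reaches the mailbox has to be followed further with message tracking, as suggested in the reply above.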
  • Hello, this happens with all mail here within my organization.

    On this new Exchange 2013 CU13 server that I set up and put into production, I received an error message in the outlook.com mailbox I use for tests. See the error:

    Informações de diagnóstico para administradores:

    Gerando servidor: SRV-EMAIL.********.com.br

    Servidor de recebimento: mailbox database 1207050029 (MY IP)

    administrador@*******.com.br

    Remote Server at mailbox database 1207050029 (MY IP) returned '400 4.4.7 Message delayed'

    16/09/2016 00:45:27 - Remote Server at mailbox database 1207050029 (MY IP) returned '441 4.4.1 Error encountered while communicating with primary target IP address: "Failed to connect. Winsock error code: 10061, Win32 error code: 10061." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was MY IP:475'

    Cabeçalhos de mensagem originais:


    Silvio Tavares - Analista de Sistemas

    Friday, September 16, 2016 10:29 AM
  • David, I ran the command you asked me to, but as you can see, the message arrives at my server, but for some reason it enters the delivery queue and is not delivered to the user.


    Silvio Tavares - Analista de Sistemas

    Friday, September 16, 2016 10:35 AM
  • What I cannot understand is the logic of this problem: it happens only with the Microsoft domains outlook.com, live.com and hotmail.com.

    In more than 8 years working with Exchange I've never seen a similar problem.

    Silvio Tavares - Analista de Sistemas

    Friday, September 16, 2016 10:42 AM

  • Silvio Tavares - Analista de Sistemas

    Friday, September 16, 2016 12:33 PM

  • I have now asked my ISP for help to see if port 25 was closed; their reply follows:


    Silvio Tavares - Analista de Sistemas

    Friday, September 16, 2016 12:44 PM
  • Have you double-checked to make sure there are no transport rules that affect these messages? Maybe someone else figured they were blocking spam by blocking these domains with a transport rule.

    Also, is there AV/Antispam software running on the Exchange server? If so, verify the configuration of that or logs for that software.


    Byron Wright (http://byronwright.blogspot.ca)

    Friday, September 16, 2016 1:17 PM
  • No, I did not enable anything for anti-spam in the new Exchange.
    I also do not have any antivirus installed.
    And I also disabled the Windows Firewall on AD and Exchange.

    Silvio Tavares - Analista de Sistemas

    Friday, September 16, 2016 1:23 PM
  • I really cannot understand why this is happening only with Microsoft domains.

    Gmail, Bol, Yahoo, Terra and dozens of other domains can deliver emails normally; it has no logic.

    The worst part is that Hotmail support does not help at all: you open a call, they respond after days, and when they do not know the answer they simply close the call.

    I've installed a whole new server with a new IP and still the problem continues ....

    I cannot understand...

    Silvio Tavares - Analista de Sistemas

    Friday, September 16, 2016 3:36 PM
  • Well friends, after more than 40 days with this problem, and after everything I have read and everything that has been done, I am now looking at another point.

    Judging by the receive logs, it seems that Hotmail.com, Outlook.com and Live.com (Microsoft has a server running Exchange 2016 multi-tenant), and it seems that the mail server from Microsoft now does not accept that the server that will receive its emails has not an internal certificate issued by a reliable certification authority.

    From the tests I'm doing, if you leave the Exchange certificates unchanged, as they are right after installing Exchange, it appears that the Microsoft mail server agrees to communicate, but if you put in your internal certificate, the Microsoft domains fail to deliver the mail.

    I know I'm pretty much alone in solving this problem, as not even the Hotmail support team can solve this real problem, and from what I've been noticing, nobody has even gone through this, because there is no record on the internet about this problem.

    Silvio Tavares - Analista de Sistemas

    Saturday, September 17, 2016 9:56 PM
  • I did all these tests on two different versions of Exchange, 2013 CU13 and 2016 CU2.

    And when you install the CA on the DC server and only choose the correct form of the algorithm, then this failure of communication will happen and your mail server will not receive any emails from the specific Microsoft domains; mail from the rest of the world's domains arrives normally.

    So the only thing I did for my Exchange 2013 CU13 server, which has been running for several years, was to remove the CA on my DC and then install my CA again with this encryption template; then I went to my Exchange 2013 CU13 and generated a new internal certificate, and from then on all emails from Microsoft domains began to arrive on my server.

    Amazing, isn't it?

    Silvio Tavares - Analista de Sistemas

    Sunday, September 18, 2016 3:31 PM