none
Some External Email Not Being Delivered - HAREDDIRECTFAIL - No Suitable Shadow servers

    Question

  • Company has a 2013 Exchange server and a 2007 Exchange server.. They are using Modus for filtering.. Modus points to the 2013..

    A user got his quarantine report and released a message, however, he never received it.. Modus looked in the logs and showed that it was delivered to the 2013 server.

    Looked in the message tracking logs of the 2007 server as that's where this user's mailbox resides and the message is not there..

    Ran message tracking in the shell of the 2013 server and see the HAREDDIRECTFAIL - No Suitable Shadow servers followed by a AGENTINFO..

    Any idea what the issue can be and or what to look at?

    Thanks

    Monday, November 23, 2015 9:18 PM

Answers

  • The last one is the malware transport agent.

    EventData               : {[AMA, SUM|v=0|action=|error=|atch=0], [AMA, EV|engine=M|v=0|sig=1.209.3168.0|name=|file=],
                              [CompCost, |AMA=0], [DeliveryPriority, Normal]}

    That mean there was no malware, however if there no other record, that could mean something happen in the agent pipeline. You can try disable the malware agent and /or the content filtering agent.


    Bruce Jourdain de Coutance - Consultant MVP Exchange http://blog.brucejdc.fr

    Tuesday, November 24, 2015 3:38 PM
  • So is that email lost forever then?

    I'll disable those agents being they are already using Modus..

    Thanks for all the help.

    Tuesday, November 24, 2015 3:43 PM

All replies

  • In exchange servers, Is external DNS servers IP address Placed?

    If Yes Please Remove and Restarted Microsoft Exchange Transport Service.


    Mani Bhushan

    Tuesday, November 24, 2015 2:41 AM
  • No, no external DNS servers..
    Tuesday, November 24, 2015 1:43 PM
  • HAREDDIRECTFAIL indicate the server wasn't able to replicate the email to another E2013 trough Shadow Redundancy, which is normal if you only have one E2013 server.

    AGENTINFO mean it was a transport agent, the mail probably get catch by Exchange antispam.

    You can check in powershell with Get-MessageTrackingLog against an email and also check which agent are enable trough Get-TransportAgent.


    Bruce Jourdain de Coutance - Consultant MVP Exchange http://blog.brucejdc.fr

    Tuesday, November 24, 2015 2:02 PM
  • I did check the via powershell using get-messagetrackinglog as that's how I got the messages I posted..

    I can post the full tracking info if you'd think it would help.

    Here are the results of the transport agent.

    [PS] C:\Windows\system32>Get-TransportAgent

    Identity                                           Enabled         Priority
    --------                                                -------         --------
    Transport Rule Agent                                True            1
    Malware Agent                                          True            2
    Text Messaging Routing Agent                  True            3
    Text Messaging Delivery Agent                  True            4
    Content Filter Agent                                 True            5
    Sender Id Agent                                    True            6
    Sender Filter Agent                                True            7
    Recipient Filter Agent                             True            8
    Protocol Analysis Agent                            True            9

    Wondering if they even need the content filter agent enabled being they are using Modus already for filtering.. 

    They are also having another issue, albeit unrelated, I think.. Getting these NDRs. Only reason I mention it is because it mentions the content filter agent.

    Delivery of this message to the following recipients or groups is quarantined:
    HealthMailboxced1722a72354388b929ad33ff375adb@theirdomain.com
    Subject: Inbound proxy probe


    Diagnostic information for administrators:
    Generating server: exchange2013.domain.com
    HealthMailboxced1722a72354388b929ad33ff375adb@theirdomain.com
    Remote Server returned '550 5.2.1 Content Filter agent quarantined this message'
    Original message headers:
    Received: from exchange2013.domain.com (192.168.1.24) by
     exchange2013.domain.com (192.168.1.24) with Microsoft SMTP Server (TLS) id
     15.0.847.32; Wed, 18 Nov 2015 14:02:36 -0500
    Received: from InboundProxyProbe (127.0.0.1) by exchange2013.domain.com
     (127.0.0.1) with Microsoft SMTP Server id 15.0.847.32 via Frontend Transport;
     Wed, 18 Nov 2015 14:02:36 -0500
    X-MS-Exchange-ActiveMonitoringProbeName: OnPremisesInboundProxy_4
    X-Exchange-Probe-Drop-Message: FrontEnd-CAT-250
    Subject: Inbound proxy probe
    Message-ID: <c208a2f2-cccd-45ac-89d5-88bc6be89772@exchange2013.domain.com>
    From: <inboundproxy@contoso.com>
    To: Undisclosed recipients:;
    Return-Path: inboundproxy@contoso.com
    Date: Wed, 18 Nov 2015 14:02:36 -0500
    MIME-Version: 1.0
    Content-Type: text/plain

    Tuesday, November 24, 2015 2:40 PM
  • Get the | FL for the AGENTINFO tracking record to get all attributes.

    Malware agents are enable on your E0213 server, they are probably faulty (but doing what we expect from them... stopping spam).


    Bruce Jourdain de Coutance - Consultant MVP Exchange http://blog.brucejdc.fr

    Tuesday, November 24, 2015 3:01 PM
  • Here you go..  So being they use Modus, does it make sense to just disable the Malware agents?

    RunspaceId            : b70d38e5-d8a8-47dc-b8e2-cd781763d6d3
    Enabled               : True
    Priority              : 1
    TransportAgentFactory : Microsoft.Exchange.MessagingPolicies.TransportRuleAgent.TransportRuleAgentFactory
    AssemblyPath          : C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Rule\Microsoft.Exchange.Me
                            ssagingPolicies.TransportRuleAgent.dll
    Identity              : Transport Rule Agent
    IsValid               : True
    ObjectState           : New

    RunspaceId            : b70d38e5-d8a8-47dc-b8e2-cd781763d6d3
    Enabled               : True
    Priority              : 2
    TransportAgentFactory : Microsoft.Exchange.Transport.Agent.Malware.MalwareAgentFactory
    AssemblyPath          : C:\Program Files\Microsoft\Exchange 
                            Server\V15\TransportRoles\agents\Antimalware\Microsoft.Exchange.Transport.Agent.Malware.dll
    Identity              : Malware Agent
    IsValid               : True
    ObjectState           : New

    RunspaceId            : b70d38e5-d8a8-47dc-b8e2-cd781763d6d3
    Enabled               : True
    Priority              : 3
    TransportAgentFactory : Microsoft.Exchange.TextMessaging.MobileDriver.TextMessagingRoutingAgentFactory
    AssemblyPath          : C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.MobileDriver.dll
    Identity              : Text Messaging Routing Agent
    IsValid               : True
    ObjectState           : New

    RunspaceId            : b70d38e5-d8a8-47dc-b8e2-cd781763d6d3
    Enabled               : True
    Priority              : 4
    TransportAgentFactory : Microsoft.Exchange.TextMessaging.MobileDriver.TextMessagingDeliveryAgentFactory
    AssemblyPath          : C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.MobileDriver.dll
    Identity              : Text Messaging Delivery Agent
    IsValid               : True
    ObjectState           : New

    RunspaceId            : b70d38e5-d8a8-47dc-b8e2-cd781763d6d3
    Enabled               : True
    Priority              : 5
    TransportAgentFactory : Microsoft.Exchange.Transport.Agent.ContentFilter.ContentFilterAgentFactory
    AssemblyPath          : C:\Program Files\Microsoft\Exchange 
                            Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll
    Identity              : Content Filter Agent
    IsValid               : True
    ObjectState           : New

    RunspaceId            : b70d38e5-d8a8-47dc-b8e2-cd781763d6d3
    Enabled               : True
    Priority              : 6
    TransportAgentFactory : Microsoft.Exchange.Transport.Agent.SenderId.SenderIdAgentFactory
    AssemblyPath          : C:\Program Files\Microsoft\Exchange 
                            Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll
    Identity              : Sender Id Agent
    IsValid               : True
    ObjectState           : New

    RunspaceId            : b70d38e5-d8a8-47dc-b8e2-cd781763d6d3
    Enabled               : True
    Priority              : 7
    TransportAgentFactory : Microsoft.Exchange.Transport.Agent.ProtocolFilter.SenderFilterAgentFactory
    AssemblyPath          : C:\Program Files\Microsoft\Exchange 
                            Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll
    Identity              : Sender Filter Agent
    IsValid               : True
    ObjectState           : New

    RunspaceId            : b70d38e5-d8a8-47dc-b8e2-cd781763d6d3
    Enabled               : True
    Priority              : 8
    TransportAgentFactory : Microsoft.Exchange.Transport.Agent.ProtocolFilter.RecipientFilterAgentFactory
    AssemblyPath          : C:\Program Files\Microsoft\Exchange 
                            Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll
    Identity              : Recipient Filter Agent
    IsValid               : True
    ObjectState           : New

    RunspaceId            : b70d38e5-d8a8-47dc-b8e2-cd781763d6d3
    Enabled               : True
    Priority              : 9
    TransportAgentFactory : Microsoft.Exchange.Transport.Agent.ProtocolAnalysis.ProtocolAnalysisAgentFactory
    AssemblyPath          : C:\Program Files\Microsoft\Exchange 
                            Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll
    Identity              : Protocol Analysis Agent
    IsValid               : True
    ObjectState           : New


    Tuesday, November 24, 2015 3:04 PM
  • I mean the FL on the messagetrackinglog record :)

    You can disable "Content Filter Agent", there 99% chance it is the one stopping email release from quarantine.

    You don't want to disable the "Transport Rule Agent"

                               


    Bruce Jourdain de Coutance - Consultant MVP Exchange http://blog.brucejdc.fr

    Tuesday, November 24, 2015 3:14 PM
  • Oh sorry.. :) Here it is.. 



    RunspaceId              : b70d38e5-d8a8-47dc-b8e2-cd781763d6d3
    Timestamp               : 11/16/2015 10:40:46 AM
    ClientIp                : 
    ClientHostname          : 
    ServerIp                : 
    ServerHostname          : YNGEX02
    SourceContext           : No suitable shadow servers
    ConnectorId             : 
    Source                  : SMTP
    EventId                 : HAREDIRECTFAIL
    InternalMessageId       : 27960237097333
    MessageId               : <CAELtiJPj9ThFTCbgr4jTaMusqB_gGAONDj1dnM8Df0qorTKiLQ@mail.gmail.com>
    Recipients              : {user@mydomain.com}
    RecipientStatus         : {}
    TotalBytes              : 7023
    RecipientCount          : 1
    RelatedRecipientAddress : 
    Reference               : 
    MessageSubject          : Subject
    Sender                  : fromuser@usersdomain.com
    ReturnPath              : fromuser@usersdomain.com
    Directionality          : Incoming
    TenantId                : 
    OriginalClientIp        : 
    MessageInfo             : 
    MessageLatency          : 
    MessageLatencyType      : None
    EventData               : {[DeliveryPriority, Normal]}

    RunspaceId              : b70d38e5-d8a8-47dc-b8e2-cd781763d6d3
    Timestamp               : 11/16/2015 10:40:46 AM
    ClientIp                : 
    ClientHostname          : exchange2013
    ServerIp                : 
    ServerHostname          : 
    SourceContext           : 
    ConnectorId             : 
    Source                  : AGENT
    EventId                 : AGENTINFO
    InternalMessageId       : 27960237097333
    MessageId               : <CAELtiJPj9ThFTCbgr4jTaMusqB_gGAONDj1dnM8Df0qorTKiLQ@mail.gmail.com>
    Recipients              : {user@mydomain.com}
    RecipientStatus         : {}
    TotalBytes              : 7158
    RecipientCount          : 1
    RelatedRecipientAddress : 
    Reference               : 
    MessageSubject          : Subject
    Sender                  : fromuser@usersdomain.com
    ReturnPath              : fromuser@usersdomain.com
    Directionality          : Incoming
    TenantId                : 
    OriginalClientIp        : 192.168.1.24
    MessageInfo             : 
    MessageLatency          : 
    MessageLatencyType      : None
    EventData               : {[AMA, SUM|v=0|action=|error=|atch=0], [AMA, EV|engine=M|v=0|sig=1.209.3168.0|name=|file=], 
                              [CompCost, |AMA=0], [DeliveryPriority, Normal]}


    Tuesday, November 24, 2015 3:24 PM
  • The last one is the malware transport agent.

    EventData               : {[AMA, SUM|v=0|action=|error=|atch=0], [AMA, EV|engine=M|v=0|sig=1.209.3168.0|name=|file=],
                              [CompCost, |AMA=0], [DeliveryPriority, Normal]}

    That mean there was no malware, however if there no other record, that could mean something happen in the agent pipeline. You can try disable the malware agent and /or the content filtering agent.


    Bruce Jourdain de Coutance - Consultant MVP Exchange http://blog.brucejdc.fr

    Tuesday, November 24, 2015 3:38 PM
  • So is that email lost forever then?

    I'll disable those agents being they are already using Modus..

    Thanks for all the help.

    Tuesday, November 24, 2015 3:43 PM