locked
Problem receiving from sender, showing in SmtpReceive log but not Message Tracking RRS feed

  • Question

  • Our Exchange 2007 server (SBS2k8 really) has had problems receiving mail from a certain sender the last few weeks.  With the SMTPReceive set to verbose, I can see the mail coming in but it never shows up in the message tracking logs.  

    Looking at similar issues, I thought maybe the content filtering agent might have been grabbing it, so I set up a transport rule to take any mail from this particular domain and set the SCL to 0 as well as bcc a copy of it to myself.  But I just noticed another entry in yesterday's smtpreceive log and that didn't do the trick (or forward a copy to me for that matter).

    I'm including some samples from our SMTP log.  I can see that when it works, after the 354 Start mail input line, our server sends a 250 2.6.0 code confirming the message has been queued for delivery, at which point the remote server sends a QUIT and we close it.  But when it fails, there's nothing after the 354 line.

    Example of good transmission:

    2014-04-23T15:00:49.636Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,0,10.0.100.3:25,50.xxx.xxx.xxx:9100,+,,
    2014-04-23T15:00:49.636Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,1,10.0.100.3:25,50.xxx.xxx.xxx:9100,*,SMTPSubmit SMTPAcceptAnySender AcceptRoutingHeaders,Set Session Permissions
    2014-04-23T15:00:49.636Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,2,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,"220 xxx.xxx.com Microsoft ESMTP MAIL Service ready at Wed, 23 Apr 2014 11:00:49 -0400",
    2014-04-23T15:00:49.948Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,3,10.0.100.3:25,50.xxx.xxx.xxx:9100,<,EHLO other.domain.com,
    2014-04-23T15:00:49.948Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,4,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,250-xxx.xxx.com Hello [50.xxx.xxx.xxx],
    2014-04-23T15:00:49.948Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,5,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,250-SIZE 26091520,
    2014-04-23T15:00:49.948Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,6,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,250-PIPELINING,
    2014-04-23T15:00:49.948Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,7,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,250-DSN,
    2014-04-23T15:00:49.948Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,8,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,250-ENHANCEDSTATUSCODES,
    2014-04-23T15:00:49.948Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,9,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,250-STARTTLS,
    2014-04-23T15:00:49.948Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,10,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,250-AUTH,
    2014-04-23T15:00:49.948Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,11,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,250-8BITMIME,
    2014-04-23T15:00:49.948Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,12,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,250-BINARYMIME,
    2014-04-23T15:00:49.948Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,13,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,250 CHUNKING,
    2014-04-23T15:00:50.026Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,14,10.0.100.3:25,50.xxx.xxx.xxx:9100,<,MAIL FROM:<DDE@xxx.com> SIZE=3497,
    2014-04-23T15:00:50.026Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,15,10.0.100.3:25,50.xxx.xxx.xxx:9100,*,08D11000FE2BD02F;2014-04-23T15:00:49.620Z;1,receiving message
    2014-04-23T15:00:50.026Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,16,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,250 2.1.0 Sender OK,
    2014-04-23T15:00:50.073Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,17,10.0.100.3:25,50.xxx.xxx.xxx:9100,<,RCPT TO:<data@xxxx.com>,
    2014-04-23T15:00:50.291Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,18,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,250 2.1.5 Recipient OK,
    2014-04-23T15:00:50.338Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,19,10.0.100.3:25,50.xxx.xxx.xxx:9100,<,DATA,
    2014-04-23T15:00:50.338Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,20,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,354 Start mail input; end with <CRLF>.<CRLF>,
    2014-04-23T15:00:50.525Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,21,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,250 2.6.0 <4E393B56482240F2823EF535832F45E5@autosystems.decoma.com> Queued mail for delivery,
    2014-04-23T15:00:50.556Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,22,10.0.100.3:25,50.xxx.xxx.xxx:9100,<,QUIT,
    2014-04-23T15:00:50.556Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,23,10.0.100.3:25,50.xxx.xxx.xxx:9100,>,221 2.0.0 Service closing transmission channel,
    2014-04-23T15:00:50.556Z,SBS2k8srv\SBS Receive,08D11000FE2BD02F,24,10.0.100.3:25,50.xxx.xxx.xxx:9100,-,,Local

    and an example of the message not being successfully received:

    2014-04-24T11:57:37.236Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,0,10.0.100.3:25,50.xxx.xxx.xxx:10131,+,,
    2014-04-24T11:57:37.236Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,1,10.0.100.3:25,50.xxx.xxx.xxx:10131,*,SMTPSubmit SMTPAcceptAnySender AcceptRoutingHeaders,Set Session Permissions
    2014-04-24T11:57:37.236Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,2,10.0.100.3:25,50.xxx.xxx.xxx:10131,>,"220 xxx.xxx.com Microsoft ESMTP MAIL Service ready at Thu, 24 Apr 2014 07:57:36 -0400",
    2014-04-24T11:57:37.532Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,3,10.0.100.3:25,50.xxx.xxx.xxx:10131,<,EHLO other.domain.com,
    2014-04-24T11:57:37.532Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,4,10.0.100.3:25,50.xxx.xxx.xxx:10131,>,250-xxx.xxx.com Hello [50.xxx.xxx.xxx],
    2014-04-24T11:57:37.532Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,5,10.0.100.3:25,50.xxx.xxx.xxx:10131,>,250-SIZE 26091520,
    2014-04-24T11:57:37.532Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,6,10.0.100.3:25,50.xxx.xxx.xxx:10131,>,250-PIPELINING,
    2014-04-24T11:57:37.532Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,7,10.0.100.3:25,50.xxx.xxx.xxx:10131,>,250-DSN,
    2014-04-24T11:57:37.532Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,8,10.0.100.3:25,50.xxx.xxx.xxx:10131,>,250-ENHANCEDSTATUSCODES,
    2014-04-24T11:57:37.532Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,9,10.0.100.3:25,50.xxx.xxx.xxx:10131,>,250-STARTTLS,
    2014-04-24T11:57:37.532Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,10,10.0.100.3:25,50.xxx.xxx.xxx:10131,>,250-AUTH,
    2014-04-24T11:57:37.532Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,11,10.0.100.3:25,50.xxx.xxx.xxx:10131,>,250-8BITMIME,
    2014-04-24T11:57:37.532Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,12,10.0.100.3:25,50.xxx.xxx.xxx:10131,>,250-BINARYMIME,
    2014-04-24T11:57:37.532Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,13,10.0.100.3:25,50.xxx.xxx.xxx:10131,>,250 CHUNKING,
    2014-04-24T11:57:37.579Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,14,10.0.100.3:25,50.xxx.xxx.xxx:10131,<,MAIL FROM:<DDE@xxx.com> SIZE=3481,
    2014-04-24T11:57:37.579Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,15,10.0.100.3:25,50.xxx.xxx.xxx:10131,*,08D11000FE2BD40D;2014-04-24T11:57:37.220Z;1,receiving message
    2014-04-24T11:57:37.579Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,16,10.0.100.3:25,50.xxx.xxx.xxx:10131,>,250 2.1.0 Sender OK,
    2014-04-24T11:57:37.610Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,17,10.0.100.3:25,50.xxx.xxx.xxx:10131,<,RCPT TO:<data@xxxx.com>,
    2014-04-24T11:57:37.719Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,18,10.0.100.3:25,50.xxx.xxx.xxx:10131,>,250 2.1.5 Recipient OK,
    2014-04-24T11:57:37.750Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,19,10.0.100.3:25,50.xxx.xxx.xxx:10131,<,DATA,
    2014-04-24T11:57:37.750Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,20,10.0.100.3:25,50.xxx.xxx.xxx:10131,>,354 Start mail input; end with <CRLF>.<CRLF>,
    2014-04-24T11:57:37.875Z,SBS2k8srv\SBS Receive,08D11000FE2BD40D,21,10.0.100.3:25,50.xxx.xxx.xxx:10131,-,,Remote


    Interestingly, we used to receive email from this sender in the past.  When it stopped working, it didn't quite stop working outright - at some point after the deliveries stopped, 2 made it in, but nothing again since then.

    Friday, May 30, 2014 9:43 PM

Answers

  • Is it possible that you have anti-spam software or filtering that is rejecting email from that recipient?


    Jim McBee - MVP, MCT, MCSE Using Exchange since the v4.0 beta in 1995 - Blog http://mostlyexchange.blogspot.com

    • Marked as answer by cara chen Saturday, June 7, 2014 5:19 AM
    Friday, May 30, 2014 9:54 PM
  • Check the agent logs on the machine. The Exchange anti-spam agents log files are found here:

    C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog

    If you use Forefront, its agent log files are usually here:

    C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\FSEAgentLog

    Other software may have its log files elsewhere.


    --- Rich Matheisen MCSE&I, Exchange MVP

    • Marked as answer by cara chen Saturday, June 7, 2014 5:18 AM
    Monday, June 2, 2014 1:42 AM

All replies

  • Is it possible that you have anti-spam software or filtering that is rejecting email from that recipient?


    Jim McBee - MVP, MCT, MCSE Using Exchange since the v4.0 beta in 1995 - Blog http://mostlyexchange.blogspot.com

    • Marked as answer by cara chen Saturday, June 7, 2014 5:19 AM
    Friday, May 30, 2014 9:54 PM
  • Check the agent logs on the machine. The Exchange anti-spam agents log files are found here:

    C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog

    If you use Forefront, its agent log files are usually here:

    C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\FSEAgentLog

    Other software may have its log files elsewhere.


    --- Rich Matheisen MCSE&I, Exchange MVP

    • Marked as answer by cara chen Saturday, June 7, 2014 5:18 AM
    Monday, June 2, 2014 1:42 AM