SMTP Protocol Log for outbound mail: Local-Endpoint field blank on many failed attempts

    Question

  • I was tracking mail for another user when I found that my SMTP Send protocol log has many, many entries of the same failed attempt:

    2017-03-17T00:14:38.401Z,Outbound to Internet - ExchangeServer,08D414762366C445,0,,75.126.101.248:25,*,,attempting to connect
    2017-03-17T00:14:39.448Z,Outbound to Internet - ExchangeServer,08D414762366C445,1,,75.126.101.248:25,*,,"Failed to connect. Winsock error code: 10061, Win32 error code: 10061, Error Message: No connection could be made because the target machine actively refused it 75.126.101.248:25"

    Now, I expect the beginning of the log to have an initial connection and a blank Local-Endpoint, but these entries are throughout the day, sometimes multiple times in a row, and have been going on for the last week (that I can tell initially). From what I can tell, the IP address being connected to belongs to SoftLayer's cloud solutions. I do not have anything using that technology. How can I determine what device is attempting to make these connections?

    Friday, March 17, 2017 4:27 PM

All replies

  • Devices don't make connections through send connectors; your Exchange server makes connections through send connectors. You can look in the SMTP queues for messages that are going to a domain whose MX record, or a send connector someone has defined, routes to that host.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Saturday, March 18, 2017 2:34 AM
    Moderator
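The check Ed describes, as an added example that is not part of the original thread: run in the Exchange Management Shell, it looks for a send connector smart-hosting to the address, then for DNS-routed queues whose next-hop domain has an MX record resolving to it, and finally lists the queued messages with the address they were received from. The IP address is the one quoted in the protocol log above; the cmdlets and property names are standard Exchange and DnsClient ones.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# $targetIp is the remote endpoint quoted in the send protocol log.
$targetIp = '75.126.101.248'

# (a) Has anyone defined a send connector that smart-hosts to that address?
Get-SendConnector |
    Where-Object { "$($_.SmartHosts)" -match [regex]::Escape($targetIp) } |
    Format-List Name, SmartHosts, AddressSpaces, SourceTransportServers, Enabled

# (b) Which queues currently hold mail for a next hop that is, or resolves to,
#     the address? Queue objects carry NextHopDomain, DeliveryType and LastError.
$queues = Get-Queue | Where-Object {
    $_.MessageCount -gt 0 -and
    $_.DeliveryType -in 'DnsConnectorDelivery', 'SmartHostConnectorDelivery'
}

foreach ($q in $queues) {
    # Resolve MX -> A so a DNS-routed domain can be matched against the IP.
    $mxHosts = Resolve-DnsName -Name $q.NextHopDomain -Type MX -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'MX' } |
        Select-Object -ExpandProperty NameExchange
    $ips = foreach ($h in $mxHosts) {
        Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress
    }

    # A smart-host queue names the host directly in NextHopDomain.
    if ($ips -contains $targetIp -or $q.NextHopDomain -like "*$targetIp*") {
        '{0}: next hop {1} -> {2}; {3} message(s); last error: {4}' -f $q.Identity, $q.NextHopDomain, $targetIp, $q.MessageCount, $q.LastError

        # (c) The queued messages: who submitted them and from where. SourceIP is
        #     the address the message was received from, i.e. the relay,
        #     application or device if it arrived over a receive connector.
        Get-Message -Queue $q.Identity |
            Format-List DateReceived, FromAddress, Recipients, Subject, SourceIP, Status
    }
}
```

A queue that keeps refilling for a domain nobody in the organisation should be mailing is usually either a typo'd recipient domain or an application submitting through a receive connector; the SourceIP and FromAddress columns from step (c) tell those two cases apart.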
  • Hi,

    You need to check the source server IP addresses of your connector "Outbound to Internet - ExchangeServer"

    Get-SendConnector "Outbound to Internet - ExchangeServer" | fl SourceTransport*

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, March 20, 2017 3:20 AM
    Moderator
  • Jason.Chao, I think you meant to say the source server names, not the IP addresses.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, March 20, 2017 3:46 AM
    Moderator
  • Ed is right; once we have the source server, we can know its IP address easily.

    Then we should check whether the send connector has front-end proxy enabled, with the command: Get-SendConnector "Outbound to Internet - ExchangeServer" | fl *proxy*

    If its value is false, we can set the connectivity log via the command below on the Mailbox server:

    Set-TransportService Mailbox01 -ConnectivityLogPath "D:\Hub Connectivity Log" -ConnectivityLogMaxFileSize 20MB -ConnectivityLogMaxDirectorySize 1.5GB -ConnectivityLogMaxAge 45.00:00:00

    If its value is true, we need to run the following command on the CAS server:

    Set-FrontEndTransportService Mailbox01 -ConnectivityLogPath "D:\Hub Connectivity Log" -ConnectivityLogMaxFileSize 20MB -ConnectivityLogMaxDirectorySize 1.5GB -ConnectivityLogMaxAge 45.00:00:00

    We need to compare the connectivity log with the protocol log with the closest time and check the source and destination, we should find the required information.

    Hope it helps.


    Regards,

    Jason Chao



    Monday, March 20, 2017 8:27 AM
    Moderator
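The comparison Jason proposes, as an added example that is not part of the original thread. The send protocol log and the hub connectivity log use different session identifiers, and their timestamps need not line up, so this script joins the two on the remote IP address instead: the protocol log says which connection attempts failed, the connectivity log's `>` line names the next-hop domain behind that IP, and its "Failed connection" line carries the health state and failure counter. The sample lines are the ones quoted in this thread; the `#Fields:` column names are the ones Exchange writes at the top of each log file, reproduced here so ConvertFrom-Csv can name the columns. The path under $env:ExchangeInstallPath in the comment is the default log location and is an assumption for your server.

```powershell
# Added example (not from the thread). Sample lines are the ones quoted in the
# thread; to run against real logs replace the here-strings with, for example:
#   Get-Content (Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\Hub\ProtocolLog\SmtpSend\*.log') |
#       Where-Object { $_ -notmatch '^#' }
$protocolFields     = 'date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context' -split ','
$connectivityFields = 'date-time,session,source,Destination,direction,description' -split ','

$protocolLines = @'
2017-03-17T00:14:38.401Z,Outbound to Internet - ExchangeServer,08D414762366C445,0,,75.126.101.248:25,*,,attempting to connect
2017-03-17T00:14:39.448Z,Outbound to Internet - ExchangeServer,08D414762366C445,1,,75.126.101.248:25,*,,"Failed to connect. Winsock error code: 10061, Win32 error code: 10061, Error Message: No connection could be made because the target machine actively refused it 75.126.101.248:25"
'@

$connectivityLines = @'
2017-03-16T19:14:55.915Z,08D414762366C10A,SMTP,gamail.com,+,DnsConnectorDelivery 4c3f09e4-32a9-4fe0-86b7-a4809c433eb7;QueueLength=TQ=1;RN=1;.
2017-03-16T19:14:55.962Z,08D414762366C10A,SMTP,gamail.com,>,gamail.com[75.126.101.248]
2017-03-16T19:14:57.025Z,08D414762366C10A,SMTP,gamail.com,>,Failed connection to 75.126.101.248:25 (ConnectionRefused:0000274D)[TargetHost:gamail.com:25|MarkedUnhealthy|FailureCount:180|NextRetryTime:2017-03-16T19:19:55.909Z][TargetIPAddress:75.126.101.248:25|MarkedUnhealthy|FailureCount:180|NextRetryTime:2017-03-16T19:19:55.909Z]
2017-03-16T19:14:57.025Z,08D414762366C10A,SMTP,gamail.com,-,Messages: 0 Bytes: 0 (Retry : Unable to connect)
'@

# Exchange CSV logs quote fields that contain commas, so ConvertFrom-Csv handles them.
$protocol     = $protocolLines     -split "`r?`n" | ConvertFrom-Csv -Header $protocolFields
$connectivity = $connectivityLines -split "`r?`n" | ConvertFrom-Csv -Header $connectivityFields

$ipv4 = '(?<ip>\d{1,3}(?:\.\d{1,3}){3})'

# Protocol log: every failed connection attempt, keyed by remote IP.
$failures = $protocol | ForEach-Object {
    if ($_.data -like 'Failed to connect*' -and $_.'remote-endpoint' -match "^${ipv4}:\d+$") {
        [pscustomobject]@{
            Time      = [datetimeoffset]$_.'date-time'
            Connector = $_.'connector-id'
            SessionId = $_.'session-id'
            RemoteIp  = $Matches.ip
        }
    }
}

# Connectivity log: the '>' line "domain[ip]" ties a next-hop domain to an IP ...
$hops = $connectivity | ForEach-Object {
    if ($_.direction -eq '>' -and $_.description -match "^(?<domain>\S+)\[${ipv4}\]$") {
        [pscustomobject]@{ Session = $_.session; Domain = $Matches.domain; RemoteIp = $Matches.ip }
    }
}
# ... and the "Failed connection" line carries the reason, health state and counter.
$health = $connectivity | ForEach-Object {
    if ($_.description -match "Failed connection to ${ipv4}:\d+ \((?<reason>[^)]+)\)\[TargetHost:[^|]+\|(?<state>[^|]+)\|FailureCount:(?<count>\d+)") {
        [pscustomobject]@{ Session = $_.session; RemoteIp = $Matches.ip; Reason = $Matches.reason; State = $Matches.state; FailureCount = [int]$Matches.count }
    }
}

# Join on the IP: one row per failed protocol-log attempt, enriched with the
# domain(s) Exchange was trying to deliver to and the worst recorded health state.
foreach ($f in $failures) {
    $domains = ($hops | Where-Object { $_.RemoteIp -eq $f.RemoteIp } | Select-Object -ExpandProperty Domain -Unique) -join ','
    $worst   = $health | Where-Object { $_.RemoteIp -eq $f.RemoteIp } | Sort-Object FailureCount -Descending | Select-Object -First 1
    [pscustomobject]@{
        ProtocolTime    = $f.Time
        Connector       = $f.Connector
        ProtocolSession = $f.SessionId
        RemoteIp        = $f.RemoteIp
        NextHopDomain   = $domains
        Reason          = $worst.Reason
        State           = $worst.State
        FailureCount    = $worst.FailureCount
    }
} | Format-Table -AutoSize
```

On the sample lines this yields a single row: protocol session 08D414762366C445 on the "Outbound to Internet - ExchangeServer" connector, remote IP 75.126.101.248, next-hop domain gamail.com, reason ConnectionRefused:0000274D, state MarkedUnhealthy, FailureCount 180. The failure counter and the NextRetryTime in the same log line are what the server will use to pace further attempts, which is why the same target keeps reappearing in the protocol log all day.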
  • Jason, thank you

    I have connectivity logging enabled by default already. The time stamps seem way off from the Connectivity log to the SMTP protocol log; however, I was able to correlate the entries by target server IP in all entries. It is strange, as this appears to be related to emails being sent to a gamail account, so I assumed the cloud-hosting IP address I looked up (this 75.126.101.248 below) may have been some content delivery for Google, but then I read they were competitors. Anyway, the log entry is below; note the GAMAIL.com. Maybe a misconfigured client? How can I determine who? What does "marked unhealthy" mean?

    2017-03-16T19:14:55.915Z,08D414762366C10A,SMTP,gamail.com,+,DnsConnectorDelivery 4c3f09e4-32a9-4fe0-86b7-a4809c433eb7;QueueLength=TQ=1;RN=1;.
    2017-03-16T19:14:55.962Z,08D414762366C10A,SMTP,gamail.com,>,gamail.com[75.126.101.248]
    2017-03-16T19:14:57.025Z,08D414762366C10A,SMTP,gamail.com,>,Failed connection to 75.126.101.248:25 (ConnectionRefused:0000274D)[TargetHost:gamail.com:25|MarkedUnhealthy|FailureCount:180|NextRetryTime:2017-03-16T19:19:55.909Z][TargetIPAddress:75.126.101.248:25|MarkedUnhealthy|FailureCount:180|NextRetryTime:2017-03-16T19:19:55.909Z]
    2017-03-16T19:14:57.025Z,08D414762366C10A,SMTP,gamail.com,-,Messages: 0 Bytes: 0 (Retry : Unable to connect)

    These emails sit in the queue until they time out and an NDR is generated for the sender. I'm just not sure why.

    Monday, March 20, 2017 2:16 PM
  • It seems we need to check the connectivity log further for the session GUID 08D414762366C10A; it's from Mailbox Transport to the Transport service.

    In the path:   %ExchangeInstallPath%TransportRoles\Logs\Mailbox\Connectivity

    Hope it helps.


    Regards,

    Jason Chao



    Tuesday, March 21, 2017 10:25 AM
    Moderator
  • I will review the GUID. I was just in now and noticed another email in the queue that does not have a From Address, and no one sent an email with that subject either. The From Address looks like:

    From Address: <>

    I'm starting to wonder if I have a slow spam leak somewhere...

    Wednesday, March 22, 2017 4:05 PM
  • Okay. I searched the Submission and even the Delivery logs (just for GP) and found no entry for this session GUID in either for the period listed above on that date. I checked the entire day of the 16th: nothing. As a matter of fact, I cannot find any in that same sequence. It appears to be that of an older session, way older than a month? That is as far back as my log goes. This would have to go way back if I'm currently on "E" in hex, if I'm reading this correctly.

    The Session ID for Submission of the oldest entry on 2/20/2017 is below. All following Session IDs up until today are of the same format, with changes on the lower end.

    08D41476 E1D4789C


    Wednesday, March 22, 2017 4:25 PM
  • Just to clarify, I've been pulling logs from TransportRoles\Logs\Hub\Connectivity and Protocol,

    not those from TransportRoles\Logs\Mailbox\Connectivity

    It appears the Session IDs do not match across these log locations.

    Wednesday, March 22, 2017 4:38 PM
  • OK, it seems hard to find the root cause of the IPs of the connections.

    Have you checked whether any third-party apps or devices are sharing out Exchange services?


    Regards,

    Jason Chao



    Tuesday, March 28, 2017 8:34 AM
    Moderator
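One way to answer Jason's last question and the poster's "how can I determine who", as an added example that is not part of the original thread: the message tracking log records, for every message, how it entered the Transport service. A RECEIVE event with Source SMTP came in over a receive connector and carries the ClientIp and ClientHostname of the submitting relay, application or device; one with Source STOREDRIVER was submitted by a mailbox user. The recipient domain is the one from the thread's connectivity log; the seven-day window is an assumption. Run in the Exchange Management Shell.

```powershell
# Added example (not from the thread). Trace where mail addressed to the
# suspicious domain enters the organisation. $domain is from the thread's
# connectivity log; the date range is an assumption.
$domain   = 'gamail.com'
$since    = (Get-Date).AddDays(-7)
$toDomain = "@$([regex]::Escape($domain))$"

# RECEIVE events on the Transport service: Source=SMTP means a receive connector
# (ClientIp/ClientHostname identify the submitter); Source=STOREDRIVER means a
# mailbox user submitted it from Outlook, OWA or a mobile device.
$entries = Get-MessageTrackingLog -Server $env:COMPUTERNAME -Start $since -EventId RECEIVE -ResultSize Unlimited |
    Where-Object { $_.Recipients -match $toDomain }

$entries | Sort-Object Timestamp |
    Format-Table Timestamp, Source, ClientIp, ClientHostname, ConnectorId, Sender, MessageSubject -AutoSize

# Group by submitting client: a single host producing all of it points at a
# misconfigured application or device rather than at users mistyping an address.
$entries | Group-Object Source, ClientIp, ConnectorId |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# A null reverse-path (MAIL FROM:<>, shown as Sender '<>') marks a DSN/NDR the
# server generated itself; these are bounces for earlier mail, not new submissions.
# Listing them with their subjects shows what they are bouncing.
Get-MessageTrackingLog -Server $env:COMPUTERNAME -Start $since -ResultSize Unlimited |
    Where-Object { $_.Sender -eq '<>' -and $_.Recipients -match $toDomain } |
    Format-Table Timestamp, EventId, Source, Recipients, MessageSubject -AutoSize
```

If the grouped output shows one ClientIp on an anonymous or externally reachable receive connector, check that connector's permission groups and remote IP ranges; if everything comes from STOREDRIVER, the "device" is a user's address book entry.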