Added Proofpoint SPAM Filter, now certain domains are not being delivered to users

    Question

  • Hi, 

    So, we have a new client that recently got Proofpoint.  We created the account in Proofpoint, loaded up all the users, and placed the Proofpoint IPs in the receive connector named mail.XXXXX.org frontend transport.

    Emails are passing through the filter (as clean, and listed as delivered by the Proofpoint service).  Most emails are making it to the end user; however, certain domains are not (any user from that domain, not just certain ones).

    I am puzzled, but I am also not an in-depth Exchange guy.

    The fear is there are other domains that the client is not receiving, and we just don't know it yet.  

    Any suggestions? Please.

    Monday, April 18, 2016 6:13 PM

All replies

  • Hey USherCTSI,

    So to confirm, messages that aren't being received in Exchange show up in the ProofPoint logs as being delivered?

    If so, have you checked Exchange Message Tracking to see if it has any evidence of message rejection? Typically when ProofPoint marks a message as delivered it is indicating a successful handoff of the message to Exchange.


    Monday, April 18, 2016 6:18 PM
  • Yes, and while I am not a PowerShell guy, I did run one script and it said Fail SMTP.  I am sure there is more information, but I don't know what commands will show it to me.


    Monday, April 18, 2016 6:24 PM
  • Hi USher,

    You can consider enabling protocol logs and that will show more information to you.

    The following links show more details about protocol logs for your reference:

    Protocol logging

    Protocol logging records the SMTP conversations that occur between messaging servers as part of message delivery. These SMTP conversations occur on Send connectors and Receive connectors that exist in the Front End Transport service on Client Access servers, the Transport service on Mailbox servers, and the Mailbox Transport service on Mailbox servers. You can use protocol logging to diagnose mail flow problems. By default, protocol logging is disabled on all Send connectors and Receive connectors.

    Analyzing the protocol logs and Message tracking logs in Exchange 2013

    In this article we will be looking at how to enable protocol logging and Message tracking in Exchange 2013 and analyzing the protocol and message tracking logs as well in a little bit different way through Excel.

    Best regards,

    Niko Cheng
    TechNet Community Support

    Tuesday, April 19, 2016 8:14 AM
    Moderator
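
The steps that reply points to, written out as an added example (not part of the original thread or of the linked articles). It assumes Exchange 2013 or later and the Exchange Management Shell; the connector name and sender domain are placeholders.

```powershell
# Added example. Run in the Exchange Management Shell on the server that owns the connector.
# Placeholders below are assumptions, not values from the thread.
$Connector    = 'SERVER01\Inbound from filter'  # receive connector that lists the filter's IPs
$SenderDomain = 'example.com'                   # a sender domain whose mail goes missing
$Since        = (Get-Date).AddDays(-2)

# 1. Protocol logging is off by default; turn it on for the connector.
Set-ReceiveConnector -Identity $Connector -ProtocolLoggingLevel Verbose

# 2. Locate the Front End Transport receive protocol logs on this server.
$LogDir = [string](Get-FrontendTransportService -Identity $env:COMPUTERNAME).ReceiveProtocolLogPath

# 3. Find SMTP sessions in which the sender domain appears in MAIL FROM.
#    Protocol log rows are CSV; session-id is the third field.
$Pattern  = 'MAIL FROM:<[^>]*@' + [regex]::Escape($SenderDomain) + '>'
$Sessions = Get-ChildItem -Path $LogDir -Filter *.log |
    Where-Object { $_.LastWriteTime -ge $Since } |
    Select-String -Pattern $Pattern |
    ForEach-Object { ($_.Line -split ',')[2] } |
    Sort-Object -Unique

# 4. For those sessions, show every 4xx/5xx reply this server sent ('>' marks a sent line).
foreach ($Id in $Sessions) {
    Get-ChildItem -Path $LogDir -Filter *.log |
        Select-String -SimpleMatch -Pattern ",$Id," |
        Where-Object { $_.Line -match ',>,"?[45]\d\d[ -]' } |
        ForEach-Object { $_.Line }
}

# 5. Follow the same sender domain through message tracking on every transport server.
Get-TransportService | Get-MessageTrackingLog -Start $Since -ResultSize Unlimited |
    Where-Object { $_.Sender -like "*@$SenderDomain" } |
    Sort-Object Timestamp |
    Format-List Timestamp, EventId, Source, Sender, Recipients, RecipientStatus, MessageSubject
```

A message that shows a RECEIVE event with no later DELIVER, or a FAIL event, carries the rejection text in RecipientStatus. Protocol logging only records sessions that start after it is enabled, so steps 3 and 4 need a fresh test message from the affected domain.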

  • Did you update all of the MX records for those domains to point to Proofpoint?  Use http://www.mxtoolbox.com and check that each domain is pointing to the correct servers.

    Are all of the domains listed in Proofpoint under System > Inbound Mail?  They all need to have the correct destination IP listed.

    In Exchange, are all of the domains listed on the Mail Flow tab > Accepted Domains?

    If all of those items are in order I would use the Microsoft Remote Connectivity Analyzer to look for additional clues:

    https://testconnectivity.microsoft.com/


    Crystal Chadwick Sr. Exchange Administrator

    Tuesday, April 19, 2016 7:32 PM
  • Thanks for the information. Here are the log results for one of the undelivered emails:

    MAIL FROM:<Bill@ctsioutsourcing.com> SIZE=0 AUTH=<>
    SMTPSubmit SMTPSubmitForMLS SMTPAcceptAnyRecipient SMTPAcceptAuthenticationFlag SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender BypassMessageSizeLimit SMTPSendEXCH50 SMTPAcceptEXCH50 AcceptRoutingHeaders AcceptForestHeaders AcceptOrganizationHeaders SendRoutingHeaders SendForestHeaders SendOrganizationHeaders SendAs SMTPSendXShadow SMTPAcceptXShadow SMTPAcceptXProxyFrom SMTPAcceptXSessionParams SMTPAcceptXMessageContextADRecipientCache SMTPAcceptXMessageContextExtendedProperties SMTPAcceptXMessageContextFastIndex SMTPAcceptXAttr SMTPAcceptXSysProbe
    08D369472DB29327;2016-04-20T18:14:11.391Z;2
    RCPT TO:<sherrie.Doyal@sowegacoa.org>
    250 2.1.0 Sender OK
    250 2.1.5 Recipient OK
    DATA
    354 Start mail input; end with <CRLF>.<CRLF>


    250 2.6.0 <1E0F7270-605A-4D84-A4BC-C3553EDF50DC@ctsioutsourcing.com> Queued mail for delivery

    SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders
    220 Mail.Sowegacoa.org
    EHLO SOWEGA-SRV.SOWEGACOA.ORG
    250-SOWEGA-SRV.SOWEGACOA.ORG Hello [172.16.5.5]
    250-SIZE
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-X-ANONYMOUSTLS
    250-AUTH NTLM
    250-X-EXPS GSSAPI NTLM
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250-XEXCH50
    250-XRDST
    250 XSHADOWREQUEST
    X-ANONYMOUSTLS
    220 2.0.0 SMTP server ready

    CN=mail.sowegacoa.org
    CN=mail.sowegacoa.org
    110E63A67056B1884D2E09FF95CF565C
    13356421FC7E476D6352938BC60942135CA85FA6
    mail.sowegacoa.org;sowega-srv.sowegacoa.org;AutoDiscover.SOWEGACOA.ORG;SOWEGA-SRV;SOWEGACOA.ORG

    I tried to look a lot of this stuff up, but kept seeing things about MTU on the router/firewall....

    Wednesday, April 20, 2016 7:43 PM
  • MX records are good.

    The Proofpoint filter we are using is cloud based....but that said, the domain is listed (recipient domain)

    Accepted domains are correct.

    Testconnectivity.microsoft.com yielded no results that showed anything that was wrong.

    Wednesday, April 20, 2016 7:45 PM
  • Also, to explain further.

    Email was flowing and being delivered completely fine up until we changed the MX records and the mail receive connector (to which we added the Proofpoint IPs).

    After making the changes, email was being delivered, but certain domains, that were clean and passed by the Proofpoint solution, were not delivered.

    Not sure if it was clear that this was a working Exchange with no issues prior to implementing the Proofpoint filter.

    Wednesday, April 20, 2016 7:49 PM
  • Looks like Exchange is receiving the message and has queued for delivery.

    If you open the Exchange Toolbox and check the Queue Viewer, are you seeing anything other than zeroes in the message queues?

    Also, see if you can locate the missing email in the Exchange Admin Center under Mail Flow --> Delivery Reports tab.


    Wednesday, April 20, 2016 8:06 PM
  • In the mailbox database (delivery type SMTP Delivery to Mailbox) the message count is 0.

    I searched the Delivery report and it yielded two emails that were not part of the ones from the domains that were not delivered.

    I am at a loss.  Not sure what the next steps are, but in order to restore flow, we have removed the changes that enacted the Proofpoint filter and are dropping back to punt.

    Wednesday, April 20, 2016 9:08 PM
  • You said you have changed the MX records; did you also create the SPF record?

    The emails are not delivered, are they from a specific domain?


    Where Technology Meets Talent

    Wednesday, April 20, 2016 9:11 PM
  • Yes, SPF records were changed according to Proofpoint's documentation. The emails not being received are from specific domains. Most email is flowing normally.
    Thursday, April 21, 2016 1:54 PM