Remove From My Forums

Mails Lost Exchange 2007

Question
0

Sign in to vote

Hi,

I've some problems with the exchange server 2007. We are losing some mails and it looks like they getting lost between the Edge and the Hub role. All roles are installed on one physical device (no vms). I searched the one of the lost mails with the trouble shooting tool and found it after that i check the details with get-messagetrackinglog -internalmessageid "XXXX".

The result was that this "lost message" has just one entry with the eventID RECEIVE. Then I checked an email for the same sender which arrived the mailbox. This mail has two entries, one with eventID RECEIVE and another with the eventID DELIVER.

My question is how can I find and resend this lost emails. They can not be in the queue anymore bnecause they are deleted after the categorizer categorizes them.

Is there a shell command to resend them?

Where can I find the e-mails, are tehy still cached on the system?

Thanks for your Help

BR

MessageTrackingLog one Good and one BAd (from same Sender outside our oraginization)

BAD:

Timestamp               : 2011-07-19 10:21:30
ClientIp                : XXX.XXX.XXX.XXX
ClientHostname          :
ServerIp                : YYY.YYY.YYY.YYY
ServerHostname          : MX01
SourceContext           : 08CE0319BEFF6A57;2011-07-19T08:21:26.747Z;0
ConnectorId             : MX01\Default MX01
Source                  : SMTP
EventId                 : RECEIVE
InternalMessageId       : 30960401
MessageId               : <4E253E62.5040401@sender.com>
Recipients              : {john.dough@intern.com}
RecipientStatus         : {}
TotalBytes              : 3639154
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Lost Mail
Sender                  : office@sender.com
ReturnPath              : office@sender.com
MessageInfo             : 00A:

good:

Timestamp               : 2011-07-20 12:18:06
ClientIp                : XXX.XXX.XXX.XXX
ClientHostname          :
ServerIp                : YYY.YYY.YYY.YYY
ServerHostname          : MX01
SourceContext           : 08CE0319BEFFA713;2011-07-20T10:18:00.120Z;0
ConnectorId             : MX01\Default MX01
Source                  : SMTP
EventId                 : RECEIVE
InternalMessageId       : 32070502
MessageId               : <4E26AB56.3040007@sender.com>
Recipients              : {john.dough@intern.com}
RecipientStatus         : {}
TotalBytes              : 7731
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Mail
Sender                  : office@sender.com
ReturnPath              : office@sender.com
MessageInfo             : 00A:

Timestamp               : 2011-07-20 12:18:06
ClientIp                :
ClientHostname          : MX01
ServerIp                :
ServerHostname          : MX01
SourceContext           :
ConnectorId             :
Source                  : STOREDRIVER
EventId                 : DELIVER
InternalMessageId       : 32070502
MessageId               : <4E26AB56.3040007@sender.com>
Recipients              : {john.dough@intern.com}
RecipientStatus         : {}
TotalBytes              : 7926
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Mail
Sender                  : office@sender.com
ReturnPath              : office@sender.com
MessageInfo             : 2011-07-20 12:18:00

Thursday, July 21, 2011 9:08 AM

Answers

0

Sign in to vote
Hi,

thanks for your great help. I will enable the SMTP logs and see what happens/fails in the future. xD

The reason why the smtp logs were disable was that the former IT responsible for the mx structure has not configured smtp logging.

If someone still can give me an answere why this could have happened it would be great.

BR

Exit1337

/closed

..next time we eat bacon
- Marked as answer by exit1337 Monday, September 17, 2012 11:22 AM
Tuesday, July 26, 2011 8:48 AM

All replies

1

Sign in to vote

Do you see those emails in the queue?
Gulab | MCITP: Exchange 2010-2007 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.Blogspot.com

Thursday, July 21, 2011 9:56 AM
1

Sign in to vote

eventID Receive indicate that your server has received the mail, we need to check what happends after that, i suspect some filtering software installed on server.

Have you enabled, content filtering/spam/malware/antivirus filtering on EDG or HUB server.

if yes, check the that logs.

Check if the sender receive any NDR/Delayed response.

eventID DELIVER - willl generate when to delver to mbx server.
>>:::.... if you find it useful, mark this as answer ...:::<< Thanks & Regards, Sandheep [...:::""I can't do it" never yet accomplished anything; "I will try" has performed wonders ":::...]

Thursday, July 21, 2011 9:59 AM
0

Sign in to vote

The mail is not in the queue, I think that it already was there

Timestamp : 2011-07-19 10:21:30
ClientIp : XXX.XXX.XXX.XXX
ClientHostname :
ServerIp : YYY.YYY.YYY.YYY
ServerHostname : MX01
SourceContext : 08CE0319BEFF6A57;2011-07-19T08:21:26.747Z;0
ConnectorId : MX01\Default MX01
Source : SMTP
EventId : RECEIVE (received by edge and filled into the queue)

and the failure is somewhere between edge and hub.

The mail comes in ->edge puts it into the queue->categorizier checks it (smtp adr..) ->transferstarts + queue entry is removed

I think thats how it should work (in a very simple way), please correct me if i'm wrong.

To the other comment its not in quarantine, I checked it.

I'm still searching for where it can be and a way to resend it.

BR

THANKS FOR TEH QUICK REPLY
..next time we eat bacon

Thursday, July 21, 2011 11:07 AM
0

Sign in to vote

On Thu, 21 Jul 2011 09:08:49 +0000, exit1337 wrote:

>

>

>Hi,

>

>

>

>I've some problems with the exchange server 2007. We are losing some mails and it looks like they getting lost between the Edge and the Hub role. All roles are installed on one physical device (no vms). I searched the one of the lost mails with the trouble shooting tool and found it after that i check the details with get-messagetrackinglog -internalmessageid "XXXX".

>

>The result was that this "lost message" has just one entry with the eventID RECEIVE.

Check the agent logs and see if one of them did something with the

message.

>Then I checked an email for the same sender which arrived the mailbox. This mail has two entries, one with eventID RECEIVE and another with the eventID DELIVER.

If there's a DELIVER event then the messages were, well, delivered to

the mailbox.

>My question is how can I find and resend this lost emails. They can not be in the queue anymore bnecause they are deleted after the categorizer categorizes them.

That depends on what happened to the message. If, say, your AV deleted

it, well, then, it's gone. If it was quarantined, release it (it may

not be delivered if you rescan the message).

---

Rich Matheisen

MCSE+I, Exchange MVP

--- Rich Matheisen MCSE+I, Exchange MVP

Thursday, July 21, 2011 9:57 PM
0

Sign in to vote

Hi,

as you can see in my earlier post I checked two messages of the same sender, one good and one bad message.

Both were received from the system and one was acctually delivered.

I just called the one mail "Badmail" because it didn't went trough to the mailbox but it was recived and it still think it got lost on the way from teh queue to the mbx.

Trackinglog Bad mail (check out the full log in my first post)

>Timestamp : 2011-07-19 10:21:30
>ClientIp : XXX.XXX.XXX.XXX
>ClientHostname :
>ServerIp : YYY.YYY.YYY.YYY
>ServerHostname : MX01
>SourceContext : 08CE0319BEFF6A57;2011-07-19T08:21:26.747Z;0
>ConnectorId : MX01\Default MX01
>Source : SMTP
>EventId : RECEIVE (received by edge and filled into the queue)

>and the failure is somewhere between edge and hub.

>The mail comes in ->edge puts it into the queue->categorizier checks it (smtp adr..) ->transferstarts + queue entry is removed

Here is the Agentlog and as I've written the logs look fine.

Timestamp       : 2011-07-19 10:21:29
SessionId       : 08CE0319BEFF6A57
IPAddress       : XXX.XXX.XXX.XXX
MessageId       : <4E253E62.5040401@sender.com>
P1FromAddress   : office@sender.com
P2FromAddresses : {office@sender.com}
Recipients      : {john.dough@intern.com}
Agent           : Content Filter Agent
Event           : OnEndOfData
Action          : AcceptMessage
SmtpResponse    :
Reason          : SCL
ReasonData      : 0
Diagnostics     :

Any solutions?

BR

..next time we eat bacon

Friday, July 22, 2011 7:43 AM
1

Sign in to vote

Hi,

Please check if the badmails are existing in the pickup folder under c\program files\exchange server\trasportroles\. The messages that are determined to be badmail are left in the pickup folder and are renamed from “.eml” to “.bad”, and if “.bad” message already there, it’ll rename to MessageName.Date.bad.

Friday, July 22, 2011 9:20 AM
0

Sign in to vote

Hi,

thanks for this hint but the folder C:\Program Files\Microsoft\Exchange Server\TransportRoles\Pickup is empty.

It's weird I can not explain what happend to this e mail. Have you seen the South Park Episode when they're opening a bank account to save some money?

They were asking the clerk if its possible to get back the money they gave him, and his answer was "Poof it's gone". (http://www.youtube.com/watch?v=RAKsMnAM8vk)

Its really unsatisfying to deal with such problems.

BR

..next time we eat bacon

Friday, July 22, 2011 10:54 AM
1

Sign in to vote

On Fri, 22 Jul 2011 07:43:47 +0000, exit1337 wrote:

>

>

>Hi,

>

>

>

>as you can see in my earlier post I checked two messages of the same sender, one good and one bad message.

>

>Both were received from the system and one was acctually delivered.

>

>I just called the one mail "Badmail" because it didn't went trough to the mailbox but it was recived and it still think it got lost on the way from teh queue to the mbx.

>

>Trackinglog Bad mail (check out the full log in my first post)

>

>>Timestamp : 2011-07-19 10:21:30 >ClientIp : XXX.XXX.XXX.XXX >ClientHostname : >ServerIp : YYY.YYY.YYY.YYY >ServerHostname : MX01 >SourceContext : 08CE0319BEFF6A57;2011-07-19T08:21:26.747Z;0 >ConnectorId : MX01\Default MX01 >Source : SMTP >EventId : RECEIVE (received by edge and filled into the queue)

>

>>and the failure is somewhere between edge and hub.

>

>>The mail comes in ->edge puts it into the queue->categorizier checks it (smtp adr..) ->transferstarts + queue entry is removed

Does that message ever show up in the SMTP send protocol log on the

edge, or the SMTP receive protocol log on the Hub Transport?

---

Rich Matheisen

MCSE+I, Exchange MVP

--- Rich Matheisen MCSE+I, Exchange MVP

Friday, July 22, 2011 2:16 PM
0

Sign in to vote

Hi,

thanks but this log can not help because its disabled by default. :(

Is there still a way to check out what happend?

What could be the problem for the lost e-mail(s)?

Or is this a known issue of exchange 07?

Fact is that this server is active since 3 years and it was the first time somebody reported a lost mail that was not captured by the Content/Spam Filter. So its was received by the edge and got lost somewhere between queue and transport. xD

BR

..next time we eat bacon

Monday, July 25, 2011 8:58 AM
1

Sign in to vote

On Mon, 25 Jul 2011 08:58:20 +0000, exit1337 wrote:

>thanks but this log can not help because its disabled by default. :(

So enable it! And enable the logging on the recieve connector, too!

>Is there still a way to check out what happend?

You're already tried and said that you can't figure it out. I'm just

asking if the message the edge accepted was ever sent to (or tried to

be sent to) the HT server. If the answer is "no" then the problem is

isolated to the edge server. If, OTOH, you see an attempt to send the

message you'd have some idea of why it failed.

>What could be the problem for the lost e-mail(s)?

That's what you're trying to discover.

>Or is this a known issue of exchange 07?

Not that I know of.

>Fact is that this server is active since 3 years and it was the first time somebody reported a lost mail that was not captured by the Content/Spam Filter. So its was received by the edge and got lost somewhere between queue and transport. xD

If this is something that's reproducible, you might try using pipeline

tracing to capture the message that fails.

---

Rich Matheisen

MCSE+I, Exchange MVP

--- Rich Matheisen MCSE+I, Exchange MVP

Monday, July 25, 2011 9:41 PM
0

Sign in to vote
Hi,

thanks for your great help. I will enable the SMTP logs and see what happens/fails in the future. xD

The reason why the smtp logs were disable was that the former IT responsible for the mx structure has not configured smtp logging.

If someone still can give me an answere why this could have happened it would be great.

BR

Exit1337

/closed

..next time we eat bacon
- Marked as answer by exit1337 Monday, September 17, 2012 11:22 AM
Tuesday, July 26, 2011 8:48 AM
0

Sign in to vote

I am experiencing this issue too. Recently two users raised complaints that messages appeared on iPhone and OWA, but was not visible in Outlook Client. Message tracking revealed on all three occasions two message threads had duplicate InternalMessageID's (while message ids remains unique). This happened to me today when I received an email on android phone - go to view it from workstation and it is not visible. When I look again on phone, the email client refreshes and message is gone! WTHeck!?

Hoping other's have encountered this and can give advice on how to fix InternalMessageID so different threads cannot share same InternalMessageID, assuming this is the problem.

Thanks - James

Wednesday, July 2, 2014 8:36 PM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Mails Lost Exchange 2007

Question

Answers

All replies