Exchange 2010 / POP3 Security Issue - "Command is not valid in this state."

  • Question

  • Hi Folks -

    Posted this in what may have been the wrong forum -- hopefully THIS is the right one.

    Having an issue with POP3 w/ our Exchange 2010 SP2 setup.  Using telnet to test connecting to port 110 of either of our CAS/Hub servers and entering a valid user and pass, the error '-ERR Command is not valid in this state.' is generated.

    Now, the common fix for this is to run the EMS command 'Set-PopSettings -LoginType PlainTextLogin' which we have done, as well as restarting the POP3 service.  This has not resolved the issue.

    It does not appear to matter if the mailbox lives on 2003 (as we are co-existing, for now) or a 2010 mailbox server.

    Any ideas?  What are we missing?

    Any help would be greatly appreciated.  THANK YOU!

    -Craig

    Friday, April 13, 2012 2:47 PM

Answers

  • Just a quick follow-up to all of this....

    Our issue is resolved.  SOMETHING changes w/ RU2, as our applications began working after applying that.  However, using Putty as a telnet client w/ Exchange 2010 absolutely was an issue, and we confirmed this with Microsoft as well.  Network traces showing that it was throwing some garbage characters upon first connecting to Exchange.  What's weird, is we use Putty to manage all sorts of stuff without issue -- Cisco gear, VMware ESXi servers, misc. appliances, etc.

    Thank you to everyone who offered assistance.  It is appreciated!

    -Craig

    • Marked as answer by Xiu Zhang Wednesday, April 25, 2012 6:09 AM
    Tuesday, April 24, 2012 12:22 PM

All replies

  • Hi,

    Please post the whole telnet process here.

    Please try to enable protocol logging for pop3 and then post the related error information here.

    Configure Protocol Logging for POP3 and IMAP4

    http://technet.microsoft.com/en-us/library/aa997690.aspx

    By the way, how many Exchange Servers in the environment? Do you have Exchange 2003 included?


    Xiu Zhang

    TechNet Community Support

    Monday, April 16, 2012 8:31 AM
  • Hi Xiu -

    Fair enough, here we go:

    Telnet Process:

    +OK The Microsoft Exchange POP3 service is ready.
    user testuser
    -ERR Protocol error. 17
    pass testpassword
    -ERR Command is not valid in this state.

    POP3 Service Log:

    dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
    #Software: Microsoft Exchange Server
    #Version: 14.0.0.0
    #Log-type: POP3 Log
    #Date: 2012-04-16T12:10:04.176Z
    #Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
    2012-04-16T12:10:04.176Z,0000000000000001,0,10.160.20.229:110,10.160.34.55:57612,,-2147483648,0,51,OpenSession,,
    2012-04-16T12:10:08.139Z,0000000000000001,1,10.160.20.229:110,10.160.34.55:57612,,140,31,25,,,"R=""-ERR Protocol error. 17"""
    2012-04-16T12:10:10.401Z,0000000000000001,2,10.160.20.229:110,10.160.34.55:57612,,31,10,42,pass,,"R=""-ERR Command is not valid in this state."""
    2012-04-16T12:10:11.898Z,0000000000000001,3,10.160.20.229:110,10.160.34.55:57612,,0,0,25,InvalidCommand,,"R=""-ERR Protocol error. 20"""

    There are seven total Exchange servers -- 4 2010 and 3 2003.

    Thanks again for your help in advance!

    -Craig

    Monday, April 16, 2012 12:14 PM
  • Are these mailbox servers in the same site as the CAS Box?

    Regards Herbert Zimbizi

    Monday, April 16, 2012 1:39 PM
  • Yes.  All of the 2010 and 2003 servers are in the same site as both CAS/Hub servers.

    -Craig

    Monday, April 16, 2012 1:44 PM
  • On Mon, 16 Apr 2012 12:14:59 +0000, cliess wrote:
     
    >
    >
    >Hi Xiu -
    >
    >Fair enough, here we go:
    >
    >Telnet Process:
    >
    >+OK The Microsoft Exchange POP3 service is ready.
    >user testuser
    >-ERR Protocol error. 17
    >pass testpassword
    >-ERR Command is not valid in this state.
    >
    >POP3 Service Log:
    >
    >dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
    >#Software: Microsoft Exchange Server
    >#Version: 14.0.0.0
    >#Log-type: POP3 Log
    >#Date: 2012-04-16T12:10:04.176Z
    >#Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
    >2012-04-16T12:10:04.176Z,0000000000000001,0,10.160.20.229:110,10.160.34.55:57612,,-2147483648,0,51,OpenSession,,
    >2012-04-16T12:10:08.139Z,0000000000000001,1,10.160.20.229:110,10.160.34.55:57612,,140,31,25,,,"R=""-ERR Protocol error. 17"""
    >2012-04-16T12:10:10.401Z,0000000000000001,2,10.160.20.229:110,10.160.34.55:57612,,31,10,42,pass,,"R=""-ERR Command is not valid in this state."""
    >2012-04-16T12:10:11.898Z,0000000000000001,3,10.160.20.229:110,10.160.34.55:57612,,0,0,25,InvalidCommand,,"R=""-ERR Protocol error. 20"""
    >
    >There are seven total Exchange servers -- 4 2010 and 3 2003.
    >
    >Thanks again for your help in advance!
     
    Where's the "USER" command? You can't supply a "PASS" command without
    having a USER!
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Monday, April 16, 2012 9:50 PM
  • Hi,

    Please run 'Set-PopSettings -LoginType PlainTextLogin' from one CAS server

    Please restart pop3 services.

    Please try to use telnet 127.0.0.1 110 from that CAS server

    +OK The Microsoft Exchange POP3 service is ready

    USER user@domain.com

    +ok

    Pass Password

    +ok User successfully logged on.


    Xiu Zhang

    TechNet Community Support

    Tuesday, April 17, 2012 6:25 AM
  • Hi Rich -

    Re-check my post.. the user command is there ;)

    -Craig


    • Edited by cliess Tuesday, April 17, 2012 11:47 AM
    Tuesday, April 17, 2012 11:47 AM
  • Hi Xiu -

    As stated in my original post, I already ran that command, and that did not solve the issue.  I double-checked with the GUI to confirm that the setting had indeed been changed.

    Additionally, connecting locally and specifying the domain name still generates the error.

    -Craig

    Tuesday, April 17, 2012 11:51 AM
  • On Tue, 17 Apr 2012 11:47:44 +0000, cliess wrote:
     
    >
    >
    >Hi Rich -
    >
    >Re-check my post.. the user command is there ;)
     
    Where? I see "pass" in the server log but not "user". The "user"
    command was never accepted so the "pass" command is, as reported,
    "invalid in this state". That's what the subject of your posting
    claims to be the problem.
     
    #Software: Microsoft Exchange Server
    #Version: 14.0.0.0
    #Log-type: POP3 Log
    #Date: 2012-04-16T12:10:04.176Z
    #Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
    2012-04-16T12:10:04.176Z,0000000000000001,0,10.160.20.229:110,10.160.34.55:57612,,-2147483648,0,51,OpenSession,,
    2012-04-16T12:10:08.139Z,0000000000000001,1,10.160.20.229:110,10.160.34.55:57612,,140,31,25,,,"R=""-ERR Protocol error. 17"""
    2012-04-16T12:10:10.401Z,0000000000000001,2,10.160.20.229:110,10.160.34.55:57612,,31,10,42,pass,,"R=""-ERR Command is not valid in this state."""
    2012-04-16T12:10:11.898Z,0000000000000001,3,10.160.20.229:110,10.160.34.55:57612,,0,0,25,InvalidCommand,,"R=""-ERR Protocol error. 20"""
     
    How about using "domain\user" or the UPN "testuser@domain.com"? Once
    that "user" is accepted the 2nd error will go away.
     
    Is the "testuser" the samaccountname property value? Is it also the
    "alias" value?
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Tuesday, April 17, 2012 9:55 PM
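
The log reading in the reply above, written out as an added example (not code from any poster or from Microsoft): it replays each session's rows against the POP3 rule that PASS is only valid after an accepted USER, and flags rows where the server logged no command verb at all. The function names and finding labels are hypothetical; the sample rows are the ones posted in this thread.

```python
import csv
import io

# Rows as posted in the thread (Exchange 2010 POP3 protocol log).
SAMPLE_LOG = '''#Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
2012-04-16T12:10:04.176Z,0000000000000001,0,10.160.20.229:110,10.160.34.55:57612,,-2147483648,0,51,OpenSession,,
2012-04-16T12:10:08.139Z,0000000000000001,1,10.160.20.229:110,10.160.34.55:57612,,140,31,25,,,"R=""-ERR Protocol error. 17"""
2012-04-16T12:10:10.401Z,0000000000000001,2,10.160.20.229:110,10.160.34.55:57612,,31,10,42,pass,,"R=""-ERR Command is not valid in this state."""
2012-04-16T12:10:11.898Z,0000000000000001,3,10.160.20.229:110,10.160.34.55:57612,,0,0,25,InvalidCommand,,"R=""-ERR Protocol error. 20"""
'''

def parse_pop3_log(text):
    """Return data rows as dicts keyed by the '#Fields:' column names."""
    fields, data = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].strip().split(",")
        elif line.strip() and not line.startswith(("#", "dateTime,")):
            data.append(line)
    return list(csv.DictReader(io.StringIO("\n".join(data)), fieldnames=fields))

def audit_sessions(rows):
    """Replay each session against RFC 1939: PASS needs an accepted USER first."""
    findings, user_ok = [], {}
    for r in sorted(rows, key=lambda r: (r["sessionId"], int(r["seqNumber"]))):
        sid, seq, cmd = r["sessionId"], int(r["seqNumber"]), r["command"].lower()
        failed = "-ERR" in (r["context"] or "")
        if cmd == "" and failed:
            # No verb logged: the server could not parse the bytes it received.
            findings.append((sid, seq, "unparsed-request", int(r["rqsize"])))
        elif cmd == "user":
            user_ok[sid] = not failed
        elif cmd == "pass":
            if not user_ok.get(sid):
                findings.append((sid, seq, "pass-without-accepted-user", int(r["rqsize"])))
            user_ok[sid] = False  # PASS consumes the pending USER either way
    return findings

if __name__ == "__main__":
    for finding in audit_sessions(parse_pop3_log(SAMPLE_LOG)):
        print(finding)
```

An "unparsed-request" row directly ahead of a rejected PASS points at what the client put on the wire rather than at the credentials or the LoginType setting.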
  • Hi Rich -

    That POP3 log output is from the telnet session output I pasted above, where you can see I did do the 'user' command.

    Perhaps it's '-ERR Protocol error. 17' that I need to be researching, then......

    Trying both domain\user and UPN name yield identical results.  Yes, it is the alias and samaccountname value, as well.

    -Craig

    Wednesday, April 18, 2012 12:05 PM
  • I've made some progress in this based on some info I found from another thread.  Check THIS out:

    Telnet Output:

    +OK The Microsoft Exchange POP3 service is ready.
    user testuser
    -ERR Protocol error. 17
    user testuser
    +OK
    pass testpassword
    +OK User successfully logged on.

    The first command generates that '-ERR Protocol error. 17' message, but after that.. everything works fine.

    This almost feels like a bug.  What do you all think?  Worth opening a case about?

    UPDATE : Just installed RU2 in test and the issue still persists. 

    -Craig


    • Edited by cliess Wednesday, April 18, 2012 3:31 PM
    Wednesday, April 18, 2012 12:15 PM
  • On Wed, 18 Apr 2012 12:05:00 +0000, cliess wrote:
     
    >
    >
    >Hi Rich -
    >
    >That POP3 log output is from the telnet session output I pasted above, where you can see I did do the 'user' command.
     
    Yes, I saw the "user" in your "telnet" bit, but the "user" command
    wasn't accepted by the server. If the "user" command isn't accepted
    there's no point in sending the "pass" command because it simply
    cannot work!
     
    >Perhaps it's '-ERR Protocol error. 17' that I need to be researching, then......
     
    That's correct. Until you get that command accepted you can go no
    further and expect to succeed.
     
    >Trying both domain\user and UPN name yield identical results. Yes, it is the alias and samaccountname value, as well.
     
    Are you doing this with telnet or from an e-mail client? If you're not
    using an e-mail client (e.g. Outlook Express or Windows Live Mail) you
    should try it. Telnet _looks_ like it works the same way, but if you
    put a network monitor on your machine you'll see that each keystroke
    is sent in a separate packet. Maybe there's something going on there
    that's not apparent by looking only at the stuff in the command window?
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, April 18, 2012 9:38 PM
  • On Wed, 18 Apr 2012 12:15:59 +0000, cliess wrote:
     
    >
    >
    >I've made some progress in this based on some info I found from another thread. Check THIS out:
    >
    >Telnet Output:
    >
    >+OK The Microsoft Exchange POP3 service is ready.
    >user testuser
    >-ERR Protocol error. 17
    >user testuser
    >+OK
    >pass testpassword
    >+OK User successfully logged on.
    >
    >The first command generates that '-ERR Protocol error. 17' message, but after that.. everything works fine.
    >
    >This almost feels like a bug. What do you all think? Worth opening a case about?
     
    Maybe. Does it act that way if you use an actual POP client instead of
    telnet?
     
    >UPDATE : Just installed RU2 in test and the issue still persists.
     
    I'd watch the packets the telnet client's sending with a network
    monitor to be sure there's nothing hinky in there like a Unicode
    character or a "nul" (0x00)
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, April 18, 2012 9:42 PM
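
The packet check suggested in the reply above, as an added example (not code from any poster): given the client-to-server bytes reassembled from a capture, it reports every offset where the stream stops looking like POP3 command lines. The function name and the sample payloads are constructed for illustration; the thread does not say which bytes the traces actually showed.

```python
# RFC 1939 commands are a short keyword, optional arguments, then CRLF,
# all in printable ASCII. The set also lists common extension verbs.
VERBS = {b"USER", b"PASS", b"APOP", b"STAT", b"LIST", b"RETR", b"DELE", b"NOOP",
         b"RSET", b"TOP", b"UIDL", b"QUIT", b"CAPA", b"AUTH", b"STLS"}

# Constructed payloads: a clean login, and the same login with three stray
# bytes in front of the first command.
CLEAN = b"USER testuser\r\nPASS testpassword\r\n"
DIRTY = b"\xff\xfb\x1f" + CLEAN

def audit_client_stream(payload):
    """Return (offset, reason) for each point where the bytes are not POP3."""
    findings, pos = [], 0
    while pos < len(payload):
        end = payload.find(b"\r\n", pos)
        if end == -1:
            findings.append((pos, "unterminated line (no CRLF)"))
            end = len(payload)
        line = payload[pos:end]
        for i, b in enumerate(line):
            if b == 0x00:
                findings.append((pos + i, "NUL byte"))
            elif b < 0x20 or b == 0x7F:
                findings.append((pos + i, "control byte 0x%02x" % b))
            elif b > 0x7F:
                findings.append((pos + i, "non-ASCII byte 0x%02x" % b))
        # The verb is whatever precedes the first space; junk in front of a
        # valid command turns it into an unknown verb, so only that line fails.
        verb = line.split(b" ", 1)[0].upper()
        if verb not in VERBS:
            findings.append((pos, "line does not start with a POP3 command"))
        pos = end + 2
    return findings

if __name__ == "__main__":
    for name, payload in (("clean", CLEAN), ("dirty", DIRTY)):
        print(name, audit_client_stream(payload))
```

In the constructed dirty payload only the first line is flagged, which matches the symptom in the thread: the first USER is rejected and a repeated USER is accepted.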
  • Yes.  Using a standard POP client generates the identical result.

    Also, connecting to our Exchange 2003 setup via telnet (and POP3 clients) works perfectly.

    -Craig

    Thursday, April 19, 2012 11:40 AM
  • On Thu, 19 Apr 2012 11:40:26 +0000, cliess wrote:
     
    >Yes. Using a standard POP client generates the identical result.
    >
    >Also, connecting to our Exchange 2003 setup via telnet (and POP3 clients) works perfectly.
     
    Well, if you can see the correct credentials arriving at the CAS when
    the e-mail client sends them, and you still get an error 17, then it'd
    be worth a call to MS if your time is worth anything.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Thursday, April 19, 2012 9:50 PM
  • Hi. Today we were faced with the same problem. We have done all the steps described here, but the problem remained. However, after two reboots of the Exchange server, the issue was resolved. It remains unclear why this happened. In addition, on one of the four Exchange servers this issue did not arise. The event logs on the problematic servers did not show anything.

    Do not multiply entities beyond necessity.

    Saturday, April 21, 2012 2:55 AM