Logs show some email as queued, but not delivered |
jortmann
Newbie Joined: 13 November 2007 Location: Canada Status: Offline Points: 11 |
Posted: 06 May 2010 at 12:09pm |
Hello,
I'm experiencing some strange and frustrating email issues. Our spamfilter forwards to Exchange 2007 network load balanced (NLB) CAS servers, CAS1 and CAS2. The NLB config seems correct. One issue is the CAS1 server does not handle any traffic from spamfilter - this may not be a question for this forum and might not have anything to do with the below issue. The other issue is that, using Sawmill to parse spamfilter logs, we see that a piece of email has arrived and was queued; either filtered and accepted or whitelisted BUT the user never gets it. Using Exchange message tracking, which only shows spamfilter traffic on CAS2, we never see the email as having been received. This issue is affecting a few users and it seems random: one time a gmail won't be received, hours later, it is. Any ideas? Any help will be greatly appreciated as this is becoming a big issue.
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
jortmann,
If you can please zip to our support @ logsat dot com email address SpamFilter's activity logfile for a day this happened, we'll check to see what is happening. Please let us know the to/from email addresses for one or two of these emails, so we can locate them in the logs. If the zip is over 8MB in size, please upload the file to our FTP site, for which I'll send you the login info via a PM.
jortmann
Hello,

First another question: When spamfilter says an email is accepted or whitelisted and queued, does that mean it has been sent out the spamfilter infrastructure to the mail server?

Here is a log snippet that might help with my accepted but not delivered emails: This sender is subject to filtering, he's not on any lists.

05/06/10 14:17:25:813 -- (1492) Sending email from TDesmarais@assante.com to sfraser@hialta.ca --
05/06/10 14:17:41:141 -- (1492) EMail from: tdesmarais@assante.com to: sfraser@hialta.ca -- was returned to sender - server error - 10.1.1.45 said: 5.7.1 Recipient not authorized, your IP has been found on a block list --
05/06/10 14:17:51:266 -- (1492) Error-email from tdesmarais@assante.com to sfraser@hialta.ca -- was forwarded to 10.1.1.45
05/06/10 14:17:51:266 -- (1492) There was an error sending the NDR to: TDesmarais@assante.comThe remote server said:550 5.7.1 Unable to relay --
05/06/10 14:17:51:266 -- (1492) server error - 10.1.1.45 said: 5.7.1 Recipient not authorized, your IP has been found on a block list --

Here is a snippet from Sawmill after parsing.
My questions are: Is the server error Spamfilter or the CAS NLB 10.1.1.45? Is it the CAS rejecting the spamfilter server or the email? I really want to know if this is a spamfilter issue or an Exchange issue. Fighting a war on 2 fronts isn't fun. Thank you.
LogSat
Even if the logs say "is accepted" or "whitelisted", it's possible the sender disconnects before completing the email. The "sure" way of determining SpamFilter attempted to forward the email to your destination SMTP server is the line that contains "Sending email from .... to ...", as the following one:

05/06/10 14:17:25:813 -- (1492) Sending email from TDesmarais@assante.com to sfraser@hialta.ca --

The above is just an "attempt" to forward the email to your server. In this specific case, your destination server at 10.1.1.45 has rejected the above email from SpamFilter, and this is being logged with the entry, which shows in red the specific error string SpamFilter received when attempting to forward the email to 10.1.1.45:

05/06/10 14:17:41:141 -- (1492) EMail from: tdesmarais@assante.com to: sfraser@hialta.ca -- was returned to sender - server error - 10.1.1.45 said: 5.7.1 Recipient not authorized, your IP has been found on a block list --

As SpamFilter accepted an email for delivery from TDesmarais@assante.com, but was unable to deliver it due to the above error, we must at this point send a non-delivery report (NDR) email back to the sender (TDesmarais@assante.com). This email is forwarded for delivery to your SMTP server at 10.1.1.45, as SpamFilter will never send emails out to the internet directly. When this NDR is sent however, your server 10.1.1.45 rejects this attempt with a "550 5.7.1 Unable to relay" error message:

05/06/10 14:17:51:266 -- (1492) Error-email from tdesmarais@assante.com to sfraser@hialta.ca -- was forwarded to 10.1.1.45
05/06/10 14:17:51:266 -- (1492) There was an error sending the NDR to: TDesmarais@assante.comThe remote server said:550 5.7.1 Unable to relay --

Please note that we pre-released in the registered user area a new build (4.2.4.830) that drastically changes the above NDR behavior, to prevent the generation of NDR emails as much as possible.
In v4.2, SpamFilter verifies the existence of the recipient with your destination SMTP server after an email has passed all filtering tests and is about to be delivered. While it is being delivered to your destination SMTP server, SpamFilter puts "on hold" the incoming connection while it ensures that your server will accept the recipient. Should your server reject the "RCPT TO" command (due to a non-existent user, mailbox full, etc), then in this case SpamFilter will relay the same SMTP error back to the sender. This forces the remote server to send the NDR to their customers, and will avoid having SpamFilter generate an NDR email that needs to be sent. This said, you will need to ensure that your destination SMTP will accept all emails sent to it by SpamFilter, as if this is not done, you risk that emails won't be delivered.
I'm not sure what mail server software is running on 10.1.1.45. That mail server is however rejecting SpamFilter's connection attempts with the error "your IP has been found on a block list", and you will thus need to check your mail server's configuration to see what block list is being used that causes these connection attempts to be rejected.
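The log reading described in the reply above, as an added example that is not part of the original thread and is not LogSat's code: it groups entries by the number in parentheses (assumed here to identify one session) and reports sessions where a "Sending email from" attempt was followed by a rejection from the destination server. The 1492 lines are the ones quoted in the thread; the 1507 line is constructed.

```python
import re
from collections import defaultdict

# Session 1492: lines quoted in the thread. Session 1507: constructed here
# to show a forward attempt with no rejection logged.
SAMPLE_LOG = """\
05/06/10 14:17:25:813 -- (1492) Sending email from TDesmarais@assante.com to sfraser@hialta.ca --
05/06/10 14:17:41:141 -- (1492) EMail from: tdesmarais@assante.com to: sfraser@hialta.ca -- was returned to sender - server error - 10.1.1.45 said: 5.7.1 Recipient not authorized, your IP has been found on a block list --
05/06/10 14:17:51:266 -- (1492) Error-email from tdesmarais@assante.com to sfraser@hialta.ca -- was forwarded to 10.1.1.45
05/06/10 14:17:51:266 -- (1492) There was an error sending the NDR to: TDesmarais@assante.comThe remote server said:550 5.7.1 Unable to relay --
05/06/10 14:18:02:500 -- (1507) Sending email from alice@example.org to bob@example.net --
"""

LINE = re.compile(r"^(\S+ \S+) -- \((\d+)\) (.*)$")
ATTEMPT = re.compile(r"Sending email from (\S+) to (\S+)")
REJECT = re.compile(r"server error - (\S+) said: (.*?)\s*(?:--)?$")
NDR_FAIL = re.compile(
    r"error sending the NDR to:.*?remote server said:\s*(.*?)\s*(?:--)?$")

def summarize(log_text):
    """Group entries by the number in parentheses (assumed per-session id)."""
    sessions = defaultdict(lambda: {"attempt": None, "rejected_by": None,
                                    "reject_reason": None, "ndr_error": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped activity-log entry
        _ts, sid, msg = m.groups()
        s = sessions[sid]
        if (a := ATTEMPT.search(msg)):
            # The only line that proves a forward to the destination was tried.
            s["attempt"] = (a.group(1).lower(), a.group(2).lower())
        elif (n := NDR_FAIL.search(msg)):
            s["ndr_error"] = n.group(1)
        elif (r := REJECT.search(msg)):
            # Error string is the destination server's reply, not SpamFilter's.
            s["rejected_by"], s["reject_reason"] = r.group(1), r.group(2)
    return dict(sessions)

def undelivered(log_text):
    """Sessions where a forward was attempted and the destination refused it."""
    return {sid: s for sid, s in summarize(log_text).items()
            if s["attempt"] and s["rejected_by"]}

if __name__ == "__main__":
    for sid, s in undelivered(SAMPLE_LOG).items():
        print(sid, s["attempt"], s["rejected_by"], s["reject_reason"], s["ndr_error"])
```
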
jortmann
Thank you for your replies Roberto, they were very helpful to my understanding of the Spamfilter process.
We do have the issue resolved HOWEVER it's not resolved in my mind. I'm not the exchange admin but have been poking around and see some settings that concern me, I don't fully understand them but understand enough that I think something is off. One of these settings, once disabled, 'fixed' the email issue. I will also be upgrading Spamfilter soon as we are out of date. Sorry the below is a little exchange heavy.
We run Exchange 2007 on Server 2008 servers. 10.1.1.45 is the IP for two network load balanced Client Access/Hub Transport servers, CAS1 and CAS2. Our Spamfilter server points to 10.1.1.45.

From the exchange mgmt console: MS Exchange -> Organization Config -> Hub Transport -> AntiSpam tab -> IP Block list Providers.

Disabling this setting resolved the issue. The properties of this setting are blacklist server providers, the same as spamfilter but spamfilter has 1 more.

From Spamfilter:
bl.spamcop.net, true
zen.spamhaus.org, true
dnsbl.njabl.org, true
cbl.abuseat.org, true
blackholes.mail-abuse.org, true

From Exchange:
bl.spamcop.net
zen.spamhaus.org
dnsbl.njabl.org
dnsbl-1.uceprotect.net

What I do find strange is how disabling this filtering stopped the issue. Again the issue was that about a group of 30-40 users couldn't receive email from perhaps 1 or 2 of their contacts only. Everything else worked, in some cases other users received mail from the same contacts without issue.

From the exchange mgmt console: MS Exchange -> Organization Config -> Hub Transport -> Global Settings -> Transport Settings

The properties have General and Message Delivery. Under Message Delivery we have:
10.1.1.0/24
10.1.1.177 - spamfilter server

Concerns: First, 10.1.1.0/24 covers the range, so we don't need a separate entry for spamfilter. Second, I noticed the DSN codes that have been entered do not include 5.7.1, that is the error code given in the spamlogs.

From the exchange mgmt console: MS Exchange -> Server Config -> Hub Transport -> Receive Connectors

There are 3 receive connectors set up; identical on both CAS servers.
Client - Cas1server - not an issue here
Default - Cas1server -> network settings specify 0.0.0.0.-255.255.255.255 port 25
Relay Connector -> network settings specify a bunch of individual servers within our 10.x.x.x internal scheme on port 25, or in other words, already covered by the DEFAULT connector. There are 3 server IPs that are in our DMZ - these seem like the only ones necessary to this connector given potential authentication configurations. (I did just test this, our backup server was in this group, I removed it and it is still able to forward its daily report to me.)

ONE difference is with Authentication. The Default has "Exchange server auth" and "Integrated windows auth" enabled, whereas the Relay only has "Externally Secured auth" enabled.

Roberto, I'm hoping all this makes sense, screenshots are easier to look at, I can upload some to the ftp site if you like. Thank you again.