Unable to send TLS mails to external domains – E2k7

Topology: Exchange 2007 > Watch Guard firewall > Microsoft ForeFront > Internet

Send connector is smart-hosted to Microsoft ForeFront

Exchange 2007 has a feature known as ‘Opportunistic TLS’: if the remote domain accepts TLS, Exchange sends the mail over TLS; otherwise Exchange sends it in non-TLS (clear-text) format

In spite of this, the customer's Exchange server was sending non-TLS mail to remote domains which accept TLS

Troubleshooting:

–          From the Exchange server, we ran a telnet to ForeFront (mail.messaging.microsoft.com) on port 25, and no STARTTLS verb was advertised in the EHLO response

–          So, as expected, Exchange would send mail only in non-TLS format

–          However, when we ran a telnet to ForeFront ourselves (telnet mail.messaging.microsoft.com 25), we did see the STARTTLS verb

–          Thus, though ForeFront advertises the STARTTLS verb, it is not seen when running a telnet from the Exchange server

We suspected the WatchGuard firewall was running an ESMTP proxy that strips the verbs from the EHLO response before they reach the Exchange server

Although the customer (Cx) confirmed that the firewall did not proxy any SMTP, we logged in to the firewall console and found the ESMTP outbound settings

ESMTP was enabled, and there was a check mark for 8-BITMIME only (this was the only verb displayed when Cx ran a telnet to ForeFront)

We checked BINARYMIME in that list, saved the firewall config, and ran the telnet to ForeFront again: now the BINARYMIME verb was displayed as well (along with 8-BITMIME)

This confirmed that the firewall was indeed stripping the verbs. The following link discusses issues with TLS and encryption caused by the WatchGuard Firebox firewall:

http://www.google.com/support/appsecurity/bin/answer.py?hl=en&answer=138468

Resolution: The WatchGuard firewall has two options for SMTP mail: SMTP Proxy and SMTP Packet Filter. The default choice when a user first sets up mail is the SMTP Proxy. Change it to SMTP Packet Filter, and that should resolve the issue. Note the trade-off: the packet filter passes the EHLO response through untouched (so STARTTLS is offered and mail that can be encrypted is encrypted), but the firewall no longer inspects the SMTP session's content.

Mail flow between servers is not working – E2K7

Problem

Recently I encountered a problem where I was not able to send and receive emails between two sites where E2K7 is installed
Symptom
  • You would get the following error:
Event Type: Error
Event Source: MSExchangeTransport
Event Category: SmtpReceive
Event ID: 1035
Description:
Inbound authentication failed with error LogonDenied for Receive  connector Default XXXXXXXXX. The authentication mechanism is  Gssapi. The source IP address of the client who tried to authenticate to Microsoft Exchange is
  • Enable verbose logging for the receive connector on the receiving site and send a test email from the other site. If the SMTP-Receive log shows “235 Authenication failed”, the cause is one of the reasons below.
Reason
  • Time difference between the DC and the Exchange server
  • Authenticated Users is not listed in the local security policy on the Exchange server
Solution
  • Synchronize the time between the DC and the Exchange server
  • Add Authenticated Users to the “Access this computer from the network” user right under the local security policy

How to send an email using telnet

Step 1. telnet <IP address or MX host> 25
Step 2. ehlo (or) helo (or) ehlo domain.com
Step 3. mail from: youraddress@domainname.com (or) mail from: <youraddress@domainname.com>
Step 4. rcpt to: RecipientAddress@domainname.com (or) rcpt to: <RecipientAddress@domainname.com>
Step 5. data
Step 6. Type the message text
Step 7. . (a single period on a line by itself ends the message and queues it)
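As an added example (not code from the original post), the Python script below walks the same SMTP conversation as the steps above (EHLO, MAIL FROM, RCPT TO, DATA, terminating period) against an in-memory stand-in for the remote server, and parses the EHLO reply the way an opportunistic-TLS sender does. Giving the fake server a shorter extension list reproduces the symptom from the WatchGuard case earlier on this page offline: the same client sees STARTTLS from one server and not from the other. FakeSmtpServer, its extension lists, host names and addresses are all constructed assumptions; the real ForeFront and WatchGuard replies are not reproduced.

```python
import re

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


class FakeSmtpServer:
    """In-memory stand-in for a remote MTA (constructed; real servers differ).

    `extensions` is what the server advertises in its EHLO reply; a firewall
    ESMTP proxy that strips verbs is simulated by passing a shorter list.
    """

    def __init__(self, hostname, extensions):
        self.hostname = hostname
        self.extensions = list(extensions)
        self.state = "connected"       # connected -> ready -> data -> ready
        self.messages = []             # accepted (sender, recipients, body)
        self._sender, self._rcpts, self._lines = None, [], []

    def banner(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        """Return the reply to one client line (None while receiving DATA)."""
        if self.state == "data":
            if line == ".":
                self.messages.append((self._sender, list(self._rcpts), "\r\n".join(self._lines)))
                self._sender, self._rcpts, self._lines = None, [], []
                self.state = "ready"
                return "250 Queued"
            # undo dot-stuffing: the client sends ".." for a line starting with "."
            self._lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            parts = [f"{self.hostname} Hello {arg}"] + self.extensions
            # every line but the last uses "250-"; the last uses "250 "
            self.state = "ready"
            return "\r\n".join([f"250-{p}" for p in parts[:-1]] + [f"250 {parts[-1]}"])
        if verb == "HELO":
            self.state = "ready"
            return f"250 {self.hostname}"
        if self.state == "connected":
            return "503 Send HELO/EHLO first"
        if verb == "MAIL":
            self._sender = arg.partition(":")[2].strip().strip("<>")
            return "250 Sender OK"
        if verb == "RCPT":
            self._rcpts.append(arg.partition(":")[2].strip().strip("<>"))
            return "250 Recipient OK"
        if verb == "DATA":
            if not self._sender or not self._rcpts:
                return "503 Need MAIL and RCPT first"
            self.state = "data"
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command unrecognized"


def parse_ehlo_reply(reply):
    """Return (reply code, set of advertised extension keywords) for an EHLO reply."""
    code, keywords = None, set()
    for i, line in enumerate(reply.split("\r\n")):
        m = REPLY_RE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        code = int(m.group(1))
        words = m.group(3).split()
        if i > 0 and words:        # first line is the greeting; the rest are extensions
            keywords.add(words[0].upper())
    return code, keywords


def starttls_offered(ehlo_reply):
    """Opportunistic TLS decision: TLS is used only if STARTTLS was advertised."""
    code, keywords = parse_ehlo_reply(ehlo_reply)
    return code == 250 and "STARTTLS" in keywords


def send_message(server, helo_name, sender, recipients, body_lines):
    """Run steps 2-7 of the telnet procedure; return (starttls_offered, final reply, transcript)."""
    transcript = ["S: " + server.banner()]

    def send(line):
        transcript.append("C: " + line)
        reply = server.handle(line)
        if reply is not None:
            transcript.extend("S: " + part for part in reply.split("\r\n"))
        return reply

    tls = starttls_offered(send(f"EHLO {helo_name}"))
    send(f"MAIL FROM:<{sender}>")
    for rcpt in recipients:
        send(f"RCPT TO:<{rcpt}>")
    send("DATA")
    for line in body_lines:
        # dot-stuff lines beginning with "." so a lone "." still means end of data
        send("." + line if line.startswith(".") else line)
    final = send(".")
    send("QUIT")
    return tls, final, transcript


if __name__ == "__main__":
    for label, exts in [("direct", ["8BITMIME", "STARTTLS", "SIZE 10485760"]),
                        ("via verb-stripping proxy", ["8BITMIME"])]:
        srv = FakeSmtpServer("mx.example.test", exts)
        tls, final, log = send_message(srv, "client.example.test", "alice@example.test",
                                       ["bob@example.test"], ["Subject: test", "", "hello"])
        print(f"--- {label}: STARTTLS offered = {tls}, final reply = {final}")
        print("\n".join(log))
```

Running the script prints the two transcripts side by side; the only difference between them is the EHLO reply, which is exactly what a real sender applying opportunistic TLS looks at before deciding whether to encrypt. When you run the real telnet test, the lines between the EHLO greeting and the final "250 " line are the ones to compare from inside and outside the firewall.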

Message rejected due to unacceptable attachments – E2K7

Problem
When a third-party application or a sender on the internet sends a message to your organisation, and an Edge Transport server is the receiving server, you may get an NDR saying “Unacceptable Attachment”
Reason
The attachment sent by the application or by users on the internet may be listed in the AttachmentFilterEntry.
But in some cases the attachment gets rejected by the Attachment Filter Agent even though it is not listed in the AttachmentFilterEntry.
The reason is that the attachment may not be recognised by the Attachment Filter Agent. For example, a “.zip” file may get rejected by the Attachment Filter Agent.
This is a known issue, and Update Rollup 5 will fix this as per Microsoft.
*Note that attachments other than .zip can also be rejected for the same reason.
Solution:
1. Install the most recent update rollup
2. Add the following key to the EdgeTransport.exe.config file, inside the <appSettings> </appSettings> section:
<add key="AllowInvalidAttachment" value="true" />

What you find in pipeline tracing for troubleshooting – E2K7

1. There will be 11 copies of each message, one per stage of the transport pipeline
2. Message header
The message header is useful when emails are not in the proper format when sent or received by the server. Since you have 11 copies of the message, you can compare the header of one copy with the next to see whether anything changed between stages.
3. Which transport agent fired at each stage
This is very useful if the message is not reaching the mailbox. If the message is not reaching the mailbox, it is clear that one of the transport agents must have rejected the mail, and this information shows which agent rejected it.
4. You can enable pipeline tracing for one user or for all users; it cannot be enabled on a per-domain basis.
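As an added example (not code from the original post), the Python script below does the header comparison described in point 2: it parses two pipeline-tracing copies of the same message with the standard library's email parser and reports which headers were added, removed or changed between the two stages, plus whether the body changed. The two messages are constructed samples written to look like Exchange-stamped mail; they are not real trace output, and the header names and values in them are assumptions.

```python
from email import message_from_string

# Constructed sample: the message as it looked at an early pipeline stage.
COPY_ORIGINAL = """\
Received: from client.example.test ([192.0.2.10]) by hub01.example.test
Message-ID: <1234@client.example.test>
From: alice@example.test
To: bob@example.test
Subject: Quarterly report
X-Tracking-Id: trace-0001
X-MS-Exchange-Organization-SCL: 1
Content-Type: text/plain; charset="us-ascii"

Body text.
"""

# Constructed sample: the same message after a later agent ran. One header
# was added, one was removed and two were changed; the body is untouched.
COPY_AFTER_AGENT = """\
Received: from client.example.test ([192.0.2.10]) by hub01.example.test
Message-ID: <1234@client.example.test>
From: alice@example.test
To: bob@example.test
Subject: [EXTERNAL] Quarterly report
X-MS-Exchange-Organization-SCL: 5
Content-Type: text/plain; charset="us-ascii"
X-Custom-Agent-Tag: stamped

Body text.
"""


def header_map(raw):
    """Parse a message and return {header-name: [values...]}, names lower-cased.

    A list is kept per name because headers such as Received repeat.
    """
    headers = {}
    for name, value in message_from_string(raw).items():
        headers.setdefault(name.lower(), []).append(value)
    return headers


def diff_headers(before_raw, after_raw):
    """Return (added, removed, changed) between two copies of a message.

    added/removed map header name -> values; changed maps name -> (before, after).
    """
    before, after = header_map(before_raw), header_map(after_raw)
    added = {k: v for k, v in after.items() if k not in before}
    removed = {k: v for k, v in before.items() if k not in after}
    changed = {k: (before[k], after[k]) for k in before if k in after and before[k] != after[k]}
    return added, removed, changed


def body_changed(before_raw, after_raw):
    """True if the message body differs between the two copies."""
    return message_from_string(before_raw).get_payload() != message_from_string(after_raw).get_payload()


def report(before_raw, after_raw):
    """Human-readable summary of the differences, one line per finding."""
    added, removed, changed = diff_headers(before_raw, after_raw)
    lines = [f"added   {k}: {v}" for k, v in sorted(added.items())]
    lines += [f"removed {k}: {v}" for k, v in sorted(removed.items())]
    lines += [f"changed {k}: {b} -> {a}" for k, (b, a) in sorted(changed.items())]
    lines.append("body changed" if body_changed(before_raw, after_raw) else "body unchanged")
    return lines


if __name__ == "__main__":
    print("\n".join(report(COPY_ORIGINAL, COPY_AFTER_AGENT)))
```

In practice you would read the two copies from the pipeline-tracing folder with `open(path).read()` in place of the constructed strings; comparing each copy with the one from the previous stage narrows a header rewrite, a changed SCL or a stripped header down to the single agent that ran between them.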