Some Mails don't get delivered to Exchange [SOLVED]

[Sephiroth]

Hi!

I'm having a super strange issue with my configuration.
I'm using EFA as Spam filter, sending mails to my Exchange Server.

On mailwatch I see what was delivered, and what was identified as spam.
On my Exchange Mailbox, I don't get all mails I see on mailwatch that should have been delivered.

Easy example:
I've ordered something on steam
I can see on mailwatch, that it received 2 mail confirmations for my order, one from steam, and one from paypal.
Both are marked clean and should have been send to my exchange server.
If I check my mailbox, I don't get the steam mail (just the one from paypal).

I try to release the mail again on mailwatch, with no luck.

Disabling Antispam and sender filtering on my exchange 2016 is not helping either.
The issue might still be on the exchange server, but I disabled everything that could interfere (as far as I know)

Any tips for troubleshooting?

Regards

Philippe

[TheGr8Wonder]

On the main status page of EFA, there is a mail queue listing. Is there a # listing next to either inbound or outbound? Most likely there will be a # there and if you click that, it will most likely say that the remote connection refused it.

If there are, I suggest you check your exchange server config to make sure that the IP of EFA is an allowed receive connector.

[pdwalker]

Also, you can search your mail logs on your EFA box to find out why the mail to the exchange server is not being delivered.

[Sephiroth]

My Mail queue is empty :/

Which log file can I check exactly?

[pdwalker]

log into the EFA box, and run the following command:

Code: Select all

less /var/log/maillog

Press capital G to go to the bottom of the file. "q" to quit. "b" and "f" to go backwards and forwards one screen full (page down and page up respectively)

[Sephiroth]

I see following log entry for a mail, that didnt pop up in my mailbox:

Aug 15 08:47:08 freya MailScanner[41664]: Requeue: 6026DA0244.AB35E to 53335A0257
Aug 15 08:47:08 freya MailScanner[41664]: Uninfected: Delivered 1 messages
Aug 15 08:47:08 freya postfix/qmgr[1835]: 53335A0257: from=<no-reply@efa-project.org>, size=2696, nrcpt=1 (queue active)
Aug 15 08:47:08 freya MailScanner[41664]: MailWatch: Logging message 6026DA0244.AB35E to SQL
Aug 15 08:47:08 freya MailScanner[41668]: MailWatch: 6026DA0244.AB35E: Logged to MailWatch SQL
Aug 15 08:47:09 freya postfix/smtp[42180]: 53335A0257: to=<My correct email>, relay=192.168.1.117[192.168.1.117]:25, delay=13, delays=13/0.01/0.02/0.52, dsn=2.6.0, status=sent (250 2.6.0 <a0c757d49d6f2a0a9a37787a5b3fcf52@forum.efa-project.org> Queued mail for delivery)
Aug 15 08:47:09 freya postfix/qmgr[1835]: 53335A0257: removed

[pdwalker]

is 192.168.1.117 the ip address of your exchange server?

[pdwalker]

assuming the above, the problem appears to be with your exchange server.

what version of exchange server are you running, and are you familiar with the diagnostic tools?

what i would do next is:

a/ check the exchange server mail log (message tracking) for the message you tried to send and see what it says

b/ check my smtp connector settings, both incoming and outgoing, and verifying the settings are correct, in particular the dns settings

c/ check the mail queue to see if exchange has some undelivered NDRs with the real error.

let me know what you find out

[Sephiroth]

192.168.1.117 is my exchange server

I'm using Exchange 2016 (did a migration from 2013 a month ago).

I'll try to check the logs on the exchange server. Never had to check them before, so I have to find out where they are

[Sephiroth]

I checked get-messagetrackinglog on my exchange, and those missing were not listed. :/

Queue Viewer shows no messages.

Incoming transport settings are set to allow mails from the whole subnet.

Something is still filtering those messages, even though I disabled everything I could....
And it's always the same messages / senders that are blocked, not randomly. Mails from this site (efa-project.org) are blocked as well

[pdwalker]

If EFA delivered it, and exchange accepted it, it will be in the message tracking logs, including information on what was done with the message.

Without accessing your exchange server via something like teamviewer, I am unable to debug your problem further.

The problem seems to be exchange.

[jase72]

Is 192.168.1.117 your Exchange server? The log is missing part of the line that has the Exchange message id (InternalId=longnumber) which makes me wonder.

Disabled SenderID on Exchange? Everything will be coming from the EFA box so SenderID will give you grief.

Code: Select all

Get-SenderIDConfig | fl enabled

Have you used Message Tracking to try to trace the actual missing message?

Code: Select all

Get-MessageTrackingLog -server <servername> -resultsize unlimited -Start "8/15/2017 00:00AM" -MessageId "a0c757d49d6f2a0a9a37787a5b3fcf52@forum.efa-project.org"

Full gory details can be seen via;

Code: Select all

Get-MessageTrackingLog -server <servername> -resultsize unlimited -Start "8/15/2017 00:00AM" -MessageId "a0c757d49d6f2a0a9a37787a5b3fcf52@forum.efa-project.org" | fl

Also you can do an ugly search to trawl through all the logs, assuming you've got verbose logging for "Default Frontend <server>" (try it even if you don't, it'll find some stuff).

Administrator command prompt (not PS for this). CD "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs" (or wherever your Exchange logs are). Then run;

Code: Select all

findstr /s /i /c:"a0c757d49d6f2a0a9a37787a5b3fcf52@forum.efa-project.org" *20170815*

It should find something in;

FrontEnd\ProtocolLog\SmtpReceive
FrontEnd\ProtocolLog\SmtpSend (yes, send, it gets internally forwarded)
Hub\AgentLog
MessageTracking
And possibly WLM

G'luck.

[Sephiroth]

Wow! finally I see a bit more now!

1. Server IP is correct

2. Sender Id Config is enabled

3. running your r command I finally see some infos!!

RunspaceId : 9aa5bccc-0e63-4e22-abc5-22a3f513fd4d
Timestamp : 15.08.2017 08:47:09
ClientIp : 192.168.1.116
ClientHostname : Mailserver
ServerIp : 192.168.1.117
ServerHostname :
SourceContext : Sender Id Agent
ConnectorId : Mailserver\Freya
Source : SMTP
EventId : FAIL
InternalMessageId : 12034498363392
MessageId : <a0c757d49d6f2a0a9a37787a5b3fcf52@forum.efa-project.org>
NetworkMessageId : ec49c19a-3513-4768-4407-08d4e3a9734a
Recipients : {My Email}
RecipientStatus : {[{LED=250 2.6.0 <a0c757d49d6f2a0a9a37787a5b3fcf52@forum.efa-project.org> Queued mail for
delivery};{MSG=};{FQDN=};{IP=192.168.1.117};{LRT=}]}
TotalBytes : 0
RecipientCount : 1
RelatedRecipientAddress :
Reference :
MessageSubject : Topic reply notification - "Some Mails don't get delivered to Exchange"
Sender : forum@efa-project.org
ReturnPath : no-reply@efa-project.org
Directionality : Incoming
TenantId :
OriginalClientIp :
MessageInfo :
MessageLatency :
MessageLatencyType : None
EventData : {[ToEntity, Unknown], [FromEntity, Unknown], [DeliveryPriority, Normal],
[OriginalFromAddress, no-reply@efa-project.org], [AccountForest]}
TransportTrafficType : Email
SchemaVersion : 15.01.1034.026

[Sephiroth]

I've set

Code: Select all

Set-ContentFilterConfig -ExternalMailEnabled $false

and I was able to resend some blocked messages from EFA to my Exchange, YAY!
I'm gonna keep an eye on my mails for a while, before I start blocking SPAM Mails from EFA to Exchange again.

[jase72]

Glad to hear it's allowed the emails though. It sounds like your SCL thresholds were low, though it should have shown up in EFA if they were rejected by Exchange (you see the rejection in the "Relay Information" section when you view the message info in MailWatch (it's right at bottom below "Spam Report" but before the quarantine options, if it's not there it went through to Exchange ok)). You can certainly leave content filtering off if you desire and rely on EFA to do all the content checking. Personally I like to have Exchange also check and have the reject SCL threshold set to 9 and the rest disabled.

Code: Select all

[PS] C:\>Get-ContentFilterConfig | ft *mailenabled, scl* -AutoSize

ExternalMailEnabled InternalMailEnabled SCLRejectThreshold SCLRejectEnabled SCLDeleteThreshold SCLDeleteEnabled SCLQuarantineThreshold SCLQuarantineEnabled
------------------- ------------------- ------------------ ---------------- ------------------ ---------------- ---------------------- --------------------
               True               False                  9             True                  9            False                      9                False

EFA does a great job or blocking or tagging spam, but I do notice that Exchange filtering will reject the odd email that EFA only tags, and with SCL set to 9 it's never a false positive so it only ever rejects junk.

The reason you're having issues receiving emails from efa-project.org might be due to the hard fail their SPF records have ("-all" for a hard fail rather than "~all" for a soft fail) combined with Sender ID checking. Check the other domains you're not receiving emails from, they might all have "-all" for their spf records. If so then (as I alluded to earlier) you might need to disable Sender ID.

Code: Select all

Set-SenderIDConfig -Enabled $false

I certainly did that once EFA became our only inbound route.

This doesn't explain why disabling content filtering has fixed the issue and unfortunately the output from message tracking isn't of any help. I have a fair bit of logging on our Exchange system to track down emails at times like this, and with the correct logs you can normally figure out exactly why it's been rejected, though it can take a bit of investigation.

Straying into Exchange tweaking rather than EFA here, but hopefully it'll help others trying to marry the two.

[Sephiroth]

Relay Information is missing on one of those blocked mails.
There's nothing between Spam Report & Quarantine.

I'm super happy, that I'm not missing any more mails, and have to be careful activating sender filtering again.¨

I just wish, exchange would make it easier spotting those rejected mails, and be able to reprocess them.
I spend hours crawling through log files and powershell command, with no luck.
Only thanks to you, I was able to find the message (with still no reasonable error description..)