Channel: Exchange Server 2013 - Mail Flow and Secure Messaging forum

Exchange 2013 CAS receive connector gives "451 4.7.0 Temporary server error. Please try again later. PRX1"


Hi,

We have a very strange issue with Exchange 2013 (CU8, issue was the same with CU7) and receive connector on CAS. We have 1 CAS server, 1 Edge and 2 Mailbox servers. This started to happen when 2010 was uninstalled/removed. Everything worked before 2010 was removed.

We have a separate Receive connector for mail relay from scanner/software etc. If we try to send to external addresses (user@external.com) we got this response:

"451 4.7.0 Temporary server error. Please try again later. PRX1"

If we send with internal address (user@internal.com) it works. Anonymous access is configured. The strange thing is that when we test and send a test-message with both internal and external address (user@internal.com; user@external.com), both are delivered OK.

Used these commands to test:
This command works:
Send-MailMessage -From test@internal.com -To user@external.com,user@internal.com -Subject TestMail -SmtpServer serverip

This command gives errorcode:
Send-MailMessage -From test@internal.com -To user@external.com -Subject TestMail -SmtpServer serverip

Send-MailMessage : Error in processing. The server response was: 4.7.0 Temporary server error. Please try again later.
PRX1
At line:1 char:1
+ Send-MailMessage -From test@internal.com -To user@external.com -Subject Te ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpExcept
   ion
    + FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage

We have created a case with Microsoft, but the response from MS is very bad/nothing.

Has anyone seen this behavior?

Thanks

Lars Erik


Sending mails to a restricted DL from a Public Folder


Hi gents,

We're currently working with an Exch 2010 instance and got a request for which we can't find a solution.

We've a DL which is senders restricted to avoid the overflow of mails due to the amount of users in this DL.

Here's the challenge:

We have a user who is a member of a public folder and she wants to send mails on behalf of that PF to the restricted DL.

How can we arrange this access as she doesn't need to send the mail from her private address?

Thanks in advance for your help.

In exchange 2013 sp1 SUBMITFAIL event id is happening


Hi,

In Exchange 2013 SP1 a SUBMITFAIL event ID is happening for some messages. But at the second time the same message is delivered perfectly to the end users.

My question is simple: is this a bug in Exchange 2013 SP1, and if so, in which CU will it be corrected? We have to update to your customers so please provide your suggestions as soon as possible.


Thanks & Regards S.Nithyanandham

Exchange 2013 SP1 Edge Transport Connection Filtering


I have implemented an Edge Transport Server; but I think there is a lot of setup guidance missing from documentation.

From what I can tell, many of the Anti-SPAM agents use RBLs to contribute to their processing, not just the connection filter.

There does not seem to be any guidance on which RBLs to implement. It seems logical to me that with this Server Role; and the dependency on these DNS databases (RBLs); compiled with each RBL's connection policies, and limits; that Microsoft would have a deployment guide on using a Microsoft housed DNS Server via DNS Server Conditional Forwarding; or something internal to the Edge Transport Role to ensure reliable access to RBLs for processing.

In Forefront for Exchange 2010; many RBLs were included in the product; and had from my testing built-in access to the RBLs absent from a dependency on internal DNS Servers.

If you need specifics, Google Public DNS does not resolve zen.spamhaus.org (the largest). dnsbl.invaluement.com is not publicly accessible, dnsbl.sorbs.net and b.barracudacentral.org are not resolvable from my ISP's DNS Server, my primary DNS forwarder.

Seems logical to me that the Exchange 2013 SP1 Edge Transport Role's Anti-SPAM Agents should somehow use a Microsoft DNS Server to resolve all the DNSBLs that Microsoft uses in its Cloud/EOP services.


Technology Administrator Erie County (Career and) Technical School.
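
A way to compare resolvers for the DNSBL reachability problem raised in the post above, as an added example that is not part of the original post: it queries the RFC 5782 test entry (127.0.0.2) of each zone through each DNS server. The function name and the 192.0.2.53 resolver address are assumptions made for illustration; Resolve-DnsName requires Windows Server 2012 or later.

```powershell
# Added example. Resolver addresses in the sample call are constructed placeholders.
function Test-DnsblReachability {
    [CmdletBinding()]
    param(
        # DNSBL zones, e.g. (Get-IPBlockListProvider).LookupDomain on the Edge server
        [Parameter(Mandatory = $true)] [string[]] $LookupDomain,
        # Resolvers to compare: the internal forwarder, the ISP resolver, a public one
        [Parameter(Mandatory = $true)] [string[]] $DnsServer
    )
    foreach ($zone in $LookupDomain) {
        # RFC 5782: a DNSBL should list the test address 127.0.0.2, so this name
        # resolves whenever the resolver is able (and allowed) to query the zone.
        $name = "2.0.0.127.$zone"
        foreach ($server in $DnsServer) {
            $answers = @()
            $detail  = ''
            try {
                $answers = @(Resolve-DnsName -Name $name -Type A -Server $server -DnsOnly -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'A' } |
                    ForEach-Object { [string]$_.IPAddress })
                if ($answers.Count -eq 0) {
                    $status = 'NoARecord'
                } elseif (@($answers -like '127.255.255.*').Count -gt 0) {
                    # Spamhaus answers in 127.255.255.0/24 to signal a query problem
                    # (for example a blocked public resolver), not a listing.
                    $status = 'ProviderErrorCode'
                } else {
                    $status = 'Reachable'
                }
            } catch {
                # NXDOMAIN, SERVFAIL or timeout: the zone is unusable through this resolver.
                $status = 'LookupFailed'
                $detail = $_.Exception.Message
            }
            [pscustomobject]@{
                Zone      = $zone
                DnsServer = $server
                Status    = $status
                Answers   = $answers -join ','
                Detail    = $detail
            }
        }
    }
}

# Sample call (192.0.2.53 stands in for the internal forwarder):
# Test-DnsblReachability -LookupDomain zen.spamhaus.org, b.barracudacentral.org `
#     -DnsServer 192.0.2.53, 8.8.8.8 | Format-Table -AutoSize
```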

Can't send external e-mails when one of Exchange servers is disabled


Hello all,

I have Edge transport server 2013

Also there are 3 Exchange servers installed

Ex01(Exchange 2010)

Ex02(Exchange 2013)

Ex03(Exchange 2013)

In the near future I will migrate all Databases from Ex01(Exchange 2010) and dismount the server and there will be Ex02(Exchange 2013) and Ex03(Exchange 2013) servers only.

For now everything is working well, incoming/outgoing e-mails etc. but when I disable Ex01(Exchange 2010) I cannot send any external e-mails from mailboxes which are located in Exchange 2013 servers (no problems with receiving e-mails appear).

When I look in the queue of Exchange 2013 servers I can see all e-mails which got stuck in the queue.

What might that be? Please, help to resolve the issue.

Backpressure activated after Exchange CU5 install-version buckets


Having many of these below:

Event ID 16028 A forced configuration update for Microsoft.Transport.TransportServerConfiguration has successfully completed.

Followed by this every few hours.

Event ID 15004 Resource Pressure Increased from Medium to High

Version buckets =219

Did not have this issue before CU5 update.  Updated from CU5

Am not using any third party transport scripts.

Delivery Report - Pending (Internal)


We're having an issue where users that are members of various distribution groups are not reliably receiving messages. We have a newsletter that is sent out weekly by one user. They use 4 internal distribution groups (some of them nested) plus external email addresses that add up to around 1170 recipients. We have around 280 internal users. Of those 280, around 100 are delivered, and 170 are not delivered but show as "pending" in the delivery report. External users seem to be receiving messages fine. 

I tried doing a trace on myself, as I didn't receive the newsletter that was sent out yesterday.

$Temp = Search-MessageTrackingReport -Identity lorraine.user -Recipients jsmith@domain.ca

[PS] C:\Windows\system32>$Temp | %{Get-MessageTrackingReport -Identity $_.MessageTrackingReportID -BypassDelegateChecking -ReportTemplate Summary }

The missing message was not in the list. It should have been the first result.

Here is an example of what one of the pending delivery reports looks like:

Pending
3/4/2015 4:12 PM s8ex1.domain.ca
The message has been transferred from s8ex1.network.domain.ca to S8EX2.network.domain.ca

Group Expanded
3/4/2015 4:12 PM s8ex1.network.caedm.ca
The list of members of the group "Camps - DG" was expanded so that the message can be delivered to each recipient

Pending
3/4/2015 4:13 PM S8ex1.network.caedm.ca
The message has been transferred from s8ex1.network.domain.ca to s8EX2.network.domain.ca

3/12/2015 12:55 PM s8ex1.network.caedm.ca
No further information is available about this message because the logs are no longer available.

Environment:

Exchange 2013 CU7

2 Servers running Windows Server 2012 in a DAG

Prevent Own Domain Spoofed Spam


Hi guys!

We got Exchange 2013 in the Internet facing AD site.

If an external user uses telnet to port 25, we need to prevent that a mail from our own domain can be accepted.

In Exchange 2010, we prevented this by removing the ExtendedRights ms-exch-smtp-accept-authoritative-domain-sender on the Internet connector.

Now in Exchange 2013, we removed this ExtendedRights in the FrontEnd Internet Connector, but the mail is accepted anyway.

Any idea if this behavior changed in Exchange 2013?

Regards,

Esteban


http://nextadmin.blogspot.com


Exchange Server 2013 and ms-Exch-SMTP-Accept-Authoritative-Domain-Sender


Hello, Team!

I think I've found a serious issue in the last CU releases. This is the case:

1 Multirole server Exchange 2013 SP1 (and older), one receive connector from internet to this server, no edge, nothing.

I care about preventing spoofing of my company's email addresses, and remove the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender transport permission from anonymous senders.

To do this, we usually simply run the PowerShell command

Remove-ADPermission <ReceiveConnector Name> -user "NT AUTHORITY\Anonymous Logon" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

This command works on Exchange SP1; the client (telnet session, f.e.) which tries to spoof an address of the company will be refused. (see screenshot below)

But in the Exchange 2013 CU5, CU6 and even CU7 releases this revoking of permissions DOESN'T WORK, without any errors, softly. I've tried PowerShell and ADSI but unsuccessfully.

Then we take off the permission on the connector above; we keep 3 default permissions:

Accept-any-sender

Accept-Routing-Headers

Submit-Message to Server

It works wonderfully only on server SP1, but not on servers with older versions, which have the right settings.

The saddest thing is I have information that this behavior is reproduced on Office 365 too. And I also think that in your lab you could take 15 minutes and play with this simple thing....

I found only that information on connector side is different on SP1 and CU5,6,7.

This is a normal connection on SP1, when somebody tries a spoofed address. We can see a 250 AUTH Response on server side, and server refuses the fake connection, all right.

And on CU5 and newest versions we don't see this code. Maybe auth mechanism misses something?

Any suggestions? On MS connect site I didn't find exchange bugs topic :)




Distribution Group member-> Don't send back to sender.


Hi all,

As per my organization's requirement, for the internal message flow, I have created a distribution group. This distribution group will send messages to its members for alert. But whenever a member of the distribution group sends an email to the members, it is also sent back to its sender. Is there any way to configure the distribution group in such a way that it will not send the message back to the sender?

Address rewriting doesn't work in outbound message


Hi, I have a problem with address rewrite on Exchange 2013 SP1.

We set a new address rewrite on edge machines with this parameter:

New-AddressRewriteEntry -Name "rewrite all" -InternalAddress test.local  -ExternalAddress  mail.test.com

It works for inbound messages, but in outbound messages test.local still appears.

What did we do wrong?

Thanks.

Exchange Server 2013 CU7 email spoofing


Dear All,

I am working with Exchange 2013 with CU7; it seems Exchange 2013 doesn't have the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender feature.

So we can't prevent spoofing of my company's email addresses.

Has this been fixed in CU8? Or does anyone have a workaround?

Thanks,

Minh
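
A read-only audit for the permission discussed in the three spoofing posts above, as an added example that is not part of any original post: it lists, per receive connector, the allow and deny entries that carry ms-Exch-SMTP-Accept-Authoritative-Domain-Sender for the anonymous logon account. The function name Get-AnonymousSenderRightAudit is hypothetical; the output reflects the ACL only and does not show whether the transport service enforces it.

```powershell
# Added example. Run in the Exchange Management Shell; it only reads permissions.
function Get-AnonymousSenderRightAudit {
    [CmdletBinding()]
    param(
        [string] $Right = 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender',
        [string] $User  = 'NT AUTHORITY\ANONYMOUS LOGON'
    )
    foreach ($connector in Get-ReceiveConnector) {
        # All ACEs on this connector object that carry the extended right for $User.
        $aces = @(Get-ADPermission -Identity $connector.Identity -User $User |
            Where-Object { $_.ExtendedRights -like $Right })

        $allow = @($aces | Where-Object { -not $_.Deny })
        $deny  = @($aces | Where-Object { $_.Deny })

        [pscustomobject]@{
            Connector        = $connector.Identity
            TransportRole    = $connector.TransportRole   # FrontendTransport or HubTransport
            Bindings         = $connector.Bindings -join ','
            PermissionGroups = $connector.PermissionGroups
            AllowAces        = $allow.Count
            InheritedAllow   = @($allow | Where-Object { $_.IsInherited }).Count
            DenyAces         = $deny.Count
            # ACL view only: an allow entry with no deny means the right is granted on paper.
            RightGranted     = ($allow.Count -gt 0 -and $deny.Count -eq 0)
        }
    }
}

# Connectors that accept anonymous sessions and still grant the right:
# Get-AnonymousSenderRightAudit |
#     Where-Object { $_.RightGranted -and "$($_.PermissionGroups)" -match 'AnonymousUsers' } |
#     Format-Table Connector, TransportRole, Bindings, AllowAces, InheritedAllow -AutoSize
```

An inherited allow entry is worth noting in the output, because removing the explicit entry on the connector leaves an inherited one in place.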

Address Rewriting not working on outbound mail


Hello, I have setup an Edge Transport server between Office 365/EOP and our internal mail servers (Non-Exchange). For this, I have setup two receive connectors and two send connectors on the Edge server. Mail flow in and out is working fine.

I enabled Address Rewriting agents for both inbound and outbound. Then I made an address rewrite entry. The entry works fine for inbound mail. The address @contosco.com is changed to @anotherdomain.com and routed appropriately. However, when I send an email from @anotherdomain.com back to the outside world, it is not rewritten to @contosco.com.

Here are the commands I used to setup the connectors:

New-ReceiveConnector -Name "From Internal to Edge" -Usage Internal -AuthMechanism ExternalAuthoritative -PermissionGroups AnonymousUsers, ExchangeServers -RemoteIpRanges <Internal Subnets> -ProtocolLogging Verbose
New-SendConnector -Name "From Edge to Internal" -Usage Internal -AddressSpaces <domains> -ProtocolLogging Verbose
New-SendConnector -Name "From Edge to EOP" -AddressSpaces * -RequireTLS $True -SmartHosts <organization>.mail.protection.outlook.com -ProtocolLogging Verbose
New-ReceiveConnector -Name "From EOP to Edge" -Usage Custom -AuthMechanism TLS  -PermissionGroups AnonymousUsers -RemoteIpRanges $ip.DataCenterIPs -RequireTLS $True -Bindings <ip address of server>:25 -ProtocolLogging Verbose

Note that EdgeSync is not used as the internal mail servers are not Exchange only.

Any ideas?



Rishi

AD account cannot send as valid email account


I'm having trouble sending email (via powershell for now) using an AD account which has been granted Send As permissions to a valid email account.

When I attempt to send I get "the SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.1 client was not authenticated"

In the SMTP receive log I see this:

Inbound Negotiate failed because of LogonDenied  

User Name: NULL

535 5.7.3 Authentication unsuccessful

MAIL FROM:<the-valid-email-account@yyy.com>,

530 5.7.1 Client was not authenticated

What has me perplexed is that I'm doing the same thing from another machine, where I'm using an AD account to send as this same valid email account.  All I did in that case was grant the Send As permission to the AD account and it worked.

In this instance where it's not working I've also tried adding the ms-Exch-SMTP-Submit permission to the receive connector, but still cannot send email.

So I'm stumped as to what is different and needs changed in order to allow this AD account to send mail.

Thanks for any help you can provide.

RBL not blocking all the emails that is on the blacklist


Hello everyone,

I have zen.spamhaus.org set up on the edge server and it seems to be blocking a lot of spam. However, some emails are still passing through the blacklist even though test-ipblocklistprovider shows that the IP is on the blacklist.

Please, see the email below that was supposed to be blocked but it was not:

2015-03-27T20:46:34.219Z,08D236728F26DC58,192.168.5.31:25,107.158.253.253:38235,107.158.253.253,<,NewConspiracyAlerts@info.getallthenew-conspiracyalerts.us,ConstitutionalProtectionAgency@getallthenew-conspiracyalerts.us;,goodman@nhautism.org,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,1,,a9765756-c29b-49ab-2014-08d236e63413,,Incoming

[PS] C:\>test-ipblocklistprovider zen.spamhaus.org -ipaddress 107.158.253.253

Provider                                ProviderResult                                                          Matched
--------                                --------------                                                          -------
zen.spamhaus.org                        {127.0.0.3}                                                                True





flavio



Remote Server returned '554 5.4.6 Hop count exceeded - possible mail loop'


Can anyone please help with the following.

We use mailmarshall (installed on the same server as Exchange 2013). In the send connector, if I enable smarthost, then I cannot send email external. The above error is received by the user. But I can still receive external emails.

If the smarthost is disabled, I can send and receive emails.

Any ideas, or has anyone else configured mailmarshal with exchange 2013?

Exchange Transport Content Filtering False Positive


Hi everybody

The following mail was considered as spam (false positive) by Exchange Edge server 2013 and moved to the spam quarantine folder. While analyzing the header I didn't see anything wrong with the sender. Any ideas? Thanks in advance

***********************

Delivery of this message to the following recipients or groups is quarantined:
mwafeeq@1234web.net.nl
Subject: eOoredoo Bill notification

Diagnostic information for administrators:
Generating server: Edge01.1234web.net.nl
mwafeeq@1234web.net.nl
Remote Server returned '550 5.2.1 Content Filter agent quarantined this message'
Original message headers:
Received: from smtp-out1.ooredoo.qa (212.77.206.2) by Edge01.1234web.net.nl
 (192.168.1.69) with Microsoft SMTP Server id 15.0.995.29; Thu, 26 Mar 2015
 12:04:36 +0300
Message-ID: <7ad34c$cmglg@smtp-out1.ooredoo.qa>
Date: Thu, 26 Mar 2015 09:04:12 +0000
From: e-ooredoo <e-ooredoo@ooredoo.qa>
Subject: eOoredoo Bill notification
To: <mwafeeq@1234web.net.nl>
MIME-Version: 1.0
Content-Type: text/plain
Return-Path: e-ooredoo@ooredoo.qa
Received-SPF: Pass (Edge01.1234web.net.nl: domain of e-ooredoo@ooredoo.qa
 designates 212.77.206.2 as permitted sender) receiver=Edge01.1234web.net.nl;
 client-ip=212.77.206.2; helo=smtp-out1.ooredoo.qa;

******************************




Noufal Qatar


Exclude SPF Pass From content filtering


Hi, Friends
I would like to exclude any email with Sender Policy Framework (SPF) record passed from content filtering.
Any email with SPF record "Received-SPF: Pass" should be excluded. Please help

 


Noufal Qatar

Event 36875: remote server requested SSL - which remote server?


Exchange 2013, CU5.

Hi,

I have frequent logs showing 36875, reporting "The remote server has requested SSL client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This SSL connection request may succeed or fail, depending on the server's policy settings."

I would like to work out which server is making these requests, and also which certificate is being offered but deemed 'not suitable'. 

I have increased the logging level to "7" for HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\"EventLogging" but this only provides informational events to say for TLS1.0 and TLS1.2 that "SSL server handshake completed successfully".

I am running an all-in-one Exchange server. I have two receive connectors (one for inbound mail from Mimecast and the other for relaying emails from internal applications) both of which have the FQDN which matches my public certificate. I still have the self-signed cert on the server. Mimecast attempts to deliver mail using opportunistic TLS, which is working - the headers I receive from a gmail address show TLS being used at all hops.

Any help gratefully appreciated.

Internal email marked as Junk - Exchange 2013


Hello,

As per the title, I have an issue whereby internal email from a reporting server is being classed as Junk in Outlook 2010 and 2013 for all recipients.

- The Junk-email filtering level for all users in Outlook is set to "Low" and is applied via group policy.

- I have anti-spam agents installed on all Exchange mailbox servers, but the "InternalMailEnabled" parameter is set to "false" for all agents.

- The receive connector used to receive internal email has the "Externally secured" flag set, which allows spam-filtering to be bypassed.

- The "InternalSMTPServers" parameter of the transport config contains the IP of the sending server.

- The email address has been added to several users' "Safe Senders" list in Outlook.

- I have a transport rule set up to bypass spam filtering for the sending address of the SQLReportingServices@domain.com, yet the email header on any of these messages does not contain the "SCL -1" stamp as per the below:

#↓    Header    Value
1    MIME-Version    1.0
2    From    <SQLReportingServices@domain.com>
3    To    <User1@domain.com>, <user2@domain.com>
4    Date    Tue, 10 Mar 2015 07:35:32 +0000
5    Subject    Report was executed at 10/03/2015 07:35:08
6    Content-Type    multipart/mixed; boundary="--boundary_90_638c99de-c35d-4d06-b992-536e14201c6d"
7    Message-ID    <dacbc167cba2410aa0a0c2088bdff95c@SERVER01.domain.localnet>
8    Return-Path    SQLReportingServices@domain.com
9    X-MS-Exchange-Organization-AuthSource    SERVER01.domain.localnet
10    X-MS-Exchange-Organization-AuthAs    Internal
11    X-MS-Exchange-Organization-AuthMechanism    10
12    X-MS-Exchange-Organization-Network-Message-Id    8d357628-f2e9-48d5-77e2-08d2291beca4
13    X-MS-Exchange-Organization-AVStamp-Enterprise    1.0

Can anyone assist in explaining why these emails are being continually marked as Junk in Outlook, and any further troubleshooting steps.

Thanks

Matt

