Comments on: Troubleshooting Email Delivery with Exchange Server Protocol Logging https://practical365.com/exchange-server-protocol-logging/ Practical Office 365 News, Tips, and Tutorials Fri, 03 Jun 2022 06:47:23 +0000
By: kiquenet https://practical365.com/exchange-server-protocol-logging/#comment-238693 Fri, 03 Jun 2022 06:47:23 +0000 https://www.practical365.com/?p=5345#comment-238693 Applies to Office 365? NOT Exchange Server on-premise.

Error: 4.3.111 Temporary server error. Please try again later MRH1 [Hostname=PA4PR04MB9341.eurprd04.prod.outlook.com]

By: Denz Patricio https://practical365.com/exchange-server-protocol-logging/#comment-230243 Wed, 08 Jul 2020 08:52:22 +0000 https://www.practical365.com/?p=5345#comment-230243 Hi,

I believe this is more informative compared to the actual documentation of Protocol Logging. However, even when I find it useful, I do not think it would be helpful with my current situation. And I hope you can provide me some insights about it.

Since we will be using Client Frontend to allow Authenticated/Exchange Users to relay, we do not have a control on who can access it since as long as they are Exchange users and know the server to connect to, they can. With this, we will need to come up with some service or audit logs to view if the relayers using Client Frontend are actual requesters or there are relayers that connected to it without us knowing.

I believe one of these server logs may be useful. May you give me insight on which one to use that is suitable for my situation?

Thank you and I appreciate the help!

By: Katrien Cornelis https://practical365.com/exchange-server-protocol-logging/#comment-228998 Thu, 12 Mar 2020 16:48:08 +0000 https://www.practical365.com/?p=5345#comment-228998 Hi,

Thank you so much for all your wonderful articles and books. (y) Top notch stuff.
I have a question: I think I have an email that has been discarded due to exceeding our max transport size settings; however, I cannot find a smoking gun. I find the email in 2 receive logs (it’s generated by a java app srv whitelisted for sending to F5 relay vip whitelisted for sending to exchange relay send connector), one proxying and one the first one where it is actually arriving. This is where I could see the message size. But I cannot find any indication of the message not passing through (aside from, you know, it not existing in my messagetrackinglog 🙂).
Is there a specific SMTP error code I should be looking for, or could it be that I have not activated logging on smth or am not looking in the correct log? It’s activated everywhere except Client Frontend, Client Proxy and Default receive connector.
So that means here Default Frontend, Outbound Proxy Frontend, EXT – Allow Relay.

Any pointer you could give would be helpful

By: Anthony https://practical365.com/exchange-server-protocol-logging/#comment-228427 Fri, 22 Nov 2019 17:04:14 +0000 https://www.practical365.com/?p=5345#comment-228427 Hi Paul-

Looking at logs and trying to decipher some of these abbreviation meanings:
These: FE, SMRPI, SMRDE, SMRC, SMRCL, SMRCR, CATRESL.

2019-10-19T05:04:39.132Z;SRV=xxxxxxx.anytown.int:
TOTAL-FE=30.069|SMR=30.067(SMRPI=0.009(SMRPI-FrontendProxyAgent=0.009));SRV=xxxxxxx.anytown.int:
TOTAL-HUB=1.783|SMR=0.268(SMRDE=0.003|SMRC=0.265(SMRCL=0.102|X-SMRCR=0.265))|CAT=0.061(CATOS=0.009(CATSM=0.008(CATSM-Unified Group Post Sent Item Routing Agent=0.008))|CATRESL=0.011|CATORES=0.039(CATRS=0.039(CATRS-Transport Rule Agent=0.016(X-ETREX=0.016)|CATRS-Index Routing Agent=0.022)))|QDE=0.063|SMSC=0.374(X-SMSDR=0.063)|SMS=1.014

Thank you, Ant

By: Brian Hymer https://practical365.com/exchange-server-protocol-logging/#comment-175822 Thu, 13 Dec 2018 23:56:46 +0000 https://www.practical365.com/?p=5345#comment-175822 Nice stuff, Paul – helped me a lot, really, thanks!

The scripting to look for a remote-address pattern was nice. One thing I like to do with the resulting file is paste it into Excel and parse by commas. This way you can use Excel to filter out events you don’t care about while investigating. So long as your result set isn’t toooo voluminous, Excel is a great tool! 🙂

Thanks again!

By: Paul Cunningham https://practical365.com/exchange-server-protocol-logging/#comment-157449 Sat, 24 Feb 2018 01:02:54 +0000 https://www.practical365.com/?p=5345#comment-157449 In reply to Tim W Carpenter Sr.

This article provides some troubleshooting advice for Exchange Server administrators (IT professionals who manage email servers). If you’re not an IT pro it won’t apply to you.

By: Tim W Carpenter Sr https://practical365.com/exchange-server-protocol-logging/#comment-157445 Fri, 23 Feb 2018 20:07:04 +0000 https://www.practical365.com/?p=5345#comment-157445 You’ve totally lost me…
I just want my daily mail.

By: nashwa zaki https://practical365.com/exchange-server-protocol-logging/#comment-156946 Mon, 15 Jan 2018 10:08:59 +0000 https://www.practical365.com/?p=5345#comment-156946 In reply to nashwa zaki.

As shown below, the internet receive connector that has no anonymous checked

***************************************************************************************************************
Get-ReceiveConnector -Identity "myserver\internet-receive-connector" | Get-ADPermission | fl user, extendedrights | more

User : NT AUTHORITY\ANONYMOUS LOGON
ExtendedRights : {ms-Exch-SMTP-Accept-Any-Sender}

User : NT AUTHORITY\ANONYMOUS LOGON
ExtendedRights : {ms-Exch-SMTP-Submit}

User : NT AUTHORITY\ANONYMOUS LOGON
ExtendedRights : {ms-Exch-Accept-Headers-Routing}

User : NT AUTHORITY\Authenticated Users
ExtendedRights : {ms-Exch-Accept-Headers-Routing}

By: nashwa zaki https://practical365.com/exchange-server-protocol-logging/#comment-156944 Mon, 15 Jan 2018 09:56:21 +0000 https://www.practical365.com/?p=5345#comment-156944 3- I also found spam messages queued on the queue every day, although anti agents are installed and enabled as described in TechNet and Kaspersky security is configured in a good way for the spam. I found the message mentioned below has been received by users in the junk mailbox, but I don’t know why I have the same message in the queue, but the from address and the recipient are not on our domain.
Identity: myserver\17483\49073
Subject: Undeliverable: [!!Spam]Could this digital currency actually make you a millionaire?
Internet Message ID:
From Address:
Status: Ready
Size (KB): 6
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 1/15/2018 11:33:37 AM
Expiration Time: 1/17/2018 11:33:37 AM
Last Error:
Queue ID: myserver\17483
Recipients: Footes.8142@static.vnpt.vn

By: nashwa zaki https://practical365.com/exchange-server-protocol-logging/#comment-156943 Mon, 15 Jan 2018 09:55:34 +0000 https://www.practical365.com/?p=5345#comment-156943 I already installed a test Exchange 2010 SP1 to get the default configuration with all the extended rights, and I will compare it with the current production configuration to know all the extended rights changed by the previous admin. I will try to return to the default settings of the receive connector with anonymous permission and remove the permission that the previous admin did, to know its effect, as I don’t have any documentation.

Why I do that, for 3 reasons:

1- I’m afraid if the receive connector is relaying messages to other domain

I revised that we haven’t an external relay

2- See this warning every day

Log Name: Application
Source: MSExchangeTransport
Date: 1/4/2018 8:27:49 AM
Event ID: 1035
Task Category: SmtpReceive
Level: Warning
Keywords: Classic
User: N/A
Computer: myserver1.mydomain.local
Description:
Inbound authentication failed with error LogonDenied for Receive connector internet-receive-connector.
The authentication mechanism is Login. The source IP address of the client who tried to authenticate to Microsoft Exchange is [185.117.148.24].
