This week I tweeted a tip that can help you troubleshoot email delivery for your Exchange servers.
In this article I’m going to expand on that topic and explain why protocol logging is useful, and how you can enable it in your own environment.
What is Exchange Server Protocol Logging?
Protocol logs capture the SMTP communications that occur between servers. The information that is written to the protocol log files looks very similar to what you see when you are using Telnet to make an SMTP connection.
This information is invaluable in troubleshooting scenarios, because it captures events that occur during message delivery that may not appear in other logs on the server.
For example, many administrators are used to looking in message tracking logs when they troubleshoot email delivery. But message tracking logs only record events for messages once they are in the transport pipeline. If a message is never sent/received because the SMTP connection itself is rejected, the message tracking log will show no useful troubleshooting information.
There are two parts to the configuration of protocol logging in Exchange Server, and they are basically the same across Exchange 2007, Exchange 2010, and Exchange 2013.
Configuring Protocol Logging on Transport Servers
The first is the per-server settings, configured on Hub Transport and Edge Transport servers for Exchange 2007/2010, or either Client Access or Mailbox servers in Exchange 2013.
Protocol log paths can be set in the Exchange Management Console in the properties of the server.
However, most of the other useful settings can only be configured in the Exchange Management Shell.
You can use Get-TransportServer to view existing settings.
[PS] C:\>Get-TransportServer ho-ex2010-mb1 | select *protocollog*

IntraOrgConnectorProtocolLoggingLevel : None
ReceiveProtocolLogMaxAge              : 30.00:00:00
ReceiveProtocolLogMaxDirectorySize    : 250 MB (262,144,000 bytes)
ReceiveProtocolLogMaxFileSize         : 10 MB (10,485,760 bytes)
ReceiveProtocolLogPath                : C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive
SendProtocolLogMaxAge                 : 30.00:00:00
SendProtocolLogMaxDirectorySize       : 250 MB (262,144,000 bytes)
SendProtocolLogMaxFileSize            : 10 MB (10,485,760 bytes)
SendProtocolLogPath                   : C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend
Note: I’ve left out the HTTP protocol log settings from the above output since they are not relevant to this article.
You’ll notice that send and receive logs have their own settings, allowing you to keep those log files in separate paths and use different retention periods to suit the specific server’s role.
The default settings on a server are fine for low volumes of email traffic. The 30-day retention is useful in theory, but the max directory size of 250 MB means that high volumes of email traffic will probably result in far less than 30 days of log files being retained (250 MB would cover a few hours of traffic on one of my servers at the moment).
So think of the max directory size as a safety net for your log retention to make sure that logs don’t fill up the disk on the server. My experience these days is that Transport servers tend to have plenty of free disk space so I like to set the max log directory to something generous like 4GB for both send and receive.
Set-TransportServer ho-ex2010-mb1 -SendProtocolLogMaxDirectorySize 4GB -ReceiveProtocolLogMaxDirectorySize 4GB
If you have any concerns about storing logs on the C: drive, either for performance or free space reasons, you can use the protocol log path settings to move the log directory to a different disk.
Configuring Protocol Logging on Connectors
The second part of the configuration is the per-connector settings. Even though protocol logging is enabled by default on Transport servers, it is not enabled by default on any send or receive connectors.
One approach is to enable protocol logging on every connector in your organization. However some administrators will prefer to enable it only as needed.
I recommend that you enable protocol logging on any of the following:
- Send/receive connectors on any servers involved in internet email flow
- Receive connectors on any servers that act as SMTP relays for internal devices and applications
Those recommendations are based on my experience that most SMTP troubleshooting cases are for situations where email is not delivering to/from the internet, or from internal devices and applications that relay through your Exchange servers.
I’ll give you two real world examples of those situations:
- Outbound emails to specific domains are queuing on your Edge Transport servers. Protocol logging is how you can discover what reason the recipient’s email server is giving for rejecting the connection from your server.
- You’ve added an IP address of an internal server to your relay connector. Protocol logging is how you can ensure that the correct receive connector on your Hub Transport server is processing the connections from that internal server.
You can see all of your receive connector protocol logging settings using the Get-ReceiveConnector cmdlet.
[PS] C:\>Get-ReceiveConnector | select server,name,*protocollogginglevel | sort server | ft -auto

Server        Name                  ProtocolLoggingLevel
------        ----                  --------------------
BR-EX2010-MB  Client BR-EX2010-MB   None
BR-EX2010-MB  Default BR-EX2010-MB  None
HO-EX2007-MB1 Client HO-EX2007-MB1  None
HO-EX2007-MB1 Default HO-EX2007-MB1 None
HO-EX2010-MB1 Relay                 Verbose
HO-EX2010-MB1 Client HO-EX2010-MB1  None
HO-EX2010-MB1 Default HO-EX2010-MB1 Verbose
HO-EX2010-MB2 Default HO-EX2010-MB2 Verbose
HO-EX2010-MB2 Client HO-EX2010-MB2  None
The setting is also visible in the properties of a receive connector.
Send connectors also have their own protocol logging level, visible when you run Get-SendConnector (you’ll notice there is no “server” for a send connector).
[PS] C:\>Get-SendConnector | select name,*protocollogginglevel | ft -auto

Name                              ProtocolLoggingLevel
----                              --------------------
EdgeSync - HeadOffice to Internet Verbose
EdgeSync - Inbound to HeadOffice  None
Again, you will also find the setting in the properties of the send connector.
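One way to turn on the per-connector setting described above, as an added example rather than commands from the original article. It assumes the Exchange Management Shell; the connector identity is taken from the sample output above, and treating AnonymousUsers in PermissionGroups as the marker for internet-facing or relay connectors is an assumption to adjust for your environment.

```powershell
# Run in the Exchange Management Shell.

# 1. Audit: list receive connectors that are not logging yet, with the
#    properties that show who is allowed to connect to them.
Get-ReceiveConnector |
    Where-Object { $_.ProtocolLoggingLevel -eq 'None' } |
    Format-Table Identity, RemoteIPRanges, PermissionGroups -AutoSize

# 2. Enable verbose logging on a single receive connector
#    (identity taken from the article's sample output).
Set-ReceiveConnector -Identity 'BR-EX2010-MB\Default BR-EX2010-MB' -ProtocolLoggingLevel Verbose

# 3. Enable it on every receive connector that accepts anonymous connections
#    (assumed here to mean internet-facing or relay connectors).
#    -WhatIf previews the change; remove it to apply.
Get-ReceiveConnector |
    Where-Object { $_.PermissionGroups -match 'AnonymousUsers' -and
                   $_.ProtocolLoggingLevel -eq 'None' } |
    Set-ReceiveConnector -ProtocolLoggingLevel Verbose -WhatIf

# 4. Same for send connectors, which are organization-wide and have no server.
Get-SendConnector |
    Where-Object { $_.ProtocolLoggingLevel -eq 'None' } |
    Set-SendConnector -ProtocolLoggingLevel Verbose -WhatIf
```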
Using Protocol Logging Data
Once you have protocol logging enabled there are a few ways you can put it to good use.
The first is in specific troubleshooting cases. Protocol logs are quite readable so all you need to do is open them in Notepad or a similar text editor and look at the data.
However, finding what you’re looking for can be a challenge if you’ve got a lot of log files.
You can often narrow down the file you’re looking for because they are named according to date. But if there are multiple files for a given day you can search for strings in the files.
You can use PowerShell to search for string matches in the log files. In this example Get-Childitem returns the list of log files in the current directory, and I’m piping those into Select-String to look for “microsoft.com”.
PS > Get-ChildItem | Select-String -Pattern "microsoft.com"

RECV20120806-1.LOG:11:2012-08-06T00:30:07.127Z,HO-EX2010-EDGE\Default internal receive connector HO-EX2010-EDGE,08CF411DA334E41E,5,10.1.3.6:25,114.42.130.106:19992,,
RECV20120806-1.LOG:14:2012-08-06T00:30:07.284Z,HO-EX2010-EDGE\Default internal receive connector HO-EX2010-EDGE,08CF411DA334E41E,8,10.1.3.6:25,114.42.130.106:19992,,
The lines with the pattern matches as well as the file name itself (eg RECV20120806-1.LOG) are displayed in the results.
You also get the remote IP address (eg 114.42.130.106) returned, so you can perform a further search to see the entire SMTP conversation that occurred with that host.
PS > Get-ChildItem | Select-String -Pattern "114.42.130.106"

RECV20120806-1.LOG:6:2012-08-06T00:30:06.768Z,HO-EX2010-EDGE\Default internal receive connector HO-EX2010-EDGE,08CF411DA334E41E,0,10.1.3.6:25,114.42.130.106:19992,+,,
RECV20120806-1.LOG:7:2012-08-06T00:30:06.768Z,HO-EX2010-EDGE\Default internal receive connector HO-EX2010-EDGE,08CF411DA334E41E,1,10.1.3.6:25,114.42.130.106:19992,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
RECV20120806-1.LOG:8:2012-08-06T00:30:06.768Z,HO-EX2010-EDGE\Default internal receive connector HO-EX2010-EDGE,08CF411DA334E41E,2,10.1.3.6:25,114.42.130.106:19992,>,"220 HO-EX2010-EDGE.exchangeserverpro.net Microsoft ESMTP MAIL Service ready at Mon, 6 Aug 2012 10:30:05 +1000",
RECV20120806-1.LOG:9:2012-08-06T00:30:06.956Z,HO-EX2010-EDGE\Default internal receive connector HO-EX2010-EDGE,08CF411DA334E41E,3,10.1.3.6:25,114.42.130.106:19992,,250 HO-EX2010-EDGE.exchangeserverpro.net Hello [114.42.130.106],
RECV20120806-1.LOG:11:2012-08-06T00:30:07.127Z,HO-EX2010-EDGE\Default internal receive connector HO-EX2010-EDGE,08CF411DA334E41E,5,10.1.3.6:25,114.42.130.106:19992,,
RECV20120806-1.LOG:12:2012-08-06T00:30:07.127Z,HO-EX2010-EDGE\Default internal receive connector HO-EX2010-EDGE,08CF411DA334E41E,6,10.1.3.6:25,114.42.130.106:19992,*,08CF411DA334E41E;2012-08-06T00:30:06.768Z;1,receiving message
RECV20120806-1.LOG:13:2012-08-06T00:30:07.127Z,HO-EX2010-EDGE\Default internal receive connector HO-EX2010-EDGE,08CF411DA334E41E,7,10.1.3.6:25,114.42.130.106:19992,>,250 2.1.0 Sender OK,
RECV20120806-1.LOG:14:2012-08-06T00:30:07.284Z,HO-EX2010-EDGE\Default internal receive connector HO-EX2010-EDGE,08CF411DA334E41E,8,10.1.3.6:25,114.42.130.106:19992,,
RECV20120806-1.LOG:15:2012-08-06T00:30:07.284Z,HO-EX2010-EDGE\Default internal receive connector HO-EX2010-EDGE,08CF411DA334E41E,9,10.1.3.6:25,114.42.130.106:19992,*,Tarpit for '0.00:00:05',
RECV20120806-1.LOG:16:2012-08-06T00:30:12.299Z,HO-EX2010-EDGE\Default internal receive connector HO-EX2010-EDGE,08CF411DA334E41E,10,10.1.3.6:25,114.42.130.106:19992,>,550 5.7.1 Unable to relay,
RECV20120806-1.LOG:17:2012-08-06T00:30:12.471Z,HO-EX2010-EDGE\Default internal receive connector HO-EX2010-EDGE,08CF411DA334E41E,11,10.1.3.6:25,114.42.130.106:19992,-,,Remote
Those results can be a bit ugly though. Sometimes it’s easier to output them to a file for reading.
PS > $results = Get-ChildItem | Select-String -Pattern "114.42.130.106"
PS > $results | select line | Export-Csv -NoTypeInformation results.csv
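String searches return individual lines, but a protocol log is really a set of SMTP sessions. The following added example (not from the original article) groups log lines by session ID and reports the sessions in which the server replied with a 4xx or 5xx code, such as the "550 5.7.1 Unable to relay" above. The sample lines are constructed for illustration, using documentation addresses and a hypothetical server name EDGE01, and the function name Get-SmtpSession is also hypothetical.

```powershell
# Column order of Exchange SMTP protocol logs, as listed on the "#Fields:" header line of each file.
$ProtocolLogFields = 'date-time','connector-id','session-id','sequence-number',
                     'local-endpoint','remote-endpoint','event','data','context'

function Get-SmtpSession {
    # Groups raw protocol log lines into one object per SMTP session.
    param([string[]]$Line)

    $Line |
        Where-Object { $_ -and $_ -notmatch '^#' } |      # skip blank lines and "#" header lines
        ConvertFrom-Csv -Header $ProtocolLogFields |      # copes with quoted fields that contain commas
        Group-Object -Property 'session-id' |
        ForEach-Object {
            $events = @($_.Group | Sort-Object { [int]$_.'sequence-number' })
            $first  = $events[0]

            # SMTP replies start with a three-digit code: 4xx is a temporary failure,
            # 5xx a permanent one. Replies are '>' events in receive logs and '<'
            # events in send logs, so both directions are checked.
            $failures = @($events |
                Where-Object { ('<','>' -contains $_.event) -and $_.data -match '^[45]\d\d[ -]' } |
                ForEach-Object { $_.data })

            New-Object PSObject -Property @{
                SessionId  = $_.Name
                Connector  = $first.'connector-id'
                RemoteIP   = $first.'remote-endpoint' -replace ':\d+$', ''   # strip the port
                Start      = $first.'date-time'
                Failures   = $failures
                Transcript = @($events | ForEach-Object {
                    '{0,2} {1} {2}' -f $_.'sequence-number', $_.event, $_.data })
            } | Select-Object SessionId, Connector, RemoteIP, Start, Failures, Transcript
        }
}

# Constructed sample: one rejected relay attempt and one accepted message.
$sample = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2012-08-06T00:30:06.768Z,EDGE01\Default internal receive connector EDGE01,08CF0000AAAA0001,0,10.1.3.6:25,203.0.113.10:19992,+,,
2012-08-06T00:30:06.768Z,EDGE01\Default internal receive connector EDGE01,08CF0000AAAA0001,1,10.1.3.6:25,203.0.113.10:19992,>,"220 edge01.example.net Microsoft ESMTP MAIL Service ready at Mon, 6 Aug 2012 10:30:05 +1000",
2012-08-06T00:30:06.956Z,EDGE01\Default internal receive connector EDGE01,08CF0000AAAA0001,2,10.1.3.6:25,203.0.113.10:19992,<,EHLO mail.example.org,
2012-08-06T00:30:06.956Z,EDGE01\Default internal receive connector EDGE01,08CF0000AAAA0001,3,10.1.3.6:25,203.0.113.10:19992,>,250 edge01.example.net Hello [203.0.113.10],
2012-08-06T00:30:07.127Z,EDGE01\Default internal receive connector EDGE01,08CF0000AAAA0001,4,10.1.3.6:25,203.0.113.10:19992,<,MAIL FROM:<sender@example.org>,
2012-08-06T00:30:07.127Z,EDGE01\Default internal receive connector EDGE01,08CF0000AAAA0001,5,10.1.3.6:25,203.0.113.10:19992,>,250 2.1.0 Sender OK,
2012-08-06T00:30:07.284Z,EDGE01\Default internal receive connector EDGE01,08CF0000AAAA0001,6,10.1.3.6:25,203.0.113.10:19992,<,RCPT TO:<someone@example.com>,
2012-08-06T00:30:07.284Z,EDGE01\Default internal receive connector EDGE01,08CF0000AAAA0001,7,10.1.3.6:25,203.0.113.10:19992,*,Tarpit for '0.00:00:05',
2012-08-06T00:30:12.299Z,EDGE01\Default internal receive connector EDGE01,08CF0000AAAA0001,8,10.1.3.6:25,203.0.113.10:19992,>,550 5.7.1 Unable to relay,
2012-08-06T00:30:12.471Z,EDGE01\Default internal receive connector EDGE01,08CF0000AAAA0001,9,10.1.3.6:25,203.0.113.10:19992,-,,Remote
2012-08-06T00:31:00.000Z,EDGE01\Default internal receive connector EDGE01,08CF0000AAAA0002,0,10.1.3.6:25,198.51.100.7:40110,+,,
2012-08-06T00:31:00.100Z,EDGE01\Default internal receive connector EDGE01,08CF0000AAAA0002,1,10.1.3.6:25,198.51.100.7:40110,<,MAIL FROM:<alice@example.net>,
2012-08-06T00:31:00.200Z,EDGE01\Default internal receive connector EDGE01,08CF0000AAAA0002,2,10.1.3.6:25,198.51.100.7:40110,>,250 2.1.0 Sender OK,
2012-08-06T00:31:00.300Z,EDGE01\Default internal receive connector EDGE01,08CF0000AAAA0002,3,10.1.3.6:25,198.51.100.7:40110,-,,Local
'@

$sessions = Get-SmtpSession -Line ($sample -split "`r?`n")

# Show only the sessions that contain a 4xx/5xx reply, with the full conversation.
$sessions |
    Where-Object { $_.Failures.Count -gt 0 } |
    Format-List SessionId, Connector, RemoteIP, Start, Failures, Transcript

# Against real logs, feed the files in the protocol log directory instead:
#   Get-SmtpSession -Line (Get-ChildItem RECV*.LOG | Get-Content)
```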
Protocol logs were useful when I was troubleshooting the case of the Hub Transport server load imbalance.
Protocol logs can also be used for general reporting and monitoring of your servers. I’ve published some tutorials that show how to use Log Parser to extract useful insights from protocol logs.
- Report Top Sender IP’s on Exchange Server 2010 using Log Parser
- Generate SMTP Error Statistics using Log Parser and Exchange Server 2010 Protocol Logs
- Using Log Parser and Protocol Logs to Analyze Send Connector Usage
Summary
As you can see, protocol logging is quite useful. I do recommend you check your protocol log configurations and enable them on the most important send and receive connectors so that when problems happen you have this valuable log data available to assist you with troubleshooting.
Applies to Office 365 ? NOT Exchange Server onpremise.
Error: 4.3.111 Temporary server error. Please try again later MRH1 [Hostname=PA4PR04MB9341.eurprd04.prod.outlook.com]
Hi,
I believe this is more informative compared to the actual documentation of Protocol Logging. However, even when I find it useful, I do not think it would be helpful with my current situation. And I hope you can provide me some insights about it.
Since we will be using Client Frontend to allow Authenticated/Exchange Users to relay, we do not have a control on who can access it since as long as they are Exchange users and know the server to connect to, they can. With this, we will need to come up with some service or audit logs to view if the relayers using Client Frontend are actual requesters or there are relayers that connected to it without us knowing.
I believe one of these server logs may be useful. May you give me insight on which one to use that is suitable for my situation?
Thank you and I appreciate the help!
Hi,
Thank you so much for all your wonderful articles and books. (y) Top notch stuff.
I have a question. I think I have an email that has been discarded due to exceeding our max transport size settings, however, I cannot find a smoking gun. I find the email in 2 receive logs (it’s generated by a java app srv whitelisted for sending to F5 relay vip whitelisted for sending to exchange relay send connector), one proxying and one the first one where it is actually arriving. This is where I could see the message size. But I cannot find any indication of the message not passing through (aside from, you know, it not existing in my messagetrackinglog 🙂).
Is there a specific SMTP error code I should be looking for, or could it be that I have not activated logging on smth or am not looking in the correct log? It’s activated everywhere except Client Frontend, Client Proxy and Default receive connector.
So that means here Default Frontend, Outbound Proxy Frontend, EXT – Allow Relay.
Any pointer you could give would be helpful.
Hi Paul-
Looking at logs and trying to decipher some of these abbreviation meanings:
These: FE, SMRPI, SMRDE, SMRC, SMRCL, SMRCR, CATRESL.
2019-10-19T05:04:39.132Z;SRV=xxxxxxx.anytown.int:
TOTAL-FE=30.069|SMR=30.067(SMRPI=0.009(SMRPI-FrontendProxyAgent=0.009));SRV=xxxxxxx.anytown.int:
TOTAL-HUB=1.783|SMR=0.268(SMRDE=0.003|SMRC=0.265(SMRCL=0.102|X-SMRCR=0.265))|CAT=0.061(CATOS=0.009(CATSM=0.008(CATSM-Unified Group Post Sent Item Routing Agent=0.008))|CATRESL=0.011|CATORES=0.039(CATRS=0.039(CATRS-Transport Rule Agent=0.016(X-ETREX=0.016)|CATRS-Index Routing Agent=0.022)))|QDE=0.063|SMSC=0.374(X-SMSDR=0.063)|SMS=1.014
Thank you, Ant
Nice stuff, Paul – helped me a lot, really, thanks!
The scripting to look for a remote-address pattern was nice. One thing I like to do with the resulting file is paste it into Excel and parse by commas. This way you can use Excel to filter out events you don’t care about while investigating. So long as your result set isn’t toooo voluminous, Excel is a great tool! 🙂
Thanks again!
You’ve totally lost me…
I just want my daily mail.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
This article provides some troubleshooting advice for Exchange Server administrators (IT professionals who manage email servers). If you’re not an IT pro it won’t apply to you.
3-I also found spam messages queued on the queue every day although anti agents is installed and enabled as described in TechNet and Kaspersky security is configured in a good way for the spam and I found the message mentioned below has received by users in junk mailbox but I don’t know why I have the same message in the queue but from address and the recipient is not on our domain .
Identity: myserver\17483\49073
Subject: Undeliverable: [!!Spam]Could this digital currency actually make you a millionaire?
Internet Message ID:
From Address:
Status: Ready
Size (KB): 6
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 1/15/2018 11:33:37 AM
Expiration Time: 1/17/2018 11:33:37 AM
Last Error:
Queue ID: myserver\17483
Recipients: Footes.8142@static.vnpt.vn
I already installed a test exchange 2010 Sp1 to get the default configuration with all the extended rights and I will compare it with current production configuration,to know all the extended rights changed by the previous admin , I will try to return to the default settings of the receive connector with anonymous permission and remove the permission that the previous admin did to know its effect as I don’t have any documentation .
why I do that for 3 reasons
1-I’m afraid if the receive connector is relaying messages to other domain
I revised that we haven’t an external relay
2-see this warning everyday
Log Name: Application
Source: MSExchangeTransport
Date: 1/4/2018 8:27:49 AM
Event ID: 1035
Task Category: SmtpReceive
Level: Warning
Keywords: Classic
User: N/A
Computer: myserver1.mydomain.local
Description:
Inbound authentication failed with error LogonDenied for Receive connector internet-receive-connector.
The authentication mechanism is Login. The source IP address of the client who tried to authenticate to Microsoft Exchange is [185.117.148.24].
Ok sorry for inconvenience Paul ,thanks for your support and
I just feel confused cause what I seem to understand from the document differ on what I see practically now
In other words
I know that anonymous permission makes the receive connector receives mail from outside, so when I view it as unchecked and it receives mail I was surprised and digging into the receive connector permission I found that the “internet receive connector “that has no anonymous checked has ANONYMOUS LOGON permissions
, I thought that when there is no anonymous checked I will not find any anonymous logon
As shown below the internet receive connectors that has no anonymous checked
***************************************************************************************************************
Get-receiveconnector -Identity "myserver\internet-receive-connector" | Get-ADPermission | fl user, extendedrights | more
User : NT AUTHORITY\ANONYMOUS LOGON
ExtendedRights : {ms-Exch-SMTP-Accept-Any-Sender}
User : NT AUTHORITY\ANONYMOUS LOGON
ExtendedRights : {ms-Exch-SMTP-Submit}
User : NT AUTHORITY\ANONYMOUS LOGON
ExtendedRights : {ms-Exch-Accept-Headers-Routing}
User : NT AUTHORITY\Authenticated Users
ExtendedRights : {ms-Exch-Accept-Headers-Routing}
hi Paul
I inherited an exchange server 2010 SP1 ,that have 3 receive connectors
the Client myserver
the Default myserver
a custom receive connector (internet receive connector )
the default myreceive connector has the following settings:
identity : myserver2\Default myserver2
Server : myserver2
RemoteIPRanges : {172.16.1.0-172.16.1.255}
permissiongroup :AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers, Custom
AuthMechanism : Tls, Integrated, BasicAuth, ExchangeServer
note (172.16.1.0) those are internal ips of servers inside our lan
the other custom receive connector (internet receive connector )
Identity : myserver\internet-receive-connector
Server : myserver
RemoteIPRanges : {0.0.0.0-255.255.255.255}
permissiongroup :ExchangeUsers, Custom
AuthMechanism : Tls, Integrated, BasicAuth
I wonder how exchange receives mail from outside while the remote ip ranges of the default receive connector has internal ips and has an anonymous permission
while the internet receive connector that has no anonymous permission and has the range of all IP addresses receives mail, I think that I need to modify the remote ip ranges in the default receive connector to be from 0.0.0.0 till 255.255.255.255 and modify the remote IP range for custom internet receive connector to be for 172.16.1.0 to 172.16.1.255
the mail server receives mail from outside and I check the log and I found that
it receives mail through the custom “internet receive connector ”
which has no anonymous permission !!!!!
when I asked the admin who did that ,he told me he created the internet for receiving mail internally from oracle servers and website server that are located in the company ,because when he removes the “ms-Exch-SMTP-Accept-Authoritative-Domain-Sender” from the default receive connector ,the website server of the company and the monitoring servers and the oracle servers inside the company couldn’t send notification to our mail server ,
so do you think that the configuration that is mentioned first is right or my modification will be wrong
So what you’re saying is, it works just fine right now but for some reason you want to change it?
Doesn’t make sense to me. If it isn’t broken, why change it?
dear Paul
i can’t understand how receive connector that called “internet receive connector ” that only has exchange user permission group receives mail from outside the organization
as shown below
[PS] C:\Windows\system32>Get-ReceiveConnector -Identity "SRVHC01\internet-receive-connector" | fl name,remoteipranges,AuthMechanism,permissiongroups
Name : internet-receive-connector
RemoteIPRanges : {0.0.0.0-255.255.255.255}
AuthMechanism : Tls, Integrated, BasicAuth
PermissionGroups : ExchangeUsers, Custom
and the default receives email accepts mail only from internal servers and that’s make sense as long as the remote ip ranges
has internal ip
Name : Default SRVHC01
RemoteIPRanges : {172.16.1.0-172.16.1.255}
AuthMechanism : Tls, Integrated, BasicAuth
PermissionGroups : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers, Custom
I haven’t seen this configuration before , and I want to understand why it’s configured this way ,and how anonymous is not checked and the receive connector receives emails
It probably has to do with the “Custom” permission that is in place. At least partly. There’s more to receive connector permissions than just the PermissionGroups.
You’re asking me to explain a configuration I can’t see. You say it’s working, so all I can really say is that it seems fine to me. If you want to get deeper into the intricacies of receive connector configurations and permissions, there’s extensive documentation on TechNet.
Thank you Paul very much. It’s great article. I searched for information many months. Everything in detail.
Hi,
I have my Exchange server 2010 which was working fine. Just few days back it was observed that incoming emails were irregular as some were not coming through. I have checked all firewall issues were intact. What might be the problem? Please assist!
If that looks healthy then there is some other issue which we can check with the message tracking if it is outlook or exchange server or spam issues. Junk is marked or blacklisted while in the pipeline or user is blocked in pipeline or some kind of a hybrid issue is there. If outbound connectors are configured properly or some transport rule is blocking the email. On premises we can repair the database if something is also wrong with dirsync.
Is it quite similar to the telnet basically we are looking for error to eliminate the problem.
We can check the MX record by set type=mx and then the domain name.
Then we can check the rules of the firewall if rule is blocking the port no 25.
Then checking SMTP, we can increase the maximum directory size of protocol logging or we can check the error in the protocol logging. But that error can be accomplished by the echo telnet command.
Am I right and then we can fix the issue as it persists or we can check the performance of the exchange by using backpressure
Hi Paul,
I’ve encountered an issue regarding SMTP forwarding. We have large email volumes each day so we decided to try out a 3rd party email archiver. By enabling an SMTP connector, we integrated our Exchange 2010 with the archiver, and everything was running okay, then one day the archiving server was shut down. We had congestion in the mail system, so we decided to remove the SMTP connector. Can you help us determine if Exchange has some type of feature that can detect if the archive/backup server which Exchange is supposed to send a copy of email to is down or up? Then what action can an Exchange server take to immediately stop the SMTP connector without human intervention?
thanks!
No, it doesn’t. You’d need to monitor it yourself and write a script to make whatever change you think is necessary.
thanks Paul! your reply is very helpful.
Hi Paul!
What about Exchange 2016?
After a few hours of investigation :), I noticed that the paths for logs have changed.
e.g. if you create a custom receive connector for Anonymous relay and set logging to verbose, you’ll not be able to find logs in the expected path.
Logs will be written in the default path:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive
I don’t know why, but hope this helps 😉
Loreman
Hi, thanks for the info, how would you find the log location for connectors in Exchange 2013? I’ve enabled the verbose protocol logging, and confirmed with your powershell command.
Cheers
EDIT, found them.
Receive connector protocol log files for the Transport service on Mailbox servers: %ExchangeInstallPath%TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive
Receive connector protocol log files for the Mailbox Transport service on Mailbox servers: %ExchangeInstallPath%TransportRoles\Logs\Mailbox\ProtocolLog\SmtpReceive
Receive connector protocol log files for the Front End Transport service on Client Access servers: %ExchangeInstallPath%TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive
Send connector protocol log files for the Transport service on Mailbox servers: %ExchangeInstallPath%TransportRoles\Logs\Hub\ProtocolLog\SmtpSend
Send connector protocol log files for the Mailbox Transport service on Mailbox servers: %ExchangeInstallPath%TransportRoles\Logs\Mailbox\ProtocolLog\SmtpSend
Send connector protocol log files for the Front End Transport service on Client Access servers: %ExchangeInstallPath%TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpSend
As well as I want to tell you one more thing that could clarify my situation.
The outgoing mail server (SMTP) for domain esmartsoft.com.eg was wmail.link.net and at this step the gsfmo domain was able to send all mails to esmartsoft.com.eg domain but once it was changed by the ISP to be linkmail.hosting.link.net the gsfmo failed to send any mails after that change.
As well as the following is lines that are captured from SmtpLog files while I can send the mail to hotmail domain:
Date: 22/07/2015 07:42:12.194
Session-ID: 08D2922927230511
Local: None
Remote: 65.55.37.72 port 25
07:42:12.194 [attempting to connect]
07:42:12.818 220 ******************************************************************************************************************************************************************************************************************************************
07:42:12.818 EHLO mail.gsfmo.gov.sa
07:42:13.099 250-COL004-MC1F40.hotmail.com (3.21.0.194) Hello [85.194.65.196]
07:42:13.099 250-SIZE 36909875
07:42:13.099 250-PIPELINING
07:42:13.099 250-8bitmime
07:42:13.099 250-BINARYMIME
07:42:13.099 250-XXXXXXXA
07:42:13.099 250-XXXXXXXB
07:42:13.099 250-AUTH LOGIN
07:42:13.099 250-AUTH=LOGIN
07:42:13.099 250 XC
07:42:13.099 922 [sending message]
07:42:13.099 MAIL FROM: SIZE=398873
07:42:13.099 RCPT TO:
07:42:13.379 250 afzalali@gsfmo.gov.sa….Sender OK
07:42:13.894 250 hohanykamal@hotmail.com
07:42:13.894 DATA
07:42:14.175 354 Start mail input; end with .
07:42:23.520 250 Queued mail for delivery
07:42:23.520 QUIT
07:42:23.801 221 COL004-MC1F40.hotmail.com Service closing transmission channel
Please help me to understand the following lines that are captured from SmtpLog files:
Date: 30/06/2015 02:09:32.498
Session-ID: 08D271F4045EF862
Local: None
Remote: 41.128.142.5 port 25
02:09:32.498 [attempting to connect]
02:09:32.873 220 **************************************************************************************
02:09:32.873 EHLO mail.gsfmo.gov.sa
02:09:33.060 250-bmail.linkdatacenter.net [85.194.65.196], this server offers 7 extensions
02:09:33.060 250-AUTH LOGIN
02:09:33.060 250-SIZE 21504000
02:09:33.060 250A
Notes:
1 – each time we are trying to send to a domain esmartsoft.com.eg we received this error.
2 – I used a program called “LogView.exe” to enhance the output of the log.
Please I need your advice ASAP
What error? I don’t see an error message in your comment.
If you’re unfamiliar with “Get-ChildItem” make sure that you drill down to the actual SMTP protocol log file path in PowerShell before you enter the commands.
Example:
[PS] C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend>Get-ChildItem | Select-String -Pattern "example.com.au"
Just wanted to thank you for another great piece, where you manage to teach an arcane subject and make it almost enjoyable to be unraveling the inner working of Exchange. As the previous comment mentioned, you are a consistently valuable resource and I wanted to express my appreciation for that.
Paul,
You’ve been a consistent knowledgeable resource for me throughout the years as I carved myself a career as an Exchange Engineer. So I would like to thank you for all of the nuggets of wisdom you have shared. I have a question for you. In your article “Don’t leave pop/imap protocol logging enabled” you referenced this article and you mentioned the following:
“As a side note, I surveyed a few of my fellow MVPs on the topic of protocol logging and opinions were split about 50/50 on whether it should be left on all the time or not. You can certainly make up your own mind about that”
I’m curious as to a few reasons why it should not be left “enabled”. Of course if disk space is a concern, there’s circular logging. But what I tend to hear is that it creates additional “stress” on the hub transport server, and words like “overload” are mentioned.
I’ve transitioned into a new position and I previously maintained a small environment with 3 sites and 8 servers. Today I’m working at a company that has quadruple the servers and is the largest environment I’ve ever supported. Recently I found myself in need of the protocol logging and found that they weren’t enabled at all. I find them very useful. Would enabling on a very large environment really cause such a noticeable strain on the environment?
Author Paul Cunningham:
There’s no stress or strain. Exchange is already writing a ton of log files to disk. My opinion is that a server would already need to be overloaded for protocol logging to contribute to the issue.
SMTP protocol log settings have max age and max directory size thresholds you can set to ensure that logs don’t grow forever and consume all available disk space.
POP/IMAP protocol logging does not have those thresholds and carries the risk of consuming all available disk space.
That is why I don’t recommend leaving POP/IMAP logging enabled (unless you implement your own cleanup scripts), whereas I do recommend SMTP logging be left on for all the benefits it delivers for troubleshooting scenarios.
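The reply above mentions implementing your own cleanup scripts for POP/IMAP protocol logs. The following is an added example, not Paul's or Microsoft's code, of one way to apply a max age and a max directory size to a log folder. The parameter names and default values are assumptions chosen for illustration, and the log folder must be supplied because no path is assumed here.

```powershell
# Added example: age and size thresholds for a protocol log folder.
[CmdletBinding(SupportsShouldProcess=$true)]
param(
    [Parameter(Mandatory=$true)]
    [string]$LogPath,                   # POP3 or IMAP4 protocol log folder (supply your own)
    [int]$MaxAgeDays = 30,              # assumed default
    [long]$MaxDirectorySize = 250MB     # assumed default
)

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Oldest first, so the size pass trims from the old end.
$logs = @(Get-ChildItem -Path $LogPath -Filter *.log |
    Where-Object { -not $_.PSIsContainer } |
    Sort-Object LastWriteTime)

# Pass 1: everything older than the age threshold goes.
$expired = @($logs | Where-Object { $_.LastWriteTime -lt $cutoff })
$kept    = @($logs | Where-Object { $_.LastWriteTime -ge $cutoff })

# Pass 2: if what remains is still over the size threshold,
# mark the oldest remaining files until the folder fits.
$total    = ($kept | Measure-Object -Property Length -Sum).Sum
$overflow = @()
foreach ($file in $kept) {
    if ($total -le $MaxDirectorySize) { break }
    $overflow += $file
    $total    -= $file.Length
}

foreach ($file in ($expired + $overflow)) {
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove protocol log')) {
        try {
            Remove-Item -LiteralPath $file.FullName -ErrorAction Stop
        } catch {
            # The log currently being written is held open by the service.
            Write-Warning "Skipped $($file.FullName): $($_.Exception.Message)"
        }
    }
}
```

Run it with -WhatIf first to list what would be removed, then schedule it without -WhatIf.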
Paul,
Thank you for your response. Your time and advice is greatly appreciated. I’m honored.
Excellent article!
But one question: when you've got a proxy in the architecture in order to filter spam, Exchange sees only one IP address (the anti-spam gateway address).
If a SaaS application must send mail with relay, how does Exchange choose the right connector?
Dear Paul Cunningham,
Sir, I needed Exchange Server 2010 & 2013 interview questions. Please can you help me?
Author Paul Cunningham:
No. You either know the information or you don’t.
What information, Sir?
Hello Paul,
It's an amazing experience to read this great article.
Very precise, in depth and work well done!
Many Thanks!
-Azad
Hi Paul,
Got a question regarding recipient resolution. I’m troubleshooting an issue and discovered there is a way to log this.
Recipient resolution logging is controlled by the ResolverLogLevel parameter in the EdgeTransport.exe.config application configuration file. The valid values for this parameter are Disabled, Enabled, and FullContent. The default value is Disabled. When the ResolverLogLevel parameter is set to Enabled, only message envelope data is logged. When the ResolverLogLevel parameter is set to FullContent, message envelope data and message header data are logged.
I was wondering if you've ever come across a problem where you needed to change this setting. Also, I have not changed this config file before, or I might have but cannot remember, so my question is: when making changes to this file, do you need to restart the transport service for the changes to be applied?
Here’s my scenario:
a) Client sends an email to a shared mailbox
b) Shared mailbox has a server side rule to check for emails from a specific address with specific wording in the subject, with action: REDIRECT to an email group (distribution list).
This email group is set on our primary domain and its only member is a contact on our legacy domain.
I’m basically trying to get more info about what happens after the email group gets expanded, see below (this is the last event in the tracking logs)
RunspaceId : e66056fa-129b-42ec-9ef5-aba0d88616cc
Timestamp : 7/11/2013 1:04:15 PM
ClientIp :
ClientHostname :
ServerIp :
ServerHostname : HUBSERVER01
SourceContext : DOMAIN CONTROLLER
ConnectorId :
Source : ROUTING
EventId : EXPAND
InternalMessageId : 2871228
MessageId :
Recipients : {emailadd@legacydomain.com} (This is a contact which is a member of a distribution list)
RecipientStatus : {250 2.1.5 RESOLVER.GRP.Expanded; distribution list expanded}
TotalBytes : 6496
RecipientCount : 1
RelatedRecipientAddress : emailgroup@mycompanydomain.com (this is the distribution list)
Reference :
MessageSubject : Why is this not being delivered to its final destination (contact)
Sender : clientadd@clientcompanydomain.com
ReturnPath :
MessageInfo :
MessageLatency :
MessageLatencyType : None
EventData :
Hope this makes sense! Any help would be appreciated. I'm going nuts. I have enabled verbose logging level on all the receive connectors and am not getting any bounces or fails, so it's like it knows it's a distribution list that has a member but that's it; after expanding, it does not do anything with it (not TRANSFER), which is what I was expecting to see in the logs.
Thanks!!!
Very good article, Paul, with lots of good details. This one is going to really help admins, as troubleshooting issues with mail flow is always an issue and most of the time we cannot identify the cause of the issue when it happens in an Org.
Thanks for sharing with the forum.
Cheers!
Paul,
The article is amazing, with very in-depth knowledge of troubleshooting for mail flow.
Thank you for sharing such a deep dive.
Hi Paul,
You are producing high quality content and a great article layout. Can I suggest adding a 'print' icon whereby you can print the article as a printable version, which removes all the ads, comments etc.
A printable version, whereby you get a clean article...
Keep up the good work mate.
cheers
Excellent. Nice article…done well.
Nice one again!
Thanks!
:-))
Thanks
very helpful information