Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Logs show some email as queued, but not delivered
  FAQ FAQ  Forum Search   Register Register  Login Login

Logs show some email as queued, but not delivered

 Post Reply Post Reply
Author
jortmann View Drop Down
Newbie
Newbie
Avatar

Joined: 13 November 2007
Location: Canada
Status: Offline
Points: 11
Post Options Post Options   Thanks (0) Thanks(0)   Quote jortmann Quote  Post ReplyReply Direct Link To This Post Topic: Logs show some email as queued, but not delivered
    Posted: 06 May 2010 at 12:09pm
Hello,

I'm experiencing some strange and frustrating email issues.

Our spamfilter forwards to exchange 2007 network load balanced (nlb) CAS servers. CAS1 and CAS2. The NLB config seems correct.

One issue is the CAS1 server does not handle any traffic from spamfilter - this may not be a question for this forum and might not have anything to do with the below issue.

The other issue is using Sawmill to parse spamfilter logs, we see that a piece of email has arrived and was queued; either filtered and accepted or whitelisted BUT the user never  gets it. Using exchange message tracking, which only shows spamfilter traffic on CAS2, we never the email as having been received.

This issue is affecting a few users and it is seeming random, one time a gmail won't be received, hours later, it is.

Any ideas? Any help will be greatly appreciated as this is becoming a big issue.
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 06 May 2010 at 10:16pm
jortmann,

If you can please zip to our support @ logsat dot com email address SpamFilter's activity logfile for a day this happened, we'll check to see what is happening. Please let us know the to/from email addresses for one or two of these emails, so we can locate them in the logs. If the zip is over 8MB in size, please upload the file to our FTP site, for which I'll send you the login info via a PM.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
jortmann View Drop Down
Newbie
Newbie
Avatar

Joined: 13 November 2007
Location: Canada
Status: Offline
Points: 11
Post Options Post Options   Thanks (0) Thanks(0)   Quote jortmann Quote  Post ReplyReply Direct Link To This Post Posted: 07 May 2010 at 3:54pm
Hello,

First another question: When spamfilter says an email is accepted or whitelisted and queued, does that mean it has been sent out the spamfilter infrastructure to the mail server?

Here is a log snippet that might help with my accepted but not delivered emails:

This sender is subject to filtering, he's not on any lists.

05/06/10 14:17:25:813 -- (1492) Sending email from TDesmarais@assante.com to sfraser@hialta.ca -- 

05/06/10 14:17:41:141 -- (1492) EMail from: tdesmarais@assante.com to: sfraser@hialta.ca --  was returned to sender - 

server error - 10.1.1.45 said: 5.7.1 Recipient not authorized, your IP has been found on a block list -- 

05/06/10 14:17:51:266 -- (1492) Error-email from tdesmarais@assante.com to sfraser@hialta.ca --  was forwarded to 10.1.1.45

05/06/10 14:17:51:266 -- (1492) There was an error sending the NDR to: TDesmarais@assante.comThe remote server said:550 

5.7.1 Unable to relay -- 

05/06/10 14:17:51:266 -- (1492) server error - 10.1.1.45 said: 5.7.1 Recipient not authorized, your IP has been found on a block list -- 



Here is a snippet from Sawmill after parsing. 

1106/May/2010 14:17:25198.163.239.133acrelay.assante.comTDesmarais@assante.comsfraser@hialta.caacceptedwas queued(empty)(empty)(empty)5.00 k


My questions are: Is the server error Spamfilter or the CAS NLB 10.1.1.45???? Is it the CAS rejecting the spamfilter server or the email?

I really want to know if this is a spamfilter issue or an exchange issue. Fighting a war on 2 fronts isn't fun.

thank you.
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 07 May 2010 at 8:22pm
Originally posted by jortmann jortmann wrote:

First another question: When spamfilter says an email is accepted or whitelisted and queued, does that mean it has been sent out the spamfilter infrastructure to the mail server?
Even if the logs say "is accepted" or "whitelisted", it's possible the sender disconnects before completing the email. The "sure" way of determining SpamFilter attempted to forward the email to your destination SMTP server is the line that contains "Sending email from .... to ..., as the following one:

05/06/10 14:17:25:813 -- (1492) Sending email from TDesmarais@assante.com to sfraser@hialta.ca -- 

The above is just an "attempt" to forward the email to your server. In this specific case, your destination server at 10.1.1.45 has rejected the above email from SpamFilter, and this is being logged with the entry, which shows in red the specific error string SpamFilter received when attempting to forward the email to 10.1.1.45:

05/06/10 14:17:41:141 -- (1492) EMail from: tdesmarais@assante.com to: sfraser@hialta.ca --  was returned to sender - server error - 10.1.1.45 said: 5.7.1 Recipient not authorized, your IP has been found on a block list -- 


As SpamFilter accepted an email for delivery from TDesmarais@assante.com, but was unable to deliver it due to the above error, we must at this point send a non-delivery report (NDR) email back to the sender (TDesmarais@assante.com). This email is forwarded for delivery to your SMTP server at 10.1.1.45, as SpamFilter will never send emails out to the internet directly. When this NDR is sent however, your server 10.1.1.45 rejects this attempt with an "550 5.7.1 Unable to relay" error message:

05/06/10 14:17:51:266 -- (1492) Error-email from tdesmarais@assante.com to sfraser@hialta.ca --  was forwarded to 10.1.1.45
05/06/10 14:17:51:266 -- (1492) There was an error sending the NDR to: TDesmarais@assante.comThe remote server said:550 5.7.1 Unable to relay -- 

Please note that we pre-released in the registered user area a new build (4.2.4.830) that drastically changes the above NDR behavior, to prevent the generation of NDR emails as much as possible. In v4.2, SpamFilter verifies the existence of the recipient with your destination SMTP server after an email has passed all filtering tests and is about to be delivered. While it is being delivered to your destination SMTP server, SpamFilter puts "on hold" the incoming connection while it ensures that your server will accept the recipient. Should your server reject the "RCPT TO" command (due to a non-existent user, mailbox full, etc), then in this case SpamFilter will relay the same SMTP error back to the sender. This forces the remote server to send the NDR to their customers, and will avoid having SpamFilter generate an NDR email that needs to be sent.

This said, you will need to ensure that your destination SMTP will accept all emails sent to it by SpamFilter, as if this is not done, you risk that emails won't be delivered.

Originally posted by jortmann jortmann wrote:

My questions are: Is the server error Spamfilter or the CAS NLB 10.1.1.45???? Is it the CAS rejecting the spamfilter server or the email?
I'm not sure what mail server software is running on 10.1.1.45. That mail server is however rejecting SpamFilter's connection attempts with the error "your IP has been found on a block list", and you will thus need to check your mail server's configuration to see what block list is being used that causes these connection attempts to be rejected. 
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
jortmann View Drop Down
Newbie
Newbie
Avatar

Joined: 13 November 2007
Location: Canada
Status: Offline
Points: 11
Post Options Post Options   Thanks (0) Thanks(0)   Quote jortmann Quote  Post ReplyReply Direct Link To This Post Posted: 10 May 2010 at 2:08pm
Thank you for your replies Roberto, they were very helpful to my understanding of the Spamfilter process. 

We do have the issue resolved HOWEVER it's not resolved in my mind. I'm not the exchange admin but have been poking around and see some settings that concern me, I don't fully understand them but understand enough that I think something is off. One of these settings, once disabled, 'fixed' the email issue.  I will also be upgrading Spamfilter soon as we are out of date.

Sorry the below is a little exchange heavy.

We run Exchange 2007 on Server 2008 servers. 10.1.1.45 is the IP for two network load balanced Client Access/Hub Transport servers, CAS1 and CAS2. Our Spamfilter server points to 10.1.1.45.

From the exchange mgmt console:
MS Exchange -> Organization Config -> Hub Transport -> AntiSpam tab ->IP Block list Providers.

Disabling this setting resolved the issue. The properties of this settings are blacklist server providers, the same as spamfilter but spamfilter has 1 more.

From Spamfilter:

bl.spamcop.net, true
zen.spamhaus.org, true
dnsbl.njabl.org, true
cbl.abuseat.org, true
blackholes.mail-abuse.org, true

From Exchange:

bl.spamcop.net
zen.spamhaus.org
dnsbl.njabl.org
dnsbl-1.uceprotect.net

What I do find strange is how disabling this filtering stopped the issue. Again the issue was that about a group of 30-40 users couldn't receive email from perhaps 1 or 2 of their contacts only. Everything else worked, in some case other users received mail from the same contacts without issue.

From the exchange mgmt console:
MS Exchange -> Organization Config -> Hub Transport -> Global Settings -> Transport Settings 

The properties have General and Message Delivery. Under Message Delivery we have

10.1.1.0/24
10.1.1.177  - spamfilter server

Concerns:

First, 10.1.1.0/24 covers the range, so we don't need a separate entry for spamfilter.

Second I noticed the DSN codes that have been entered do not include 5.7.1, that is the error code given in the spamlogs.

From the exchange mgmt console:
MS Exchange -> Server Config -> Hub Transport -> Receive Connectors 

There are 3 receive connectors set up; identical on both CAS servers. 

Client - Cas1server - not an issue here

Default - Cas1server  -> network settings specify 0.0.0.0.-255.255.255.255 port 25

Relay Connector -> network settings specify a bunch of individual servers within our 10.x.x.x internal scheme on port 25, or in other words, already covered by the DEFAULT connector. There are 3 server IPs that are in our DMZ - these seem like the only ones necessary to this connector given potential authentication configurations. (I did just tested this, our backup server was in this group, I removed it and it is still able to forward it's daily report to me.)


ONE Difference is with Authentication. The Default has "Exchange server auth" and "Integrated windows auth" enabled, whereas the Relay only has "Externally Secured auth enabled".

Roberto, I'm hoping all this makes sense, screenshots are easier to look at, I can upload some to the ftp site if you like.

Thank you again.
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.297 seconds.