Print Page | Close Window

Mails not forwardet from ISP to Imail app.

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6925
Printed Date: 14 December 2017 at 1:21am


Topic: Mails not forwardet from ISP to Imail app.
Posted By: morten44
Subject: Mails not forwardet from ISP to Imail app.
Date Posted: 14 March 2011 at 2:47pm
Hi
I have a problem again where users are saying that mails are not recevied by end user who is a customer behind out ISP Spamfilter. We are using Imail 8.2
 
The end user send a mail to me with following error:
***************************************************************

>> Fra: Mail Delivery System [mailto:Mail Delivery
System]

>> Sendt: 12. marts 2011 18:16

>> Til: mailto:lisbethkrohn@c.dk - lisbethkrohn@c.dk

>> Emne: Mail Delivery Failure

>> http://postmaster.tdc.dk/publish.php?id=2855 -

>> This message was created automatically by the
mail system.

>> A message that you sent could not be delivered
to one or more of its

>> recipients

>> This is a permanent error. The following
address(es) failed:

>>  mailto:grete@christianshede.dk -

>> Reporting-MTA: dns; fep47.mail.dk Arrival-Date:
Fri, 11 Mar 2011

>>14:13:14 +0100 Status: 5.4.7 Last-Attempt-Date:
Sat, 12 Mar 2011

>>18:16:02 +0100 Diagnostic-Code: smtp; 554 5.4.7
[internal] exceeded max

>>time without delivery Action: failed Final-Recipient:
rfc822;

>> mailto:grete@christianshede.dk -


*****************************************************************
mailto:grete@christianshede.dk - - lisbethkrohn@c.dk  is an exteral account from Tele Denmark
 
I have tried to look in the logfile to find out what happens. I can not find for that same time, but I can find one record that I can not see was delivered
 
I have uploaded the log file on your ftp: 20110312-morten44
 
Can you have a look at :
03-12-11 06:10:56:218 -- (4792) Received MAIL FROM: < mailto:lisbethkrohn@c.dk - lisbethkrohn@c.dk >
 
I cant see that beeing forwarded or put in queue
 
Hope you can help
 
Regards
Morten




Replies:
Posted By: LogSat
Date Posted: 14 March 2011 at 4:46pm
Morten,

When looking at the logfile you uploaded, we see the following last two entries for that email:
03-12-11 06:10:58:812 -- (4792) RCPT TO: grete@christianshede.dk accepted
03-12-11 06:12:38:968 -- (4792) Disconnect

SpamFilter accepts the recipient information and is ready to receive the email body. However after almost two minutes (actually exactly 100 seconds) the connection is dropped. Unfortunately the logs do not provide more details as the "why" the disconnect occurs. When SpamFilter disconnects an SMTP session, it should log the reason for doing so, which is not the case here. In most cases, disconnects after relatively long periods of time occur due to timeouts caused by other equipment/software, such as firewalls and/or antivirus software. These could be occurring either on the sender's side or on your side, it's impossible to tell without actually placing a packet sniffer on the network (or installing an app like Wireshark on the SpamFilter server). 
If you're able to do this, preferably configuring sniffer to capture only traffic from the specific IP address for the mail server you're having problems, we'd be glad to assist by debugging the packet capture logs. 


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: morten44
Date Posted: 15 March 2011 at 10:50am
Hi
Thanks for your reply
If I understand what you are saying, our ISP Spamfilter accpept the incomming request and keep it open for body of message to arrive. The body is then never sent or received and therefore after 100sec, it closes again. Is that correct?
 
I can install Wireshark on our mail server
You say I should configure with ip address of mail server that is sending to us and have the problems.
Can I see out from log file what I want to sniff
Only think I can see is that SPF record is showing "mail.dk"
If i do a ping of "mail.dk" i get IP 195.41.46.251
Is that the IP i want to "sniff" from Wireshark on our mail server?
 
I think I would like to follow this up as we have several users with issues like this and we want to understand how we can trouble shoot to prove if fault is with ISP/MailServer/End users PC
 
Thanks again
 
Regards
Morten


Posted By: morten44
Date Posted: 23 March 2011 at 8:51pm
Hi Roberto
I have uploaded a log file and Wireshark log file to your ftp server. The name is:
20110323_morten44

I have asked a user: grafitek@tdcspace.dk to send me: morten@e-advice.dk 4 different mails today
I got 3 of the 4 mails, so missing 1
I have tried to capture data with Wireshark for today and have included that in the file. I find it hard to compare them through

The 4 mails has process numbers:
7740
7928
7704
7916
in the log files, for me it seems like the process 7740 was not delivered but queued and then disconnected without forwarding.
Can you check if the wireshark tell you something if the fault is on our side or on senders site in this case?

Thanks again for taking time to look at this

Regards
Morten


Posted By: LogSat
Date Posted: 23 March 2011 at 10:58pm
Morten,

I downloaded your file, but it is not in the native wireshark format - when you saved it it looks like you selected a text-based format, not the .pcap default. The text format does not contain all the TCP packet data, only a summary, and can't thus be used.

Can you please try to capture the data again, and save it in the .pcap default format so we can see all of the TCP data and try to help?



-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: morten44
Date Posted: 24 March 2011 at 5:31pm
Hi
I have uploaded the file "wiresharknew.zip" to your FTP. Should be right format now. It still have data from the 23rd where you also have the log file.
That means hopefully you can see something why ISP Spamfilter accpet but disconnects in 1 of the 4 mails mentioned.
Hope I am monitoring the right IP;s so you can see something :)

Thanks again

Regards
Morten


Posted By: LogSat
Date Posted: 25 March 2011 at 7:45pm
Morten,

Yes, that second file has the correct format, we're going to be analyzing against the log for that day and will let you know more in a few hours.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: LogSat
Date Posted: 27 March 2011 at 11:38am
Hi Morten,

The entries in the logfile for the email you did not receive were actually those for thread ID 7888 as follows:

03-23-11 12:53:21:359 -- (7888) Detected TCP Connection: 195.41.46.140
03-23-11 12:53:21:359 -- (7888) Connection from: 195.41.46.140  -  Originating country : Denmark
03-23-11 12:53:31:515 -- (7888) Received MAIL FROM: <grafitek@tdcspace.dk>
03-23-11 12:53:31:531 -- (7888) Received RCPT TO: morten@e-advice.dk
03-23-11 12:53:32:078 -- (7888) RCPT TO: morten@e-advice.dk accepted
03-23-11 12:55:05:781 -- (7888) Disconnect

I'll try to explain what happened with this screenshot. There was a "hiccup" with the TCP connection, but I can't be certain if it was on your side or with the remote side. Whatever the cause, because of it there was an interruption of the TCP flow between your server and the remote server. SpamFilter has a built-in timeout of 1 minute after which, if there is no data being exchanged, SpamFilter will terminate the connection, which is what happened here. You may try to increase this timeout to something in the order of 3-5 minutes (the parameter is the "ReadTimeout=60" in the SpamFilter.ini file, but I am not sure this would have helped in this case, as I can't tell if eventually the TCP session would have self-healed or not.

Please note that SpamFilter simply disconnected the connection, it did not "reject" the email. This should have caused the remote SMTP server to retry sending the email after a brief interval, and not to report a non-deliverable notice back to the sender, as this simply simulates the network connection being dropped during the transmission (which should never generate a non-deliverable error if it's temporary).




-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP



Print Page | Close Window