ORF Greylisted, Remote server got reject, now I can't get their mail
@Indy:
The whitelists of ORF work independently from Exchange and other software, so if the sender is whitelisted in ORF and the email is allowed through it, Exchange (and other software) can still block it before or after ORF. I assume it is a Content filter rule in Exchange 2010 that stops these emails.
As for Greylisting, the sender server must reattempt the email delivery if it encounters a temporary rejection as per Internet standards. Though I think the standards do not define an actual time frame in which the delivery should be reattempted, Exchange servers typically retry after 15 minutes. If the sender does not retry at all, it is clearly misconfigured. The one-minute Greylisting time in ORF only assures the re-attempted delivery is not accepted if the sender retries right away.
Are you sure these legitimate senders do not retry at all?
The problem is I show the sender's server retrying every hour, on the hour. I show ORF and my firewall passing the message and accepting the message. Here is the ORF log, occurring at exactly :03 after the hour for days now:
----------------------------------------------------------------
Version: 4.4 REGISTERED
Log Mode: Verbose
Server: OURMAILSERVER
Source: MSEXCHANGE
Time: 11/1/2011 9:03:09 PM
Class: Whitelist
Severity: Information
Filtering Point: Before Arrival
HELO/EHLO Domain:
Related IP: 67.51.yyy.xxx
Message ID:
Subject:
Message:
Recipient whitelisted by the sender whitelist. Filter comment: "Received via Remote Control on 10/27/2011 10:41:33 AM".
----------------------------------------------------------------
I don't think a Content Filter would cause this behavior. This behavior only started after I whitelisted this IP/Sender. We still get most mail from this sender, however not mail with attachments.
I can see in the headers that they use Goldmine, a CRM software, and they use a version that is slightly outdated, so I've been trying to get them to upgrade their version and see if that helps. The client and the intended recipient want me to open a case with Microsoft on the Exchange side but I really don't see how this is an Exchange issue, nor can I see Microsoft helping us since this seems sender related...
As I mentioned above, ORF does not affect other software upon whitelisting and it does not alter the email in any way either, so it is definitely caused by something outside ORF. I recommend checking the Exchange transport logs and the logs of any other software involved in email delivery.
I also recommend contacting the sender to retrieve the actual NDR message they get upon rejection.
Sample Exchange SMTP Receive: Nothing obvious, their logs look like other logs.
----------------------------
2011-11-07T20:03:08.493Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,0,172.16.x.y:25,67.51.xxx.yyy:53206,+,,
2011-11-07T20:03:08.493Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,1,172.16.x.y:25,67.51.xxx.yyy:53206,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2011-11-07T20:03:08.493Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,2,172.16.x.y:25,67.51.xxx.yyy:53206,>,"220 MYMAILSERVER.internal.mydomain.com Microsoft ESMTP MAIL Service ready at Mon, 7 Nov 2011 12:03:07 -0800",
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,3,172.16.x.y:25,67.51.xxx.yyy:53206,<,EHLO mail.senderserver.com,
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,4,172.16.x.y:25,67.51.xxx.yyy:53206,>,250-MYMAILSERVER.internal.mydomain.com Hello [67.51.xxx.yyy],
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,5,172.16.x.y:25,67.51.xxx.yyy:53206,>,250-SIZE,
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,6,172.16.x.y:25,67.51.xxx.yyy:53206,>,250-PIPELINING,
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,7,172.16.x.y:25,67.51.xxx.yyy:53206,>,250-DSN,
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,8,172.16.x.y:25,67.51.xxx.yyy:53206,>,250-ENHANCEDSTATUSCODES,
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,9,172.16.x.y:25,67.51.xxx.yyy:53206,>,250-STARTTLS,
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,10,172.16.x.y:25,67.51.xxx.yyy:53206,>,250-X-ANONYMOUSTLS,
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,11,172.16.x.y:25,67.51.xxx.yyy:53206,>,250-AUTH NTLM,
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,12,172.16.x.y:25,67.51.xxx.yyy:53206,>,250-X-EXPS GSSAPI NTLM,
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,13,172.16.x.y:25,67.51.xxx.yyy:53206,>,250-8BITMIME,
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,14,172.16.x.y:25,67.51.xxx.yyy:53206,>,250-BINARYMIME,
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,15,172.16.x.y:25,67.51.xxx.yyy:53206,>,250-CHUNKING,
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,16,172.16.x.y:25,67.51.xxx.yyy:53206,>,250-XEXCH50,
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,17,172.16.x.y:25,67.51.xxx.yyy:53206,>,250-XRDST,
2011-11-07T20:03:08.508Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,18,172.16.x.y:25,67.51.xxx.yyy:53206,>,250 XSHADOW,
2011-11-07T20:03:08.555Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,19,172.16.x.y:25,67.51.xxx.yyy:53206,<,MAIL FROM: <> SIZE=789680,
2011-11-07T20:03:08.555Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,20,172.16.x.y:25,67.51.xxx.yyy:53206,*,08CE649F28A0AA47;2011-11-07T20:03:08.493Z;1,receiving message
2011-11-07T20:03:08.555Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,21,172.16.x.y:25,67.51.xxx.yyy:53206,>,250 2.1.0 Sender OK,
2011-11-07T20:03:08.789Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,22,172.16.x.y:25,67.51.xxx.yyy:53206,<,RCPT TO: <>,
2011-11-07T20:03:10.318Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,23,172.16.x.y:25,67.51.xxx.yyy:53206,>,250 2.1.5 Recipient OK,
2011-11-07T20:03:10.630Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,24,172.16.x.y:25,67.51.xxx.yyy:53206,<,DATA,
2011-11-07T20:03:10.630Z,MYMAILSERVER\Default MYMAILSERVER,08CE649F28A0AA47,25,172.16.x.y:25,67.51.xxx.yyy:53206,>,354 Start mail input; end with <CRLF>.<CRLF>,
------------------------------------------
ORF: Still whitelisting everything.
Firewall: I show zero blocks/denies.
Their NDR:
------------------------------------------------
The original message was received at Mon, 31 Oct 2011 11:26:31 -0700
from localhost.localdomain [127.0.0.1]
----- The following addresses had permanent fatal errors -----
<>
----- Transcript of session follows -----
<>... Deferred: Resource temporarily unavailable
Message could not be delivered for 5 days
Message will be deleted from queue
Unknown MIME type: message/delivery-status
------------------------------------------------------------------
We allow MIME message type: message/* on our firewall. I don't show any denies from the firewall side...
Pretty sure I figured it out. The client is timing out after the default 10 minutes that Exchange allots for sending mail. By increasing the timeout I'm thinking this will allow their slower server (we're on a 100 Mbps fiber connection so we aren't the limiting factor here) to complete the transfer. Guess greylisting ORF was a coincidence. Thanks for replies!
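Added example, not part of any post in this thread: a Python check that scans an Exchange SMTP receive log in the column layout shown above and reports sessions that reached `354 Start mail input` but never got a 2xx acceptance, which is the signature of the DATA-phase timeout diagnosed in the post above. The 600-second default comes from that post; the sample rows, addresses, session IDs and the function name `find_stalled_data` are constructed for illustration.

```python
import csv
import re
from datetime import datetime

# Constructed sample rows (not the poster's log), in the column order shown in
# the thread: time,connector,session,seq,local,remote,event,data,context.
# Events: + connect, - disconnect, < received, > sent, * information.
SAMPLE_LOG = "\n".join([
    "2011-11-07T20:03:08.493Z,Default SRV,S1,0,10.0.0.5:25,192.0.2.10:53206,+,,",
    "2011-11-07T20:03:08.555Z,Default SRV,S1,1,10.0.0.5:25,192.0.2.10:53206,<,MAIL FROM:<a@example.org> SIZE=789680,",
    "2011-11-07T20:03:10.630Z,Default SRV,S1,2,10.0.0.5:25,192.0.2.10:53206,<,DATA,",
    "2011-11-07T20:03:10.630Z,Default SRV,S1,3,10.0.0.5:25,192.0.2.10:53206,>,354 Start mail input; end with <CRLF>.<CRLF>,",
    "2011-11-07T20:13:10.700Z,Default SRV,S1,4,10.0.0.5:25,192.0.2.10:53206,-,,Local",
    "2011-11-07T20:20:00.000Z,Default SRV,S2,0,10.0.0.5:25,192.0.2.10:53301,<,MAIL FROM:<a@example.org> SIZE=20480,",
    "2011-11-07T20:20:00.500Z,Default SRV,S2,1,10.0.0.5:25,192.0.2.10:53301,>,354 Start mail input; end with <CRLF>.<CRLF>,",
    "2011-11-07T20:20:02.000Z,Default SRV,S2,2,10.0.0.5:25,192.0.2.10:53301,>,250 2.6.0 <m1@example.org> Queued mail for delivery,",
    "2011-11-07T20:20:02.100Z,Default SRV,S2,3,10.0.0.5:25,192.0.2.10:53301,-,,Remote",
])

def find_stalled_data(log_text, timeout_s=600):
    """Return sessions where DATA began but the message was never accepted."""
    sessions = {}
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 8 or row[0].startswith("#"):
            continue  # skip '#Fields:'-style header lines and truncated rows
        when, _, sid, _, _, remote, event, data = row[:8]
        s = sessions.setdefault(sid, {"remote": remote, "size": None,
                                      "data_at": None, "accepted": False})
        s["last"] = datetime.strptime(when, "%Y-%m-%dT%H:%M:%S.%fZ")
        size = re.match(r"MAIL FROM:.*\bSIZE=(\d+)", data, re.I)
        if event == "<" and size:
            # New mail transaction: remember the size the sender declared.
            s.update(size=int(size.group(1)), data_at=None, accepted=False)
        elif event == ">" and data.startswith("354"):
            s["data_at"] = s["last"]      # server is now waiting for the body
        elif event == ">" and s["data_at"] and data.startswith("2"):
            s["accepted"] = True          # 2xx reply after the body arrived
    stalled = []
    for sid, s in sessions.items():
        if s["data_at"] and not s["accepted"]:
            waited = (s["last"] - s["data_at"]).total_seconds()
            # Sustained rate the sender needs to finish inside the timeout.
            rate = round(s["size"] / timeout_s) if s["size"] else None
            stalled.append({"session": sid, "remote": s["remote"],
                            "size": s["size"], "waited_s": round(waited, 1),
                            "min_bytes_per_s": rate})
    return stalled

if __name__ == "__main__":
    for hit in find_stalled_data(SAMPLE_LOG):
        print(hit)
```

A `waited_s` value close to the connector's timeout, paired with a large declared `SIZE`, points at a slow sender rather than at a filter rejecting the message.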
@Indy:
It definitely seems to be an issue on their end... Judging from the bounce message they have Sendmail:
http://objectmix.com/sendmail/316253-occasional-deferred-messages-help.html
We have a client that e-mailed us, the greylist denied their message (we have it set to 60 seconds), and they complained to us that they sent to us but we never received it.
So I whitelisted their IP/domain, told them to resend, and I thought the issue was resolved.
However, they claim that they can't send us messages with some attachments, others go through fine. I show ORF and my firewall passing the messages through, but something in Exchange appears to block them. We don't have message size/attachment limits. Can ORF impact Exchange 2010 to the point where it won't allow some e-mail inbound? We didn't see this issue with Exchange 2003.
I gotta be honest, greylisting is probably a feature we may drop. Too many random people e-mail us and their servers aren't configured to retry after a minute, and we receive complaints. Any thoughts on this? I only show greylisting blocking 8-12% of mail for us. False positives are bad.