Disappearance of one of the recipients of the message. RSS Back to forum
From: <>
To: = <>,
>>>>>>>>>> <>,
<>
CC: =<>,
<>,
<>
P.S. Edited original Header message
Hello spooller,
Thank you for contacting us. We are going to investigate this issue. Please send us your ORF configuration file (orfent.ini), the ORF log file (e.g. orfee-2016-07-05.log) from the day of the incident, along with the *original* email saved in an .eml or .msg format - forwarded emails are not sufficient - to , for analysis. The requested ORF files can be found in the ORF program directory (default: \Program Files (x86)\ORF Fusion).
Well, i think that`s quite enough.
I get, that is no way, that RCPT TO may pass the Exchange logs, except it can be done by sending email server.
Many thanks to you, Daniel Novak, i`ll contact sender`s server support.
@spooller:
I think, i did found something:
It happens once again, and look at this:
Original:
From: Aleksandr <>
Дата: 12 june 2017, 12:09:12 GMT+3
To: Marry <>
CC: BV <>
Subject: important message
Orf:
-- EVENT SUMMARY --
Time: 12.07.2017 12:09:16 GMT+0300 (local)
Sender Email:
Recipient Email:
Related IP: 17.172.220.113
Action: Rejected
Email Subject: (not available)
-- EVENT MESSAGE --
Temporarily rejected by the Greylisting Test.
AND... Exchange! There is no any log about missed recipient!!!
7/12/2017 12:09:17 PM HAREDIRECTFAIL SMTP {} important message
7/12/2017 12:09:17 PM RECEIVE SMTP {} important message
7/12/2017 12:09:17 PM AGENTINFO AGENT {} important message
7/12/2017 12:09:17 PM SEND SMTP {} important message
Cheers! :)
Deleted text:
From: Aleksandr
Date: 12 june 2017, 12:09:12 GMT+3
To: Marry
CC: BV
Subject: important message
Just a quick update for people who might bump into this thread - or follow the discussion. It turns out, that in fact, the missing email/recipient had been recorded both in the Exchange and ORF logs. It should be kept in mind that ORF logs its own actions only, thus if an email goes missing without trace after the Before Arrival or On Arrival filtering point - or does not show up at in the ORF logs at all - that means the email was rerouted or rejected further down (or up) the filtering chain. The list of installed filtering agents and the order in which they are executed can be checked by running the 'Get-TransportAgent' command in the Exchange Management Shell (EMS). To change the filtering order, please consult our related KB at https://vamsoft.com/support/docs/knowledge-base/changing-the-filtering-order
Another important thing to note, is the fact that ORF does not filter the incoming email in "one go". It activates twice (i.e. hooks specific SMTP events); Once after the 'RCPT TO' protocol command - in which the sending server submits the recipient(s) - this is called the 'Before Arrival' filtering point, and one more time - if at least one of the recipients was accepted - right after the entire email has been transmitted in the 'DATA/BDAT' command - this is called the 'On Arrival' filtering point. In both cases, ORF returns the control to the underlying mail server and its installed agents once it has performed its tests. Thus, an email might be rejected or rerouted by another filtering agent in-between, never to be seen again by ORF.
To learn more about the "filtering points" concept, please consult the following article: https://vamsoft.com/support/docs/orf-help/5.4.1/fltrpointconcept
@Daniel Novak (Vamsoft):
Hello Daniel, thank you for reply.
Indeed, the last event i`ve wrote, we figured out, that there is an event in verbose logs.
But the first post, is still unanswered (well, who knows what happens, right? :))
Maybe, i`ve missed this option - Event Configuration> Events> Before Arrival: Log recipient acceptance * early ?
To get logs more clearly.
We still waiting for sender`s mail support to response! :)
Greetings!
The problem was solved. Indeed, that was hosting-provider problem, theres a reply:
"Hello, Oleg!
I apologize for the delay in replying.
The very status of the domain in our system is correct, that is, the MX record looks at the third-party servers correctly. However, sometimes, despite the priorities and correctness of the configured MX record, mail may still malfunction (for example, emails may be lost). Therefore, we strongly recommend that you do not create boxes on our servers, if they are also on other servers.
Since your domain is not delegated to Yandex servers, in this situation we usually recommend that you delete the boxes that are located on our servers and disconnect the domain so that it does not interfere with the work of the boxes located on other servers. Thus, this problem can be corrected as follows: please log in to the agro.com domain administrator's account in our service at https://pdd.ya.com/, remove the boxes from our servers, then click on the "Disconnect" link Near the domain name."
Daniel, thanks again for help! :)
Good day sirs!
Exchange 2016 CU6
ORF 5.4.1
Complained that the letter did not reach and sent the original message.
In the field "To" there is one recipient (who did not receive the letter)
In the field "Cc" there are two recipients to whom the letter has successfully reached.
From: Alex []
Sent: Friday, June 16, 2017 11:46 AM
To: Michael <>
Cc: Nina <>; Alex <>
Subject: RE: Protocol.docx
I`ve checked the ORF log, and found a strange thing...
Time June 16, 2017 11:46:31 GMT + 0300 (2 hours ago)
Sender Email
Recipient Emails:
Action (not available)
Email Subject RE: Protocol.docx
Message Whitelisted by the Sender Whitelist.
So, there is the same thing in the Exchange SMTP log:
2017-06-16T08:46:31.046Z,MX01\Main Frontend MX01,08D4B3E2B583443C,14,10.43.201.60:25,37.9.109.219:51807,<,MAIL FROM:<> SIZE=33382,
2017-06-16T08:46:31.046Z,MX01\Main Frontend MX01,08D4B3E2B583443C,15,10.43.201.60:25,37.9.109.219:51807,*,08D4B3E2B583443C;2017-06-16T08:46:30.984Z;1,receiving message
2017-06-16T08:46:31.046Z,MX01\Main Frontend MX01,08D4B3E2B583443C,16,10.43.201.60:25,37.9.109.219:51807,<,RCPT TO:<> ORCPT=rfc822;,
2017-06-16T08:46:31.062Z,MX01\Main Frontend MX01,08D4B3E2B583443C,17,10.43.201.60:25,37.9.109.219:51807,<,RCPT TO:<> ORCPT=rfc822;,
2017-06-16T08:46:31.078Z,MX01\Main Frontend MX01,08D4B3E2B583443C,18,10.43.201.60:25,37.9.109.219:51807,<,DATA,
2017-06-16T08:46:31.078Z,MX01\Main Frontend MX01,08D4B3E2B583443C,19,10.43.201.60:25,37.9.109.219:51807,>,250 2.1.0 Sender OK,
2017-06-16T08:46:31.078Z,MX01\Main Frontend MX01,08D4B3E2B583443C,20,10.43.201.60:25,37.9.109.219:51807,>,250 2.1.5 Recipient OK,
2017-06-16T08:46:31.078Z,MX01\Main Frontend MX01,08D4B3E2B583443C,21,10.43.201.60:25,37.9.109.219:51807,>,250 2.1.5 Recipient OK,
2017-06-16T08:46:31.078Z,MX01\Main Frontend MX01,08D4B3E2B583443C,22,10.43.201.60:25,37.9.109.219:51807,>,354 Start mail input; end with <CRLF>.<CRLF>,
2017-06-16T08:46:31.109Z,MX01\Main Frontend MX01,08D4B3E2B583443C,23,10.43.201.60:25,37.9.109.219:51807,*,,Proxy destination(s) obtained from OnProxyInboundMessage event
2017-06-16T08:46:31.265Z,MX01\Main Frontend MX01,08D4B3E2B583443C,24,10.43.201.60:25,37.9.109.219:51807,>,"250 2.6.0 <[email protected]> [InternalId=94489280936, Hostname=mx01.of.local] 34726 bytes in 0.159, 212,366 KB/sec Queued mail for delivery"
There is no recipient, to whom this mail was sent.
This sender () is whitelisted, meesages from that person, was successfully delivered before and still to domain users and also this recipient ().
But yesterday, this happened again.
There is nothing between exchange, orf and hardware GateWay (no edge, and so on).
There is no main recipient into the Exchange and ORF logs, but only "CC" recipients, AND
Message Header:
Received: from mx01.local (255.255.255.255) by mx02.local (255.255.255.255)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.845.34 via Mailbox
Transport; Tue, 4 Jul 2017 12:10:06 +0300
Received: from mx02.local (255.255.255.255) by mx01.local (255.255.255.255)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.845.34; Tue, 4 Jul
2017 12:10:05 +0300
Received: from forward14h.cmail.s.smtp.net (87.250.230.156) by mx02.local
(255.255.255.255) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.845.34 via
Frontend Transport; Tue, 4 Jul 2017 12:10:05 +0300
Received: from smtp3o.mail.s.smtp.net (smtp3o.mail.s.smtp.net [37.140.190.28])
by forward14h.cmail.s.smtp.net (s.smtp) with ESMTP id 71AB821826;
Tue, 4 Jul 2017 12:10:05 +0300 (MSK)
Received: from smtp3o.mail.s.smtp.net (localhost.localdomain [127.0.0.1])
by smtp3o.mail.s.smtp.net (s.smtp) with ESMTP id C19072940E5F;
Tue, 4 Jul 2017 12:10:00 +0300 (MSK)
Received: by smtp3o.mail.s.smtp.net (nwsmtp/s.smtp) with ESMTPSA id 9p8oTf6gCr-9xGWr5xX;
Tue, 04 Jul 2017 12:09:59 +0300
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(Client certificate not present)
X-s.smtp-Suid-Status: 1 1130000038580336,1 1130000040286130,1 1130000038104541,1 1130000040275925,1 1130000039305528
From: =?koi8-r?B?69Xa2M3JziDhzMXL08XK?= <>
To: =?koi8-r?B?68nSyczMz9cg4czFy9PBzsTS?= <>,
=?koi8-r?B?9M/H1drBxdcg7cnIwcnM?= <>,
=?koi8-r?B?8M/Qz9fBIO7JzsE=?= <>
CC: =?koi8-r?B?5M3J1NLJxdcg4czFy9PBzsTS?= <>,
=?koi8-r?B?/sXS18/XIPLPzcHO?= <>,
=?koi8-r?B?J+fMz9TP1yDhzsTSxcon?= <>
Subject: =?koi8-r?B?IPPLzMHE2SDQz8Qg09nS2KMu?=
Date: Tue, 4 Jul 2017 12:09:58 +0300
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_00BF_01D2F4BE.754BC830"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdL0pU8vXHP1CVDTRbCuZBobpQDPsw==
Content-Language: ru
Return-Path:
X-MS-Exchange-Organization-Network-Message-Id: da10f6d1-813e-4dd0-8edc-08d4c2bc7621
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: mx02.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.1227070
Help!?