SMTP not logging

[Mayo, Bill]

Short version:

On a single Exchange 2016 server (out of 3), nothing is being logged at “C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive” even though logging is set to verbose on the connector. I am as certain as I can be that relevant SMTP traffic is flowing through this server. I changed the setting to None and then back to Verbose with no result. I checked the path in Servers>Servers and it is correct.

 

Long version:

I am trying to track a problem where a 3^rd party system sends email through our Exchange 2016 environment. This 3^rd party system is used for sending messages to mobile devices for emergency responders and sends email through Exchange. At some point, these messages started getting throttled and I am trying to track that problem.

 

I have a receive connector which should be used because it is most specific to the server that is sending the messages, and I am certain this connector was used in the past. The connector has the MessageRateLimit set to Unlimited, however we can see that the messages get rejected after 5 messages, which would suggest it is using one of the more general receive connectors.

 

I was therefore trying to look at the logs to understand what receive connector is actually being used. Of the 3 Exchange Servers, 2 of them have plenty of logs, The 3^rd has no logs at all. It is the 3^rd that I am fairly certain is being used, because 1) that is the IP that resolves on the sending server, and 2) I don’t see any activity from the sending server in question on the other 2 that are logging.

 

So, my main problem is why is this email being rate limited when it doesn’t appear that it should be, but it makes me wonder if there is a bigger problem here because there is no logging.

[Mike]

Do you have any Receive Connectors scoped to specific IP addresses or ranges? I would check there first to confirm which connector the sending IP address should be landing on.

--
You received this message because you are subscribed to the Google Groups "ntexchange" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntexchange+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/9081ccdc9df94c6693d384c00dd427c5%40pittcountync.gov.

[Michael B. Smith]

I’d also look at the transport config to verify that the logs haven’t been moved.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/CA%2BSdsNFeM2_vHx7MkbRK6KWuNQPmnEVR26Gr6XbPJc3Q_ZAwDg%40mail.gmail.com.

[Mayo, Bill]

Yes, there is one scoped for the range that this server is in. This is the connector that has unlimited set, but the evidence indicates this traffic is being limited. That is why I was trying to troubleshoot which connector was being hit, and where I discovered that I was getting no logs on this server.

 

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Mike
Sent: Tuesday, May 12, 2020 12:16 PM
To: ntexc...@googlegroups.com
Subject: Re: [ntexchange] SMTP not logging

 

Do you have any Receive Connectors scoped to specific IP addresses or ranges? I would check there first to confirm which connector the sending IP address should be landing on.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/CA%2BSdsNFeM2_vHx7MkbRK6KWuNQPmnEVR26Gr6XbPJc3Q_ZAwDg%40mail.gmail.com.

[Mayo, Bill]

I am assuming you are talking about going to the Server config and looking at the Transport Logs settings. The Send Protocol Log Path there matches the location in which I am looking. If you are talking about something else, then I’m afraid you have to spell it out more.

.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/d13d73f255474b4dbe236be26ff9803b%40smithcons.com.

[Michael B. Smith]

Yes, I believe the cmdlet is Get-TransportServer, it lists all the transport logs, their locations, and their configured maximum sizes.

 

You should be able to set “verbose” on all connectors, and then quickly figure out the required connector. The connector name is part of the info that is logged. So you can turn off the others to avoid excess log generation:

 

               

To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/1ab36c1b49374e74818d45c48266baad%40pittcountync.gov.

[Mayo, Bill]

Ok, I used that cmdlet and the path is what it is supposed to be. The logging is set to verbose. I even previously changed it to none and then back to verbose to make sure it was recognized.

 

What you are describing is what I was trying to do, so that is good to confirm. However, my problem is that these logs aren’t getting generated. I have confirmed that the messages that are getting throttled did go through this server by tracking a known message, so this is not a case of where there is no traffic to log.

 

Would it possibly help to restart the Transport service?

 

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Michael B. Smith
Sent: Tuesday, May 12, 2020 12:35 PM
To: ntexc...@googlegroups.com
Subject: RE: [ntexchange] SMTP not logging

 

Yes, I believe the cmdlet is Get-TransportServer, it lists all the transport logs, their locations, and their configured maximum sizes.

 

You should be able to set “verbose” on all connectors, and then quickly figure out the required connector. The connector name is part of the info that is logged. So you can turn off the others to avoid excess log generation:

 

               

.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/18cb1f71584248a58229de2e9be93eae%40smithcons.com.

[Mayo, Bill]

Just after sending this message, I decided to do a search for the file name and seem to have found the logs at “C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive” instead of “C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive” (what the all the locations I looked at told me).

 

So, I am looking at the logs and I see that it is hitting the connector that I am expecting. I will have to do some more digging here to try and find where it is failing, but if anybody can explain the FrontEnd/Hub discrepancy, I would love to hear it.

.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/bc953b07f68f47b09f948f2825a10f14%40pittcountync.gov.

[Michael B. Smith]

Well. Sorry about that.

 

When they integrated CAS and HT they had to put the logs in different places. CAS à FrontEnd. HT à Hub. I personally never noticed that the folder they named in the cmdlet was HT instead of CAS. I just expected it to be CAS.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/ef3064ed76e8462997f03b7552661ed8%40pittcountync.gov.

[Mayo, Bill]

So I have matched up log entries from the 3^rd part software with what is in the SMTP log and, unfortunately, it is not clear to me what is going on. The SMTP log basically ends with “Proxy session was successfully set up” followed by an “Authentication Successful” message. After that line, nothing further is logged on the Exchange side (at least in this particular log). On the 3^rd party software side, this seems to be where they get “421 4.4.2 Message submission rate for this client has exceeded the configured limit”.

 

The good news is the SMTP log indicates that it is hitting the receive connector that I expected. This connector is configured with an unlimited message rate.

 

Based on the “proxy session” message and the fact that logging seems to end there, is it reasonable to think that the message has been passed off to the “Client Proxy SERVERNAME” connector? It would make a certain amount of sense, because this connector is rate limited. What I am not clear on is why that would happen. I did some googling on the “proxy session” message, but that didn’t lead me to anything that seemed helpful right away. If it is being handed over to a different connector and I don’t want to set that particular connector to unlimited, then what are my options here?

.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/ea1928ca97974d6a98c0de011c2d3285%40smithcons.com.

[Michael B. Smith]

If you look in the EAC you have “frontend” connectors and you have “hub” connectors.  Each frontend passes off to a hub. Same rules apply – the most specific hub connector wins. If you want different hub behavior create one and ensure it’s more specific for this use case.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/09aada9b790c42a5b4a15febb891ec96%40pittcountync.gov.

[Mayo, Bill]

Well, that certainly clarifies some things. I assume this was a change with Exchange 2016 and this is my first opportunity to encounter it. What I have done is create a custom hub connector on each server that limits to the IP in question. The one thing I wasn’t 100% sure on was the port. By default, it was 25 and Exchange wouldn’t let me to proceed using that port. I used 465 because that is what the “Client Proxy” connector is using, but I wasn’t completely sure if that was right. I also set these connector to verbose logging, but haven’t seen anything logged in the “hub” subfolder (which finally makes sense) yet.

.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/38eb8f0a09f341b1adb06162f43b0d7f%40smithcons.com.

[Mayo, Bill]

I don’t think what I have setup is working. I am not seeing any logs generated for the HubTransport connector even though I have verbose on for it. The only way I could figure out to create a connector of this type was custom and then I had to change the port number. As mentioned, I used 465 because of the other one, but that is as deep as my logic is. I have been googling to try and find something about a similar issue with no luck so far.

 

Michael, if you would be kind enough to confirm/deny the port part, it would be appreciated.

.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/5a92d26f8c7a45659fe7605f297cc9f2%40pittcountync.gov.

[Kurt Buff - GSEC, GCIH]

It's been a few months since I worked with Exchange, and it was 2010 at that, but what I did when setting up different transports was to assign a new IP address to the NIC, then the transport to the IP address - I used port 25 on all of them.

Port 465, AFAIK, isn't all that common - more usual is 587, or even 2525. Port 465 is pretty much deprecated these days

See, for instance: https://www.fastmail.com/help/technical/ssltlsstarttls.html

Kurt

To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/78d159fec59e4bad888410ab2541b0eb%40pittcountync.gov.

[Mayo, Bill]

Thanks for the reply, Kurt. We moved from 2010 to 2016 several months ago and this is my first experience with this type of connector. I agree with what you are saying and that was my experience as well. Exchange, or at least the admin interface, wouldn’t let me create this using port 25 and I was just trying to replicate what the other HubTransport connector was using.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/CADy1Ce6vGkrfsq%3DeDwg%3Da%3DLbner3PiH5rRv8U5MsoDZqJBfmvA%40mail.gmail.com.

[Kurt Buff - GSEC, GCIH]

We don't have on-prem email here, so it was just a wild stab. I'm
still interested in Exchange stuff, though, so it'll be interesting to
hear how you get this resolved.

Kurt

> To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/ce2c4467f6b5476bb3aab0c07e06ac15%40pittcountync.gov.

[Mayo, Bill]

I have been googling all afternoon, but I have not been able to find any definitive information on how to get the messages to go through this connector. The diagram at https://docs.microsoft.com/en-us/exchange/mail-flow/mail-flow?view=exchserver-2016 is interesting that it shows a "hub selector" at the Front End Transport Service level and at the Mailbox Transport Service level, but not the Transport Service level (which I understand to be the same as the "Hub" Transport level). It would seem fair to interpret that to mean that there is no selection process here and that my connector is never going to be used (which does seem to match what I am seeing). However, MBS said it worked the same way, so I don't know.

I did finally find a few other places where people were talking about the same problem, but there were no solutions. One person seemed to think it was not possible and that you had to change the settings on the base HubTransport connector. I am just about at the point where I am going to have to do that.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/CADy1Ce5pO8-CBDKHzTT0tBknt00Rxy2hzUxVAFsjkOu7usD5cA%40mail.gmail.com.

[Mayo, Bill]

As an FYI to anyone curious, I engaged with Microsoft paid support about 3 weeks ago on this. What I requested was assistance in creating a hub connector that would work for traffic from a specific IP, where I could change the rate limit and indicated I did not want to change the default connector. After an incredible amount of back and forth over the course of 3 weeks, they have decided I was correct that it was being rate limited by the default hub connector and have told me to increase the rate on that. Well, gee, thanks. I have asked to have it escalated. I will post with whatever resolution I ultimately get.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/fac784312ba04f1590fc6aad8f0d0907%40pittcountync.gov.

[Mayo, Bill]

I had the case escalated to no avail. They have basically told me that what I want to do is not possible. The only recommendation they have is to change the rate limit on the "Client Proxy SERVERNAME" HubTransport Receive Connector. I do believe I have come to a realization about something, though, and seems obvious in retrospect. The traffic is apparently being sent to this specific connector (which is limited), as opposed to the "Default SERVERNAME" (which is not), because I made the decision to have this specific 3rd party service authenticate. I had historically done a lot of unauthenticated things, and I thought this was a better method. In this case, it may not have been.