504 Need to authenticate first
Stuart
-----
This is an SMTP protocol log for virtual server ID 1, connection #45. The
client at "***.***.233.218" sent a "xexch50" command, and the SMTP server
responded with "504 Need to authenticate first ". The full command sent was
"xexch50 2244 2". This will probably cause the connection to fail. For more
information, click http://www.microsoft.com/contentredirect.asp.
-----
The IP address is another company's exchange server (a customer) and we
receive quite a bit of email traffic which is all successful.
Why would I be getting this event? And should I worry? There are also
occasions when this event occurs with IP addresses where there is no reverse
dns record (i.e. spammers).
Brandy Nee [MSFT]
Thank you for posting to the SBS Newsgroup.
From your post, I understand that you have the error information in the
event log which is: 504 Need to authenticate first. You want to know how
this issue happens, and how to resolve it. If I have misunderstood your
concern, please let me know.
Please see my steps below:
1. Please perform the steps shown in the KB article below to test whether
it works or not.
843106 How to troubleshoot the "504 need to authenticate first" SMTP
protocol
http://support.microsoft.com/?id=843106
2. If this issue persists, please run "eventvwr", paste the full content of
the error information to the Newsgroup. Like Event Type, Event Source,
Event Category, Event ID, and Description.
3. Please help me to collect MSExchangeTransport event logs. To do so,
1) On the server, go to the Exchange System Manager.
2) Expand to Yourserver(Exchange)\Servers\Yourserver.
3) Right click Yourserver, go to Properties, and select Diagnostics Logging.
4) In the Services Console, highlight MSExchangeTransport, then click each
Category which are displaying in the Categories Console, change the Logging
level from None to Maximum.
5) Reproduce the issue.
6) Run "eventvwr" and paste all the related issue to the Newsgroup.
4. Also, please collect the Protocol Logging and paste the full content to
the Newsgroup. To do so, please see:
How to troubleshoot for Exchange Server 2003 transport issues
http://support.microsoft.com/?id=821910#5
Thanks for your time. If there is anything unclear or you need any
assistance, please feel free to post back. I am looking forward to your
reply.
Best regards,
Brandy Nee
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Stuart
I've looked through the articles which are helpful. I had been through some
other ones but these identified some 'normal' behaviours that occur when the
Exchange server isn't part of the domain. None of the servers that create
this message should be on our network.
I just wanted to check why this happended to ensure we weren't being
targeted by hackers. Some days we have 20-30 of these errors - is there a way
of eliminating them?
Thanks
Stuart
Brandy Nee [MSFT]
Thank you for posting back.
This is mostly caused by the ISP or the sending email servers.
The "xexch50" command should not be sent to an external server. According
to the error message, please refer to the following article to modify a
registry value to prevent the "xexch50" from being sent outside:
818222 Messages remain in an outbound queue until a non-delivery report is
http://support.microsoft.com/?id=818222
You may also test manually sending an email to see if the email can be sent
successfully:
1) Click Start-> Run-> Input "cmd" (without the quotation marks), and press
Enter.
(Note: always follow each command with the Enter key. This will be assumed
from this point onwards. Also, that commands can be typed in lowercase,
they are not case sensitive. Finally, you cannot use the backspace key with
telnet since it simply transmits it to the server as a character. If you
make a mistake you usually have to hit enter and renter the whole command
again.).
2) Enter "Telnet".
3) Enter "Set Local_Echo".
4) Enter "Open xxx.xxx.xxx.xxx 25".
5) Enter "HELO". You should receive 250.
6) Enter "MAIL FROM: <Sender Email Address>". You should receive 250.
7) Enter "RCPT TO: <Recipient Email Address>". You should receive 250.
8) Enter "DATA". You should receive 354.
9) Enter "Subject: Testing from Telnet". There is no response at this stage.
10) Enter a blank line (press enter) and then a short message. There is
still no response.
11) Hit Enter then a period (''.'') and then Enter again. You should
receive 250 indicating that the message was delivered.
12) Enter QUIT. The connection should close. Hit any key. The mailbox
User...@YourDomain.com should be able to receive this test email later.
For more information, please refer to the following articles:
323350 HOW TO: Test SMTP Services Manually in Windows Server 2003
http://support.microsoft.com/?id=323350
If the issue persists, please run "eventvwr", double click the error, click
the Copy button and paste the full content to the Newsgroup.
To secure your Exchange server, please refer to the following KB article:
324958 How to block open SMTP relaying and clean up Exchange Server SMTP
queues
http://support.microsoft.com/?id=324958
Check if your SBS server is under Reverse NDR Attack by referring to the
following KB article:
886208 Exchange queues fill with many non-delivery reports from the
postmaster
http://support.microsoft.com/?id=886208
Hope this information helps. I am looking forward to hearing from you soon.
Stuart
I have used the option to amend the registry to prevent "xexch50" commands
being sent. I manualyy tested the smtpsvc as described and it's all fine.
I'll now monitor the error reprots to ensure it's sorted out the issue.
Thanks for your help.
Stuart
Brandy Nee [MSFT]
Thank you for posting back.
I am glad to hearing that the information helps. If you have any further
questions or concerns, please let me know. I am glad to be of assistance,
and I am looking forward to hearing from you soon.
Stuart
No change following the registry edit - error as follows:
Event Type: Error
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7010
Date: 06/06/2005
Time: 17:43:43
User: N/A
Computer: SERVER
Description:
This is an SMTP protocol log for virtual server ID 1, connection #2. The
client at "195.102.148.25" sent a "xexch50" command, and the SMTP server
responded with "504 Need to authenticate first ". The full command sent was
"xexch50 2004 2". This will probably cause the connection to fail.
For more information, click http://www.microsoft.com/contentredirect.asp.
Any more thoughts?
Thanks
Stuart
Brandy Nee [MSFT]
Thank you for posting back.
From the event log, it seems that the remote host 195.102.148.25 is sending
the xexch50 SMTP command to this SBS server without being authenticated
first. So this is the sending server's issue and it does nothing to do with
your Exchange server.
In a normal SMTP transactions, xexch50 is not used, so we can safely ignore
this event. You can also disable the xexch50 authentication by changing the
registry key, to do so, please see:
a) On the server, run "regedit" (without quotation marks).
b) Expand to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SMTPSVC\XEXCH50\Exch50A
uthCheckEnabled value.
c) Set the data value to 0.
Hope this information helps. If anything unclear, please let me know. I am
glad to be of assistance.
Stuart
Before I make a change in the registry, can I check what you mean. I have no
Exch50AuthCheckEnabled value - is this a DWORD like SuppressExternal that I
set previously?
Stuart
Brandy Nee [MSFT]
Thank you for posting back.
Please go to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SMTPSVC\XEXCH50, on
the Tool bar, click Edit, New, Select DWORD value. Rename it as
"Exch50AuthCheckEnable". By default, the value data should be 0, in case,
you can double click the value name, put 0 into the Value Data blank.
Hope this information helps. If anything unclear, please let me know. I am
glad be of assistance.