Mail flow central logs....

Unanswered Question
Sep 22nd, 2009

I have one host that seems to have a real hard time sending us email. I see many "Message Aborted" entries in Mail Flow Central. Often it looks like the same email being attempted over and over again. Eventually they will be received. Sometimes it takes several hours before they are successful. I believe the issue is network related. Any ideas on how I might help provide info to the network person, and/or the IT staff on the sending end? Anyone ever had this issue?

mychrislo_ironport Wed, 09/23/2009 - 02:54

Try raising the ACCEPT mail flow policy to have higher max. rcpt per hours.
and the DHAP limit.

Or if you can look at the logs directly, the most probable is DHAP. I had this problem before.

And btw, the default setting, giving 550 code for DHAP abort in the middle of SMTP conversation is not nice too.

Anthony Bundy Wed, 09/23/2009 - 13:00


Try raising the ACCEPT mail flow policy to have higher max. rcpt per hours.
and the DHAP limit.

Or if you can look at the logs directly, the most probable is DHAP. I had this problem before.

And btw, the default setting, giving 550 code for DHAP abort in the middle of SMTP conversation is not nice too.


domain is listed in our "Trusted" mail flow policy. In that policy, I have all settings at default. The number per hour defaults to unlimited. The same is true for "Accepted". In this case, it doesn't appear to be DHAP related. I will take a closer look at logs tho, thanks for the info...
Anthony Bundy Thu, 09/24/2009 - 18:08

I have more. I've removed the real addresses and IPs, but the timestamp on the last line is interesting. 3 minutes later, it says lost. Any ideas? Looks like network issues to me...


Thu Sep 24 10:15:08 2009 Info: New SMTP ICID 44296636 interface Data 1 (x.x.x.x) address x.x.x.x reverse dns host mail.sendingdomain.com verified yes
Thu Sep 24 10:15:08 2009 Info: ICID 44296636 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 0.3
Thu Sep 24 10:15:08 2009 Info: Start MID 3800107 ICID 44296636
Thu Sep 24 10:15:08 2009 Info: MID 3800107 ICID 44296636 From:
Thu Sep 24 10:15:08 2009 Info: MID 3800107 ICID 44296636 RID 0 To:
Thu Sep 24 10:18:51 2009 Info: ICID 44296636 lost
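
Added example (not part of the original posts and not Cisco code): this Python script pairs each "New SMTP ICID" entry with the entry that ends the connection and reports the ones that ended in "lost", with how long they stayed open and which MIDs were in flight, which is the kind of summary to hand to the network team. The sample log is constructed; the second connection and its "ICID <n> close" ending are assumptions added for contrast.

```python
import re
from datetime import datetime

# Constructed sample: the first connection mirrors the entries quoted above;
# the second (ICID 44296700) is invented for contrast and assumes a normal
# connection ends with an "ICID <n> close" entry.
SAMPLE_LOG = """\
Thu Sep 24 10:15:08 2009 Info: New SMTP ICID 44296636 interface Data 1 (x.x.x.x) address x.x.x.x reverse dns host mail.sendingdomain.com verified yes
Thu Sep 24 10:15:08 2009 Info: Start MID 3800107 ICID 44296636
Thu Sep 24 10:16:02 2009 Info: New SMTP ICID 44296700 interface Data 1 (x.x.x.x) address x.x.x.x reverse dns host mail.example.org verified yes
Thu Sep 24 10:16:03 2009 Info: Start MID 3800110 ICID 44296700
Thu Sep 24 10:16:04 2009 Info: ICID 44296700 close
Thu Sep 24 10:18:51 2009 Info: ICID 44296636 lost
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \w+: (.*)$")
NEW = re.compile(r"New SMTP ICID (\d+) .*reverse dns host (\S+)")
START = re.compile(r"Start MID (\d+) ICID (\d+)")
END = re.compile(r"ICID (\d+) (lost|close)$")

def lost_connections(text):
    """Return one record per connection that ended in 'lost', with timings."""
    conns, lost = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        body = m.group(2)
        if (n := NEW.search(body)):
            conns[n.group(1)] = {"icid": n.group(1), "host": n.group(2),
                                 "opened": ts, "mids": []}
        elif (s := START.search(body)) and s.group(2) in conns:
            conns[s.group(2)]["mids"].append(s.group(1))
        elif (e := END.search(body)) and e.group(1) in conns:
            c = conns.pop(e.group(1))
            if e.group(2) == "lost":  # dropped without a clean end
                c["seconds_open"] = int((ts - c["opened"]).total_seconds())
                lost.append(c)
    return lost

if __name__ == "__main__":
    for c in lost_connections(SAMPLE_LOG):
        print(f"ICID {c['icid']} from {c['host']}: lost after "
              f"{c['seconds_open']}s, MIDs in flight: {c['mids']}")
```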

Rehan Latif Fri, 09/25/2009 - 06:24
User Badges:
  • Cisco Employee,

tbundy,

Is this happening to messages coming from one domain? Or is it with most of the domains?

If you have a PIX/ASA installed on the edge, then please check if it has ESMTP Inspection/SMTP Fixup enabled. If yes, then disable it.

Running a packet capture on the firewall would be really helpful in determining the exact location of the issue. If it is not the ESMTP Inspection or fixup thing, then there must be some packet loss, and you will see "TCP Retransmission" or "DUP ACK" in the packet captures.

steven_geerts Fri, 10/30/2009 - 21:52

Hi TBundy,

An injection debug log might help you to sort things out. This log type logs all(!) data received from a certain host. Be careful! This includes the complete message bodies and attachments.

What I have seen a few times was a sending host that stopped responding after Ironport replies to the DATA command with "220 Go Ahead". It can be that the sending system is an old/unpatched MTA that does not recognize the words "Go Ahead" instead of "OK". In the end the debug log proves (at least in every case I had with it) that the problem is at the sending side. (They simply stop sending data after our last "220".)

The manual describes the best way(s) to configure an injection debug log.

Good luck!

Steven
