IT Infrastructure blog

July 2, 2011

McAfee Email Gateway- How to release emails from outbound queue

Filed under: Exchange 2007, McAfee Email Gateway (IronMail) — Akther @ 10:10 pm

A couple of days back I could see that a lot of emails were sitting in the outbound queue on our SMTP gateway (McAfee Securemail, formerly IronMail) due to an issue. Whoever has worked on this Securemail gateway knows we cannot release all the emails at one time. We need to pause the SMTPO queue, then select the domain and release them one by one.

I was searching for how we can release all the emails in the queue. The answer is:

Telnet to the box and apply the command below (this gateway is in the DMZ zone and you have to open the port numbers in your firewall to telnet to the box)

Securemail > Reset message smtpo domain.com

If you are trying to release all the emails at one time, your Exchange server should accept all the emails at one time. By default 20 connections are allowed for the domain. To see and edit this setting go to Hub Transport server –> Exchange Management Console –> Server configuration –> Hub Transport –> double-click the Hub Transport server name –>

I changed it from 20 to 50 to accept more emails to our domain because I could see that more emails were ready to deliver to the domain.

Exchange version is 2007

 

June 25, 2011

McAfee blocked Hub transport server releasing emails from queue

Filed under: Exchange 2007,McAfee EPO — Akther @ 2:53 pm

Yesterday users complained that they had sent email to outside recipients but the recipients had not received it yet. Some of the users also received a delayed-mail message from the Exchange server.

Here is the delayed message:

—————————————————————————————————————————————————–

Delivery is delayed to these recipients or distribution lists:

From : Microsoft Exchange 

To: Muhammad Akther

Subject: hi

This message has not yet been delivered. Microsoft Exchange will continue to try delivering the message on your behalf.

 Delivery of this message will be attempted until 6/26/2011 3:18:53 PM (GMT+03:00) Kuwait, Riyadh. Microsoft Exchange will notify you if the message can’t be delivered by that time.

—————————————————————————————————————————————————–

OK. We realized that something was wrong in the Exchange server or in the relay. First we logged in to the Exchange Hub Transport server and checked that all the services were up and running. They were running. Then we went to Queue Viewer to see whether any mails were stuck there. We could see that a lot of mails were stuck in the queue.

Then we tried to telnet to the Email Gateway (we are using McAfee Secure Mail instead of an Edge Transport server) on port 25. It rejected the telnet session. So the issue was confirmed: the Hub cannot talk to the Email Gateway.

Next we checked what was blocking traffic from the Hub to the mail gateway. Is it the firewall? The antivirus? Or something else? The culprit was McAfee Antivirus. There was a patch updated on McAfee, and we found the solution in one of the McAfee KB articles.

Here is the solution. You have to go to the McAfee EPO server and make the changes below.

Problem

Outbound SMTP email is blocked by VirusScan Enterprise (VSE) 8.5i and 8.7i Access Protection rule for Port 25.
 

Cause

The Access Protection feature of VirusScan Enterprise 8.x allows specific ports to be blocked. Although standard exclusions are set, these rules must be revised manually according to the environment.
 

Solution

Manually exclude the process that is being blocked.
 
NOTE: Make sure to use the exact process name as found in the Access Protection log.
  1. Click Start, Programs, McAfee, VirusScan Console.
  2. Right-click Access Protection and select Properties.
  3. Click the Access Protection tab.
  4. Under Categories on the left, select Anti-virus Standard Protection.
  5. In the right pane, select Prevent mass mailing worms from sending mail, then click Edit.
  6. In the Processes to exclude section, type the process name, then click OK to close the Rule details window.
  7. Click Apply then close the Access Protection Properties window. 

 

After enforcing the policy on the Hub Transport server, emails started releasing from the queue.

Reference :

 https://kc.mcafee.com/corporate/index?page=content&id=KB50707

Regards

Akther

 

April 27, 2011

Restore single email by using Symantec Netbackup for Exchange 2007

Symantec NetBackup is a powerful tool that you can use to restore an entire information store, a single mailbox, or a single mail. In our datacenter we use NetBackup to back up entire servers. In this post I describe how to restore a single email from the NetBackup server.

Symantec Netbackup version : 7.0.1

Exchange Server : 2007 SP1 CCR

We definitely need a full backup of the mailboxes to restore a single email or mailbox.

Restore a single mail

Go to the Backup and Restore GUI

Select the full backup from the list

Select the user –> and select which email you want to restore. (If we select the user, it will restore the whole mailbox.)

Then it will start the restoration process.

The particular email can now be seen in the user's inbox.

March 1, 2011

Access denied error while renewing Exchange 2007 certificate

Filed under: Exchange 2007 — Akther @ 7:46 am

We faced this access denied issue when we tried to renew the Exchange 2007 certificate. The error was showing below

I logged in as Administrator and I am sure I have all the access in the domain and Exchange.

After searching we found the solution.

On the "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA" folder, right-click and choose Properties, then Security.

For the Exchange administrators I'm sure you will already see full permissions, but go ahead and click Advanced. Under the permissions for the administrators, first make sure it says "This folder, subfolders and files" and not "This folder only", and finally check the box at the bottom that says to replace permissions on all child objects, just to make sure the subfolders are set properly.

Ahh. After this I am able to renew the certificate. Please see the screenshot below

Exchangegeek from msexchangegeek.com has a great post on how to renew the Exchange 2007 certificate here

http://msexchangegeek.com/2009/04/24/how-to-renew-a-self-signed-certificate-in-exchange-server-2007/

August 31, 2010

Address book is not updating in Exchange 2007 CCR

Filed under: Exchange 2007,Outlook — Akther @ 1:06 pm

Issue

When we create any users or groups, or change any object, the change does not show in the Outlook address book. But we can see these changes immediately in OWA.

Resolution

We are running Exchange 2007 Server with CCR configuration.

Server1 is Active node

Server2 is passive node.

Cluster name – Exchangecluster

There were some hardware issues on server1 and we moved the cluster to server2. The issue started exactly after this. To see the changes in the address book we need to change a value in the registry.

The path is

HKLM –> System –> CurrentControlSet –> Services –> MSExchangeSA –> Parameters –> here you can see the cluster name –> under it you can see the EnableOabGenOnThisNode value –> change the value to the current active node, in this case server2. Then exit, go to the Outlook client and download the address book. We can see the changes in the Outlook address book.

You have to update the offline address book on the active mailbox cluster role through the Exchange Management Console (Organization configuration –> Mailbox role –> Offline Address Book tab)

July 19, 2010

The name cannot be matched to a name in the address list

Filed under: Exchange 2007,Outlook — Akther @ 7:32 am

I got an escalated call from the service desk saying that they could not solve an Outlook 2007 issue for one of the users.

Issue

The user changed his computer and the service desk was trying to configure his Outlook profile. At that time he received the error below.

Resolution

The user name was hidden from the address book

Once we cleared the check box, he was able to create his profile

March 29, 2010

LIMS want to send email through Exchange Server

Filed under: Exchange 2007 — Akther @ 1:09 pm

We have a third-party application called LIMS and they want to receive reports through email. The LIMS admin asked for our SMTP server IP address. They configured it in LIMS (I don't know how they configured it in this application) and told me they cannot receive email because our SMTP server is rejecting the connection

Resolution

Create a receive connector on the Hub Transport server to receive email from the LIMS system

To create a receive connector –> Exchange Management Console –> Server configuration –> Hub Transport server –> Receive connector –> New receive connector

Add the LIMS server IP address

After creating the connector, open its properties and go to the Permission Groups tab –> select Anonymous users
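The same connector can be created from the Exchange Management Shell, with a follow-up review of which connectors accept anonymous sessions and from where. This is an added example, not part of the original post; the connector name, server name and IP address are placeholders.

```powershell
# Added example. Run in the Exchange Management Shell.
# Placeholder values: replace with your Hub Transport server and the LIMS host.
$hubServer = "HUB01"
$limsIp    = "192.0.2.25"

# Custom connector that only answers sessions coming from the LIMS address.
New-ReceiveConnector -Name "LIMS reports" -Server $hubServer -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $limsIp `
    -PermissionGroups AnonymousUsers

# Review every connector that accepts anonymous sessions and the sources it
# answers, so an anonymous connector open to all addresses stands out.
Get-ReceiveConnector |
    Where-Object { $_.PermissionGroups -match "AnonymousUsers" } |
    ForEach-Object {
        $ranges = @()
        foreach ($r in $_.RemoteIPRanges) { $ranges += $r.ToString() }
        $scope = "restricted"
        if ($ranges -contains "0.0.0.0-255.255.255.255") { $scope = "ANY SOURCE" }
        "{0,-45} {1,-11} {2}" -f $_.Identity, $scope, [string]::Join(", ", $ranges)
    }
```

Keeping RemoteIPRanges to the single LIMS address means other hosts on the network still hit the default connector and its authentication requirements.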

March 18, 2010

Distribution Group members not receiving emails from outside

Filed under: Exchange 2007 — Akther @ 1:27 pm

Some of the employees on a specific distribution list complained that they are able to receive email internally through this DL, but they cannot receive email sent to it from outside.

Well, I asked them to send an email from their Gmail ID to that DL and I started monitoring on the Hub Transport server (by using Message Tracking, EMC –> Toolbox –> Message Tracking) with the DL name in the recipient option. I found that the DL received the email from Gmail. That means it reached our Hub Transport server but could not be seen in the user's inbox.

Solution

By default a DL cannot receive emails from outside senders until you clear the "Require that all senders are authenticated" check box in DL properties –> Mail flow settings tab –> Message delivery restrictions

If you want to apply this to all DLs, run the command below in the Exchange Management Shell

Get-DistributionGroup | Set-DistributionGroup -RequireSenderAuthenticationEnabled:$false

Now members of this DL are able to receive emails from outside senders
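The one-liner above opens every distribution group to unauthenticated senders, including groups meant for internal use only. As an added example (not part of the original post), this variant records the current setting, changes only named groups and then lists everything reachable from outside; the group names and the CSV path are placeholders.

```powershell
# Added example. Run in the Exchange Management Shell.
# Placeholder names: the groups that really must accept mail from the Internet.
$externalFacing = @("Sales-Enquiries", "Support-Desk")

# 1. Record the current setting of every group for review or rollback.
Get-DistributionGroup -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled |
    Export-Csv -Path "C:\dl-sender-auth-before.csv" -NoTypeInformation

# 2. Allow unauthenticated senders on the named groups only.
foreach ($name in $externalFacing) {
    Set-DistributionGroup -Identity $name -RequireSenderAuthenticationEnabled $false
}

# 3. List every group that now accepts mail from unauthenticated senders,
#    which is the set of groups reachable by external mail and spam.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Format-Table Name, PrimarySmtpAddress -AutoSize
```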

Getting Autodiscover warning message in outlook 2007 domain joined workstations

This issue affected almost all the domain-joined workstations and Outlook Anywhere users who were using Outlook 2007. It took some time to resolve and was quite challenging, especially since it affects main Exchange 2007 server components like Autodiscover and OAB.

I thought I would share my experience with this problem and I am sure some will get some kind of benefit. I will try my level best to explain, and if anybody wants more detail please leave a comment so I can reply.

Problem

1)      Certificate warning message continuously popping up on computers using Outlook 2007.

2)      Related to this issue, a few of the users were frequently getting the username and password window in Outlook

3)      Some of the users were facing issues with Out of Office Assistant settings.

4)      Outlook Anywhere users were also getting the same warning message

All these issues were related to the Autodiscover service in Exchange Server.

To check whether Autodiscover is working fine we have two methods

1) Open Outlook and check Test E-mail AutoConfiguration; found succeeded through SCP. (Press Ctrl and right-click the Outlook icon near the clock)

2) https://webmail.domain.com/autodiscover/autodiscover.xml (if you get error 600 in the middle of the response, Autodiscover is working fine)

RCA

As per my understanding there are several reasons

We have a single sign-on certificate from Verisign. That means https://webmail.domain.com serves as both the internal and the external URL. Our domain name is domain.local and our external webmail address is webmail.domain.com. We noticed that the internal URL was set to webmail.domain.local instead of webmail.domain.com.

Affected users were using a proxy server to connect to the Internet. We entered webmail.domain.com in the exception list

IIS had some issues, described in detail below

Resolution

  • Resolved IIS related issues
  • Checked IIS for authentication on respective virtual directories on Exchange server ( Client Access Server ) and did changes as per below,

Default Web site: Found Anonymous access enabled with SSL forced.

Autodiscover: Found Basic & Integrated authentication enabled with SSL forced.

EWS: Found Basic & Integrated authentication enabled with SSL forced. Disabled Basic authentication.

OAB: Found integrated authentication enabled and no SSL forced.

  • Ran IISreset command to restart IIS services.

 

  • Resolved Exchange Server side Issues
  • Checked internal URL for web services and OAB virtual directory, found not set 
  • Set-WebServicesVirtualDirectory -Identity "CASservername\EWS (Default Web Site)" -InternalUrl https://webmail.domain.com/ews/exchange.asmx

 

 

  • Set OAB web distribution folder in Organization configuration tab ( Exchange Management console–>Organization configuration tab–>Mailbox server–>Offline address book tab–> Select Enable web distribution folder)

 

  • Resolved Client side Outlook issues
  • Checked and found proxy configured in Internet explorer. So we added webmail.domain.com in exception list.
  • Again tried to browse same URL i.e., https://webmail.domain.com/autodiscover/autodiscover.xml, found successfully able to browse.
  • Opened Outlook and checked Test email auto-configuration, found succeeded through SCP.
  • Also able to access emails in Outlook 2010 without any certificate warning message.
  • Found credential popup issue with one user. So  ran control keymgr.dll, found credential stored without password. Removed the same.
  • Checked Outlook 2007, found working fine without any credential popup.
  • Created new outlook profile to few client machines ( found Outlook profile was corrupted)
  • Created Windows profile to few client machines ( Found Windows profile was corrupted)

 

  • ISP side issues (external DNS server had the wrong configuration) – to resolve the issue for Outlook Anywhere users
  • Asked the ISP to create an SRV record for the Autodiscover service for Outlook Anywhere users
  • Any Autodiscover record needs to be deleted from the external DNS server before creating the SRV record

The URLs below helped me solve this issue and gave me more of an idea about the Autodiscover service

A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service

http://support.microsoft.com/kb/940881

White Paper: Exchange 2007 Autodiscover Service

http://technet.microsoft.com/en-us/library/bb332063.aspx

https://testexchangeconnectivity.com ( Can check Autodiscover is working fine against your Exchange Server)

Finally all the users are happy and Autodiscover service is working fine.
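The certificate warning in this post came from an internal URL host name (webmail.domain.local) that was not on the certificate. The following Exchange Management Shell script is an added example, not part of the original post; it lists the internal URLs published for Autodiscover, EWS and OAB and flags any host name that the IIS-enabled certificates do not cover.

```powershell
# Added example. Run in the Exchange Management Shell on a Client Access server.

# True when $hostName is listed on a certificate, exactly or through a
# single-label wildcard such as *.domain.com.
function Test-NameOnCertificate($hostName, $certNames) {
    foreach ($n in $certNames) {
        if ($n -eq $hostName) { return $true }
        if ($n.StartsWith("*.")) {
            $dot = $hostName.IndexOf(".")
            if ($dot -gt 0 -and $hostName.Substring($dot) -eq $n.Substring(1)) { return $true }
        }
    }
    return $false
}

# Names on every certificate that is enabled for IIS.
$certNames = @()
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | ForEach-Object {
    foreach ($d in $_.CertificateDomains) {
        if ($d) { $certNames += $d.ToString().ToLower() }
    }
}

# URLs that domain-joined Outlook 2007 clients are handed by Autodiscover.
$published = @{}
Get-ClientAccessServer | ForEach-Object {
    $published["Autodiscover SCP on " + $_.Name] = $_.AutoDiscoverServiceInternalUri
}
Get-WebServicesVirtualDirectory | ForEach-Object {
    $published["EWS InternalUrl on " + $_.Server] = $_.InternalUrl
}
Get-OabVirtualDirectory | ForEach-Object {
    $published["OAB InternalUrl on " + $_.Server] = $_.InternalUrl
}

foreach ($item in $published.Keys) {
    $url = $published[$item]
    if ($url -eq $null) {
        Write-Host ("{0}: not set" -f $item)
        continue
    }
    $hostName = (New-Object System.Uri ($url.ToString())).Host.ToLower()
    if (Test-NameOnCertificate $hostName $certNames) {
        Write-Host ("{0}: {1} is on the certificate" -f $item, $hostName)
    } else {
        Write-Host ("{0}: {1} is NOT on the certificate; Outlook will warn" -f $item, $hostName)
    }
}
```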

December 28, 2009

Newly created Users were not able to receive emails from outside

Filed under: Exchange 2007 — Akther @ 12:02 pm

Issue

Newly created users were unable to receive mails from outside the network. They were able to receive mails internally.

 Root Cause Analysis

Communication problem between the Exchange Hub Transport server and the Edge Transport server. A user account called ESRA Bootstrap had expired

Resolution

1)     Create a new subscription file on the Edge server: ( New-EdgeSubscription -FileName "c:\subscription.xml" )

2)     On Hub server open up Exchange System Manager and add the new subscription: Organization Configuration> Hub Transport> Create New Edge Subscription.

3)     Start-EdgeSynchronization ( from Hub Transport Server)

4)     Test-EdgeSynchronization ( From Hub Transport Server )

After this, users started getting emails from outside.