Not receiving some emails - help with SMTP logs

[beatdown]

We use Exchange 2003, with Exchange SP1. I've had reports from an end user that some email is not getting through to him. Of course he never actually gives me any details, so I pretty much assumed it was user error on the senders part. Well today, he actually provided some details of a specific instance in which an email didn't get delivered, so I did some investigation.

I used the Message Tracking Center, but it had no record of the email. Then I checked the SMTP logs. This is what I found:

216.98.180.35 vsgw02 SMTPSVC1 0 HELO - +vsgw02 250 0 52 11 0 SMTP -

216.98.180.35 vsgw02 SMTPSVC1 0 MAIL - +From:<Julie.smith@sender.com> 250 0 51 38 0 SMTP -

216.98.180.35 vsgw02 SMTPSVC1 0 RCPT - +To:<Kip.West@ourdomain.com> 250 0 0 45 2140 SMTP -

So it appears that the transmission suddenly ended, and did not include the usual DATA and QUIT strings.

We use Symantec Mail Security for Exchange, and I checked the logs to make sure it wasn't mistakingly identified as spam, and it was not.

The end user says that some other people in his dept also have problems recieving email, but none of them have provided me with any complaints or details...so I can't say if this problem is isolated to this one particular user or not.

Does anybody have any ideas what might be up?

Thanks for your help.

 

[Ogi]

I'm getting this with my mails going out and we're also not receiving some emails. All seems to be with 1 customer.

What program did you use to view the ddmmyy.log file that Exchange generates? I've looked in Notepad but it's hard to read!

Carl.

 

[beatdown]

I use Notepad to read the logs too.

I did some more looking into the logs, and I realized that I was wrong...the DATA and QUIT did make it through, but for some reason, they didn't come in until 4 minutes after the HELO/MAIL/RCPT strings. I've never seen this big of a delay, which is why I missed them when I first posted this problem.

So now it appears that the issue is definately with my exchange server, and not the senders server. The SMTP logs show the email came through OK, but there is no trace of it anywhere. I used the Message Tracking Center to try to locate it, but there is no trace of this email anywhere...except for the SMTP logs.

The only thing about the logs that is unusual is the 4 minute delay between the RCPT and DATA strings...but according to the codes in the log, the transmission looks like it came through OK?

Here are the complete log entries:

216.98.180.35 vsgw02 SMTPSVC1 0 HELO - +vsgw02 250 0 52 11 0 SMTP -

216.98.180.35 vsgw02 SMTPSVC1 0 MAIL - +From:<Julie.smith@sendersdomain.com> 250 0 51 38 0 SMTP -

216.98.180.35 vsgw02 SMTPSVC1 0 RCPT - +To:<Kip.West@ourdomain.com> 250 0 0 45 2140 SMTP -

...ends abruptly..then 4 minutes later:


216.98.180.35 vsgw02 SMTPSVC1 0 DATA - +<42BF1A471CF08D4DADA33@sendersdomain.com> 250 0 148 4097145 243047 SMTP -

216.98.180.35 vsgw02 SMTPSVC1 0 QUIT - vsgw02 240 252016 73 4 0 SMTP -

My knowledge of SMTP logs is pretty much amateur at best...can anybody tell me if they see a problem here, or does it look like the logs are saying this message was delivered OK? Any clues what might have caused this message to disappear into thin air?

 

[nickpark]

Well that number 4097145 looks like the size in bytes.

Do you have any limits on email sizes? session sizes on your virtual smtp server or the user in question?

What speed is your internet connection?

 

[Ogi]

I've just removed my limit of 9Mb and made it unlimited but the ones that didn't get to the recipient were only 2Mb and I don't believe that the company we sent the email to have a limit on their email either!

I've used Notepad but found it hard to read.

When I use Message Tracking Center it errors out with 80041014 - An error occurred during a call to Windows Management Instrumentation.

I've been getting WMI errors in the event log since the machine was built. Looks like I'll have to get that fixed first! But as I've yet to find a cure, looks like I'll continue with Notepad!

Cheers for that,
Carl.

 

[Ogi]

Just to let anyone know we've got to the bottom of our issues. The people we were emailing had a corrupt MX record and have now instigated a fix!

At least it wasn't my systems! Phew!

Carl.

 

[beatdown]

We do have limits on email sizes, but the limit is 20 Megabytes, and the missing message was only around 4 Megabytes. Session sizes and size limits on the virtual smtp server are not enabled, so this shouldn't be a factor. I also checked the user in question, and their mailbox is set to use all the default exchange size settings.

Our internet connection is a T1.

I also just sent myself a test message from my hotmail account with a 7 megabyte attachment, and it was delivered just fine.

The one thing I noticed that is a little suspicious, is the size of the users mailbox: 450 megabytes. I have Exchange configured to send a warning when users mailboxes go over 350 MB. However, I do NOT have Exchange set up to prohibit sending or delivery of messages, no matter how big a mailbox gets. So maybe there is some corruption of this mailbox, or some other weirdness going on?

 

[rwieting]

If you want an easier way to view your Exchange logs, use textpad. It's much easier to read from than notepad. There is no charge to download it.

http://www.textpad.com/

 

[leahyj]

How can I stop outbound messages transferring from one exchange server to another.

Using Message Tracking\Message History on Exch1 server

10/12/2005 SMTP: Started Outbound Transfer of Message
10/12/2005 Message transferred to myExch2server.com through SMTP