1449 Views 1 Reply Latest reply: Jun 26, 2013 7:29 AM by Attila Polinger RSS
sanhun Newcomer 5 posts since
Mar 22, 2012

Jun 21, 2013 4:13 AM

EWS 5.1 p10; 550 denied by policy

Hello everyone, I would like to ask for some help please.

 

I have an EWS in transparent bridge mode, with an Exchange 2010 behind it. I have problems with receiving mail, and I am not sure where the problem is, but I think it's more likely the EWS than the Exchange. I have more strange symptoms that I can't repeat, but here are two situations that were logged, and one of them is repeatable. There is no content filtering turned on, and the scanning time and size limits and timeout limits are large enough.

 

I have a specific webform which would send an email with an attachment to the typed-in address. This email is declined by us. I was able to catch the activity only when I turned on the network traffic monitoring; I get the following data:

 

    250-DSN
    250-AUTH NTLM
    250 8BITMIME
    MAIL FROM:<info@senderdomain.com>
    250 2.1.0 Sender OK
    RCPT TO:<recipient@mydomain.hu>
    250 2.1.5 Recipient OK
    DATA
    354 Enter mail, end with "." on a line by itself.
    550 Denied by policy
    QUIT

 

In the Exchange receive SMTP log I found the following:

 

    250-SIZE,
    250-PIPELINING,
    250-DSN,
    250-ENHANCEDSTATUSCODES,
    250-STARTTLS,
    250-X-ANONYMOUSTLS,
    250-AUTH NTLM,
    250-X-EXPS GSSAPI NTLM,
    250-8BITMIME,
    250-BINARYMIME,
    250-CHUNKING,
    250-XEXCH50,
    250-XRDST,
    250 XSHADOW,
    MAIL FROM:<info@senderdomain.com>,
    08D033BD4B10FC59;2013-06-12T09:42:21.619Z;1,receiving message
    250 2.1.0 Sender OK,
    RCPT TO:<recipient@mydomain.hu>,
    250 2.1.5 Recipient OK,

 

It looks like it is declined in the DATA phase. The message limits are large enough everywhere, and neither the Exchange nor the EWS uses content filtering. The Exchange doesn't have antivirus installed, and the attachment is not harmful or special anyway. If the same message is sent to Gmail and then forwarded into the domain, it arrives without problems.

 

My questions are:

- How can I capture some logging from the EWS? I was able to get these logs only with the network traffic monitoring. I would like to see the exact explanation of why it is declined, if the EWS declined it. Maybe it's lame, but I found where to set the logging details: System \ logging, alerting and snmp \ logging configuration \ SMTP settings - but didn't find where to get the log itself.

- What are the recommended logging options that I should monitor to catch some info?

- What settings should I try to check, or how should I continue the troubleshooting?

 

The other problem that pops up from time to time, and mostly remains hidden, is some timeout-related thing, I think. For example, at a given time some Gmail account can't send email into the domain, but at the same time a different Gmail account can. Maybe they are sending from a different server, I have no idea. The bad sender gets back a warning like "failed to deliver the mail, but we keep sending in the next 72 hours" - but the mail never arrives, however many times they try. Simple text mail without attachment or any special things. Meanwhile every other Gmail mail arrives. Whitelisting the sender address doesn't help.

Searching the logs for problem #1, I found some interesting info in the Exchange log about this problem too:

 

The following log was generated in 0.5 second, so I believe it is not a timeout problem:

 

    250-SIZE,
    250-PIPELINING,
    250-DSN,
    250-ENHANCEDSTATUSCODES,
    250-STARTTLS,
    250-X-ANONYMOUSTLS,
    250-AUTH NTLM,
    250-X-EXPS GSSAPI NTLM,
    250-8BITMIME,
    250-BINARYMIME,
    250-CHUNKING,
    250-XEXCH50,
    250-XRDST,
    250 XSHADOW,
    MAIL FROM:<shop@edigital.hu>
    08D033BD4B112DD5;2013-06-15T02:43:06.708Z;1    receiving message
    250 2.1.0 Sender OK
    RCPT TO:<recipient@mydomain.hu>,
    250 2.1.5 Recipient OK
    Remote

 

 

Then the same happens 2 more times on the same day. Sadly, I didn't find any EWS log for this; since I can't reproduce this kind of activity, I had not turned on network traffic on the EWS.

 

My questions are:

 

- What logging options could I use on the EWS to try to catch this kind of behavior?

- Where and how can I get these logs from the EWS?

- Is there any way to monitor how many mails fail like this, maybe with the sender data too? I am worried that this kind of dropping is totally hidden from me, but the information exists that there was an attempt to send a mail, and even the sender is known. I could use a list of the mails that fail like this.

 

Thank you for any help

  • Attila Polinger Veteran 1,161 posts since
    Dec 8, 2009
    1. Jun 26, 2013 7:35 AM (in response to sanhun)
    Re: EWS 5.1 p10; 550 denied by policy

    Hello,

     

    You could find more clues in syslog logging if that feature is configured in the GUI. This is to be found where email alerts and logging are to be configured (not sure where exactly).

    Be sure that conversation events are also enabled.

     

    Once configured, reproduce the issue again and download the appliance log file, and look for a mail.log in the compressed file where you should search for the entries of your problem connection.

     

    Also I suggest reviewing the EWS admin guide and the section Life of an email message (or similar) where they describe exactly what type of checks are performed in what stage. See what checks are listed after the DATA phase and see if those checks are enabled in your appliance.

    One possible thing that is checked after DATA phase is reputation check.

     

    Attila

     

    Message was edited by: apoling on 26/06/13 14:35:00 CEST
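
Added example, not part of either post and not McAfee or Exchange code: a small Python state machine that reads a raw SMTP dialogue like the network capture in the question and reports which phase a 4xx/5xx reply arrived in, with the envelope sender and recipients. The function name `find_rejections` and the phase labels are assumptions; it does not parse the EWS mail.log, whose format the thread does not show.

```python
import re

# Constructed sample: the dialogue from the network capture quoted in the question.
CAPTURE = """\
250-DSN
250-AUTH NTLM
250 8BITMIME
MAIL FROM:<info@senderdomain.com>
250 2.1.0 Sender OK
RCPT TO:<recipient@mydomain.hu>
250 2.1.5 Recipient OK
DATA
354 Enter mail, end with "." on a line by itself.
550 Denied by policy
QUIT
"""

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")   # "250-..." continues, "250 ..." ends a reply
ADDR = re.compile(r"<([^>]*)>")


def find_rejections(transcript):
    """Return one record per final 4xx/5xx reply, with the SMTP phase and envelope."""
    # Assumption: no direction markers and no message body lines, as in the capture.
    phase, sender, rcpts, found = "greeting/EHLO", None, [], []
    for raw in transcript.splitlines():
        line = raw.strip().rstrip(",")        # Exchange receive-log lines end in a comma
        reply = REPLY.match(line)
        if reply:
            code, sep, text = int(reply.group(1)), reply.group(2), reply.group(3)
            if sep == "-":
                continue                      # wait for the final line of the reply
            if code == 354:
                phase = "message content"     # server accepted DATA, body follows
            elif code >= 400:
                found.append({"phase": phase, "code": code, "text": text,
                              "sender": sender, "rcpts": list(rcpts)})
            continue
        verb = line.upper()
        addr = ADDR.search(line)
        if verb.startswith("MAIL FROM:"):
            phase, sender, rcpts = "MAIL FROM", addr.group(1) if addr else None, []
        elif verb.startswith("RCPT TO:") and addr:
            phase = "RCPT TO"
            rcpts.append(addr.group(1))
        elif verb == "DATA":
            phase = "DATA command"
    return found


if __name__ == "__main__":
    for r in find_rejections(CAPTURE):
        print(f'{r["code"]} "{r["text"]}" in {r["phase"]}: {r["sender"]} -> {r["rcpts"]}')
```

Run over the capture from the question, it places the 550 after the 354 reply, that is, in the message-content stage that the answer says to compare against the post-DATA checks in the admin guide.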
