Exchange, SMTP queues and firewall

Hi...

We have been troubleshooting an issue with our firewall where it runs
out of NAT ports and has to be rebooted.  This started last Monday and
sometimes it will be up for a few days, sometimes a few hours.

We have looked and done the obvious...checked for viruses, changed
passwords, unchecked "Allow users who authenticate to relay", applied
all critical updates, checked with the firewall tech support, checked
with Symantec, etc.

It seems that outbound connections are being opened but never closed,
so ultimately we run out of NAT ports and then cannot connect to the
internet.

When checking the Exchange Server SMTP Queues, there are a lot and
they all seem to be filled with NDRs (messages from postmaster @ our
domain).

Currently I have turned off NDRs to see if the problem goes away.

Could it be that these NDRs are opening connections and holding them
open until the NDR either sends or times out?  We have all the default
settings for Exchange so I think if it can't send, it retries for a
while.

Has anyone ever seen this behavior before?  And why would it have
started all of a sudden?

Any thoughts would be appreciated.

Terry
tcnolan (4)
6/21/2004 5:42:14 PM
exchange.admin

tcnolan@optonline.net (tcnolan) wrote:

>Hi...
>
>We have been troubleshooting an issue with our firewall where it runs
>out of NAT ports and has to be rebooted.  This started last Monday and
>sometimes it will be up for a few days, sometimes a few hours.
>
>We have looked and done the obvious...checked for viruses, changed
>passwords, unchecked "Allow users who authenticate to relay", applied
>all critical updates, checked with the firewall tech support, checked
>with Symantec, etc.
>
>It seems that outbound connections are being opened but never closed,
>so ultimately we run out of NAT ports and then cannot connect to the
>internet.
>
>When checking the Exchange Server SMTP Queues, there are a lot and
>they all seem to be filled with NDRs (messages from postmaster @ our
>domain).
>
>Currently I have turned off NDRs to see if the problem goes away.
>
>Could it be that these NDRs are opening connections and holding them
>open until the NDR either sends or times out?  We have all the default
>settings for Exchange so I think if it can't send, it retries for a
>while.
>
>Has anyone ever seen this behavior before?  And why would it have
>started all of a sudden?
>
>Any thoughts would be appreciated.
>
>Terry

How many NDR's do you have? If there are tons and tons you could be
either a relay or being hit by spam in a big way.
When Exchange tries to send an NDR it will look up the address and will
only make a connection if it can get to the destination server. Having
NDR's in the queue won't be taking up NAT ports I wouldn't say. Do you
really need to NAT your outbound in this way though?
Another consideration is to change the outbound connection to a
smarthost rather than attempting delivery to each and every
destination on the Internet. That will ensure that only one
destination is available (usually the ISP's SMTP relay) and will
reduce connections, depending on what you actually mean by connections
and depending on how the firewall is working.


Mark Arnold MCSA MCSE+M MVP,
FAQ: http://www.swinc.com/resource/exchange.htm
Blog: http://www.msexchange.me.uk
mark7219 (5666)
6/21/2004 6:19:10 PM
Hi Mark,

Thanks for your reply.  Today when I cleared out the queues in
Exchange, there were only 262 messages.  So there really aren't that
many now.  On Friday, when I started the SMTP server, in about 20
minutes I lost connection to the internet because the firewall ran out
of NAT ports.

We use Soho Watchguard (5.2.11) for our firewall.  We kept losing
connection to the internet and whenever we rebooted the firewall, it
would be fine for a while.  That is when we noticed in the firewall
logs the error NAT - Dynamic Translation Pool exhausted.

We have never had this problem before.  We are a small office with
just 10 PCs.  So we shouldn't have that many ports being used.  The
tech support at Watchguard said the NAT ports should stay around 950. 
They are as puzzled as we are.

I have used multiple engines to scan for viruses and today changed all
the passwords on the server.  When I turned off NDRs, the firewall
seemed to hold steady at 950 NAT ports available.

I don't know what you mean by "smarthost" but will look into it.

Thanks,

Terry


"Mark Arnold [MVP]" <mark@mvps.org> wrote in message news:<ne9ed0d9hchnr19m1n7o8ojhgd3bps2au8@4ax.com>...
> tcnolan@optonline.net (tcnolan) wrote:
> 
> >Hi...
> >
> >
> How many NDR's do you have? If there are tons and tons you could be
> either a relay or being hit by spam in a big way.
> When Exchange tries to send an NDR it will look up the address and will
> only make a connection if it can get to the destination server. Having
> NDR's in the queue won't be taking up NAT ports I wouldn't say. Do you
> really need to NAT your outbound in this way though?
> Another consideration is to change the outbound connection to a
> smarthost rather than attempting delivery to each and every
> destination on the Internet. That will ensure that only one
> destination is available (usually the ISP's smtp relay) and will
> reduce connections, depending on what you actually mean by connections
> and depending on how the firewall is working.
> 
> 
> Mark Arnold MCSA MCSE+M MVP,
> FAQ: http://www.swinc.com/resource/exchange.htm
> Blog: http://www.msexchange.me.uk
tcnolan (4)
6/22/2004 12:22:58 AM
We are still having this issue.

If I have NDRs turned off, our firewall stays up fine.  If I turn on
NDRs, the NAT Ports Available slowly decrease from 1000 to 0 and we
lose connection to the internet until the firewall is rebooted.

I'm going to guess that it is not just NDRs but any message that
Exchange has to try to resend, due to a bad reply address, etc.  The
messages that just sit in an SMTP queue.

Can anyone think of why Exchange and/or the firewall would have this
problem?

Thank you,

Terry


tcnolan@optonline.net (tcnolan) wrote in message news:<9f360d9e.0406211622.2a89b3c7@posting.google.com>...
> Hi Mark,
> 
> Thanks for your reply.  Today when I cleared out the queues in
> Exchange, there were only 262 messages.  So there really aren't that
> many now.  On Friday, when I started the SMTP server, in about 20
> minutes I lost connection to the internet because the firewall ran out
> of NAT ports.
> 
> We use Soho Watchguard (5.2.11) for our firewall.  We kept losing
> connection to the internet and whenever we rebooted the firewall, it
> would be fine for a while.  That is when we noticed in the firewall
> logs the error NAT - Dynamic Translation Pool exhausted.
> 
> We have never had this problem before.  We are a small office with
> just 10 PCs.  So we shouldn't have that many ports being used.  The
> tech support at Watchguard said the NAT ports should stay around 950. 
> They are as puzzled as we are.
> 
> I have used multiple engines to scan for viruses and today changed all
> the passwords on the server.  When I turned off NDRs, the firewall
> seemed to hold steady at 950 NAT ports available.
> 
> I don't know what you mean by "smarthost" but will look into it.
> 
> Thanks,
> 
> Terry
>
tcnolan (4)
6/28/2004 12:21:39 PM
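
One way to test the hypothesis discussed in this thread, as an added example that is not part of any poster's message: parse `netstat -an` output taken on the mail server and count outbound port-25 connections by state and by destination. The function names and the sample output are constructed for illustration, and the example assumes the firewall holds one dynamic NAT translation per outbound attempt, answered or not, until it times out.

```python
from collections import Counter

# Constructed sample of Windows `netstat -an` output from a mail server.
# Addresses come from the documentation ranges, not from the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:25        198.51.100.7:40112     ESTABLISHED
  TCP    192.168.1.10:1187      203.0.113.25:25        SYN_SENT
  TCP    192.168.1.10:1188      203.0.113.80:25        SYN_SENT
  TCP    192.168.1.10:1189      192.0.2.14:25          ESTABLISHED
  TCP    192.168.1.10:1190      192.0.2.200:25         SYN_SENT
  TCP    192.168.1.10:1191      203.0.113.25:25        TIME_WAIT
  TCP    192.168.1.10:1192      198.51.100.99:80       ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""

HALF_OPEN = {"SYN_SENT"}  # connection attempts that have not been answered


def summarize_smtp_outbound(netstat_text, smtp_port=25):
    """Count outbound TCP connections to smtp_port by state and destination."""
    by_state, by_remote = Counter(), Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP data rows have exactly four fields: proto, local, foreign, state.
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue
        _, _local, foreign, state = fields
        host, _, port = foreign.rpartition(":")
        # Outbound mail has the SMTP port on the foreign side; the listener
        # and inbound sessions have it on the local side and are skipped.
        if port != str(smtp_port):
            continue
        by_state[state] += 1
        by_remote[host] += 1
    return {
        "total": sum(by_state.values()),
        "by_state": dict(by_state),
        "half_open": sum(by_state[s] for s in HALF_OPEN),
        "distinct_destinations": len(by_remote),
        "top_destinations": by_remote.most_common(3),
    }


def looks_like_direct_delivery(summary):
    """True when mail goes to many hosts rather than to a single smart host."""
    return summary["distinct_destinations"] > 1


if __name__ == "__main__":
    report = summarize_smtp_outbound(SAMPLE_NETSTAT)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("direct delivery:", looks_like_direct_delivery(report))
```

A half-open count that keeps growing across many distinct destinations while NDRs are enabled points at the mail server as the source of the translations; with a smart host configured, the same report should show a single destination.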