DOCUMENT:Q295725 26-JUN-2001 [exchange] TITLE :Receiving Duplicate Inbound SMTP Messages PRODUCT :Microsoft Exchange PROD/VER::5.5 OPER/SYS: KEYWORDS:exc55 ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Exchange Server, version 5.5 ------------------------------------------------------------------------------- SYMPTOMS ======== A user receives an exact copy of the same inbound message over and over. Each new duplicate message is received at a consistent interval. This continues for several hours and then stops suddenly. Several of these "runs" of duplicate messages can occur at the same time and can affect multiple users. CAUSE ===== The Cisco PIX firewall appliance uses an SMTP protocol filtering feature called Mailguard. Mailguard blocks all Extended Simple Mail Transfer Protocol (ESMTP) commands and allows only seven basic SMTP commands to pass. The Mailguard feature is intended to help protect weakly secured mail servers. If a server is already well configured, and has the latest security patches and fixes from the SMTP vendor, Mailguard is not required. There is a known issue with Mailguard that causes duplicate inbound messages. To check for the presence of Mailguard, from a workstation on the internet open a telnet session to port 25 of the Exchange IMS. You should see something similar to the following: 220 *********0***************************************************************** ************2************* Now issue the EHLO command. You may see the following: ehlo 500 Unrecognized command In a typical SMTP session, a sending host marks the end of the DATA portion of the message with CRLF.CRLF on a line by itself. The receiving host acknowledges receipt of the message data by issuing a 250 OK response back to the sending host. The sending host replies with the QUIT command. The normal response from the receiving host would be 221 closing connection. Once the sending host receives this last response, the session is complete. If for any reason the CRLF.CRLF terminating string is broken into separate packets during transmission, Mailguard rejects it and does not pass it to the mail server. The connection eventually times out and the message queues for delivery on the receiving host. Because the sending host never receives confirmation of receipt, it assumes delivery failure. It re-queues the message for attempted delivery at a later time. This goes on repeatedly until the message time-out on the sending host is exhausted. Further testing with SMTP Protocol Logging can be used to pinpoint the failure in a message session. From a sample captured SMTP log below, observe the missing response of the receiving host to the CRLF.CRLF command. 2/7/01 5:01:20 PM : A connection was accepted from mail.domain1.com 2/7/01 5:01:21 PM : <<< HELO mail.domain1.com 2/7/01 5:01:21 PM : >>> 250 OK 2/7/01 5:01:21 PM : <<< MAIL From: 2/7/01 5:01:21 PM : >>> 250 OK - mail from 2/7/01 5:01:22 PM : <<< RCPT To: 2/7/01 5:01:22 PM : >>> 250 OK - Recipient 2/7/01 5:01:23 PM : <<< DATA 2/7/01 5:01:23 PM : >>> 354 Send data. End with CRLF.CRLF 2/7/01 5:05:44 PM : A connection was accepted from mail.domain3.com RESOLUTION ========== To resolve this issue, turn off Mailguard. Cisco has corrected this issue in later software releases. Customers who do not want to turn off Mailguard must contact Cisco for the latest updates to the PIX operating system. Cisco has determined this to be an issue in certain versions of PIX operating software. This issue is linked to bug: CSCds90792. Registered users of Cisco Connection Online (CCO) have access to release notes for this bug in Cisco's Software Bug Toolkit: http://www.cisco.com/kobayashi/bugs/bugs.html The third-party contact information included in this article is provided to help you find the technical support you need. This contact information is subject to change without notice. Microsoft in no way guarantees the accuracy of this third-party contact information. MORE INFORMATION ================ Mailguard allows connections to an e-mail host through Transport Control Protocol (TCP) port 25 only. It logs all Simple Mail Transfer Protocol (SMTP) activity and allows only the minimum SMTP server commands found in Request for Comments (RFC) 821, Section 4.5.1. PIX Firewalls are manufactured by Cisco, a vendor independent of Microsoft; we make no warranty, implied or otherwise, regarding these products' performance or reliability. Additional query words: ====================================================================== Keywords : exc55 Technology : kbExchangeSearch kbExchange550 kbZNotKeyword2 Version : :5.5 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.