Transfer: | |
KBXW001 | Error: Unable to establish a connection with mail host [14] |
KBXW025 | Error: Unable to start inbound SMTP connection manager Error: Port or address already in use [10048] |
KBXW016 | Error: Timeout in reading data [9] |
KBXW034 | Error: Connection closed by peer for no good reason [11] |
KBXW011 | Error: No Exchange server found at localhost |
KBXW014 | Error: No AUTH command in EHLO found, Authentication failed |
KBXW002 | 550 5.7.1 Unable to relay for user@yourdomain.com or 550 5.7.1 Unable to relay |
KBXW003 | 505 5.7.1: Client was not authenticated |
KBXW037 | 535 5.7.3 Authentication unsuccessful (after installing Exchange 2003 SP1) |
KBXW039 | 504 <server>: Helo command rejected: need fully-qualified hostname |
KBXW051 | 501 5.1.7 invalid return path |
KBXW053 | 452 4.3.1 Insufficient system resources |
KBXW065 | 552 5.3.4 Message size exceeds fixed maximum message size |
KBXW067 | 451 4.7.0 Temporary server error. Please try again later. PRX2 |
KBXW069 | 503 5.5.1 Need valid MAIL FROM first |
Connection: | |
KBXW050 | XWall not able to establish a connection to Hotmail or MSN for a few hours |
KBXW062 | Windows 2008 and XWall fails to connect to certain external mail servers including Hotmail |
DNS: | |
KBXW020 | Warning: Possible DNS problem; unable to connect to local name server xx.xx.xx.xx |
KBXW042 | Warning: DNS problem; unable to resolve test-for-dns-resolve.dataenter.co.at |
KBXW043 | Warning: DNS problem; unable to resolve MX for inbound domain yourdomain.com |
KBXW066 | Random DNS errors, SLS/RBL sometimes not working, DNSWL excludes everything |
General: | |
KBXW007 | XWall is running as a console application without any problems, but when running as a service errors are reported |
KBXW008 | XWall as a console application and the last screen line is not visible |
KBXW021 | SonicWall / Zyxel Firewall / Watchguard Firebox and problems with some mail servers |
KBXW054 | Cisco PIX and and problems with some mail servers |
KBXW018 | Eicar test virus / virus scanner pops up an alert message |
KBXW035 | XWall stops working when running as a Console application |
KBXW036 | A on-access virus scanner reports that there is a virus a non-delivery report created by qmail |
KBXW044 | XWall fails to pass a relay test |
KBXW045 | XWall hangs after sending the BDAT or XBDATA command |
KBXW046 | The recipients server refuses to accept your message because XWall refuses to accept a message with blank or NULL address |
KBXW052 | McAfee Command Line 4.x reports a virus for every message |
KBXW058 | Spam forwarded to Blackberry |
KBXW059 | Reassemble message may remove some Chinese characters |
KBXW060 | Citrix XenServer hosting Windows 2008 64bit Edition crashes MBAdmin.exe |
KBXW061 | Linux or BSD firewall and Connection Tracking shows a lot of ESTABLISHED connections |
KBXW063 | Outlook shows the message header in the body and/or attachments are not decoded |
Spam: | |
KBXW055 | Backscatter - non-delivery reports for messages that you never sent |
KBXW057 | Self-sending spam - Spammer spoofs your domain, messages show your own domain as sender |
KBXW064 | Rolex spam - different messages, some with empty text, some with pictures only |
Exchange: | |
KBXW028 | Blank messages between two Exchange server in the same organization |
KBXW047 | Message flow stops between two Exchange server in the same organization |
KBXW029 | XWall shows a license violation on a cluster |
KBXW068 | XWall fails to reject invalid e-mail addresses during a SMTP session |
Processing: | |
KBXW013 | Files stuck in the MSG-IN directory (inbound queue) |
KBXW024 | A lot of messages are in MSG-Out (outbound queue) |
KBXW038 | The logfile shows all incoming connections originated from a private IP address rather then the real IP address of the sender |
KBXW056 | Error: Unable to create file |
High CPU utilization: | |
KBXW022 | High CPU utilization - Looping message |
KBXW040 | High CPU utilization - Outdated McAfee scan engine |
KBXW041 | High CPU utilization - High message count |
Blocking: | |
KBXW026 | XWall doesn't block the string Sample in Sam<frame><noframes>itbg7</noframes></frame>ple XWall doesn't block the string Sample in Sam<frame> <noframes>itbg7 </noframes> </frame>ple |
KBXW031 | Blocked or excluded text or html is not blocked or excluded from blocking |
KBXW033 | Blocking a subject with a lot of question marks (e.g. ?????) is not possible |
Exclude: | |
KBXW017 | Excluding an IP address or host name doesn't work |
KBXW023 | Blocked or excluded MAIL FROM: e-mail address is not blocked or excluded from blocking |
KBXW027 | XWall erroneous blocks e-mail addresses that are not in the blocking list |
KBXW030 | Outgoing messages are not handled by XWall |
KBXW048 | White list exclusion doesn't work |
KBXW049 | Disclaimer is not added to outgoing messages |
KBXW031 | Blocked or excluded text or html is not blocked or excluded from blocking |
KBXW032 | Excluding a specific address from address blocking doesn't work |
KBXW001 |
Symptoms: The logfile shows Error: Unable to establish a connection with mail host [14] Cause: Exchange doesn't listen for incoming messages on port 25 or port 24. You can check if Exchange is listening on port 25 by typing (in a DOS box) telnet localhost 25 When everything is working you should get back a greeting line, else you get a connection error. Several Solutions: Exchange 5.x Make sure that your Exchange server has Inbound SMTP enabled. In Exchange Admin select the Internet Mail Service (IMS), select the tab Connections and make sure Inbound & Outbound is checked in the section Transfer Mode. Exchange 2000/2003 Make sure the Virtual SMTP Server is listening on port 25. Start System Manager (Exchange Admin) and select Servers->Your Server->Protocol->SMTP->Default SMTP Virtual Server->Properties. In this dialog select the tab labeled General and then Advanced and here you can set the port on which this virtual server listens. Windows 2003 SP1 Make sure the firewall doesn't block port 25. Open Control Panel, select Network Connections and then the properties of the Local Area Connection. In the tab labeled Advanced you will find the settings for the firewall Norton / Symantec Antivirus Corporate Edition Norton / Symantec Antivirus may have silently installed a firewall that blocks the port McAfee v8.0 McAfee may have installed a firewall that blocks the port |
KBXW002 |
Symptoms: The logfile shows 550 5.7.1 Unable to relay for user@yourdomain.com (Exchange 2000/2003) The logfile shows 550 5.7.1 Unable to relay (Exchange 2007-2019) Cause: This error happens when Exchange does feels responsible for your e-mail domain. Usually this results because was installed using a different domain than your e-mail domain and so you need to manually tell Exchange for which domain it is responsible. Solution: Exchange 2000/2003 Start System Manager (Exchange Admin) and select Recipient->Recipient Policies . Then either change the Default Policy or create a new policy and tell Exchange for which domain it should accept mail. Additional info from Microsoft at Q289833 Exchange 2007-2019 Start Exchange Management Console and select Organization Configuration->Hub Transport->Accepted Domain and make your your domain is in the list |
KBXW003 |
Symptoms: The logfile shows 505 5.7.1 Client was not authenticated Cause: The user that XWall uses for authentication does not have the proper rights. In general, the best is to disable authentication in XWall and to enable anonymous access in Exchange. Or use a user that has the proper right to send messages to Exchange. Several Solutions: Enable Anonymous access in Exchange 2000/2003 In Exchange Admin select Servers->Your Server->Protocol->SMTP->Default SMTP Virtual Server->Properties. In this dialog select the tab labeled Access and then Authentication and enable Anonymous access. Enable Anonymous access Exchange 2007-2019 Start Exchange Management Console and select Server Configuration->Hub Transport->Receive Connectors->Default Connector. In this dialog select the tab labeled Permission Groups and make sure Anonymous users is enabled. Disable or enable authentication in XWall Start MBAdmin, select Options->General->Exchange and enable or disable Exchange needs authentication.. If enabled, and type in the user account and password XWall should use when connecting to Exchange. Special note for Exchange 2007-2019: The user that you use for authentication MUST NOT have a mailbox and MUST be an administrator. DO NOT use Administrator, because there is a mailbox associated with that account and therefore it can't be uses for SMTP authentication. |
KBXW007 |
Symptoms: XWall is running as a console application without any problems, but when running as a service errors are reported. Cause: The account you use to start the service doesn't have enough rights to use RAS or the Internet or the Proxy. Solution: Start the service with Administrator or the account you use to logon onto Windows NT and then it should work. |
KBXW008 |
Symptoms: You have Windows 2000/2003 and when running XWall as a console application the last screen line is not visible. Cause: By default the Windows 2000/2003 screen buffer size height for a console application is set to 300 lines. Solution: Select the Properties of the console and then select the tab labeled Layout and change the Screen Buffer Size Height to 25 |
KBXW011 |
Symptoms: The logfile shows Error: No Exchange server found at localhost Cause: A SMTP server is responding, but it is not the one of Exchange. Solution: In a DOS box type telnet localhost 25 You will then get a greeting line of the SMTP server and this should give you an idea what program is running. The most common problems are: The SMTP server of the IIS (Internet Information Server) is running In Control Panel->Services look for a service called Simple Mail Transport Protocol (SMTP) and stop it and disable it. Then restart the Exchange IMS and it should work. A proxy server with a virtual port mapping is active The IP address you specified is wrong |
KBXW013 |
Symptoms: XWall download the messages without any problem but the files stuck in the MSG-IN directory and XWall doesn't send them to Exchange. Cause: There is an on-access virus scanner running that blocks XWall from accessing the downloaded files. Solution: In your on-access scanner disable the scanning of the XWall directory and below. Most scanners will never find a virus that is in a raw message file, because they can't extract the attachments from the message and even if they would find anything, they would confuse XWall more than it would help. If you enable the virus scanner support in XWall, it will extract the attachments and html pages from the message and call the scanner to scan it. |
KBXW014 |
Symptoms: The logfile shows Error: No AUTH command in EHLO found, Authentication failed Cause: Authentication is enabled in XWall, but your Exchange doesn't support authentication. Solution: Start MBAdmin, select Options->General->Exchange and uncheck Exchange needs authentication |
KBXW016 |
Symptoms: The messages are not forwarded to the Exchange server; the messages are all in the MSG-OUT directory and the logfile shows Error: Timeout in reading data [9] Cause: This error happens in Exchange 2000/2003 when there is something that prevents Exchange from accepting the message. Usually the error is the result of a routing problem, a renamed domain in the recipient policy, an authentication problem or a firewall that blocks or a virus scanner that prevents Exchange from working correctly. Several Solutions: Check if there is a firewall like ISA Server that blocks the data flow between the interface that XWall uses and the interface that Exchange is bound. Check if you have Norton / Symantec Corporate Edition running. If XWall gets the timeout when it connects to Exchange, then Norton / Symantec Antivirus may have silently installed a firewall that blocks port 24 on the loopback interface (this is 127.0.0.1 or localhost). In this case start MBAdmin, select Options->General->Exchange and change the name of the Exchange server from localhost to the IP address. If the timeout is after the BDAT command, then Norton / Symantec Antivirus prevents Exchange from accepting the message and you need to exclude the Exchange directory from on-access scanning. Check if there is another virus scanner running and disable it. At least make sure you have excluded the XWall, the TEMP and the Exchange directory from on-access scanning. Start MBAdmin, select Options->General->Exchange and change the name of the Exchange server from localhost to the name or IP address. If you are currently using a IP address or a name , then change it to localhost. The best is you try every combination and most likely one will work. Start System Manager (Exchange Admin) and select Recipient->Recipient Policies . Make sure you haven't renamed the domain in the Default Policy. Adding a new domain is no problem, but renaming the default domain is not what Exchange likes. Start System Manager (Exchange Admin) and select Servers->Your Server->Protocol->SMTP->Default SMTP Virtual Server->Properties. In this dialog select the tab labeled Access and then Authentication and make sure Anonymous access or Basic Authentication is checked. Start System Manager (Exchange Admin) and select Servers->Your Server->Protocol->SMTP->Default SMTP Virtual Server->Properties. In this dialog select the tab labeled Access and then Connection and make sure All except the list below is checked. |
KBXW017 |
Symptoms: Excluding an IP address or host name doesn't work Cause: You have excluded the wrong IP or host name. Solution: Open the logfile and locate the line that reads like
In this example list.cramsession.com is the hostname and 63.146.189.62 is the IP address that you need to exclude. Another example would be:
In this example there is no hostname and the only thing you can exclude is the IP address 63.160.84.34 |
KBXW018 |
Symptoms: When XWall is starting the virus scanner pops up an alert message whining about the Eicar test virus in the XWall directory. Cause: At startup XWall tests for the presence of an on-access scanner by writing out the Eicar test virus and displays a warning in the logfile if a on-access scanner is found. Solution: You need to exclude the XWall directory and below from the scanner or else the scanner will corrupt the downloaded messages and/or prevents XWall from accessing the messages. |
KBXW020 |
Symptoms: The logfile shows Warning: Possible DNS problem; unable to connect to local name server xx.xx.xx.xx Cause: At startup XWall tests the connection to the name server and the test was not successful. Several Solutions: There is no name server at this IP address A firewall blocks access to port 53 tcp of the name server. Note: Port 53 tcp and not udp. The DNS server does not support tcp queries. In this case start MBAdmin, select View->Advanced Configuration->DSN and change the DNS query protocol to udp |
KBXW021 |
Symptoms: You have a SonicWall / Zyxel Firewall / Watchguard Firebox and XWall can't send and/or receive from or to some mail servers. Cause: The SonicWall / Zyxel Firewall has a built inSMTP proxy / Filtered SMTP service that has a bug in handling some Enhanced SMTP (ESMTP) commands, particularly the CHUNKING command (RFC 3030 - SMTP Service Extensions for Transmission of Large Messages) The problems happens only when XWall sends or receives a message from a newer mail server like Exchange 2000/2003 which supports the CHUNKING command. Several Solutions: Disable the SMTP proxy / Filtered SMTP service at the SonicWall / Zyxel Firewall / Watchguard Firebox Start MBAdmin, select View->Advanced Configuration->ESMTP and disable CHUNKING and/or ESMTP |
KBXW022 |
Symptoms: High CPU utilization - Looping message Cause: There is a looping messages that keeps XWall and Exchange busy. Solution: The most common problem is that XWall forwards a message to Exchange, but Exchange doesn't feel responsible for this message and send the message back to XWall, which in turn forward it to Exchange. Check the logfile of XWall to find out which message is looping and then make sure that Exchange is configured to handle this message Note: Enable Options->System->Suspicious and XWall will give you a warning in the case such a looping message is detected. |
KBXW023 |
Symptoms: Blocked or excluded MAIL FROM: e-mail address is not blocked or excluded from blocking Cause: The e-mail address that you added is not the e-mail address that the sender used in the MAIL FROM: command and so it is not blocked or excluded. Solution: Exchange 5.5 Exchange 5.5 doesn't show the e-mail address that was used in the MAIL FROM: command. The only way to find it out is to open the logfile of XWall (mb.log), search for the subject of the message and then you will find the e-mail address that you need to exclude or block. A sample looks like: Explanation: Exchange 2000-2019 Open the message and then View->Options and here you find Internet header lines. Locate the line called ReturnPath: and this is the e-mail address that you need to block or exclude. A sample looks like: |
KBXW024 |
Symptoms: A lot of messages are in the outbound queue (MSG-OUT) Cause: The most likely reason for this is that you defined an action of Send non-delivery report to the sender in one of the spam blockings. However, most spammer do not accept mail and so XWall queues the messages until the messages timeout is expired. Several Solutions: Start MBAdmin, select Options->General->Advanced->Outbound SMTP options and set the Retry for to something between 4 - 24 hours, which makes more sense than the default of 5 days. Select a different action than Send non-delivery report to the sender. Usually Discard message or Forward to Admin is the best. |
KBXW025 |
Symptoms: The logfile shows Cause: XWall can't bind to port 25 because there is already a SMTP server running on this machine. Solution: XWall runs on the Exchange machine: You haven't bound Exchange to a different port like port 24. See the documentation, section Running XWall on the same machine as Exchange server, how to bind Exchange to a different port. XWall runs on a different machine: Most likely the SMTP server of IIS (Internet Information Server) is running. Open the Service applet and locate the service named Simple Mail Transport Protocol (SMTP) and disable it. Note: In the case you need the SMTP server of IIS for CDONTS, you may simply bind it to another port like port 26. XWall can then use port 25 and CDONTS will also work. |
KBXW026 |
Symptoms: XWall doesn't block the string Sample in Sam<frame><noframes>itbg7</noframes></frame>ple Sam<frame> Cause: The spammer added unnecessary html tags that are not shown by Internet Explorer and after XWall removes the html tags from the string, the result is Samitbg7ple and this doesn't match Sample. Solution: Block <frame><noframes> in Options->Blocking->HTML, because this tags are only used by spammers to make string searching impossible. |
KBXW027 |
Symptoms: XWall erroneous blocks e-mail addresses that are not in the blocking list Cause: The e-mail address is case insensitive compared from right to left until a match is found. This allows you to block a whole domain by typing @domain.com and as a result, bit@domain.com blocks rabbit@domain.com Solution: If you add a space at the beginning, XWall interprets this as a full address and so bit@domain.com doesn't block rabbit@domain.com For a description see General syntax - E-mail address |
KBXW028 |
Symptoms: Blank messages between two Exchange server in the same organization Cause: Exchange has a bug and sends non-RFC conforming messages to another Exchange machine. Several Solutions: Run XWall either on a different machine Run XWall on an extra IP address so that one Exchange can communicate with the other without that XWall is between. For instructions see Running on the same machine as Exchange but with a different IP |
KBXW029 |
Symptoms: XWall shows a license violation on a cluster Cause: The licensing of XWall is server based and not user based and you need one license for every running MBServer.exe. On a cluster you have two instances of MBServer.exe running, because you have two independent machines with two independent machine names and ip addresses. Solution: You need two XWall licenses for a two-node cluster. Because XWall is more a SMTP server than a database program, it doesn't really make sense to cluster XWall and so it is not recommend to run XWall on a cluster. |
KBXW030 |
Symptoms: Outgoing messages are not handled by XWall Cause: Exchange does not forward outgoing messages to XWall Solution: Send a message to someone outside your Exchange and then check the logfile of XWall if XWall really handled this message. If there is not indication that XWall handled the message, then Exchange doesn't forward the messages to XWall. See the Installation instruction, section Outgoing Messages, how to configure Exchange so that outgoing messages are forwarded to XWall. |
KBXW031 |
Symptoms: Blocked or excluded text or html is not blocked or excluded from blocking Cause: The message doesn't contain the words you are blocking at the time XWall processes it. Either because Outlook doesn't show you the complete message or that parts of the message are dynamically downloaded while you read the message. Solution: The only way to find what's really in the message is to look at the raw message. To get the raw message start MBAdmin, select Options->General->History and enable Keep a copy of every message. Then wait until such a message comes in and the logfile will tell you the name of the message file that you can find in HIST-IN. |
KBXW032 |
Symptoms: Excluding a specific address from address blocking doesn't work Cause: For example @yahoo.com is blocked in Options->Blocking->Address->Inbound MAIL FROM , but messages from someone@yahoo.com should be accepted. If a message is blocked and excluded at the same time, then, by default, XWall favors blocking over excluding. Solution: In Options->Exclude->Options check E-Mail Address and then XWall will favor excluding over blocking and the sample message will be accepted. |
KBXW033 |
Symptoms: Blocking a subject with a lot of question marks (e.g. ?????) is not possible Cause: The question mark is a wildcard and can't be escaped. So ????? basically blocks every subject, with more than 5 characters. Solution: There is no need to block a subject with a lot of question marks, because the subject has no question mark in it. The subject has some foreign characters and because you haven't the proper font installed, Outlook shows a question mark for each character it can't display. If you want to see the real subject then consult the logfile of XWall. |
KBXW034 |
Symptoms: The logfile shows Error: Connection closed by peer for no good reason [11] Cause: The other side closed the connection without giving a good reason. Usually this indicates some kind of problem at the other side, but the range of problems is wide (this means it could be all and anything) Solution: Incoming connection: Someone runs a port scan against your server. In this case the error happens immediately after the connection There is a routing problem. Usually this happens when you have two NIC and both NIC have a default gateway. This results in an undefined state because Windows can choose one of the two cards for outgoing packets. So when the data comes in on the first NIC, but the response is sent out over the second, then usually the firewall drops the connection and you get the error mentioned above The sending server has a problem reading the message from disk. In this case the error usually happens after the DATA or BDAT command The server can send small messages, but fails on larger messages. There is a routing problem. If the message is small enough that it fits in a small network packet, then it works, but fails as soon as the router had to split it in parts There is a SMTP filter that runs on your firewall and that closes the connection for whatever reason. Most firewalls silently install such a filter to prevent invalid messages. If the sending server sends an invalid message, the firewall detects this and closes the connection to XWall. From XWall viewpoint, it looks like as if the sending server closed the connection. There is a simple test if your firewall has installed such a filter: On the XWall machine telnet to port 25 and type EHLO something. XWall will greet you and list all available ESMTP options. Make a note of the greeting and all the options. Now telnet to XWall from the Internet and repeat the test. If the greeting and all ESMTP options are equal, then you have no filter or the filter is not visible. However, in most cases you see that the filter shows either a different greeting or far less, if any, ESMPT options. Once you found out that you have such a filter, you may check the logfile of the filter to find out why it closes the connection. Usually you can disable the filter completely, because they hurt more than they help. Outgoing connection: There is a message size limit at the target server or the server is out of disk space. In this case the error usually happens after the DATA or BDAT command There target server is blocking the messages. In this case the error usually happens after the MAIL FROM command There is a virus scanner running on the target that prevent accepting the message |
KBXW035 |
Symptoms: XWall stops working when running as a Console application (when MBserver.exe was started from an icon) Cause: Quick-Edit mode was accidentally enabled with the mouse and so Windows completely stops the application in the console so that you can perform cut & paste with the mouse Several Solutions: Select the Properties of the console and then select the tab labeled Options and disable Quick-Edit mode Run XWall as a service (see Run XWall as a service) |
KBXW036 |
Symptoms: A on-access virus scanner reports that there is a virus a non-delivery report created by qmail Cause: The on-access scanner produced a false alarm, there is no virus in the non-delivery report created by qmail Here is a explanation what's going on and why the on-access scanner reports the false alarm: Someone sent a virus with your e-mail address. The recipients server couldn't deliver the message and sends you back a non-delivery message and adds the original message "as-is" into the text part of the message. The crucial part is that the non-delivery message has the original message as text and not as a RFC 822 attachment enclosed. So when someone opens the message he/she will see only a lot of characters, but no attachment or the original message. Your XWall gets the message and decodes it properly (means as plain text). If you have a virus scanner in XWall and the scanner support eml format, then XWall passes over the message to the scanner. Depending on how smart the scanner is, the if will now find a virus or not (remember, there is no virus in the message, only the pattern of the virus is in the message). If the scanner doesn't find anything, then XWall sends the message to the recipient. If the recipient has an additional scanner on the workstation, then this scanner again may or may not find a virus, but it is still no virus in the message and so this is a false alarm. Here is a sample of such a qmail non-delivery message: Solution: Block such non-delivery messages To do so start MBAdmin, select Options->Blocking->Text and add This is the qmail-send program at to the list. |
KBXW037 |
Symptoms: The logfile shows 535 5.7.3 Authentication unsuccessful after installing Exchange 2003 SP1 Cause: Microsoft has changed something in SP1 that prevents the use of simple users names for SMTP authentication. At present it is not clear if this is a feature or a bug, because it affects all programs including Outlook. Several Solutions: Disable authentication in XWall completely in Options->General->Exchange->Exchange needs authentication By default anonymous access is enabled in Exchange and so there is no need for authentication, because Exchange will accept messages for all the domain for which it is responsible. So when Exchange doesn't accept message for the own domain and gives a 550 5.7.1 Unable to relay, then Exchange doesn't feel responsible for the domain and you should fix that rather than using authentication and force Exchange to accept the message. Use the User Principal Name (UPN) (e.g. michael@dataenter.co.at) in Options->General->Exchange->Exchange needs authentication->User Prepend the domain in front of the user name (e.g. DataEnter\michael) in Options->General->Exchange->Exchange needs authentication->User |
KBXW038 |
Symptoms: The logfile shows all incoming connections originated from a private IP address rather then the real IP address of the sender. As a result blocking by IP address or host name is not working and due that relaying for private addresses is enabled by default, XWall will not pass a relay test. Cause: There is a SMTP proxy running between the sending server and XWall and so XWall sees the IP address of the proxy server and not the real IP address of the sender. Also running XWall on an ISA server without proper publishing a SMTP server has the same effect. Several Solutions: SMTP proxy: If the SMTP proxy is built into your firewall, then you should disable the proxy, because it creates more troubles than it prevents. Usually SMTP proxies are not very sophisticated SMTP servers and so they do not support the full ranges of features that a good SMTP server like XWall or Exchange support. ISA Server: If ISA and Exchange are on different machines, then install XWall on the Exchange machine and not on the ISA machine. This will save you a lot of configuration problems and is technically the better solution. To run XWall on the ISA server, you need to bind XWall to the inside IP address and publish a SMTP from the outside IP address to the inside IP address. Note: If you run ISA and Exchange on the same machine, like on a SBS 2000/2003, then XWall will run without any problems, simply because ISA is already configured to run a SMTP server. |
KBXW039 |
Symptoms: The logfile shows 504 <server>: Helo command rejected: need fully-qualified hostname Cause: The recipients server doesn't accept mail from XWall because the FQDN of the XWall machine is wrong .The name of the machine is something like server rather than server.yourdomain.com and/or server.yourdomain.com is not a public name in the DNS or the name of the IP address ( the PTR record) is not server.yourdomain.com Several Solutions: Make sure the name of your machine is something like server.yourdomain.com. If the name is only server, then this means that your machine is not part of a Windows domain. Set the FQDN explicit in View->Advanced Configuration->IP Address->FQDN Also make sure that the DNS server that is responsible for your domain has an A record for server.yourdomain.com and a PTR record for the official IP address. |
KBXW040 |
Symptoms: High CPU utilization - Outdated McAfee scan engine Cause: The engine of McAfee has a restricted lifetime and some are outdated. As a result the newer DAT files do not work or use 100% CPU utilization. Solution: Upgrade to the latest scan engine Info how to download the latest version can be found here |
KBXW041 |
Symptoms: High CPU utilization - High message count Cause: XWall handles a lot of message and so the CPU is busy Several Solutions: Select View->Advanced Configuration->Threads and decrease the worker threads 8 - 10 is a good value for a slow CPU, 10 - 15 for faster CPU. Increasing the thread count means that the operating system needs a lot of resourced switching between the threads and the time for processing a message increases. Decreasing the thread count means that it takes less time to process a message, but a single large message can stall the processing for some time. And in then case you disable Options->Virus->Virus->Scanner needs to be serialized , then XWall will start an instance of the scanner for every thread. This means that when you have 15 threads, XWall will start the scanner 15 times and this may really stress your machine and usually the CPU will be at 100%. Enable View->Advanced Configuration->Threads->Refuse inbound connections when max thread count is reached Enabling this means that XWall will not accept a message once it is busy and the advantage is that the inbound queue can't fill up. Enable Options->Session->Recipient Enabling this means that XWall does not accept messages for invalid e-mail address. Each invalid e-mail address results in a non-delivery report, either created by XWall or by Exchange and this takes CPU and system resources. Spammers often use a list of common names, combine the names with your domain to create an e-mail address and then blindly send this to your system. They hope that when the send you 10.000 messages with a likely e-mail address, that a few will reach a valid recipient. Keep in mind It takes nearly no CPU to send out 10.000 messages, but it takes really a lot of CPU and memory to accept and process 10.000 message and to send back 10.000 non-delivery reports. Check the amount of messages that you get, especially at prime time Either count the lines in the statistic file (sr*.csv) or dump the statistic into the logfile (Signal->Dump statistics). XWall can handle some 8-10 messages per second without virus scanning and 1-3 messages with virus scanning. This means that when you get more than 120 messages per hour in prime time and you have virus scanning enabled, then XWall will use all CPU that it can get and this results in a 100% CPU utilization. Note: if you add the line DumpConnectionStatisticLogEvery=5 to XWall.ini, then the statistic is dumped every 5 minutes to the logfile and this allows you to monitor the system over a longer time period. At any time you can stop XWall and move the messages from MSG-IN to a different directory Later, maybe when XWall is idle, you can stop XWall again and move back the messages into MSG-IN and XWall will continue processing the messages. |
KBXW042 |
Symptoms: The logfile shows Warning: DNS problem; unable to resolve test-for-dns-resolve.dataenter.co.at Cause: Either the DNS server doesn't support tcp queries or the DNS server can't resolve public IP addresses and as a result XWall can't resolve the IP address for an existing A record. Several Solutions: Make sure your DNS server can handle tcp queries. Bind and Microsoft DNS can handle tcp queries, some router with built-in caching server usually accept only udp queries. In the case your DNS server does not support tcp queries start MBAdmin, select View->Advanced Configuration->DSN and change the DNS query protocol to udp Make sure the DNS server is able to resolve public IP addresses. Using a internal-only DNS will not work with XWall. |
KBXW043 |
Symptoms: The logfile shows Warning: DNS problem; unable to resolve MX for inbound domain yourdomain.com Cause: XWall gets the MX records from your domain to automatically exclude your backup MX MTA from some spam blocking. However your DNS server can't resolve the MX records of your own domain. Solution: If you have an internal DNS server then you need to manually add the MX records to the zone or you exclude your backup MX manually. |
KBXW044 |
Symptoms: XWall fails to pass a relay test and the protocol shows something like:
Cause: First of all, accepting a mail doesn't mean relaying and the documentation of the relay test describes this. Also the maintainer of the test knows exactly what's the difference is and act accordingly. Relaying means that the mail is accepted in behalf of another server and that XWall will forward the mail to a server outside of your environment, whereas accepting means that XWall is responsible for the e-mail domain and will forward the mail to a server inside your environment, usually your Exchange. The test checks for a bug in Sendmail which gets confused by using a % in the user part of an e-mail and will therefore relay the message to @rep.rbl.jp. However, XWall doesn't have this bug and so it doesn't relay the messages. What XWall does is to accept the message, because it is addressed to your domain and XWall will forward the message to Exchange. Exchange in turn will then send back a non-delivery report, because the e-mail address is not valid, >but this is not part of the test. Solution: Check the logfile of XWall what XWall did with the message. If the message was sent to your Exchange, then XWall is not relaying. |
KBXW045 |
Symptoms: XWall hangs after sending the BDAT or XBDATA command Cause: The recipients server announces that it accepts binary data (RFC 3030), but when XWall sends the data, it fails to get to the server. There is SMTP proxy between XWall and the recipients server, and the proxy has has a problem with binary data. The following devices are known for the problem: SonicWall / Zyxel Firewall / Watchguard Firebox Cisco PIX with MailGuard (see also Microsoft KB 320027) Norton / Symantec Antivirus 9.0 Corporate Edition (installs a SMTP proxy that can't handle binary data) Norton / Symantec Antivirus 10.0 Corporate Edition (the scanner prevents Exchange from accepting binary messages) Kerio Winroute Firewall (installs a SMTP proxy called the SMTP Protocol Inspector that can't handle custom ESMTP commands with binary data) Several Solutions: SonicWall / Zyxel Firewall / Watchguard Firebox Disable the SMTP proxy or upgrade the firewall Cisco PIX with MailGuard Disable the SMTP fixup (this is the SMTP proxy in the Cisco PIX) Norton / Symantec Antivirus Corporate Edition 9.0 or 10.0 If the problem happens when XWall sends to Exchange, then make sure Norton / Symantec Antivirus hasn't silently installed a firewall that can't handle the binary data. Also make sure Norton / Symantec Antivirus doesn't scan the Exchange directory, because this prevents Exchange from accepting messages. Note: This means you need to exclude the Exchange, the TEMP and the XWall directory from on-access scanning, but you may leave the Exchange message scanning enabled. Kerio Winroute Firewall Disable the SMTP Protocol Inspector If nothing of the above fixes the problem, then start MBAdmin, select View->Advanced Configuration->ESMTP and disable CHUNKING or XBDATA and/or ESMTP |
KBXW046 |
Symptoms: The recipients server refuses to accept your message because XWall refuses to accept a message with blank or NULL address (MAIL FROM:<>) Cause: The recipients server connects back to XWall and verifies that XWall is willing to accept a message with blank or NULL address. If XWall is configured to verify if the sender uses an e-mail address, then it refuses such a message and in turn the recipients server refuses to accept your message. Messages with a with blank or NULL address are usually non-delivery reports and the RFC requires that every mail server needs to accept this kind of messages. Several Solutions: Start MBAdmin, and disable Options->Blocking->DSN Exclude the senders IP address or hostname in Options->Blocking->DSN->Exclude |
KBXW047 |
Symptoms: Message flow stops between two Exchange server in the same organization Cause: If more than one Exchange server exists in an organization, then the Exchange servers communicate internal states using Microsoft propriety SMTP verbs on port 25. This are things like routing information, envelope properties, message properties, and recipient properties. Third party gateways like XWall should not be inserted between internal Exchange servers in the same organization for this reason as compatibility is not possible. Even if XWall supports these verbs, they are subject to change/additions/etc since they are Microsoft proprietary. Several Solutions: Run XWall either on a different machine Run XWall on an extra IP address so that one Exchange can communicate with the other without that XWall is between. For instructions see Running on the same machine as Exchange but with a different IP |
KBXW048 |
Symptoms: White list exclusion doesn't work Cause: Exchange does not forward outgoing messages to XWall and so XWall can't add the e-mail address to the white list Solution: Send a message to someone outside your Exchange and then check the logfile of XWall if XWall really handled this message. If there is not indication that XWall handled the message, then Exchange doesn't forward the messages to XWall. See the Installation instruction, section Outgoing Messages, how to configure Exchange so that outgoing messages are forwarded to XWall. if XWall handles outgoing messages then make sure AdrOWL-A.dat exists. If the file doesn't exist, then you haven't turned on the white list in Options->Global Exclude->Exclude - White List |
KBXW049 |
Symptoms: Disclaimer is not added to outgoing messages Cause: Exchange does not forward outgoing messages to XWall and so XWall can't add the disclaimer to the message Solution: Send a message to someone outside your Exchange and then check the logfile of XWall if XWall really handled this message. If there is not indication that XWall handled the message, then Exchange doesn't forward the messages to XWall. See the Installation instruction, section Outgoing Messages, how to configure Exchange so that outgoing messages are forwarded to XWall. |
KBXW050 |
Symptoms: XWall not able to establish a connection to Hotmail or MSN for a few hours and the logfile shows Error: Unable to establish a connection with mail host [14] Cause: Hotmail and MSN use DNS round robin to load balance between their SMTP servers. However, the DNS server that XWall uses does not support round robin and so XWall does not get the correct IP addresses from the DNS server. Solution: If XWall uses the DNS of Windows, then start the DNS Management Console, select the properties of the DNS server and in the tab labeled Advanced make sure Enable round robin is enabled. If XWall uses the DNS of your ISP, then either call the ISP and ask them about round robin or let XWall use the Windows DNS server. You can test the DNS server using TestMX (download TestMX from http://www.dataenter.co.at/download.asp#testmx) Every time you run TestMX you should get a different IP address, for example: If TestMX always shows the same IP addresses, then the DNS does not support round robin. |
KBXW051 |
Symptoms: The logfile shows 501 5.1.7 invalid return path Cause: The sender sent an invalid e-mail address in the MAIL FROM: command. For example MAIL FROM: <buddy> rather then MAIL FROM: <buddy@domain.com> Solution: Prior v3.36e XWall automatically converted an invalid e-mail address to a NULL-address (MAIL FROM: <buddy> was converted to MAIL FROM: <>). However, this created a security whole and so XWall not longer converts invalid e-mail addresses. If you want to revert to the previous behavior then add the line InboundESMTPConvInvalidReturnPathToBlank=True InboundESMTPConvInvalid to XWall.ini |
KBXW052 |
Symptoms: McAfee Command Line 4.x reports a virus for every message Cause: Since 15 May 2007 the DAT files do no work with McAfee Command Line v4.x. The scanner returns an error every time XWall calls it and as a result XWall flags each messages as a virus. Several Solutions: Upgrade to McAfee Command Line v5.x Use the DAT files from 14 May 2007 |
KBXW053 |
Symptoms: The logfile shows 452 4.3.1 Insufficient system resources Cause: Exchange 2007-2019 monitors important system resources, such as available hard disk drive space and available memory. If utilization of a system resource exceeds the specified limit, then Exchange server stops accepting new connections and messages. Solution: Make sure the disk has at least 4% of the capacity with a minimum of 4GB free space. For more information on Exchange 2007-2019 system monitor see Understanding Back Pressure |
KBXW054 |
Symptoms: You have a Cisco PIX and XWall can't receive messages from some mail servers and the logfile shows:
Cause: In all reported cases the sender had a Cyberguard firewall with a SMTP proxy enabled. There seams to be a ESMTP and/or RSET compatibility problem between the Cyberguard and the Cisco PIX MailGuard SMTP fixup, which is the SMTP proxy that runs on the PIX. Solution: Disable the MailGuard SMTP fixup at the Cisco Note: The Cisco PIX MailGuard SMTP fixup does not help much, but it disables all ESMTP commands. So disabling Cisco PIX MailGuard SMTP fixup does not cause a risk, but improves the performance and reliability of your mail transfer. |
KBXW055 |
Symptoms: Backscatter - You get back non-delivery reports for messages that you never sent Cause: Backscatter occurs when a spammer uses your e-mail address to send out spam or a virus. For all the messages that can't be delivered, you get back a non-delivery report. Based on the initial message volume you may get back thousands of non-delivery reports. Several Solutions: Define SPF records for your domain. This helps the recipients mail server to block the messages before it needs to send out a non-delivery report. At www.openspf.org you find a wizard that helps you creating the SPF records. Enable View->Spam->Backscatter to block faked non-delivery reports |
KBXW056 |
Symptoms: The logfile shows Error: Unable to create file Cause: XWall is not able to create a file to store the downloaded message or it can't extract the attachments from the message. Several Solutions: Chkdsk converted the MSG-IN or MSG-OUT directory to a file Stop XWall , delete the MSG-IN and/or MSG-OUT file and create a MSG-IN and MSG-OUT directory. The TEMP directory does not exist When XWall starts, it shows which directory is used as the TEMP directory. Make sure the directory exist and that the XWall service has full read/write right to it. |
KBXW057 |
Symptoms: Self-sending spam - Spammer spoofs your domain, messages show your own domain as sender Cause: The spammer sends a message which uses your own domain as the sender of the message, something like
Solution: Enable Options->Spam->Envelope->Check if the message has an internal From: e-mail address to block spoofed messages. Note: If you have ESATInformer, external POP3 clients or a web mailer or any other application that sends messages, then read the exclude hints here |
KBXW058 |
Symptoms: You have a Blackberry device and you are using the Desktop Redirector and you are getting spam on your Blackberry. But when you check Outlook the spam is not in your Inbox, but rather in your Junk E-Mail folder or any other folder designated for spam. Cause: The Blackberry Desktop Redirector redirects the messages before Outlook moves the messages into the Junk E-Mail folder. Solution: You can slow the Blackberry processing to give Outlook time to process the messages and remove spam before it gets forwarded to the device. See Blackberry KB00139 how to set the delay. |
KBXW059 |
Symptoms: Reassemble message may remove some Chinese characters when the sender incorrectly uses codepage GB2312 is used Cause: Basically Chinese have two languages, one from traditional main China and the other from the western parts of China (Hong Kong and Taiwan). This languages uses different characters and both have their own codepage (Big5 and GB2312) The problem started as Hong Kong come back to the main China, because now they had two systems that are not compatible. This resulted in several ways to fix it ( e.g. to create a single codepage that contains all characters.). Any western program forces a Chinese user to select one of the two codepages and stay with it for the rest of the message (Exchange or Hotmail are samples of this) Chinese ISP however use a different way: They work on a "as long as it works it is ok" base. Basically this means they use GB2312 and add Big5 characters or they use Big5 and add GB2312 or simply create a new codepage at all. Even 163.com, which is a large ISP, changes it mind every now and then. XWall is always using the RFC and other standardization as the base for reassembling, because this is the only way to guarantee a exploit free messages. And because of this, XWall converts the valid characters of the codepage and remove the invalid characters. Several Solutions: Tell the sender to use codepage GBK Codepage GBK is the standardized way to fix the problem and is supported by XWall. Exclude the sender from reassembling in Options->System->Reassemble message->Exclude |
KBXW060 |
Symptoms: You have Citrix XenServer hosting Windows 2008 64bit Edition and MBAdmin.exe is crashing as soon as you start it Cause: Citrix XenServer has a bug that crashes all 32bit executable that are created using the Watcom compiler. MBAdmin.exe is always a 32bit application, even in the 64bit edition of XWall. However, the 64bit edition of MBServer.exe is not affected by this bug. More information on this bug at Xen-Bugs Solution: Start MBAdmin.exe from a workstation rather then on the server. To do this, share the XWall directory and then access the share from your workstation and start MBAdmin.exe. |
KBXW061 |
Symptoms: You have Linux or BSD based firewall and IPTables Connection Tracking shows a lot of ESTABLISHED connections, but there are no active connections Cause: When a Windows client drops the connection without sending any data, then IPTables Connection Tracking isn't realizing this all the time. Due that there is a extreme long timeout for the ESTABLISHED record (432000 seconds or 5 days), the connection table may fill up with non-existing connections. Several Solutions: Set the timeout to a lower value In Linux you can set the timeout at runtime using sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=7200 sysctl -w Or you change the value permanent using /etc/sysctl.conf Use a different version of kernel/ipfilter Different versions handle the problem in different ways Avoid using Options->Session->Greeting delay Greeting delay, especially with a high value, results in a lot of connection where no data is exchanged |
KBXW062 |
Symptoms: You have Windows 2008 and XWall fails to connect to certain external mail servers including Hotmail. Testing with Telnet gives back strange results. Windows 2003 server on the same network don't experience the problem. Cause: Windows 2008 has a different TCP/IP stack then Windows 2003 and the default settings may conflict with the external mail server. Solution: Try turning off Autotuning (in a DOS box as Administrator): netsh interface tcp set global autotuninglevel=disabled netsh interface If that doesn't change anything then return it to "normal": netsh interface tcp set global autotuninglevel=normal netsh interface |
KBXW063 |
Symptoms: You have an Exchange 2000/2003 and Outlook shows the message header in the body and/or attachments are not decoded. Cause: The sender digitally signs the message using DomainKeys or DKIM and this results in large header lines which Exchange 2000/2003 can't handle. Sometimes the problem is also related to a spam blocker that runs in front of XWall, which also adds large header lines. Solution: Turn on Options->System->Format->Inbound messages->Reassemble message XWall will then reassemble the message and remove the header line. |
KBXW064 |
Symptoms: Rolex spam - different messages, some with empty text, some with pictures only Cause: Most sender IP addresses are blocked by SLS/RBL, but some are not. Due the unusual amount of messages sent by the spammer, the count that slip though are is increasing. Unfortunately they use only the e-mail addresses for sending. Solution: Add the following lines to XWall.ini InboundBlockFromAddress=error@mailfrom.com InboundBlockFromAddress=no-reply@rolex.com This will add the e-mail addresses to Options->Blocking->E-Mail->Inbound From |
KBXW065 |
Symptoms: The logfile shows 552 5.3.4 Message size exceeds fixed maximum message size Cause: The size of the message is greater than the size limit of Exchange and so Exchange refuses to accept the message. Solution: Exchange 2007-2019 has a default size limit of 10 MB. The limit is on the hub, transport, database, mailbox and in some cases, even in the AD. Start Exchange Management Console and select Organization Configuration->Hub Transport->Global Settings->Transport Settings and Server Configuration->Hub Transport->Receive Connectors->Properties of each receive connector and Organization Configuration->Mailbox->Database Management->Properties of each database and Recipient Configuration->Mailbox->Properties of the mailbox->Mailbox Settings->Storage Quotas For setting the values in the AD using ADSIEdit see technet.microsoft.com |
KBXW066 |
Symptoms: Random DNS errors, SLS/RBL sometimes not working, DNSWL excludes everything, invalid e-mail domains are not detected Cause: The DNS server that XWall uses has a forwarder, using either the DNS of the ISP or one of the major DNS like Google or OpenDNS Solution: The large DNS server are optimized for browsing the web, more technically speaking, resolving A records. They are not optimized for MX or TXT records, the records that XWall needs most. In general, Windows comes with one of the best DNS server and so there is not a single benefit, but a lot of drawbacks: Missing Negative Caching of DNS Queries (RFC 2308) When XWall checks if a domain is valid, then it queries for a MX records. When the domain doesn't exist and the DNS caches negative queries, then is sends back an NXDOMAIN error and XWall knows that the domain doesn't exist. However, without negative cache, the DNS sends back nothing. So XWall doesn't know if the domain has a problem or is down or has a bad configuration or whatever. For an incoming message, XWall must now accept the message, even when the senders domain is not existing, simply because there is no way to proof. For an outgoing message, XWall needs to reschedule the message until the message timeout expires, rather than immediately sending back a NDR. And when XWall finally sends a NDR, the NDR shows a timeout rather than a failed domain and so the sender is confused too. DNSWL excludes everything DNSWL is not a free service and so they want to charge a public DNS server. In the case they can't agree on the terms, DNSWL simply gives back a positive result for every query from the public DNS. When XWall then queries DNSWL for a global exclusion and gets back an IP address, then XWall had to assume the IP is on the list. As a result, XWall will not perform any spam checking on the message and the message passes. SLS/RBL sometimes not working Due the amount of queries that the RBL gets from a public DNS, they sometimes block the DNS. XWall is then not able to query the SLS/RBL and may get a timeout for every query. Filtering of phishing sites Last known-good address for a A record, even if its nameserver is offline Providing an IP address for non-existing A records XWall gets back wrong results for a query and this may result in a problem detecting a spam message. |
KBXW067 |
Symptoms: The logfile shows 451 4.7.0 Temporary server error. Please try again later. PRX2 Cause: Exchange 2013-2019 needs a properly working DNS server and the NIC has more than one DNS server assigned. Solution: The NIC must have only the DNS server of your domain, not any other public DSN server like the one of your ISP or Google or OpenDNS. |
KBXW068 |
Symptoms: XWall fails to reject invalid e-mail addresses during a SMTP session Cause: Options->Session->Recipient->Verify the recipients e-mail address dynamically using a SMTP query to Exchange is enabled and Exchange fails to reject invalid e-mail addresses during the SMTP session Solution: Exchange 2003 Start System Manager (Exchange Admin) and select Message Delivery->Properties . In this dialog select the tab labeled Recipient Filtering and enable the option Filter Recipients who are not in the directory Exchange 2007-2019 Recipient Filtering is part of the Exchange Anti-Spam Functionality. By default, Anti-Spam Functionality is disabled. To enable Anti-Spam Functionality on Exchange run the script Install-AntiSpamAgents.ps1 Note: All of the anti-spam options are enabled by default. You need to disable them all except for recipient filtering. Start Exchange Management Console and select Organization Configuration->Hub Transport-> Anti-Spam and disable them all except for recipient filtering |
KBXW069 |
Symptoms: The logfile shows 503 5.5.1 Need valid MAIL FROM first Cause: The target MTA has a virus scanner / spam blocker running that manipulates the SMTP traffic. GData Antivirus is know for this behavior. Solution: Disable the virus scanner / spam blocker |