问题描述
==========
一个运行Exchange 2010+ORF反垃圾邮件的客户反映,用户出国后无法使用pop3方式发邮件还是被拒绝或是报以下错误:
550 5.2.1 Mailbox unavailable. Too many invalid delivery attempts were received from your IP address.
原因分析
=======
1.首先,我们检查这位出差国外的客户Outlook的配置,是否已将 SMTP的身份验证勾选,经验证是已经勾先的。
2.然后,我们检查ORF的日志,看是否有被ORF拒绝的情况,在分析的过程中发现,这位用户发送邮件时,根本没有进行身份验证。也就是说ORF认为这个用户的邮件被当成第三方的服务器发过来的邮件。但是我们ORF已经把这个用户加到Sender Whiretlist(发件人白名单)了,所以排除ORF被拒绝的情况。
3.最后,我们检查Exchange本身的SMTP 日志,如下:
2011-11-16T04:11:56.165Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,3,192.168.0.222:25,69.46.103.200:49760,<,EHLO mail.globalsuite.net,
2011-11-16T04:11:56.166Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,4,192.168.0.222:25,69.46.103.200:49760,>,250-WIN-TQTAID053PB.abc.com Hello [69.46.103.200],
2011-11-16T04:11:56.166Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,5,192.168.0.222:25,69.46.103.200:49760,>,250-SIZE,
2011-11-16T04:11:56.166Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,6,192.168.0.222:25,69.46.103.200:49760,>,250-PIPELINING,
2011-11-16T04:11:56.166Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,7,192.168.0.222:25,69.46.103.200:49760,>,250-DSN,
2011-11-16T04:11:56.166Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,8,192.168.0.222:25,69.46.103.200:49760,>,250-ENHANCEDSTATUSCODES,
2011-11-16T04:11:56.166Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,9,192.168.0.222:25,69.46.103.200:49760,>,250-STARTTLS,
2011-11-16T04:11:56.166Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,10,192.168.0.222:25,69.46.103.200:49760,>,250-X-ANONYMOUSTLS,
2011-11-16T04:11:56.166Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,11,192.168.0.222:25,69.46.103.200:49760,>,250-AUTH NTLM LOGIN,
2011-11-16T04:11:56.166Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,12,192.168.0.222:25,69.46.103.200:49760,>,250-X-EXPS GSSAPI NTLM,
2011-11-16T04:11:56.166Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,13,192.168.0.222:25,69.46.103.200:49760,>,250-8BITMIME,
2011-11-16T04:11:56.166Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,14,192.168.0.222:25,69.46.103.200:49760,>,250-BINARYMIME,
2011-11-16T04:11:56.166Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,15,192.168.0.222:25,69.46.103.200:49760,>,250-CHUNKING,
2011-11-16T04:11:56.166Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,16,192.168.0.222:25,69.46.103.200:49760,>,250-XEXCH50,
2011-11-16T04:11:56.166Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,17,192.168.0.222:25,69.46.103.200:49760,>,250-XRDST,
2011-11-16T04:11:56.166Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,18,192.168.0.222:25,69.46.103.200:49760,>,250 XSHADOW,
2011-11-16T04:11:56.442Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,19,192.168.0.222:25,69.46.103.200:49760,<,MAIL FROM:<jia@abc.com>,
2011-11-16T04:11:56.442Z,WIN-TQTAID053PB\Default WIN-TQTAID053PB,08CE6E5DA8B26408,20,192.168.0.222:25,69.46.103.200:49760,*,08CE6E5DA8B26408;
我们注意到日志中的一个问题:当这个用户连接服务器发邮件时,EHLO 的信息是 mail.globalsuite.net,很显然,这个信息是不正确的,然后经我们分析,这个应该是这位出差的用户所在上网线路提供商的一个SMTP代理服务器,也就是说,所以连接25端口发送邮件的过程,都会被这个mail.globalsuite.net的服务器代理发送,也就是用户不是直接连接自己的Exchange 2010服务器发的邮件,所以就没有验证的记录了。Exchange 2010也和ORF一样,认为是第三方服务器发过来看邮件。当发送到一定数量后,就造成Tarpit 的情况。
解决方法
=======
根据以上的分析。解决的方法应该集中在如何让用户直接连接Exchange 2010的服务器的SMTP来发邮件上来。我们最终给客户提出的方案是:让这位用户用VPN拔回到公司局域网。SMTP的地址填写内网IP,以确保使用Exchange 2010的服务器的SMTP来发邮件。以解决这个问题。 |