KMS 6.7.2 on Redhat: 4.4.2 error only with certain domains
  •  
jlagnese

We are running KMS 4.4.2 on a HP DL320s, 4gb ram, dual, dual core xeons, 2.4. The OS is Redhat Enterprise 5.4.

About a month ago, we started seeing 4.4.2 errors for Messages in queue that were being sent to any domain that uses Message Labs and Wells Fargo. I have enlisted the help of Message labs, and the only thing they could tell us is that the connection is getting cut off in between us. We do not have a SPAM appliance, we just use the built in tools that come with Kerio. Our firewall is a Sonic Wall 3060, so we put the mail server directly on the DMZ to remove it, and we got the same results. If anyone can help, I would appreciate it. Our ISP basically said it can't be them, and at 18K a month, I find that feckless. Below is a rejected/delayed message:

Original-Recipient: xxx.xxx<_a.t_>wellsfargo.com
Final-Recipient: rfc822;xxx.xxx<_a.t_>wellsfargo.com
Action: delayed
Status: 4.4.2
Remote-MTA: mx2.wellsfargo.com
Diagnostic-Code: SMTP; Connection lost
Received: from [205.221.40.111] ([205.221.40.111])
by keriomail.aea11.k12.ia.us (Kerio MailServer 6.7.2)
for xxx.xxx<_a.t_>wellsfargo.com;
Thu, 12 Nov 2009 15:01:08 -0600
User-Agent: Microsoft-Entourage/12.23.0.091001
Date: Thu, 12 Nov 2009 15:01:07 -0600
Subject: test
From: jim lagnese <jlagnese<_a.t_>aea11.k12.ia.us>
To: Mary Lagnese <xxx.xxx<_a.t_>wellsfargo.com>
Message-ID: <C721D3B3.EC7D%jlagnese<_a.t_>aea11.k12.ia.us>
Thread-Topic: test
Thread-Index: AcpZho+R/WIwudEVQY6LZTrg4ThCzgKVLFAw
In-Reply-To: <A6EA0B660471334B83A56FB3ABD52B3B47413ED75C<_a.t_>MSGCMSV21008.ent.wfb.bank.corp >
Disposition-Notification-To: jlagnese<_a.t_>aea11.k12.ia.us
Mime-version: 1.0
Content-type: multipart/alternative;
boundary="B_3340882867_6250182"

AND


<bjorgensen<_a.t_>paylessoffice.com> (cluster9a.us.messagelabs.com: Connection lost)
Reporting-MTA: dns; keriomail.aea11.k12.ia.us
Arrival-Date: Thu, 12 Nov 2009 16:46:07 -0600

Original-Recipient: bjorgensen<_a.t_>paylessoffice.com
Final-Recipient: rfc822;bjorgensen<_a.t_>paylessoffice.com
Action: failed
Status: 4.4.2
Remote-MTA: cluster9a.us.messagelabs.com
Diagnostic-Code: SMTP; Connection lost
Received: from [205.221.40.111] ([205.221.40.111])
by keriomail.aea11.k12.ia.us (Kerio MailServer 6.7.2)
for bjorgensen<_a.t_>paylessoffice.com;
Thu, 12 Nov 2009 16:46:07 -0600
User-Agent: Microsoft-Entourage/12.23.0.091001
Date: Thu, 12 Nov 2009 16:46:07 -0600
Subject: Test
From: jim lagnese <jlagnese<_a.t_>aea11.k12.ia.us>
To: <bjorgensen<_a.t_>paylessoffice.com>
Message-ID: <C721EC4F.EC83%jlagnese<_a.t_>aea11.k12.ia.us>
Thread-Topic: Test
Thread-Index: Acpj6evq+EDLOb7Sc02H0npYchuT3A==
Disposition-Notification-To: jlagnese<_a.t_>aea11.k12.ia.us
Mime-version: 1.0
Content-type: multipart/alternative;
boundary="B_3340889167_6660662"
  •  
cjbraun

We're having the same issue, and I'm seeing we have similar setups. We also use a Sonicwall 3060 and our mail also aggregates through an Iowa AEA (Keystone AEA1). We're running the newest version 7.0 of KMS. I'm led to believe that the mail servers that we're losing connection with (ex: netins.net, iowa.gov and uni.edu) require the sending server to wait for an acknowledgement response from the receiving server before the sending server begins sending mail. Netins told me they had problems with another Iowa AEA getting mail through because of this problem (maybe it was you?)

Anyway, I'll be submitting a support case with Kerio tonight as I've exhausted my options in finding a fix.

I'd love to hear if you find why this is happening.
  •  
jlagnese

Hi CJ. I work for Heartland AEA 11. I have problems with NetINS and they use Communigate Pro for their email. They weren't all that helpful except to tell me that:



It appears your server is trying to send before waiting for the prompt.

09:08:06.07 1 SMTPI-422110([xxx.xxx.xx.250]) dropping: got pre-prompt data:
09:08:06.07 4 SMTPI-422110([xxx.xxx.xx.250]) closing connection


As a correction, we use 6.7.3 patch 1. I haven't gone to 7 yet as I wanted to wait for one more patch release. I don't like being an early adopter and we've had egg on our face with Kerio before.
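
The "got pre-prompt data" drop in the log above can be reproduced on localhost. This is an added example, not part of the original posts and not Kerio or CommuniGate code: `strict_server` is a constructed stand-in for a receiver that delays its 220 banner and drops clients that talk first, and `smtp_hello`, the host names and the 0.3 s delay are assumptions.

```python
import select
import socket
import threading

def strict_server(delay=0.3):
    """Constructed stand-in for a receiving MTA with a greet delay: it drops
    any client that sends data before the 220 banner (an "early talker")."""
    srv = socket.create_server(("127.0.0.1", 0))

    def handle():
        conn, _ = srv.accept()
        with conn:
            # Anything readable during the delay is pre-prompt data.
            early, _, _ = select.select([conn], [], [], delay)
            if early:
                return  # close without a banner, as in the log above
            conn.sendall(b"220 mx.example.test ESMTP\r\n")
            if conn.recv(1024).upper().startswith(b"EHLO"):
                conn.sendall(b"250 mx.example.test\r\n")

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]

def smtp_hello(port, wait_for_banner, host="127.0.0.1", timeout=3.0):
    """Return the server's reply to EHLO, or 'connection lost'."""
    ehlo = b"EHLO client.example.test\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            if not wait_for_banner:
                s.sendall(ehlo)            # early talker: EHLO before the prompt
            banner = s.recv(1024)          # blocks until 220 or the drop
            if not banner.startswith(b"220"):
                return "connection lost"
            if wait_for_banner:
                s.sendall(ehlo)            # well-behaved: EHLO after the prompt
            reply = s.recv(1024)
            return reply.decode().strip() if reply else "connection lost"
        except OSError:                    # reset or timeout
            return "connection lost"

if __name__ == "__main__":
    print("waits for 220:", smtp_hello(strict_server(), wait_for_banner=True))
    print("talks first:  ", smtp_hello(strict_server(), wait_for_banner=False))
```

From the sender's side the drop looks the same as the "Connection lost" diagnostic in the bounces, so the receiver's log is what distinguishes it from a failure elsewhere on the path.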
  •  
cjbraun

Hi, just curious if you've made any progress on this issue? As far as I can tell, it's an issue specific to the pairing of Kerio MS and Sonicwall Pro 3060. I've opened trouble tickets with both Kerio and with Sonicwall, neither of which have been able to resolve the issue.

My current workaround is less than graceful. I am relaying email through our AEA's mailserver, however I can only do this about once per day in order to clear out the message queue. If I leave the server continually relaying through them, it will start giving 4.4.2 connection lost errors after a few hours, and then no mail at all gets delivered.

As of now, if Kerio can't track the problem down, my options are to migrate to a different mailserver, replace the Sonicwall, or migrate our network behind our AEA's firewall. None of those options are very appealing to me, hopefully I can avoid them.
  •  
jlagnese

The only luck we've had so far is fixing the problem with ssl. Kerio told us they have a patch, 7.0.2 coming out that will solve it. As far as the 4.4.2 issue, I guess if it's the firewall, they feel there is nothing they can do about it. The funny thing is it's not with all recipients, just with the same few, like NetINS, DMACC, and a couple school districts. I know NetINS uses Communigate Pro for their messaging. Other than that, we are still waiting on an issue with high CPU utilization.
  •  
cjbraun

Well, I think I figured this issue out. I had already played around with MTU size on the sonicwall to no avail, but last week I tried telnetting to the offending domains with large packet sizes until I found the acceptable max packet size those domains would accept. I set the MTU on my sonicwall accordingly and left it over the weekend. This morning mail seems to be going through OK. I'm not sure what process needs to happen after setting the MTU. The first time I tried this change, mail still would not go through even after I flushed the mail queue and restarted SMTP services.

Anyway, you might try making the change - in my case I had to set MTU to 1156, but you'll want to test the other domains to see what their packet threshold is - then wait a few days and see if mail is going through.

Good luck.
  •  
cjbraun

Corrections:

While this appeared to solve the problem for most domains, I still have one that is closing the connection, and I'm still not sure why.
  •  
cjbraun

Second correction:

I checked the mail queue this morning and now all external mail is held up in the queue with 'connection lost' errors. I have failed to see any consistency with this problem. Kerio's software has become effectively useless to me. I am now beginning the process of evaluating new mail server software. Sorry, Kerio.
  •  
Pavel Dobry (Kerio)

Have you tried to increase the TCP timeout in KMS? What does the SMTP Client debug log say??
  •  
TorW

About MTU: we had several IBM blades with Broadcom 5708S gigabit NICs in them and experienced random disconnects and other odd behaviour. In the end we enabled Jumbo Frames (MTU at ~9000 bytes) on the NICs, and everything went smooth from there on. If you have gigabit network cards, try enabling jumbo frames. Bit of a long shot, but still ...

Note: MTU setting only affects the first link. When the datagram travels across the internet, it will likely become fragmented and arrive in smaller or bigger pieces than they were originally sent. Thus, the receiving mail server does not care what MTU your NIC has. There is probably at least half a dozen hops between your KC server and the receiving mail server.
  •  
cjbraun

Kerio_pdobry wrote on Wed, 19 May 2010 15:54
Have you tried to increase the TCP timeout in KMS? What does the SMTP Client debug log say??


I don't see this setting in the config file, but I seem to remember playing with that setting during my first support call with Kerio.

The debug log says, after sending the ehlo, "SMTP connection closed while reading SMTP reply".

I've tried enabling jumbo frames as the poster above suggests, however I've only been able to set it within the OS of the server. This machine sits on a VMWare ESXi 4.0 host, and VMWare's knowledge base tells me jumbo frames is not supported unless I upgrade to 4.0 'essentials'.

As of now, mail is again going through OK, no lost connections. It's all very intermittent and frustrating. I'm currently demoing Axigen as our Kerio replacement.
  •  
Pavel Dobry (Kerio)

It's more important to see timestamps from the debug log. There is a 2 minute timeout while waiting for SMTP reply from the remote server. And the debug log can prove if the problem is related to the timeout or not.

Anyway, there is no way the application can interfere with frames (packets) on link network level. If it is an issue with jumbo frames, you will experience the same problem with any application (not only mailserver).
  •  
Pavel Dobry (Kerio)

I found your tickets in eSupport. It is clearly not a timeout issue.

Kerio Connect can successfully connect to the remote server and get SMTP greeting. However, some application (or Sonicwall ?!?) in the middle then interrupts the connections after sending EHLO command to the remote server.

Since you're reporting that sending commands through telnet is not working either then the issue is clearly somewhere outside the Kerio Connect. You can try to download Wireshark and get a network packet dump. It can prove which side is closing the connection and why.
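
One way to read such a packet dump for "which side is closing the connection", as an added example that is not part of the original post: it finds the first FIN or RST and applies two heuristics to decide whether the host named as its source plausibly sent it. The addresses, TTLs and timings are constructed, the capture is assumed to be taken on the sending mail server, and `analyse_close` is a hypothetical helper.

```python
CLIENT, SERVER = "192.0.2.10", "198.51.100.25"   # documentation addresses

# Constructed capture summaries, as seen on the sending mail server:
# (seconds, source, destination, TCP flags, IP TTL)
HANDSHAKE = [
    (0.000, CLIENT, SERVER, "S", 64),
    (0.041, SERVER, CLIENT, "SA", 52),
    (0.041, CLIENT, SERVER, "A", 64),
    (0.350, SERVER, CLIENT, "PA", 52),   # 220 greeting
    (0.351, CLIENT, SERVER, "PA", 64),   # EHLO
]
RESET_IN_PATH = HANDSHAKE + [(0.353, SERVER, CLIENT, "R", 63)]
CLOSED_BY_PEER = HANDSHAKE + [(0.395, SERVER, CLIENT, "FA", 52)]

def analyse_close(packets, ttl_tolerance=2):
    """Locate the first FIN/RST and test whether its claimed sender fits."""
    idx = next((i for i, p in enumerate(packets) if set(p[3]) & {"F", "R"}), None)
    if idx is None:
        return None                      # nobody closed within the capture
    t, src, _, flags, ttl = packets[idx]
    before = packets[:idx]
    # Heuristic 1: a host's TTL at our end is stable within one connection.
    # A close "from" src with a different TTL began at another hop count.
    baseline = next((p[4] for p in before if p[1] == src), None)
    # Heuristic 2: a reaction from the far end cannot arrive sooner than the
    # path allows; the handshake (SYN out, SYN-ACK back) gives the round trip.
    syn = next(p[0] for p in packets if p[3] == "S")
    synack = next(p[0] for p in packets if p[3] == "SA")
    last_other = max((p[0] for p in before if p[1] != src), default=None)
    return {
        "closed_by": src,
        "flag": "RST" if "R" in flags else "FIN",
        "ttl_mismatch": baseline is not None and abs(ttl - baseline) > ttl_tolerance,
        "faster_than_rtt": last_other is not None
                           and (t - last_other) < (synack - syn) / 2,
    }

if __name__ == "__main__":
    for name, cap in (("reset in path", RESET_IN_PATH), ("closed by peer", CLOSED_BY_PEER)):
        print(name, analyse_close(cap))
```

Both flags set on a close that names the remote server point at a device between the two mail servers; neither set is consistent with the remote server closing the session itself.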
  •  
jlagnese

CJBraun:
I am still having issues with this and in fact, in the last couple weeks, it has gotten worse, with more domains now coming back with 4.4.2 errors when email is sent there. While the sonicwall may be the common thread, why just with Kerio? Are you still having the same issues?
  •  
cjbraun

Well, I am not having any issues now, and I'm afraid I can't really say why not. Just before the issue disappeared, I had been playing around with MTU size on my Sonicwall. Someone else had assured me that MTU size shouldn't make any difference, but I can't think of any other configuration changes I might have made right before the problem went away. Currently, MTU size is set to 1500 and to fragment anything larger. Each firewall rule for my mail server has the 'allow fragmented packets' box unchecked. I am unconvinced that either setting is what made it start working. Sorry I can't give you anything more specific as to why it's working now.