Monday, August 01, 2005

SBS 2003: SMTP Server Remote Queue Length Alert

Have you been getting the following notification from an SBS 2003 server?

“SMTP Server Remote Queue Length Alert on SERVER”… “A large number of messages are pending in the e-mail server send queue.”?

To start off with, make certain that your internet connection is up, and that it’s not a momentary outage from your ISP. Okay, so assuming that your internet connection is good, in all likelihood the solution will be to filter out recipients not in Active Directory (which is explained below). But before we turn that on, let’s just entertain for a moment that a weak password has been compromised, and that a spammer might be relaying using that account (hey, here’s another good argument for password complexity requirements).

So let’s go ahead and enable maximum logging on the SMTP protocol. Later you can sort through the application log in Event Viewer for event ID 1708, and determine whether an account with a weak password is being authenticated against for the purpose of relaying UCE/spam.

To enable logging on SMTP, open Exchange System Manager (ESM), expand servers, and right-click on SERVER (where “server” is the name of your server). Select the “Diagnostics Logging” tab, then under services select “Exchange Transport”, and in the right-hand categories column, select “SMTP Protocol” and for the logging-level choose “maximum”.
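Once logging has collected a sample, the event ID 1708 review described above can be done offline. The following is an added example, not part of the original post: it tallies SMTP authentications per account and flags accounts seen from many distinct clients. The description wording matched by the regex, the account and host names, and the `max_clients` threshold are all assumptions; the events are constructed and would in practice come from an export of the application log.

```python
import re
from collections import defaultdict

# Assumed wording of the event 1708 description; adjust to your own log export.
AUTH_RE = re.compile(
    r'client "(?P<client>[^"]+)".*?method was "(?P<method>[^"]+)".*?'
    r'username was "(?P<user>[^"]+)"', re.IGNORECASE | re.DOTALL)

def _evt(client, user, method="LOGIN"):
    """Build one constructed (event_id, description) row for the sample data."""
    return (1708, f'SMTP Authentication was performed successfully with client "{client}". '
                  f'The authentication method was "{method}" and the username was "{user}".')

# Constructed sample, not real log data: one desktop user, one account that
# authenticates from five different hosts, and one unrelated event.
SAMPLE_EVENTS = (
    [_evt("frontdesk-pc", "EXAMPLE\\alice", "NTLM")] * 2
    + [_evt(f"host{i}.example.net", "EXAMPLE\\backup") for i in range(5)]
    + [(1706, "unrelated SMTP protocol event")]
)

def summarize_smtp_auth(events, event_id=1708):
    """Return {username: {"count": n, "clients": set, "methods": set}}."""
    summary = defaultdict(lambda: {"count": 0, "clients": set(), "methods": set()})
    for eid, description in events:
        match = AUTH_RE.search(description) if eid == event_id else None
        if not match:
            continue
        entry = summary[match.group("user").lower()]
        entry["count"] += 1
        entry["clients"].add(match.group("client").lower())
        entry["methods"].add(match.group("method").upper())
    return dict(summary)

def suspicious_accounts(summary, max_clients=2):
    """Accounts that authenticated from more distinct clients than expected."""
    return sorted(u for u, e in summary.items() if len(e["clients"]) > max_clients)

if __name__ == "__main__":
    report = summarize_smtp_auth(SAMPLE_EVENTS)
    for user, e in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{user:18} auths={e['count']} clients={len(e['clients'])} "
              f"methods={sorted(e['methods'])}")
    print("review these accounts:", suspicious_accounts(report))
```

An account that shows up here with far more authentications or client hosts than its owner could plausibly generate is the one to reset the password on first.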

The next thing that you’ll want to consider doing (possibly after getting a good sample of data via SMTP logging above) is to prevent Exchange from trying to process email for users that don’t have an account in Active Directory. In other words, Exchange will bounce email at the SMTP level for email being sent to users that don’t have an account on your system. This is a short two-step process, and should go a long way toward eliminating the SMTP Server Remote Queue Length issue you’re getting.

1) Open ESM, click Global Settings, Message Delivery, the Recipient Filtering tab, and check the box to enable “Filter Recipients who are not in the directory”.

2) Next, you’ll need to enable this on the SMTP virtual server in order for it to take effect. While you’re in ESM, click Servers, then SERVER (the name of your server), then Protocols, then SMTP, right-click on Default SMTP Virtual Server, click Advanced, click Edit on “all unassigned”, and enable “Apply Recipient Filter”.


This usually does the trick… in larger environments, I tend not to see this… Or at the very least, there have been some discussions in the Exchange admin group as to how to handle this. More often than not, I see it come up in SBS installations. Of course, be sure and keep an eye on things over the course of the next few days, and make sure that the issue really has been resolved. You also might want to disable the “maximum SMTP logging” that we turned on at the beginning, as over time you’ll start filling your application log up.

As a recommended follow-up, it might be a good time to mention the value of installing and configuring IMF to your customer – it’s quite a powerful “free” solution that you can start using immediately in an SBS 2003 installation. This will have a noticeable and immediate impact for your customer - and it sure beats spending $2000 on a dedicated anti-spam appliance for perimeter filtering.

1 comment:

Nick said...

If you've followed the information in this post and have additional questions, I've since added two posts that relate to this issue... SMTP queue length follow-up, and Event ID 7010 - 504 need to authenticate first.