I had an issue with a third-party email filtering product, GFI MailEssentials 2014 SR2, during an Exchange 2010 to Exchange 2013 migration. GFI MailEssentials 2014 SR2 is a spam filtering product which you install directly on an Exchange transport server. It integrates with Exchange server through six transport agents which all perform various tasks as shown below:
When migrating to a new version of Exchange, as part of the process you are required to redirect mail flow to the new Exchange transport server so it can route the mail to the legacy transport environment until a point when the mailboxes can be moved.
As the new Exchange 2013 server will be the new external point of connectivity for SMTP, I installed GFI MailEssentials on the new Exchange 2013 server and redirected mail flow as shown below.
After making this change, users were not able to receive email from external users. I verified the following things:
Exchange 2013 was receiving emails from external users as validated in the SMTP Protocol logs.
Exchange 2013 was forwarding emails to the Exchange 2010 server as per standard functionality.
Exchange 2010 successfully received the email communication from Exchange 2013 at transport level, which was verified in the protocol logs.
GFI MailEssentials Transport Agents on the Exchange 2010 server receive the email for processing.
GFI MailEssentials does not place the email back into the Exchange Pickup folder, giving it back to Exchange for processing.
I was not able to locate where the emails were moved to within GFI, primarily due to my limited knowledge of the product (to me it is just a custom Exchange transport agent). I contacted GFI support here in Australia, who were also unable to advise me where the emails went after being relayed to the Exchange 2010 server. Fantastic, so we have emails going into a black hole, disappearing forever.
One thing GFI support were able to advise me was that their transport agents only filter email which was sent from a public IP address; all private IP addresses were excluded from filtering. This was in line with my symptoms: all users internally were able to receive emails sent from internal devices such as printers being relayed through the Exchange 2013 server.
In the following screenshot I have included the message tracking log from the Exchange 2010 server. The first two entries are from when the Cisco router was forwarding email directly at the Exchange 2010 server. All other entries are from when mail was relaying through Exchange 2013. As you can see, email is received via SMTP but is not delivered to the information store via the Exchange Store Driver due to GFI not releasing the mail.
GFI MailEssentials modifies the header of emails that are filtered and appears not to deal correctly with emails which already have their header modified by another instance of GFI MailEssentials.
As a workaround I simply disabled the GFI transport agents on the Exchange 2010 server to prevent it from interfering with mail processing, which resolved the issue as shown below:
This resolved the issue and did not compromise the environment as security and spam filtering was now being performed by GFI on the Exchange 2013 server.
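The symptom described above (mail received over SMTP on the Exchange 2010 server but never delivered by the store driver) can also be checked from the Exchange Management Shell by comparing message tracking events per message. This is an added example, not part of the original post; the server name `EX2010` and both time windows are placeholders.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on or against the Exchange 2010 transport server.
$server = 'EX2010'                       # placeholder server name (assumption)
$start  = (Get-Date).AddHours(-4)        # how far back to look (assumption)
$cutoff = (Get-Date).AddMinutes(-10)     # ignore mail that may still be in flight

# Pull every tracking event in the window that carries a Message-ID.
$events = Get-MessageTrackingLog -Server $server -Start $start -ResultSize Unlimited |
    Where-Object { $_.MessageId }

# One group per message: keep those with an SMTP RECEIVE but no STOREDRIVER DELIVER.
$stuck = @($events | Group-Object -Property MessageId | ForEach-Object {
    $received = $_.Group |
        Where-Object { $_.EventId -eq 'RECEIVE' -and $_.Source -eq 'SMTP' } |
        Sort-Object -Property Timestamp | Select-Object -First 1
    $delivered = $_.Group |
        Where-Object { $_.EventId -eq 'DELIVER' -and $_.Source -eq 'STOREDRIVER' }

    if ($received -and -not $delivered -and $received.Timestamp -lt $cutoff) {
        New-Object PSObject -Property @{
            Received   = $received.Timestamp
            ClientIp   = $received.ClientIp       # which host handed the mail over
            Sender     = $received.Sender
            Recipients = ($received.Recipients -join ';')
            Subject    = $received.MessageSubject
            # Every Source/EventId pair logged for this message, to show where it stopped.
            EventsSeen = (($_.Group | ForEach-Object { "$($_.Source)/$($_.EventId)" } |
                           Sort-Object -Unique) -join ', ')
        }
    }
})

$stuck | Sort-Object -Property Received |
    Format-Table Received, ClientIp, Sender, Recipients, Subject, EventsSeen -AutoSize -Wrap
"{0} message(s) received over SMTP but not delivered to a mailbox" -f $stuck.Count
```

Running it again after the transport agents are disabled shows whether new external mail is reaching the store driver.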