KBCF001

• Symptoms:
  The logfile shows Error: Unable to establish a connection with mail host [14]

• Cause:
  Exchange doesn't listen for incoming messages on port 25 or port 24.
  
  You can check if Exchange is listening on port 25 by typing (in a DOS box)
   
  telnet localhost 25 [enter]
  
  When everything is working you should get back a greeting line, else you get a connection error.

• Several Solutions:

• Exchange 5.x
  Make sure that your Exchange server has Inbound SMTP enabled.
  In Exchange Admin select the Internet Mail Service (IMS) , select the tab Connections and
  make sure Inbound & Outbound is checked in the section Transfer Mode.
   
• Exchange 2000/2003
  Make sure the Virtual SMTP Server is listening on port 25.
  Start System Manager (Exchange Admin) and select
  Servers->Your Server->Protocol->SMTP->Default SMTP Virtual Server->Properties.
  In this dialog select the tab labeled General and then Advanced and here you can set the port on which this virtual server listens.
   
• Windows 2003 SP1
  Make sure the firewall doesn't block port 25.
  Open Control Panel, select Network Connections and then the properties of the Local Area Connection.
  In the tab labeled Advanced you will find the settings for the firewall
   
• Norton / Symantec Antivirus Corporate Edition
  Norton / Symantec Antivirus may have silently installed a firewall that blocks the port
   
• McAfee v8.0
  McAfee may have installed a firewall that blocks the port

KBCF002

• Symptoms:
  The logfile shows 550 5.7.1 Unable to relay for user@yourdomain.com (Exchange 2000/2003)
  The logfile shows 550 5.7.1 Unable to relay (Exchange 2007/2010)

• Cause:
  This error happens when Exchange does feels responsible for your email domain.
  Usually this results because was installed using a different domain than your email domain and
  so you need to manually tell Exchange for which domain it is responsible.

• Solution:

• Exchange 2000/2003
  Start System Manager (Exchange Admin) and select Recipient->Recipient Policies.
  Then either change the Default Policy or create a new policy and tell Exchange for which domain it should accept mail.


Additional info from Microsoft at Q289833

• Exchange 2007/2010
  Start Exchange Management Console and select Organization Configuration->Hub Transport->Accepted Domain and make your your domain is in the list

KBCF003

• Symptoms:
  The logfile shows 505 5.7.1 Client was not authenticated

• Cause:
  Exchange 2000/2003/2007/2010 doesn't allow Anonymous access and so CryptoFilter is not able to connect to Exchange.

• Several Solutions:

• Exchange 2000/2003
  In Exchange Admin select
  Servers->Your Server->Protocol->SMTP->Default SMTP Virtual Server->Properties.
  In this dialog select the tab labeled Access and then Authentication and enable Anonymous access.
   
• Exchange 2007/2010
  Start Exchange Management Console and select 
  Server Configuration->Hub Transport->Receive Connectors->Default Connector.
  In this dialog select  the tab labeled Permission Groups and make sure Anonymous users is enabled.

• Start MBAdmin, select Options->General->Exchange and check
  Exchange needs authentication and type in the user account and password CryptoFilter should use when connection to Exchange
  
  Special note for Exchange 2007/2010: The user that you use for authentication MUST NOT have a mailbox and MUST be an administrator. DO NOT use Administrator, because there is a mailbox associated with that account and therefore it can't be uses for SMTP authentication.
   

KBCF007

• Symptoms:
  CryptoFilter is running as a console application without any problems, but when running as a service errors are reported.

• Cause:
  The account you use to start the service doesn't have enough rights to use RAS or the Internet or the Proxy.

• Solution:
  Start the service with Administrator or the account you use to logon onto Windows NT® and then it should work.

KBCF008

• Symptoms:
  You have Windows® 2000/2003 and when running CryptoFilter as a console application the last screen line is not visible.

• Cause:
  By default the Windows® 2000/2003 screen buffer size height for a console application is set to 300 lines.

• Solution:
  Select the Properties of the console and then select the tab labeled Layout and change the Screen Buffer Size Height to 25

KBCF009

• Symptoms:
  CryptoFilter reports RAS problems when the Proxy server opens the line.

• Cause:
  You should run CryptoFilter over the proxy rather that use the built in dial-up.

• Solution:
  Information on how to configure your proxy can be found at 
  Additional information for Using a Proxy server

KBCF011

• Symptoms:
  The logfile shows Error: No Exchange server found at localhost

• Cause:
  A SMTP server is responding, but it is not the one of Exchange.
   
• Solution:

  In a DOS box type
  
  telnet localhost 25 [enter].
  
  You will then get a greeting line of the SMTP server and this should give you an idea what program is running.
  
  
  The most common problems are:

  • The SMTP server of the IIS ( Internet Information Server ) is running
    In Control Panel->Services look for a service called Simple Mail Transport Protocol (SMTP) and stop it and disable it. Then restart the Exchange IMS and it should work.
     
  • A proxy server with a virtual port mapping is active
     
  • The IP address you specified is wrong 

KBCF013

• Symptoms:
  CryptoFilter download the messages without any problem but the files stuck in the MSG-IN directory
  and CryptoFilter doesn't send them to Exchange.

• Cause:
  There is an on-access virus scanner running that blocks CryptoFilter from accessing the downloaded files.

• Solution:
  In your on-access scanner disable the scanning of the CryptoFilter directory and below.

  Most scanners will never find a virus that is in a raw message file, because they can't extract the attachments
  from the message and even if they would find anything, they would confuse CryptoFilter more than it would help.

  If you enable the virus scanner support in CryptoFilter, it will extract the attachments and html pages
  from the message and call the scanner to scan it.

KBCF014

• Symptoms:
  The logfile shows Error: No AUTH command in EHLO found, Authentication failed

• Cause:
  Authentication is enabled in CryptoFilter, but your Exchange doesn't support authentication.

• Solution:
  Start MBAdmin, select Options->General->Exchange and uncheck Exchange needs authentication

KBCF016

• Symptoms:
  The messages are not forwarded to the Exchange server; 
  the messages are all in the MSG-OUT directory and the logfile shows 
  Error: Timeout in reading data [9]
  

• Cause:
  This error happens in Exchange 2000/2003 when there is something that prevents Exchange from accepting the message.
  
  Usually the error is the result of a routing problem, a renamed domain in the recipient policy, an authentication problem or a firewall that blocks or a virus scanner that prevents Exchange from working correctly.

• Several Solutions:

• Check if there is a firewall like ISA Server that blocks the data flow between the interface that CryptoFilter uses and the interface that Exchange is bound.
   
• Check if you have Norton / Symantec Corporate Edition  running.
  
  If CryptoFilter gets the timeout when it connects to Exchange, then Norton / Symantec Antivirus may have silently installed a firewall that blocks port 24 on the loopback interface ( this is 127.0.0.1 or localhost ).
  
  In this case start MBAdmin, select Options->General->Exchange and change the name of the Exchange server from localhost to the IP address.
  
  If the timeout is after the BDAT command, then Norton / Symantec Antivirus prevents Exchange from accepting the message and you need to exclude the Exchange directory from on-access scanning.

• Check if there is another virus scanner running and disable it. At least make sure you have excluded the CryptoFilter, the TEMP and the Exchange directory from on-access scanning.
   
• Start MBAdmin, select Options->General->Exchange and change the name of the Exchange server from localhost to the name or IP address.
   
  If you are currently using a IP address or a name , then change it to localhost. The best is you try every combination and most likely one will work.

• Start System Manager (Exchange Admin) and select Recipient->Recipient Policies.
  Make sure you haven't renamed the domain in the Default Policy. 
  Adding a new domain is no problem, but renaming the default domain is not what Exchange likes.

• Start System Manager (Exchange Admin) and select Servers->Your Server->Protocol->SMTP->Default SMTP Virtual Server->Properties. 
  
  In this dialog select the tab labeled Access and then Authentication and make sure Anonymous access or Basic Authentication is checked.

• Start System Manager (Exchange Admin) and select Servers->Your Server->Protocol->SMTP->Default SMTP Virtual Server->Properties. 
  
  In this dialog select the tab labeled Access and then Connection and make sure All except the list below is checked.

KBCF020

• Symptoms:
  The logfile shows Warning: Possible DNS problem; 
  unable to connect to local name server xx.xx.xx.xx
  

• Cause:
  At startup CryptoFilter tests the connection to the name server and the test was not successful.

• Several Solutions:

• There is no name server at this IP address
   
• A firewall blocks access to port 53 tcp of the name server.
  
  Note: Port 53 tcp and not udp.
   
• The DNS server does not support tcp queries.
  
  In this case start MBAdmin, select View->Advanced Configuration->DSN and change the DNS query protocol to udp

KBCF021

• Symptoms: 
  You have a SonicWall / Zyxel Firewall / Watchguard Firebox
  and CryptoFilter can't send and/or receive from or to some mail servers.
  

• Cause:
  The SonicWall / Zyxel Firewall has a built inSMTP proxy / Filtered SMTP service that has a bug
  in handling some Enhanced SMTP ( ESMTP ) commands, particularly the CHUNKING command
  ( RFC 3030 - SMTP Service Extensions for Transmission of Large Messages )
  
  The problems happens only when CryptoFilter sends or receives a message from a
  newer mail server like Exchange 2000/2003 which supports the CHUNKING command.
  
  
• Several Solutions:

• Disable the SMTP proxy / Filtered SMTP service at the SonicWall / Zyxel Firewall / Watchguard Firebox
   
• start MBAdmin, select View->Advanced Configuration->ESMTP and disable CHUNKING and/or ESMTP

KBCF024

• Symptoms: 
  A lot of messages are in the outbound queue ( MSG-OUT )

• Cause:
  The most likely reason for this is that you defined an action of Send non-delivery report to the sender
  in one of the spam blockings. However, most spammer do not accept mail and so CryptoFilter queues the
  messages until the messages timeout is expired.
  
  

• Several Solutions:

• Start MBAdmin, select Options->General->Advanced->Outbound SMTP options
  and set the Retry forto something between 4 - 24 hours, which makes more sense than the default of 5 days.
   
• Select a different action than Send non-delivery report to the sender.
  Usually Discard message or Forward to Admin is the best.

KBCF025

• Symptoms: 
  The logfile shows
  Error: Unable to start inbound SMTP connection manager
  Error: Port or address already in use [10048]

• Cause:
  CryptoFilter can't bind to port 25 because there is already a SMTP server running on this machine.
  
  

• Solution:

• CryptoFilter runs on the Exchange machine:
  You haven't bound Exchange to a different port like port 24.
  See the documentation, section Running CryptoFilter on the same machine as Exchange server,
  how to bind Exchange to a different port.
   
• CryptoFilter runs on a different machine:
  Most likely the SMTP server of IIS ( Internet Information Server ) is running.
  Open the Service applet and locate the service named
  Simple Mail Transport Protocol (SMTP) and disable it.
  
  Note: In the case you need the SMTP server of IIS for CDONTS, you may simply bind it to another port like port 26. CryptoFilter can then use port 25 and CDONTS will also work.

KBCF028

• Symptoms: 
  Blank messages between two Exchange server in the same organization 

• Cause:
  Exchange has a bug and sends non-RFC conforming messages to another Exchange machine.
  
  

• Several Solutions:

• Run CryptoFilter either on a different machine
   
• Run CryptoFilter on an extra IP address so that one Exchange can communicate with the other without that CryptoFilter is between.
  
  For instructions see Running on the same machine as Exchange but with a different IP

KBCF029

• Symptoms: 
  CryptoFilter shows a license violation on a cluster

• Cause:
  The licensing of CryptoFilter is server based and not user based and you need one license for every running MBServer.exe. On a cluster you have two instances of MBServer.exe running, because you have two independent machines with two independent machine names and ip addresses.
  
  

• Solution:
  You need two CryptoFilter licenses for a two-node cluster. Because CryptoFilter is more a SMTP server than a database program, it doesn't really make sense to cluster CryptoFilter and so it is not recommend to run CryptoFilter on a cluster.

KBCF030

• Symptoms: 
  Outgoing messages are not handled by CryptoFilter

• Cause:
  Exchange does not forward outgoing messages to CryptoFilter
  
  

• Solution:
  Send a message to someone outside your Exchange and then check the logfile of CryptoFilter if CryptoFilter really handled this message. If there is not indication that CryptoFilter handled the message, then Exchange doesn't forward the messages to CryptoFilter.
  
  See the Installation instruction, section Outgoing Messages, how to configure Exchange so that outgoing messages are forwarded to CryptoFilter.

KBCF034

• Symptoms: 
  The logfile shows Error: Connection closed by peer for no good reason [11]
   
• Cause:
  The other side closed the connection without giving a good reason.
  Usually this indicates some kind of problem at the other side, but the range of problems is wide (this means it could be all and anything)
  
  
• Solution:
  Incoming connection:
   

• Someone runs a port scan against your server.
  In this case the error happens immediately after the connection
   
• There is a routing problem. Usually this happens when you have two NIC and both NIC have a default gateway.
  This results in an undefined state because Windows® can choose one of the two cards for outgoing packets.
  So when the data comes in on the first NIC, but the response is sent out over the second, then usually the
  firewall drops the connection and you get the error mentioned above
   
• The sending server has a problem reading the message from disk.
  In this case the error usually happens after the DATA or BDAT command
   
• The server can send small messages, but fails on larger messages.
  There is a routing problem. If the message is small enough that it fits in a small network packet,
  then it works, but fails as soon as the router had to split it in parts
   
• There is a SMTP filter that runs on your firewall and that closes the connection for whatever reason.
  Most firewalls silently install such a filter to prevent invalid messages. If the sending server sends
  an invalid message, the firewall detects this and closes the connection to CryptoFilter. From CryptoFilter viewpoint,
  it looks like as if the sending server closed the connection.
   
  There is a simple test if your firewall has installed such a filter:
  On the CryptoFilter machine telnet to port 25 and type EHLO something.
  CryptoFilter will greet you and list all available ESMTP options. Make a note of the greeting and all the options.
  Now telnet to CryptoFilter from the Internet and repeat the test. If the greeting and all ESMTP options are equal,
  then you have no filter or the filter is not visible. However, in most cases you see that the filter shows
  either a different greeting or far less, if any, ESMPT options.
  
  Once you found out that you have such a filter, you may check the logfile of the filter to find out
  why it closes the connection. Usually you can disable the filter completely, because they hurt more than they help.
   

Outgoing connection:

• There is a message size limit at the target server or the server is out of disk space.
  In this case the error usually happens after the DATA or BDAT command

• There target server is blocking the messages.
  In this case the error usually happens after the MAIL FROM command

• There is a virus scanner running on the target that prevent accepting the message

KBCF035

• Symptoms: 
  CryptoFilter stops working when running as a Console application
  ( when MBserver.exe was started from an icon )
   
• Cause:
  Quick-Edit mode was accidentally enabled with the mouse and so Windows® completely
  stops the application in the console so that you can perform cut & paste with the mouse
  
  
• Several Solutions:

• Select the Properties of the console and then select the tab labeled Options and disable Quick-Edit mode
   
• Run CryptoFilter as a service ( see Run CryptoFilter as a service )
   

KBCF037

• Symptoms: 
  The logfile shows 535 5.7.3 Authentication unsuccessful
  after installing Exchange 2003 SP1
   
• Cause:
  Microsoft has changed something in SP1 that prevents the use of simple users names for SMTP authentication. At present it is not clear if this is a feature or a bug, because it affects all programs including Outlook.

• Several Solutions:

• Disable authentication in CryptoFilter completely in
  Options->General->Exchange->Exchange needs authentication
  
  By default anonymous access is enabled in Exchange and so there is no need for authentication, because Exchange will accept messages for all the domain for which it is responsible.
  
  So when Exchange doesn't accept message for the own domain and gives a  550 5.7.1 Unable to relay, then Exchange doesn't feel responsible for the domain and you should fix that rather than using authentication and force Exchange to accept the message.
  
  See also KBCF002
   
• Use the User Principal Name (UPN) ( e.g. michael@dataenter.co.at ) in
  Options->General->Exchange->Exchange needs authentication->User
   
• Prepend the domain in front of the user name ( e.g. DataEnter\michael ) in
  Options->General->Exchange->Exchange needs authentication->User
  
   

KBCF039

• Symptoms: 
  The logfile shows 504 <server>: Helo command rejected: need fully-qualified hostname
   
• Cause:
  The recipients server doesn't accept mail from CryptoFilter because the FQDN of the CryptoFilter machine is wrong .The name of the machine is something like server rather than server.yourdomain.com and/or server.yourdomain.com is not a public name in the DNS or the name of the IP address ( the PTR record ) is not server.yourdomain.com

• Several Solutions:

• Make sure the name of your machine is something like server.yourdomain.com. If the name is only server, then this means that your machine is not part of a Windows® domain.
   
• set the FQDN explicit in View->Advanced Configuration->IP Address->FQDN
  
  Also make sure that the DNS server that is responsible for your domain has an A record for server.yourdomain.com and a PTR record for the official IP address.

KBCF042

• Symptoms: 
  The logfile shows Warning: DNS problem; unable to resolve test-for-dns-resolve.dataenter.co.at
   
• Cause:
  Either the DNS server doesn't support tcp queries or the DNS server can't resolve
  public IP addresses and as a result CryptoFilter can't resolve the IP address for an existing A record.
   
• Several Solutions:

• Make sure your DNS server can handle tcp queries.
  Bind and Microsoft DNS can handle tcp queries, some router with built-in caching server usually accept only udp queries.


In the case your DNS server does not support tcp queries start MBAdmin, select View->Advanced Configuration->DSN and change the DNS query protocol to udp

 

• Make sure the DNS server is able to resolve public IP addresses.
  Using a internal-only DNS will not work with CryptoFilter.

KBCF045

• Symptoms: 
  CryptoFilter hangs after sending the BDAT or XBDATA command
   
• Cause:
  The recipients server announces that it accepts binary data ( RFC 3030 ),
  but when CryptoFilter sends the data, it fails to get to the server.
  
  There is SMTP proxy between CryptoFilter and the recipients server,
  and the proxy has has a problem with binary data.
  
  The following devices are known for the problem:

• SonicWall / Zyxel Firewall / Watchguard Firebox
  (see also KBCF021)
   
• Cisco PIX with MailGuard
  ( see also Microsoft KB 320027 )
   
• Norton / Symantec Antivirus 9.0 Corporate Edition
  ( installs a SMTP proxy that can't handle binary data )
   
• Norton / Symantec Antivirus 10.0 Corporate Edition
  ( the scanner prevents Exchange from accepting binary messages )
   
• Kerio Winroute Firewall
  ( installs a SMTP proxy called the SMTP Protocol Inspector that can't handle custom ESMTP commands with binary data )
  
  

• Several Solutions:

• SonicWall / Zyxel Firewall / Watchguard Firebox
  
  Disable the SMTP proxy or upgrade the firewall
   
• Cisco PIX with MailGuard
  
  Disable the SMTP fixup ( this is the SMTP proxy in the Cisco PIX )
   
• Norton / Symantec Antivirus Corporate Edition 9.0 or 10.0
  
  If the problem happens when CryptoFilter sends to Exchange, then make sure Norton / Symantec Antivirus hasn't silently installed a firewall that can't handle the binary data.
  
  Also make sure Norton / Symantec Antivirus doesn't scan the Exchange directory, because this prevents Exchange from accepting messages.
  
  Note: This means you need to exclude the Exchange, the TEMP and the CryptoFilter directory from on-access scanning, but you may leave the Exchange message scanning enabled.
   
• Kerio Winroute Firewall
  
  Disable the SMTP Protocol Inspector

If nothing of the above fixes the problem, then start MBAdmin, select View->Advanced Configuration->ESMTP and disable CHUNKING or XBDATA and/or ESMTP
 

KBCF047

• Symptoms: 
  Message flow stops between two Exchange server in the same organization 

• Cause:
  If more than one Exchange server exists in an organization, then the  Exchange servers communicate internal states using Microsoft propriety SMTP verbs on port 25.
  
  This are things like routing information, envelope properties, message properties, and recipient properties.
  
  Third party gateways like CryptoFilter should not be inserted between internal Exchange servers in the same organization for this reason as compatibility is not possible.
  
  Even if CryptoFilter supports these verbs, they are subject to change/additions/etc since they are Microsoft proprietary.
  

• Several Solutions:

• Run CryptoFilter either on a different machine
   
• Run CryptoFilter on an extra IP address so that one Exchange can communicate with the other without that CryptoFilter is between.
  
  For instructions see Running on the same machine as Exchange but with a different IP

KBCF053

• Symptoms: 
  The logfile shows 452 4.3.1 Insufficient system resources

• Cause:
  Exchange 2007/2010 monitors important system resources, such as available hard disk drive space and available memory. If utilization of a system resource exceeds the specified limit, then Exchange server stops accepting new connections and messages.
  

• Solution:
  Make sure you have at least 4 GB free disk space
  
  For more information on Exchange 2007/2010 system monitor see Understanding Back Pressure

KBCF054

• Symptoms: 
  You have a Cisco PIX  and CryptoFilter can't receive messages from some mail servers and the logfile shows:
  
  Connection opened by fqdn.sender.com [62.116.14.1]
  > 220 smtp ESMTP CryptoFilter v3.41
  < XXXX mail.mydomain.com
  > 503 HELO or EHLO required
  < XXXX mail.mydomain.com
  > 503 HELO or EHLO required
  < QUIT
  > 221 smtp CryptoFilter v3.41 closing transmission channel
  Connection closed with fqdn.sender.com [62.116.14.1]

• Cause:
  In all reported cases the sender had a Cyberguard firewall with a SMTP proxy enabled. There seams to be a ESMTP and/or RSET compatibility problem between the Cyberguard and the Cisco PIX MailGuard SMTP fixup, which is the SMTP proxy that runs on the PIX.
  

• Solution:
  Disable the MailGuard SMTP fixup at the Cisco
  
  Note: The Cisco PIX MailGuard SMTP fixup does not help much, but it disables all ESMTP commands. So disabling Cisco PIX MailGuard SMTP fixup does not cause a risk, but improves the performance and reliability of your mail transfer.
   

KBCF056

• Symptoms:
  The logfile shows Error: Unable to create file
   
• Cause:
  CryptoFilter is not able to create a file to store the downloaded message or it can't extract the attachments from the message.
   
• Several Solutions:

• Chkdsk converted the MSG-IN or MSG-OUT directory to a file
  
  Stop CryptoFilter , delete the MSG-IN and/or MSG-OUT file and create a MSG-IN and MSG-OUT directory. 
   
• The TEMP directory does not exist
  
  When CryptoFilter starts, it shows which directory is used as the TEMP directory.
  Make sure the directory exist and that the CryptoFilter service has full read/write right to it.

KBCF060

• Symptoms:
  You have Citrix XenServer hosting Windows 2008 64bit Edition and MBAdmin.exe is crashing as soon as you start it
   
• Cause:
  Citrix XenServer has a bug that crashes all 32bit executable that are created using the Watcom compiler. MBAdmin.exe is always a 32bit application, even in the 64bit edition of CryptoFilter. However, the 64bit edition of MBServer.exe is not affected by this bug.
  
  More information on this bug at Xen-Bugs
   
• Solution:
  Start MBAdmin.exe from a workstation rather then on the server.
  
  To do this, share the CryptoFilter directory and then access the share from your workstation and start MBAdmin.exe.

KBCF062

• Symptoms:
  You have Windows 2008 and CryptoFilter fails to connect to certain external mail servers including Hotmail.
  Testing with Telnet gives back strange results.
  Windows 2003 server on the same network don't experience the problem.
   
• Cause:
  Windows 2008 has a different TCP/IP stack then Windows 2003 and the default settings may conflict with the external mail server.
   
• Solution:
  Try turning off Autotuning (in a DOS box as Administrator):
  
  netsh interface tcp set global autotuninglevel=disabled
  
  If that doesn't change anything then return it to "normal":
  
  netsh interface tcp set global autotuninglevel=normal