Re: SBS Exchange 2003: too many "Current Sessions" opened
- From: Sann <Sann@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 14 Aug 2008 13:46:16 -0700
Thanks again Cliff for your response.
I'll modify the script to ensure that prior to hard-killing inetinfo.exe, the
SMTP service will be stopped or hanging in the stopping mode - whatever it
will prefer to do - after me issuing NET STOP "SMPT (SMTP)" command - at
least this way I'll know that I have less chances to corrupt the store and I
don't have a bunch of "current sessions" each morning.
Actually I followed your steps - the 1st and the 2nd one: I enabled
recipient filtering and tarpitting (created in the registry DWORD parameter
with MS recommended value of 5 sec).
Also I enabled RBL services from SORBS.NET.
So far everything is good and now I'm just monitoring my exchange.
Thanks again!
"Cliff Galiher" wrote:
Hard-killing a process should be a last resort. The fact that it is hanging
is usually a sign of a bigger problem, and you *DO* risk corrupting your
information store every time you do this. I posted the 'how' strictly as a
way to avoid a full reboot (which hard kills the process anyways.) Not as a
workaround to be used. You really should go through the steps I posted and
get the SMTP service to stop hanging in the first place. You'll be happier,
you won't be clubbing your server every day with a kill script, and you
won't have dead connections.
-Cliff
"Sann" <Sann@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D4F93C02-30F6-4802-A8B3-1C9135328438@xxxxxxxxxxxxxxxx
I see.
And for the current topic (as a quick report), to kill the "current
sessions" and make sure SMTP is running I created and scheduled to run on a
daily basis a small batch, that kills inetinfo.exe and starts SMTP - should
work for now until I put into production new server hardware with sbs 2003
r2.
And if I won't be able to resolve my problem in the new environment, I will
be bugging you guys again. :))
"Cris Hanna [SBS-MVP]" wrote:
SBS 2008 is not a production server since it's only RC1...it's my test
server and I'm the only user...so there was no "migration" as such.
SBS 2008 does include the option during installation, to install fresh or
to perform a migration installation, which allows you to introduce it
into an existing SBS 2003 organization.
--
Cris Hanna [SBS-MVP]
Co-Author, Windows Small Business Server 2008 Unleashed
http://www.amazon.com/Windows-Small-Business-Server-Unleashed/dp/0672329573/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1217269967&sr=8-1
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues
"Sann" <Sann@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:19118D7F-6331-44AF-A64B-58E77F8F43B2@xxxxxxxxxxxxxxxx
Thanks a lot for your advice and information - will start
experimenting....
btw, a quick side question to Cris: how did you move your users to SBS2008:
using migration tool in exchange or csv, ldi tools? I'm asking this question
in response to your suggestion to bump the RAM to 4 GB. I'm installing a new
server hardware: 2x4 proc-s, 4 GB, RAID 10 on SAS, etc...
"Cris Hanna [SBS-MVP]" wrote:
And if you only have 2GB of RAM, RAM is cheap!! bump it to 4GB
And my spam has dropped so much using SBS 2008 RC1 it's a non-issue any more
--
Cris Hanna [SBS-MVP]
"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message
news:Bfmdnb4hrr4v1z7VnZ2dnUVZ_gOdnZ2d@xxxxxxxxxxxxxx
Sann:
Try these things, in this order:
1) Enable recipient filtering and only accept messages from users in AD.
The most common reason for ridiculously long connection times is a spambot
trying to do a directory harvest. Since exchange defaults to accepting
*everything* at connect time and rejecting later, you end up with the bot
just sending name after name to the server and never getting a rejection.
It has no reason to disconnect.
2) Once recipient filtering is enabled, you will actually be exposed to a
directory harvest attack instead of exchange just accepting everything. So,
you should enable tarpitting. This is the point you should see those
connections drop down.
3) IF, after a week, you are still seeing some connections, try *DISABLING*
SenderID filtering on the Virtual SMTP server. There is a bug in one of the
SenderID dll's that can falsely hold open connections. MS has quietly
acknowledged its existence, but has not come clean yet (to my knowledge)
what the exact parameters are that cause this behavior. It is not
consistent in my experience. Some servers have it, some don't exhibit it at
all. And I'm told that it is fixed in Exchange 2007. I haven't seen it
surface on 2007 yet myself, so I'm inclined to believe them...but then
again, SBS 2008 isn't released yet....so it could be an odd interaction
there.
To answer your other questions, the SMTP stack does seem to lock up with
these long connections. That is the reason that 'terminate all' does not
resolve the problem AND why the SMTP service stops responding if you try to
restart it. You do *not* need to restart the server, however.
From the command line, you can run this command:
sc queryex smtpsvc
And in the output, find the process ID (PID). Once you have the PID, you
can kill the process in task manager (usually an inetinfo process, which is
why it is so tough to find.) From there, the process is flushed completely
from memory and can be restarted without problem.
-Cliff
-Cliff
"Sann" <Sann@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6894EB2A-E7E0-4AD7-B799-446E28719BFC@xxxxxxxxxxxxxxxx
Hello Cris, thank you for your prompt reply.
dual core 2.8 GHz with 2 GB memory.
the memory usage averages about 1,5 GB at all times.
Yes, I have installed SP 2 and all latest updates released after, with IMF
and enabled on SMTP.
"Cris Hanna [SBS-MVP]" wrote:
First question is...
How much RAM in the Server?
Second Question is
Do you have Exchange Server 2003 Service Pack 2 installed and IMF
configured for connection filtering against recognized blacklist
providers?
--
Cris Hanna [SBS-MVP]
"Sann" <Sann@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:12FBED5A-99AC-4821-BB29-5602036459BF@xxxxxxxxxxxxxxxx
SBS Exchange 2003: too many "Current Sessions" opened
Hello All,
Sometimes (usually it happens over weekends) my Exchange 2003 would stop
receiving external emails because of many active "Current Sessions" and here
is why: our organization isn't big, so I lowered the "Limit number of
connections to:" parameter to 50 (it is done to fight the spam).
Now when somebody reports that he or she is not getting any "outside"
emails, I go to Exchange System Manager -> Servers -> <server> -> Protocols ->
SMTP -> Default SMTP Virtual Server -> Current Sessions and I see a bunch of
.br, .it, .ar, OHIOIJHOJOJI, etc, user names with connected times 98353566,
43543543, 3453453 seconds, or in other words with endless connection
times.
I understand, that once the exchange reaches the number of connections of
50, it stops accepting new connections, stops receiving emails and here is my
questions:
1. Why the "Terminate All" command doesn't remedy the problem with flow?
As the second option, I try to restart SMTP service, but it freezes in a
stopping mode leaving me with only one option to restart entire server.
(BTW, I've also noticed that it freezes after I update IMF filter and I need
to restart the server)
2. what are those connections and how to protect Exchange from them?
Any advice will be greatly appreciated
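
The stop-first, kill-only-if-stuck sequence discussed in this thread, written out as an added example that is not part of any poster's message. The timeout, log location and label names are assumptions; it uses only `net`, `sc queryex`, `find`, `ping` and `taskkill`.

```batch
@echo off
rem Added example, not from the thread. WAIT_SECONDS and LOG are assumed values.
setlocal
set SVC=smtpsvc
set WAIT_SECONDS=120
set LOG=%~dp0smtp-restart.log
set ELAPSED=0

echo %DATE% %TIME% requesting graceful stop of %SVC% >> "%LOG%"
net stop %SVC% /y >nul 2>&1

:poll
rem sc reports a numeric state: 1 = STOPPED, 3 = STOP_PENDING, 4 = RUNNING
set STATE=
for /f "tokens=3" %%S in ('sc queryex %SVC% ^| find "STATE"') do set STATE=%%S
if "%STATE%"=="1" goto start
if %ELAPSED% GEQ %WAIT_SECONDS% goto stuck
rem ping is used here as a 5-second sleep
ping -n 6 127.0.0.1 >nul
set /a ELAPSED+=5
goto poll

:stuck
rem Last resort: the service never reached STOPPED, so end its host process.
rem That process is usually inetinfo.exe, which also hosts other IIS services.
set PID=
for /f "tokens=3" %%P in ('sc queryex %SVC% ^| find "PID"') do set PID=%%P
if "%PID%"=="" goto fail
if "%PID%"=="0" goto fail
echo %DATE% %TIME% %SVC% stuck in state %STATE%, killing PID %PID% >> "%LOG%"
taskkill /PID %PID% /F >> "%LOG%" 2>&1
if errorlevel 1 goto fail
rem Give the service control manager a moment to register the exit
ping -n 6 127.0.0.1 >nul

:start
net start %SVC% >> "%LOG%" 2>&1
if errorlevel 1 goto fail
echo %DATE% %TIME% %SVC% started >> "%LOG%"
exit /b 0

:fail
echo %DATE% %TIME% could not recover %SVC%, manual check needed >> "%LOG%"
exit /b 1
```

Each forced kill leaves a dated line in the log, so the log shows how often the service is still hanging after recipient filtering and tarpitting are in place.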