To ensure overall system stability, Microsoft was engaged to advise on the Exchange-side modifications needed for the integrated system to function properly.
The modifications advised by Microsoft are listed below. Changes to the Exchange server configuration are made at the site's own risk. If the site administrator is not comfortable making these changes, please contact Microsoft.
Collect the following configuration output from the Exchange Management Shell:
Get-ExchangeServer | fl name,serverrole,site,fqdn,admindisplayversion
Get-AcceptedDomain
Get-TransportAgent
Get-DomainController | fl name,dnshostname,adsite
Get-ImapSettings | fl (run this on both servers)
Get-ThrottlingPolicy NPUMAdminPolicy | fl
Create the following registry values. If the key does not exist, create it. If the site is not comfortable creating these values, or making any other change to the Exchange server, please call Microsoft for assistance.
Under the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
add two new DWORD values:
Maximum Allowed Sessions Per User, with value 2048 (hexadecimal)
Maximum Allowed Service Sessions Per User, with value 2048 (hexadecimal)
After creating the values, reboot the Exchange server, or restart the IMAP4 front-end and back-end services (MSExchangeIMAP4 and MSExchangeIMAP4BE). Note that these values live under the Information Store service's parameters, so a reboot is the safe option if restarting the IMAP4 services alone does not change the behaviour.
This applies to Exchange 2013 and Exchange 2016 Mailbox and Client Access servers.
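The registry change above, written as an added example (this is not code from the original page or from Microsoft): it creates the two DWORD values idempotently, exports the key first so the change can be reverted, and prints what is actually stored afterwards. It assumes it runs elevated on the Exchange server; 0x2048 is the "2048 hexadecimal" the page specifies (8264 decimal).

```powershell
# Added example, not from the original page. Run elevated on the Exchange server.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'
$values  = @{
    'Maximum Allowed Sessions Per User'         = 0x2048   # page says 2048 (hexadecimal) = 8264 decimal
    'Maximum Allowed Service Sessions Per User' = 0x2048
}

function Set-StoreSessionLimits {
    param([string]$KeyPath = $keyPath, [hashtable]$Values = $values)

    if (-not (Test-Path $KeyPath)) {
        Write-Verbose "Key $KeyPath is missing; creating it"
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # Export the key before touching it so the change can be undone with 'reg import'.
    $backup = Join-Path $env:TEMP ('MSExchangeIS-ParametersSystem-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem' $backup /y | Out-Null

    foreach ($name in $Values.Keys) {
        $existing = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $existing) {
            New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord -Value $Values[$name] | Out-Null
        } elseif ($existing.$name -ne $Values[$name]) {
            # Warn rather than silently overwrite: someone else may have tuned this already.
            Write-Warning ('{0} already exists with value 0x{1:X} (decimal {1}); setting it to 0x{2:X}' -f $name, $existing.$name, $Values[$name])
            Set-ItemProperty -Path $KeyPath -Name $name -Value $Values[$name]
        }
    }

    # Report what is really in the registry now, with the backup path for the change record.
    $Values.Keys | ForEach-Object {
        $v = (Get-ItemProperty -Path $KeyPath -Name $_ -ErrorAction SilentlyContinue).$_
        [pscustomobject]@{ Name = $_; Hex = ('0x{0:X}' -f $v); Decimal = $v; Backup = $backup }
    }
}

Set-StoreSessionLimits | Format-Table -AutoSize

# The values are read by the Information Store, so reboot (or restart the store) and then
# the IMAP4 services, as the page instructs. Left commented out because it is disruptive.
# Restart-Service MSExchangeIS -Force
# Restart-Service MSExchangeIMAP4, MSExchangeIMAP4BE
```

The warning branch matters on a server that has been through this procedure before: a pre-existing value with a different number is the usual sign that another integration or a previous ticket already tuned the store, and it should be reconciled rather than overwritten blindly.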
Perform the following steps for the NTLM authentication protocol:
Disable GSSAPI and NTLM authentication for IMAP4 by turning off the parameter:
EnableGSSAPIAndNTLMAuth
See this KB: https://support.microsoft.com/en-us/kb/3076376
Run Set-ImapSettings with
EnableGSSAPIAndNTLMAuth set to $false
To set the size quota for each IMAP4 protocol log file on the server, run the following command:
Set-ImapSettings -Server <ServerName> -LogPerFileSizeQuota 10MB
This applies to Exchange 2013 CU11 and the latest Exchange 2016 build.
NOTE: Raise the limit for maximum connections from a single user from the default of 16 to 200000, and make sure all other connection limits stay at their default settings. You can make the change in the Exchange admin center (EAC):
In the EAC, navigate to Servers > Servers.
From the list of servers, select the Client Access server and then click Edit.
On the server properties page, click IMAP4.
Click More Options.
Under Connection Limit, use the following settings:
Maximum connections - Specifies the total number of connections the specified server will accept. This includes authenticated and unauthenticated connections. The default value is 2,147,483,647. The possible values are from 1 through 2,147,483,647.
Maximum connections from a single IP address - Specifies the number of connections that the server will accept from a single IP address. The default value is 2,147,483,647. The possible values are from 1 through 2,147,483,647.
Maximum connections from a single user - Specifies the maximum number of connections that the server will accept from a particular user. The default value is 16. The possible values are from 1 through 2,147,483,647.
Maximum commands size (bytes) - Specifies the maximum size of a single command. The default size is 10,240. The possible values are from 1,024 through 16,384.
Click Apply and then click OK to save your changes.
After you set the connection limits, restart the IMAP4 front-end and back-end services (MSExchangeIMAP4 and MSExchangeIMAP4BE) on the Exchange server.
OR
Alternatively, from the Exchange Management Shell, raise MaxConnectionsPerUser from the default of 16 to 200000 by running:
Set-ImapSettings -Server "exchange server name" -MaxConnectionsPerUser 200000
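The three Set-ImapSettings changes described above (NTLM/GSSAPI off, 10 MB per log file, MaxConnectionsPerUser 200000), applied together as an added example that is not code from the original page: it snapshots the settings before and after, flags which ones changed, warns if any of the limits the page says to leave alone are not at their defaults, and restarts the IMAP4 services. The server name FW-EXCH01 is a placeholder taken from the page's log excerpts.

```powershell
# Added example, not from the original page. Run in the Exchange Management Shell.
$server = 'FW-EXCH01'   # placeholder
$props  = 'EnableGSSAPIAndNTLMAuth', 'LogPerFileSizeQuota', 'MaxConnectionsPerUser',
          'MaxConnections', 'MaxConnectionFromSingleIP', 'MaxCommandSize'

function Get-ImapSnapshot([string]$Server) {
    Get-ImapSettings -Server $Server | Select-Object -Property $props
}

$before = Get-ImapSnapshot $server

Set-ImapSettings -Server $server `
    -EnableGSSAPIAndNTLMAuth $false `
    -LogPerFileSizeQuota 10MB `
    -MaxConnectionsPerUser 200000

$after = Get-ImapSnapshot $server

# Side-by-side view of every setting we care about, marking the ones that changed.
$props | ForEach-Object {
    [pscustomobject]@{
        Setting = $_
        Before  = [string]$before.$_
        After   = [string]$after.$_
        Changed = ([string]$before.$_) -ne ([string]$after.$_)
    }
} | Format-Table -AutoSize

# The page says every other connection limit must stay at its default; check that.
$defaults = @{ MaxConnections = 2147483647; MaxConnectionFromSingleIP = 2147483647; MaxCommandSize = 10240 }
foreach ($name in $defaults.Keys) {
    if ([string]$after.$name -ne [string]$defaults[$name]) {
        Write-Warning "$name is $($after.$name); the procedure expects the default $($defaults[$name])"
    }
}

# Set-ImapSettings changes only take effect after the IMAP4 services restart.
Restart-Service MSExchangeIMAP4, MSExchangeIMAP4BE
Get-Service MSExchangeIMAP4, MSExchangeIMAP4BE | Select-Object Name, Status, StartType
```

Keeping the before/after table in the ticket is worth the few extra lines: MaxConnectionsPerUser at 200000 is far above the default and is exactly the kind of setting a later administrator will want to trace back to this change.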
You can set the following throttling policy parameters to Unlimited:
ImapMaxConcurrency
ImapMaxBurst
ImapRechargeRate
ImapCutoffBalance
CPAMaxConcurrency
For example:
Set-ThrottlingPolicy NPUMAdminPolicy -ImapMaxConcurrency Unlimited -ImapMaxBurst Unlimited -ImapRechargeRate Unlimited -ImapCutoffBalance Unlimited -CPAMaxConcurrency Unlimited
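A throttling policy only affects mailboxes it is associated with, so setting the limits is half the job. The following added example (not code from the original page) creates NPUMAdminPolicy if it is missing, sets the five IMAP-related limits to Unlimited, associates the policy with the account the integration logs in with, and shows the policy that is actually in effect for that account. The account name npumadmin2 is taken from the IMAP log excerpt on this page and is assumed to be the integration account.

```powershell
# Added example, not from the original page. Run in the Exchange Management Shell.
$policyName = 'NPUMAdminPolicy'
$account    = 'npumadmin2'   # assumed integration account (from the log excerpt on this page)

$policy = Get-ThrottlingPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $policy) {
    # A Regular-scope policy inherits every limit it does not set from the organisation/global policy.
    $policy = New-ThrottlingPolicy -Name $policyName -ThrottlingPolicyScope Regular
}

Set-ThrottlingPolicy -Identity $policyName `
    -ImapMaxConcurrency Unlimited `
    -ImapMaxBurst       Unlimited `
    -ImapRechargeRate   Unlimited `
    -ImapCutoffBalance  Unlimited `
    -CPAMaxConcurrency  Unlimited

# Without this association the account keeps using the default policy.
Set-ThrottlingPolicyAssociation -Identity $account -ThrottlingPolicy $policyName

function Get-EffectiveImapThrottling([string]$Mailbox) {
    $assoc = Get-ThrottlingPolicyAssociation -Identity $Mailbox
    $name  = if ($assoc.ThrottlingPolicyId) {
                 $assoc.ThrottlingPolicyId.Name
             } else {
                 # No explicit association: the global policy applies.
                 (Get-ThrottlingPolicy | Where-Object ThrottlingPolicyScope -eq 'Global').Name
             }
    Get-ThrottlingPolicy -Identity $name |
        Select-Object Name, ThrottlingPolicyScope, ImapMaxConcurrency, ImapMaxBurst,
                      ImapRechargeRate, ImapCutoffBalance, CPAMaxConcurrency
}

Get-EffectiveImapThrottling $account | Format-List
```

Scope the Unlimited values to this one account only: the policy removes the IMAP back-pressure that protects the server from a misbehaving client, which is acceptable for a single integration account but not as an organization-wide default.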
NOTE: Changes to the Exchange server configuration are made at the site's own risk. If the site administrator is not comfortable with the changes, kindly contact Microsoft.
Exchange IMAP log errors:
The IMAP4 protocol log is a CSV whose fields are dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context. In the example below the integration account (npumadmin2) issued a LOGIN that the front end (172.1.0.16:993) proxied to the back end (Proxy:FW-EXCH01.Kat.com:993:SSL); the proxied connection failed to authenticate (ErrMsg=ProxyNotAuthenticated) and the client received "NO LOGIN failed".
Example: 22T12:06:14.459Z,00000000002422BF,3,172.1.0.16:993,192.168.12.15:49088,npumadmin2,61,57,23,login,com/NPUMAdmin2/oozuna *****,"R=""MSB1 NO LOGIN failed."";Msg=""User:LegacyDn: /o=Kat,ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Olga Ozuna, RecipientType: UserMailbox, RecipientTypeDetails: UserMailbox, Selected Mailbox: Display Name: Sally Ozuna, Mailbox Guid: 4ec4d3b2-1719-4f75-93dc-78737a68fc78, Database: 1d149126-97d1-4a8f-ab95-ed0522a1f9d0, Location: ServerFqdn: FW-EXCH01.Mitel.com, ServerVersion: 1937997947, DatabaseName: Mitel FW New, HomePublicFolderDatabaseGuid: be5fc5e4-4151-4446-a88c-932d59f5f7d0;Proxy:FW-EXCH01.Kat.com:993:SSL"";ErrMsg=ProxyNotAuthenticated",
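Picking failures like the one above out of a day's worth of IMAP4 protocol logs by hand is slow. The following added example (not code from the original page) parses the log's CSV format, pulls the response, ErrMsg and Proxy target out of the context field, and summarises failed LOGINs per user and error. The three sample lines embedded in it are constructed for the example (abridged context, made-up session IDs and addresses) and are not real log data; the file-based usage at the end assumes Get-ImapSettings' LogFileLocation points at the live logs.

```powershell
# Added example, not from the original page.
# Constructed sample in the Exchange IMAP4 protocol log format (not real log data).
$sample = @'
#Software: Microsoft Exchange Server
#Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
2019-02-22T12:06:14.459Z,00000000002422BF,3,172.1.0.16:993,192.168.12.15:49088,npumadmin2,61,57,23,login,com/NPUMAdmin2/oozuna *****,"R=""MSB1 NO LOGIN failed."";Msg=""User:LegacyDn: /o=Kat/cn=Recipients/cn=Olga Ozuna, Selected Mailbox: Display Name: Sally Ozuna;Proxy:FW-EXCH01.Kat.com:993:SSL"";ErrMsg=ProxyNotAuthenticated",
2019-02-22T12:06:20.101Z,00000000002422C0,3,172.1.0.16:993,192.168.12.15:49090,npumadmin2,35,57,39,login,com/NPUMAdmin2/jsmith *****,"R=""MSB1 OK LOGIN completed."";Msg=""User:LegacyDn: /o=Kat/cn=Recipients/cn=J Smith;Proxy:FW-EXCH01.Kat.com:993:SSL""",
2019-02-22T12:07:02.877Z,00000000002422C4,2,172.1.0.16:993,10.9.8.7:51222,alice,12,31,25,login,alice *****,"R=""A1 NO LOGIN failed."";ErrMsg=AuthFailed",
'@

function ConvertFrom-ImapProtocolLog {
    # Accepts raw log lines (comment lines included) and emits one object per record.
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    begin { $header = $null; $body = New-Object System.Collections.Generic.List[string] }
    process {
        foreach ($line in $Lines) {
            if ($line -like '#Fields:*') {
                $header = ($line -replace '^#Fields:\s*', '') -split ','
            } elseif ($line -notlike '#*' -and $line.Trim()) {
                $body.Add($line.TrimEnd(','))   # each record ends with a trailing comma
            }
        }
    }
    end {
        if (-not $header) { throw 'No #Fields header found in the input' }
        $body | ConvertFrom-Csv -Header $header | ForEach-Object {
            # context looks like: R="<response>";Msg="...;Proxy:host:port:SSL";ErrMsg=<code>
            $ctx = $_.context
            $_ | Add-Member -NotePropertyName Response -NotePropertyValue ([regex]::Match($ctx, 'R="(?<r>[^"]*)"').Groups['r'].Value) -PassThru |
                 Add-Member -NotePropertyName ErrMsg   -NotePropertyValue ([regex]::Match($ctx, 'ErrMsg=(?<e>[^;"]*)').Groups['e'].Value) -PassThru |
                 Add-Member -NotePropertyName Proxy    -NotePropertyValue ([regex]::Match($ctx, 'Proxy:(?<p>[^;"]*)').Groups['p'].Value) -PassThru
        }
    }
}

function Get-ImapLoginFailureSummary {
    # Groups failed LOGIN commands by user, error code and proxy target.
    param([Parameter(ValueFromPipeline)]$Entry)
    begin { $rows = @() }
    process { $rows += $Entry }
    end {
        $rows | Where-Object { $_.command -eq 'login' -and $_.Response -match '^\S+ NO ' } |
            Group-Object user, ErrMsg, Proxy | ForEach-Object {
                [pscustomobject]@{
                    User      = $_.Group[0].user
                    ErrMsg    = $_.Group[0].ErrMsg
                    Proxy     = $_.Group[0].Proxy
                    Failures  = $_.Count
                    ClientIPs = ($_.Group.cIp | ForEach-Object { ($_ -split ':')[0] } | Sort-Object -Unique) -join ', '
                    FirstSeen = ($_.Group.dateTime | Sort-Object)[0]
                }
            }
    }
}

$entries = ($sample -split "`r?`n") | ConvertFrom-ImapProtocolLog
$entries | Get-ImapLoginFailureSummary | Format-Table -AutoSize

# Against a live server, feed the real log files instead of the sample:
# $logDir = (Get-ImapSettings -Server FW-EXCH01).LogFileLocation
# Get-ChildItem $logDir -Filter *.LOG | Get-Content | ConvertFrom-ImapProtocolLog | Get-ImapLoginFailureSummary
```

The Proxy column is the useful discriminator: a ProxyNotAuthenticated row with a Proxy target means the front end reached the back end and the proxied hop failed, which points at the back-end server's authentication or certificate configuration rather than at the client's password.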
Log Name: System
Source: Schannel
Date: 2/22/2019 2:38:41 PM
Event ID: 36888
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: FW-EXCH01.Kat.com
Description:
The following fatal alert was generated: 51. The internal error state is 900.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
<EventID>36888</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-22T20:38:41.809566900Z" />
<EventRecordID>1204930</EventRecordID>
<Correlation />
<Execution ProcessID="524" ThreadID="632" />
<Channel>System</Channel>
<Computer>FW-EXCH01.Kat.com</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="AlertDesc">51</Data>
<Data Name="ErrorState">900</Data>
</EventData>
</Event>
Log Name: Application
Source: MSExchangeIMAP4
Date: 2/22/2019 3:36:23 PM
Event ID: 1102
Task Category: (1)
Level: Error
Keywords: Classic
User: N/A
Computer: FW-EXCH01.Kat.com
Description:
The IMAP4 service failed to connect using SSL or TLS encryption. No valid certificate is configured to respond to SSL/TLS connections. Check the configured host name as well as which certificates are installed in the Personal Certificates store of the computer.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchangeIMAP4" />
<EventID Qualifiers="49156">1102</EventID>
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-02-22T21:36:23.000000000Z" />
<EventRecordID>4290878</EventRecordID>
<Channel>Application</Channel>
<Computer>FW-EXCH01.Kat.com</Computer>
<Security />
</System>
<EventData>
</EventData>
</Event>
Solution:
If a third-party certificate is in use, you may need to run the Enable-ExchangeCertificate cmdlet to enable the existing third-party certificate for the IMAP service on the Exchange server.
You may also need to restore the default settings for the Schannel SSL and TLS registry keys on Exchange 2010. Secure Channel, also known as Schannel, is a security support provider (SSP) that contains a set of security protocols that provide identity authentication and secure, private communication through encryption. In the Schannel event above, fatal alert 51 is the TLS decrypt_error alert (a handshake cryptographic operation failed), so the failure is inside the TLS handshake rather than at the IMAP level.
Issue Scenario:
Voice messages were not being delivered for users on Exchange.
IMAP over SSL was not working and returned the error "BYE connection is closed. 14".
Solution: Resolved by setting the server's host name in the X509CertificateName parameter of Set-ImapSettings, which specifies the certificate used to encrypt IMAP4 client connections. The name must match a certificate in the computer's Personal certificate store, which is exactly what event 1102 above asks you to check.
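Both halves of that fix, as an added example (not code from the original page): the first part, run on the Exchange server, picks an unexpired certificate whose domains contain the host name, enables it for IMAP and sets X509CertificateName; the second part, runnable from any Windows host, opens a TLS connection to port 993 and reports which certificate the IMAP4 service really presents, whether it matches the configured name, and what the server says in its greeting. FW-EXCH01 and fw-exch01.kat.com are placeholders taken from the page's log excerpts; the certificate lookup assumes an exact (non-wildcard) name match.

```powershell
# Added example, not from the original page.
$server   = 'FW-EXCH01'          # placeholder
$hostName = 'fw-exch01.kat.com'  # placeholder; must match the cert's subject or SAN

# --- Part 1: on the Exchange server (Exchange Management Shell) ---
$cert = Get-ExchangeCertificate -Server $server |
        Where-Object { (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $hostName) -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate for $hostName found on $server" }

Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IMAP -Force
Set-ImapSettings -Server $server -X509CertificateName $hostName
Restart-Service MSExchangeIMAP4, MSExchangeIMAP4BE

# --- Part 2: from any Windows host, see what port 993 actually serves ---
function Test-ImapTls {
    param([string]$HostName, [int]$Port = 993, [string]$ExpectedName = $HostName)

    $script:policyErrors = $null
    $recordOnly = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors   # record the chain/name verdict instead of aborting
        return $true
    }

    $tcp = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $recordOnly)
        $ssl.AuthenticateAsClient($HostName)        # SNI = host name, OS default protocols

        $reader = New-Object System.IO.StreamReader($ssl)
        $writer = New-Object System.IO.StreamWriter($ssl)
        $writer.AutoFlush = $true
        $greeting = $reader.ReadLine()              # "* OK ..." when the service is healthy
        $writer.WriteLine('a1 LOGOUT')

        $x509  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @($x509.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            Host         = $HostName
            Protocol     = $ssl.SslProtocol
            Greeting     = $greeting
            Subject      = $x509.Subject
            DnsNames     = $names -join ', '
            NotAfter     = $x509.NotAfter
            PolicyErrors = $script:policyErrors
            NameMatches  = $names -contains $ExpectedName
        }
    }
    catch {
        # A server with no usable IMAP certificate (event 1102 above) typically drops the
        # connection during the handshake; report that rather than throwing.
        [pscustomobject]@{ Host = $HostName; Error = $_.Exception.GetBaseException().Message }
    }
    finally { if ($tcp) { $tcp.Close() } }
}

Test-ImapTls -HostName $hostName | Format-List
```

Run Test-ImapTls against the back-end as well as the front-end name: the ProxyNotAuthenticated log entry earlier on this page shows the front end proxying to FW-EXCH01.Kat.com:993 over SSL, so the back end's certificate has to satisfy the proxy hop, not just the voicemail client.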
In Exchange Server 2016, mail flow occurs through the transport pipeline. The transport pipeline is a collection of services, connections, components, and queues that work together to route all messages to the categorizer in the Transport service on an Exchange 2016 Mailbox server inside the organization.
Front End Transport service: This service acts as a stateless proxy for all inbound and (optionally) outbound external SMTP traffic for the Exchange 2016 organization. The Front End Transport service does not inspect message content, or communicate with the Mailbox Transport service, and does not queue any messages locally.
The Front End Transport service attempts to anchor on a recipient: it looks up that recipient in Active Directory and finds the DAG the recipient's mailbox belongs to.
It then routes the mail to a Mailbox server in that DAG (preferably in the same site).
When messages are received by the Transport service, message content is inspected, transport rules are applied, and anti-spam and anti-malware inspection runs if those agents are enabled.
The SMTP session consists of a sequence of events that work together in a particular order to verify and validate the contents of a message before it is accepted. When a message has passed completely through SMTP Receive and has not been rejected by a receive event or by an anti-spam or anti-malware agent, it is placed in the Submission queue.
Submission queue
Holds messages that have been accepted by the Transport service but not yet processed by the categorizer. Messages in the Submission queue are either waiting to be processed or are actively being processed.
On Mailbox servers, messages are received by a Receive connector, the Pickup or Replay directories, or the Mailbox Transport Submission service. On Edge Transport servers, messages are typically received by a Receive connector, but the Pickup and Replay directories are also available.
Every Mailbox server or Edge Transport server has only one Submission queue.
Categorizer
The categorizer chooses one message at a time from the Submission queue.
The categorizer performs the following steps:
Recipient resolution, which includes top-level addressing, message bifurcation, and distribution group expansion.
Routing resolution.
Content conversion.
In addition, the mail flow rules the organization has defined are applied. After messages have been categorized, they are routed into a delivery queue based on the destination of the message. Messages are queued by destination mailbox database, Active Directory site, DAG, or Active Directory forest.
Mailbox Transport Delivery service: This service receives SMTP messages from the Transport service on the local Mailbox server or on other Mailbox servers and connects to the local mailbox database using RPC to deliver the messages. The Mailbox Transport Delivery service doesn't communicate with the Front End Transport service or with mailbox databases on other Mailbox servers, and it doesn't queue any messages locally.
Port 25 – As in previous versions of Exchange, this port is used for SMTP: external SMTP into the Front End Transport service (FET), SMTP with Exchange 2007/2010 Hub Transport servers, SMTP between Mailbox servers, and SMTP from the FET to the Transport service. The receive connector named Default Frontend <servername> listens on this port.
Port 587 – As in previous versions, this port is used for authenticated SMTP submission from POP3/IMAP4 clients. The Client Access server has a receive connector named Client Frontend <servername> listening on this port.
Port 717 – Used for outbound proxy connections from the Transport service to the FET service. When you create a Send connector you can send mail destined for the Internet directly from the Transport service to the Internet or a smart host, or relay it through the Front End Transport service. The receive connector named Outbound Proxy Frontend <servername> listens on this port.
Port 465 – Accepts the client connections that the FET service received on port 587 and proxies to the Transport service. The receive connector named Client Proxy <servername> listens on this port.
Port 475 – The Mailbox Transport Delivery service listens on this port for connections from the Transport service's SMTP Send connector on the local server, or from the Transport service on other Mailbox servers that need to deliver mail to users on this server.
Port 2525 – When the Client Access and Mailbox roles are collocated on the same server, the SMTP Receive connector for the Transport service (Default <servername>) listens on 2525 instead of 25, because two services (the FET and the Transport service) cannot listen on the same port.
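The port list above is easy to verify on a live server, and doing so is the quickest way to tell a binding problem from a firewall problem. The following added example (not code from the original page) checks, for each port, which receive connector is bound to it and which process is actually listening. The process names are what a default installation shows (MSExchangeFrontendTransport for the Front End Transport service, EdgeTransport for the Transport service, MSExchangeDelivery for Mailbox Transport Delivery) and are an assumption to confirm on your own build; run it in the Exchange Management Shell on the server itself.

```powershell
# Added example, not from the original page. Run in the Exchange Management Shell on the server.
$expected = @(
    [pscustomobject]@{ Port = 25;   Connector = 'Default Frontend';        Process = 'MSExchangeFrontendTransport' }
    [pscustomobject]@{ Port = 587;  Connector = 'Client Frontend';         Process = 'MSExchangeFrontendTransport' }
    [pscustomobject]@{ Port = 717;  Connector = 'Outbound Proxy Frontend'; Process = 'MSExchangeFrontendTransport' }
    [pscustomobject]@{ Port = 465;  Connector = 'Client Proxy';            Process = 'EdgeTransport' }
    [pscustomobject]@{ Port = 2525; Connector = 'Default';                 Process = 'EdgeTransport' }
    [pscustomobject]@{ Port = 475;  Connector = $null;                     Process = 'MSExchangeDelivery' }  # no receive connector object for this listener
)

function Get-TransportPortReport {
    param([string]$Server = $env:COMPUTERNAME)

    $connectors = Get-ReceiveConnector -Server $Server
    $listeners  = Get-NetTCPConnection -State Listen

    foreach ($e in $expected) {
        # Receive connectors bind to a list of address:port pairs; match on the port only.
        $bound      = $connectors | Where-Object { ($_.Bindings | ForEach-Object Port) -contains $e.Port }
        $boundNames = @($bound | ForEach-Object Name)

        # Which process owns the listening socket, if anything is listening at all?
        $sock = $listeners | Where-Object LocalPort -eq $e.Port | Select-Object -First 1
        $proc = if ($sock) { (Get-Process -Id $sock.OwningProcess -ErrorAction SilentlyContinue).ProcessName } else { $null }

        # Connector names carry the server name as a suffix, e.g. "Default Frontend FW-EXCH01".
        $connectorOk = if ($e.Connector) {
                           [bool]($boundNames | Where-Object { $_ -like "$($e.Connector) *" })
                       } else {
                           $boundNames.Count -eq 0
                       }

        [pscustomobject]@{
            Port              = $e.Port
            ExpectedConnector = $e.Connector
            BoundConnectors   = $boundNames -join '; '
            ConnectorOk       = $connectorOk
            Listening         = [bool]$sock
            Process           = $proc
            ProcessOk         = ($proc -eq $e.Process)
        }
    }
}

Get-TransportPortReport | Format-Table -AutoSize
```

A row with ConnectorOk true but Listening false usually means the owning service is stopped or still starting; a row where a different process owns the port (for example something else already bound to 25 before the Front End Transport service started) explains a "port in use" failure that the receive connector configuration alone will not reveal.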