Troubleshooting Notes for IMAP for Exchange or Office 365
Advance Unified messaging IMAP Configuration Settings on Exchange 2013 and Exchange 2016 Server
To ensure overall system stability, we engaged Microsoft to make some system modifications that allow the overall integrated system to function properly.
Please find below the modifications that have been advised by Microsoft. Changes to the Exchange server configuration are made at the site's own risk. If the site admin is not comfortable with the changes, please contact Microsoft.
To see the IMAP settings on Exchange, run:
- Get-ExchangeServer | fl name,serverrole,site,fqdn,admindisplayversion
- Get-AcceptedDomain
- Get-TransportAgent
- Get-DomainController | fl name,dnshostname,adsite
- Get-IMAPSettings | FL (on both servers)
- Get-ThrottlingPolicy NPUMAdminPolicy | fl
Maximum Allowed Sessions Per User and Maximum Allowed Service Sessions Per User
Create the following registry entries. If the registry key does not exist, create it. If the site is not comfortable creating this key in the Exchange registry, or making any other change to the Exchange server, please call Microsoft for assistance.
Create the Maximum Allowed Sessions Per User registry entries with value 2048 under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Add 2 new DWORD entries:
- Maximum Allowed Sessions Per User with value 2048 (Hexadecimal)
- Maximum Allowed Service Sessions Per User with value 2048 (Hexadecimal)
After creating the registry entries, reboot the Exchange server, or restart the IMAP4 front-end and back-end services.
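The registry change above, written out as a script so it can be applied the same way on every server and verified before the services are restarted. This is an added example, not part of the original notes or of any Microsoft guidance. It assumes an elevated Exchange Management Shell on the server being changed, and it takes the notes' "2048 (Hexadecimal)" literally as the hex value 0x2048; adjust `$value` if your Microsoft case specifies a different number.

```powershell
# Added example (not from the original notes): create the two MSExchangeIS
# DWORD values described above, show them, then restart the IMAP4 services.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'

# Assumption: the notes say "2048 (Hexadecimal)", i.e. what you would type in
# regedit with the Hexadecimal radio button selected, which is 0x2048 (8264 decimal).
$value = 0x2048
$names = @('Maximum Allowed Sessions Per User',
           'Maximum Allowed Service Sessions Per User')

# The key normally exists on an Exchange server; create it only if it is missing.
if (-not (Test-Path -Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}

foreach ($name in $names) {
    $existing = Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $regPath -Name $name -Value $value -PropertyType DWord | Out-Null
        Write-Host ("Created '{0}' = 0x{1:X} ({1})" -f $name, $value)
    } else {
        Set-ItemProperty -Path $regPath -Name $name -Value $value
        Write-Host ("Updated '{0}' = 0x{1:X} ({1})" -f $name, $value)
    }
}

# Read the values back so the change can be checked before anything is restarted.
Get-ItemProperty -Path $regPath -Name $names | Format-List -Property $names

# Restart the front-end and back-end IMAP4 services (Exchange 2013/2016 service names)
# instead of rebooting the whole server.
foreach ($svc in 'MSExchangeIMAP4', 'MSExchangeIMAP4BE') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Restart-Service -Name $svc -Force
        Write-Host "Restarted $svc"
    }
}
```

Setting the values with `-PropertyType DWord` rather than typing them in regedit removes the decimal/hexadecimal ambiguity; the `Format-List` output shows the decimal number actually stored, which is what the Information Store reads.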
NTLM authentication protocol
This is applicable to Exchange 2013 and Exchange 2016 Mailbox and CAS servers.
Perform the following steps for the NTLM authentication protocol:
- Disable the EnableGSSAPIAndNTLMAuth parameter.
- Check this KB: https://support.microsoft.com/en-us/kb/3076376
- Run Set-IMAPSettings with EnableGSSAPIAndNTLMAuth set to $false.
To set the log file's size quota on the server, run the following command:
Set-ImapSettings -Server <ServerName> -LogPerFileSizeQuota 10MB
Set the IMAP4 connection limits for a server
This applies to Exchange 2013 CU 11 and the latest Exchange 2016 software load.
NOTE: Set the limit for maximum connections from a single user to 200000 from the default value of 16. Also, make sure that all other connection limits are left at their default settings. You can make the changes via the Exchange ECP web console.
- In the EAC, navigate to Server > Servers.
- From the list of servers, select the Client Access server and then click Edit.
- On the server properties page, click IMAP4.
- Click More Options.
- Under Connection Limit, use the following settings:
  - Maximum connections - Specifies the total number of connections the specified server will accept. This includes authenticated and unauthenticated connections. The default value is 2,147,483,647. The possible values are from 1 through 2,147,483,647.
  - Maximum connections from a single IP address - Specifies the number of connections that the server will accept from a single IP address. The default value is 2,147,483,647. The possible values are from 1 through 2,147,483,647.
  - Maximum connections from a single user - Specifies the maximum number of connections that the server will accept from a particular user. The default value is 16. The possible values are from 1 through 2,147,483,647.
  - Maximum command size (bytes) - Specifies the maximum size of a single command. The default size is 10,240. The possible values are from 1,024 through 16,384.
- Click Apply and then click OK to save your changes.
After you set the connection limits, restart the IMAP4 front-end and back-end services on the Exchange server.
OR
You can make the changes from a command prompt, where you can increase the MaxConnectionsPerUser value from 16 (default) to 200000 by running the command below:
Set-ImapSettings -Server "exchange server name" -MaxConnectionsPerUser 200000
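The NTLM section and the connection-limit section above both end in a Set-ImapSettings call. The following added example (not from the original notes) applies both changes plus the log file quota in one call per server, records the before/after values, checks that the other three connection limits are still at the defaults the NOTE says must not change, and restarts the IMAP4 services. The server names are placeholders, and the restart assumes WinRM access to each server.

```powershell
# Added example (not from the original notes): apply the NTLM, log-quota and
# per-user connection-limit settings with Set-ImapSettings and verify them.
# Assumption: $servers holds your Client Access server names (placeholders).
$servers = @('EXCH01', 'EXCH02')

# Documented defaults that the note says must be left alone.
$defaults = @{
    MaxConnections            = 2147483647
    MaxConnectionFromSingleIP = 2147483647
    MaxCommandSize            = 10240
}

foreach ($server in $servers) {
    $before = Get-ImapSettings -Server $server

    # Splatting keeps each parameter on its own commented line.
    $change = @{
        Server                  = $server
        EnableGSSAPIAndNTLMAuth = $false    # NTLM section: no GSSAPI/NTLM on IMAP
        LogPerFileSizeQuota     = 10MB      # 10 MB per protocol log file
        MaxConnectionsPerUser   = 200000    # connection limits: 16 (default) -> 200000
    }
    Set-ImapSettings @change

    $after = Get-ImapSettings -Server $server
    [pscustomobject]@{
        Server        = $server
        NtlmBefore    = $before.EnableGSSAPIAndNTLMAuth
        NtlmAfter     = $after.EnableGSSAPIAndNTLMAuth
        PerUserBefore = $before.MaxConnectionsPerUser
        PerUserAfter  = $after.MaxConnectionsPerUser
        LogQuotaAfter = $after.LogPerFileSizeQuota
    } | Format-List

    # Warn if any other limit drifted from its default (string compare, because
    # some of these properties are Unlimited<T> rather than plain integers).
    foreach ($name in $defaults.Keys) {
        if ([string]$after.$name -ne [string]$defaults[$name]) {
            Write-Warning "$server : $name is $($after.$name), expected default $($defaults[$name])"
        }
    }

    # The new settings only take effect once both IMAP4 services restart.
    Invoke-Command -ComputerName $server -ScriptBlock {
        Restart-Service -Name MSExchangeIMAP4, MSExchangeIMAP4BE -Force
    }
}
```

Keeping the before/after object per server gives a record of what changed on which host, which is useful when a site later asks Microsoft or the UM vendor to review the configuration.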
Configuring the client through Set-ThrottlingPolicy
You can set the throttling policy to Unlimited for the following parameters:
- ImapMaxConcurrency
- ImapMaxBurst
- ImapRechargeRate
- ImapCutoffBalance
- CPAMaxConcurrency
For example:
Set-ThrottlingPolicy NPUMAdminPolicy [-ImapMaxConcurrency <Unlimited>] [-ImapMaxBurst <Unlimited>] [-ImapRechargeRate <Unlimited>] [-ImapCutoffBalance <Unlimited>] [-CPAMaxConcurrency <Unlimited>]
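The syntax line above only shows the parameters; a throttling policy also has to exist and be assigned to a mailbox before it has any effect. The following added example (not from the original notes) creates NPUMAdminPolicy if it is missing, sets the five parameters to Unlimited, assigns the policy to the account the UM system logs in with, and reads everything back. The mailbox name `npumadmin` is a placeholder.

```powershell
# Added example (not from the original notes): create/update the NPUMAdminPolicy
# throttling policy and assign it to the IMAP service account's mailbox.
# Assumption: 'npumadmin' is the mailbox used by the UM system (placeholder).
$policyName     = 'NPUMAdminPolicy'
$serviceMailbox = 'npumadmin'

# A user-scoped ("Regular") policy inherits anything not set here from the
# organization default policy, so only the IMAP/CPA limits are affected.
$policy = Get-ThrottlingPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-ThrottlingPolicy -Name $policyName -ThrottlingPolicyScope Regular
}

Set-ThrottlingPolicy -Identity $policyName `
    -ImapMaxConcurrency Unlimited `
    -ImapMaxBurst       Unlimited `
    -ImapRechargeRate   Unlimited `
    -ImapCutoffBalance  Unlimited `
    -CPAMaxConcurrency  Unlimited

# Without this assignment the mailbox keeps the default policy and the
# IMAP sessions opened by the UM system are still throttled.
Set-Mailbox -Identity $serviceMailbox -ThrottlingPolicy $policyName

# Verify: all five values should read Unlimited and the mailbox should
# reference the policy.
Get-ThrottlingPolicy -Identity $policyName |
    Format-List ImapMaxConcurrency, ImapMaxBurst, ImapRechargeRate, ImapCutoffBalance, CPAMaxConcurrency
Get-Mailbox -Identity $serviceMailbox | Format-List Name, ThrottlingPolicy
```

Scoping the unlimited values to one named policy, rather than editing the organization default, keeps every other mailbox under the normal IMAP throttling.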
Troubleshooting and fixes for one or more Exchange servers when they are of different software version (Exchange 2016 forwarding to multiple 2013 exchange servers)
Exchange IMAP log errors:
- Check the IMAP protocol logs on the Exchange server for this ERROR:
  993:SSL""; ErrMsg=ProxyNotAuthenticated ",
Example: 22T12:06:14.459Z,00000000002422BF,3,172.1.0.16:993,192.168.12.15:49088,npumadmin2,61,57,23,login,com/NPUMAdmin2/oozuna *****,"R=""MSB1 NO LOGIN failed."";Msg=""User:LegacyDn: /o=Kat,ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Olga Ozuna, RecipientType: UserMailbox, RecipientTypeDetails: UserMailbox, Selected Mailbox: Display Name: Sally Ozuna, Mailbox Guid: 4ec4d3b2-1719-4f75-93dc-78737a68fc78, Database: 1d149126-97d1-4a8f-ab95-ed0522a1f9d0, Location: ServerFqdn: FW-EXCH01.Mitel.com, ServerVersion: 1937997947, DatabaseName: Mitel FW New, HomePublicFolderDatabaseGuid: be5fc5e4-4151-4446-a88c-932d59f5f7d0;Proxy:FW-EXCH01.Kat.com:993:SSL"";ErrMsg=ProxyNotAuthenticated",
- Check System and Application Event Viewer logs on the Exchange Servers
Log Name: System
Source: Schannel
Date: 2/22/2019 2:38:41 PM
Event ID: 36888
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: FW-EXCH01.Kat.com
Description:
The following fatal alert was generated: 51. The internal error state is 900.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
<EventID>36888</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-22T20:38:41.809566900Z" />
<EventRecordID>1204930</EventRecordID>
<Correlation />
<Execution ProcessID="524" ThreadID="632" />
<Channel>System</Channel>
<Computer>FW-EXCH01.Kat.com</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="AlertDesc">51</Data>
<Data Name="ErrorState">900</Data>
</EventData>
</Event>
Log Name: Application
Source: MSExchangeIMAP4
Date: 2/22/2019 3:36:23 PM
Event ID: 1102
Task Category: (1)
Level: Error
Keywords: Classic
User: N/A
Computer: FW-EXCH01.Kat.com
Description:
The IMAP4 service failed to connect using SSL or TLS encryption. No valid certificate is configured to respond to SSL/TLS connections. Check the configured host name as well as which certificates are installed in the Personal Certificates store of the computer.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchangeIMAP4" />
<EventID Qualifiers="49156">1102</EventID>
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-02-22T21:36:23.000000000Z" />
<EventRecordID>4290878</EventRecordID>
<Channel>Application</Channel>
<Computer>FW-EXCH01.Kat.com</Computer>
<Security />
</System>
<EventData>
</EventData>
</Event>
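The log line and the two events above are what an admin ends up correlating by hand. The following added example (not from the original notes) does that correlation on the CAS server: it parses the IMAP4 protocol logs (CSV, `#`-prefixed header lines, the same twelve columns as the sample line) for `ErrMsg=ProxyNotAuthenticated`, summarises failures per user and per proxied back-end, and then lists Schannel 36888 and MSExchangeIMAP4 1102 events from the same window, decoding the TLS alert number from the 36888 event data. It assumes the Exchange Management Shell on the CAS server and takes the log directory from Get-ImapSettings.

```powershell
# Added example (not from the original notes): correlate ProxyNotAuthenticated
# entries in the IMAP4 protocol logs with Schannel 36888 / MSExchangeIMAP4 1102.
$server = $env:COMPUTERNAME
$since  = (Get-Date).AddHours(-24)

# --- 1. IMAP protocol logs -------------------------------------------------
# The "#Fields:" header of these logs names the 12 columns below (same layout
# as the sample line shown above); other '#' lines are metadata.
$fields = 'dateTime','sessionId','seqNumber','sIp','cIp','user',
          'duration','rqsize','rpsize','command','parameters','context'
$logDir = (Get-ImapSettings -Server $server).LogFileLocation
if (-not $logDir) { $logDir = Join-Path $env:ExchangeInstallPath 'Logging\Imap4' }

$failures = Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        Get-Content -Path $_.FullName |
            Where-Object { $_ -and -not $_.StartsWith('#') } |
            ConvertFrom-Csv -Header $fields
    } |
    Where-Object { $_.context -match 'ErrMsg=ProxyNotAuthenticated' }

# The "Proxy:<fqdn>:<port>:SSL" fragment in the context column identifies the
# back-end the CAS could not authenticate to; group on user + back-end.
$failures | ForEach-Object {
    $backend = if ($_.context -match 'Proxy:([^:;"]+):(\d+)') { "$($Matches[1]):$($Matches[2])" } else { 'unknown' }
    [pscustomobject]@{ Time = $_.dateTime; User = $_.user; ClientIP = $_.cIp; Backend = $backend }
} | Group-Object User, Backend | ForEach-Object {
    [pscustomobject]@{
        User     = $_.Group[0].User
        Backend  = $_.Group[0].Backend
        Failures = $_.Count
        LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
    }
} | Sort-Object Failures -Descending | Format-Table -AutoSize

# --- 2. Event logs ---------------------------------------------------------
# TLS AlertDescription values (RFC 5246) for Schannel 36888; the sample event
# above carries alert 51, decrypt_error.
$tlsAlert = @{ 40 = 'handshake_failure'; 42 = 'bad_certificate'; 46 = 'certificate_unknown'
               48 = 'unknown_ca'; 51 = 'decrypt_error'; 70 = 'protocol_version'; 80 = 'internal_error' }

$events  = @()
$events += @(Get-WinEvent -ComputerName $server -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Schannel'; Id = 36888; StartTime = $since })
$events += @(Get-WinEvent -ComputerName $server -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'MSExchangeIMAP4'; Id = 1102; StartTime = $since })

$events | Sort-Object TimeCreated | ForEach-Object {
    $detail = if ($_.Id -eq 36888) {
        # Properties[0] is AlertDesc and [1] is ErrorState, as in the Event Xml above.
        $code = [int]$_.Properties[0].Value
        "TLS alert $code ($($tlsAlert[$code])), error state $($_.Properties[1].Value)"
    } else {
        ($_.Message -split "`r?`n")[0]   # first line: "failed to connect using SSL or TLS"
    }
    [pscustomobject]@{ Time = $_.TimeCreated; Source = $_.ProviderName; Id = $_.Id; Detail = $detail }
} | Format-Table -AutoSize -Wrap
```

When the protocol-log summary shows every failure against the same back-end and the event list shows 1102 on that host, the certificate binding on the back-end (X509CertificateName, next section) is the first thing to check; 36888 with alert 51 on the CAS side is the matching symptom of the TLS handshake to that back-end failing.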
Examples of issues and solutions:
- Issue Scenario: Voice messages are not getting delivered for recipients on Exchange servers
Solution:
- Run the Set-ImapSettings cmdlet to modify the settings of the Microsoft Exchange IMAP4 service on the Exchange servers.
- Add the certificate name to the X509CertificateName parameter, which specifies the certificate that's used for encrypting IMAP4 client connections.
- Disable NTLM for IMAP4 connections through the EnableGSSAPIAndNTLMAuth parameter, which specifies whether connections can use Integrated Windows authentication (NTLM) using the Generic Security Services application programming interface (GSSAPI).
If it is a third-party certificate, you may need to run the Enable-ExchangeCertificate cmdlet to enable the existing third-party certificate on the Exchange server for the IMAP service.
- Issue Scenario:
  - Voice messages were not getting delivered for users on Exchange
  - IMAP SSL is not working and gives the error "BYE connection is closed. 14"
Solution: Resolved by adding the hostname to the X509CertificateName parameter, which specifies the certificate that's used for encrypting IMAP4 client connections.
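Both scenarios above come down to the same fix: the IMAP4 service must have a certificate that covers the host name clients connect to, enabled for the IMAP service and named in X509CertificateName. The following added example (not from the original notes) performs that fix end to end: it picks the valid certificate whose subject/SAN list contains the IMAP host name, enables it for IMAP if it is not already (the Enable-ExchangeCertificate step for third-party certificates), sets X509CertificateName and disables NTLM, restarts the services and runs Test-ImapConnectivity. `EXCH01` and `mail.example.com` are placeholders.

```powershell
# Added example (not from the original notes): bind the right certificate to
# IMAP4, disable NTLM and verify. Assumptions: $server and $imapHost are
# placeholders; $imapHost is the name the UM system uses to reach IMAP.
$server   = 'EXCH01'
$imapHost = 'mail.example.com'

# Pick the newest valid certificate that lists the IMAP host name in its
# subject/SAN set. CertificateDomains is the names the cert is valid for.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Status -eq 'Valid' -and ($_.CertificateDomains -contains $imapHost) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No valid certificate on $server covers $imapHost" }

# Third-party certificates are not enabled for IMAP by default; Services lists
# what the certificate is currently bound to (e.g. "IMAP, POP, IIS, SMTP").
if ($cert.Services -notmatch 'IMAP') {
    Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IMAP
}

# X509CertificateName takes the host name, not the thumbprint; it must match a
# name on the certificate, otherwise event 1102 ("No valid certificate is
# configured") is logged. Disable GSSAPI/NTLM in the same call.
Set-ImapSettings -Server $server -X509CertificateName $imapHost -EnableGSSAPIAndNTLMAuth $false

Invoke-Command -ComputerName $server -ScriptBlock {
    Restart-Service -Name MSExchangeIMAP4, MSExchangeIMAP4BE -Force
}

# Verify the binding and run the built-in connectivity test.
Get-ImapSettings -Server $server | Format-List X509CertificateName, EnableGSSAPIAndNTLMAuth
Test-ImapConnectivity -ClientAccessServer $server |
    Format-Table Scenario, Result, Error -AutoSize
```

Test-ImapConnectivity uses the test mailbox created by the New-TestCasConnectivityUser.ps1 script that ships with Exchange; if that mailbox does not exist, pass `-MailboxCredential` with a real test account. A failing result here, after the binding is correct, points back at the trust chain on the client side rather than at the Exchange configuration.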
Mail flow and the transport pipeline in Exchange 2013/2016
In Exchange Server 2016, mail flow occurs through the transport pipeline. The transport pipeline is a collection of services, connections, components, and queues that work together to route all messages to the categorizer in the Transport service on an Exchange 2016 Mailbox server inside the organization.
Understanding the transport pipeline
The transport pipeline consists of the following services:
- Front End Transport service: This service acts as a stateless proxy for all inbound and (optionally) outbound external SMTP traffic for the Exchange 2016 organization. The Front End Transport service does not inspect message content, does not communicate with the Mailbox Transport service, and does not queue any messages locally.
  Front End Transport attempts to anchor on a recipient: it looks up that recipient in Active Directory and finds the DAG to which the recipient belongs.
  It then attempts to route the mail to a Mailbox server in that DAG (preferably in the same site).
- Transport service: The Transport service on a Mailbox server includes the following components and processes:
  - SMTP Receive
    Whenever messages are received by the Transport service, message content inspection is conducted, transport rules are applied, and anti-spam and anti-malware inspection is conducted if they are enabled.
    The SMTP session has a sequence of events that work together in a particular order to verify and validate the contents of a message before it's accepted. When a message has passed completely through SMTP Receive and isn't rejected by receive events or by an anti-spam or anti-malware agent, it is placed in the Submission queue.
  - Submission queue
    Holds messages that have been accepted by the Transport service but have not yet been processed. Messages in the Submission queue are either waiting to be processed or are actively being processed.
    On Mailbox servers, messages are received by a Receive connector, the Pickup or Replay directories, or the Mailbox Transport Submission service. On Edge Transport servers, messages are typically received by a Receive connector, but the Pickup and Replay directories are also available.
    Every Mailbox server or Edge Transport server has only one Submission queue.
  - Categorizer
    The categorizer picks one message at a time from the Submission queue and performs the following steps:
    - Recipient resolution, which includes top-level addressing, message bifurcation, and distribution group expansion.
    - Routing resolution.
    - Content conversion.
    Moreover, the mail flow rules that the organization has defined are applied. After messages have been categorized, they're routed into a delivery queue based on the destination of the message. Messages are queued by destination mailbox database, Active Directory site, DAG, or Active Directory forest.
  - SMTP Receive
- Mailbox Transport Submission service: This service connects to the local mailbox database using an Exchange remote procedure call (RPC) to retrieve messages. The service submits the messages over SMTP to the Transport service on the local Mailbox server or on other Mailbox servers. The Mailbox Transport Submission service has access to the same routing topology information as the Transport service.
- Mailbox Transport Delivery service: This service receives SMTP messages from the Transport service on the local Mailbox server or on other Mailbox servers and connects to the local mailbox database using RPC to deliver the messages. The Mailbox Transport service doesn't communicate with the Front End Transport service, the Mailbox Transport service, or mailbox databases on other Mailbox servers. It also doesn't queue any m
Ports used for mail flow in Exchange 2016
- Port 25 – This port, just like in previous versions of Exchange, is used for SMTP. It is used by external SMTP into the Front End Transport service (FET), between MBX servers, and also from the FET to the Transport service. There is a receive connector named Default Frontend <servername> that listens on this port.
- Port 587 – This port, just like in previous versions of Exchange, is used for client connections (POP\IMAP). The CAS server has a receive connector named Client Frontend <servername> listening on this port.
- Port 717 – Used for outbound proxy connections from the Transport service to the FET service. When you create a Send connector you have the option to send mail destined for the Internet directly from the Transport service to the Internet\smart host, or to relay that mail through the Front End Transport service. There is a receive connector named Outbound Proxy Frontend <servername> that listens on this port.
- Port 465 – Used to accept proxied connections that were received on port 587 by the FET service for client connections. There is a receive connector named Client Proxy <servername> that listens on this port.
- Port 475 – The Mailbox Transport Delivery service listens on this port for connections either from the Transport service SMTP Send connector or from the Transport service on other Mailbox servers that need to send mail to users on this server.
- Port 2525 – If the CAS and MBX roles are co-located on the same server, the SMTP Receive connector for the Transport service will listen on 2525 instead of 25. This is because two services (FET and Transport service) can't listen on the same port.