Windows Server 2019 built-in SMTP server: Emails stuck in queue and "The remote server did not respond to a connection attempt" in event log

windows smtp

I'm setting up a new dedicated server using Windows Server 2019. It's replacing an old one based on Windows Server 2008 R2. I have had the built-in SMTP server running on the old server with no issues. I have set up the new server to act as an SMTP server as well, using my own notes from setting up the old one, as well as double checking intructions online. Basically according to the instructions here:

http://www.vsysad.com/2017/05/install-and-configure-smtp-server-on-windows-server-2016/

The problem I'm having is that e-mail will not leave C:\inetpub\mailroot\Queue and will never reach the recipients. The Windows event log contains the following warning(s):

Event 4006, smtpsvc
"Message delivery to the host '204.79.197.212' failed while delivering to the remote domain 'hotmail.com' for the following reason: The remote server did not respond to a connection attempt."

The above is just an example using a Hotmail destination address. The same kind of message is received when trying to send to addresses on other domains.

What I've tried:

  1. I have sent e-mail manually by using Telnet. The e-mail is created and received by the local SMTP server without issues, but doesn't leave the queue folder.
  2. I have run SmtpDiag against both a Hotmail and a Gmail address. No issues. The MX records are listed as expected.
  3. I have used Nslookup and confirmed that the MX records are resolved.
  4. I have successfully connected to the Hotmail and Gmail SMTP servers using Telnet.
  5. I have used Wireshark and been able to see that my server only tries to access the IP address of the destination e-mail address domain, at port 25. So, for Hotmail, it simply resolves the IP address of hotmail.com (which is 204.79.197.212) and tries to open a connection to this address at port 25. This obviously fails, as there's no SMTP server there. My server never even attempts to access the SMTP server at the address specified in the MX record.

That last item above also ties into an interesting thing that I noticed, which is that the IP address listed in the event 4006 message is not one of the IP addresses listed in the MX records. It is the IP address of the actual hotmail.com domain. So, why is it attempting to contact hotmail.com and not one of the addresses listed in the MX records?

To futher investigate, I used Telnet to send to an e-mail in one of my own domains. Sure enough, I find a 4006 event in the log saying:

"Message delivery to the host '[my domain's IP]' failed while delivering to the remote domain '[my domain]' for the following reason: The connection was dropped by the remote host."

It again appears that the SMTP server is trying to connect to my domain's IP and port 25 and not to the address specified in the MX record.

This is as far as I've come. Maybe I'm misinterpreting something here, but it certainly looks like Windows' SMTP server is trying to connect to the e-mail address' domain directly at port 25 (ignoring MX records)... Any ideas on what I might be doing wrong or perhaps how I should proceed in troubleshooting this?

EDIT: Found a work-around as well as what triggers the issue. See my answer below.


Solution 1:

I have continued investigating this issue and now believe it's a bug in Windows Server 2019. I have in fact found a work-around and also how to reproduce this issue with 100% certainty.

Mail will not be sent correctly if the SMTP service start-up type is set to "Automatic" (i.e. start immediately on boot). However, if the SMTP service is set to manual start and then started manually from either services.msc or from IIS6 manager, e-mail will leave the queue and get delivered to the recipients.

If "Automatic" start-up is used for the service, any attempts to send e-mail will always result in the e-mail getting stuck in the queue and the event 4006 (see initial post for details) getting written to the event log.This is 100% reproducible in my testing.

A work-around is to set the start-up type to "Automatic (Delayed Start)". This will, if I am correctly informed, result in the SMTP service getting started 2 minutes after the last "Automatic" service has been started. This is not an optimal solution, but it'll do for the time being.

For completeness, here's a step-by-step to reproduce the issue:

  1. Install SMTP server feature
  2. Go to IIS6 manager, right-click SMTP virtual server and click "Properties"
  3. Go to the "Access" tab
  4. Click "Connection...", select "Only the list below" and add 127.0.0.1. Click "OK".
  5. Click "Relay...", select "Only the list below" and add 127.0.0.1. Uncheck the checkbox at the bottom of the window. Click "OK".
  6. Click "OK" again to exit the SMTP virtual server properties.
  7. Open services.msc and set the "Simple Mail Transfer Protocol (SMTP)" service startup type to "Automatic"
  8. Reboot the computer and attempt to send e-mail

Note: Steps 2 to 6 are probably not needed to reproduce the issue, but it's the basic setup I've been using.

Solution 2:

In my case, it turned out to be AWS preventing the emails leaving the server.

"Important: Amazon Elastic Compute Cloud (Amazon EC2) restricts Amazon Virtual Private Cloud (Amazon VPC) egress traffic on port 25 for all EC2 instances by default. If your application requires traffic on SMTP port 25, you can request to remove this restriction."

Solution 3:

You will get exactly the same behavior if the machine is a VirtualMachine hosted in Azure. After I have tried MrFika's suggestions above I had no success. It seems the problem is because a Microsoft rule for Azure VM subscription:

Starting on November 15, 2017, outbound email messages that are sent directly to external domains (like outlook.com and gmail.com) from a virtual machine (VM) are made available only to certain subscription types in Azure. Outbound SMTP connections that use TCP port 25 were blocked. (Port 25 is used mainly for unauthenticated email delivery.)

This change in behavior applies only to subscriptions and deployments that were created after November 15, 2017.

The Microsoft article is here: Troubleshoot-outbound-smtp-connectivity

Related

How large is the certificate OCSP and CRL cache in my Windows server?
Can Windows log CryptoAPI CRL timouts?
What's the difference between "sudo su -" and "sudo -i"? [duplicate]
Restarting the httpd service in RHEL returns "Stopping httpd: [FAILED]" - How do I fix this?
AD strategy for users in multiple departments
Can you use your own drives on Dell PowerVault MD3000i?
Setup CNAME for subdomain issue
I had a power outage. Now MySQL's lock file won't go away. What do you suggest?
Jenkins + LDAP Plugin --- Any way to have a login backdoor?
How to soft-restart Windows Server 10 Technical Preview (renamed Insider Preview)?
How to create a VHD file from a folder?
How to migrate windows users and retain passwords?