
Event ID: 7002 Source: MSExchangeTransport

Level
Description
This is an SMTP protocol error log for virtual server ID 1, connection #6. The remote host "221.114.29.145", responded to the SMTP command "xexch50" with "504 Need to authenticate first ". The full command sent was "XEXCH50 1028 2 ". This will probably cause the connection to fail.
Comments
 
This message is recorded under various conditions, and each situation requires a different "fix" based on the response from the SMTP server. The numerical code at the beginning of the response corresponds to the error description that follows it.

A few examples:

- "504 Need to authenticate first" means that the SMTP server only accepts emails from clients that authenticate, so any attempt to send email without valid credentials will fail.

- "550  Requested action not taken: mailbox unavailable". The email address to which the message was addressed does not exist on the SMTP server, so the delivery will fail. Check the full command for the actual email address used (it could be a typo, or the address may no longer be valid). Sometimes, these types of messages are a result of spammers trying to relay email through your server when the server is not configured to only accept messages for specific domains.

- "450 Client host rejected: cannot find your hostname, 145.23.44.186". This may indicate that an Exchange add-on blocks traffic from clients that do not have a host name assigned for their IP address (reverse DNS).

- "452 4.3.1 Out of memory  ". This could be a bug in Exchange or in one of the installed add-ons. See ME329167.

- "453 #4.1.8 Domain of sender address <jdoe@jdoedomain.com> does not exist " - Again, this is antispam protection. In many cases, spammers use domains that don't exist as the "sender" of the email. An SMTP filter configurable through ISA would block emails from such users.

- "421 Service Temporarily Unavailable " - From a newsgroup post: "In our case, after extended troubleshooting, we started to believe that there was some issue with SMTP headers. It turned out that the Netgear Aggregator, which load shares 2 ADSL services on 2 separate phone lines, somehow had been assigned the incorrect static IPs. But, using a replacement Netgear modem-router we were able to set this box to what IP it was supposed to be, and the problem was solved."

- "421 Retiring - psmtp " - This seems to be related to the Postini email service (psmtp.com).

- "451 Requested action aborted:local error in processing" - This can be caused by a problem with the server (bug in Exchange, one of the add-ons or one of the system components used). Sometimes a reboot fixes this.

As per Microsoft: "This event is logged when the Exchange server sends an SMTP command to a remote server and receives a response that is not valid. The virtual server ID indicates which SMTP virtual server issued the command. The remote host indicates the fully qualified domain name of the remote server that responded to the command. The actual command issued, and the response received, are also mentioned in the event. Possible causes for this event include faulty network card drivers and network cards that are configured incorrectly". See MSEX2K3DB for more details.
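
Because the right fix depends on the response text, it helps to pull the remote host, command and reply code out of each Event 7002 description and count them per host. The following Python sketch is an added example, not part of the original page or of any Microsoft tool; the function names are hypothetical, and every sample event except the first (which is the one quoted above) is constructed.

```python
import re
from collections import Counter

# Layout taken from the Event ID 7002 description quoted on this page.
EVENT_RE = re.compile(
    r'virtual server ID (?P<vsid>\d+), connection #(?P<conn>\d+)\. '
    r'The remote host "(?P<host>[^"]+)", responded to the SMTP command '
    r'"(?P<command>[^"]+)" with "(?P<response>[^"]*)"\. '
    r'The full command sent was "(?P<full_command>[^"]*)"')
# Three-digit reply code, optionally followed by an enhanced status code ("4.3.1", "#4.1.8").
REPLY_RE = re.compile(r'(?P<code>[2-5]\d\d)(?!\d)(?:[ -]#?(?P<enhanced>[245]\.\d{1,3}\.\d{1,3}))?')

def parse_7002(description):
    """Return the fields of one Event 7002 description, or None if the text does not match."""
    m = EVENT_RE.search(description)
    if m is None:
        return None
    f = {k: v.strip() for k, v in m.groupdict().items()}
    reply = REPLY_RE.match(f["response"])
    f["code"] = int(reply.group("code")) if reply else None
    f["enhanced"] = reply.group("enhanced") if reply else None
    # SMTP reply classes: 4yz = transient failure, 5yz = permanent failure.
    f["kind"] = {4: "transient", 5: "permanent"}.get((f["code"] or 0) // 100, "other")
    return f

def summarize(descriptions):
    """Count events per (remote host, reply code); unparseable text is counted under None."""
    counts = Counter()
    for text in descriptions:
        f = parse_7002(text)
        counts[(f["host"], f["code"]) if f else None] += 1
    return counts

# Sample events: the first is the one quoted on this page, the others are constructed
# (documentation addresses, reply strings taken from the list above).
TEMPLATE = ('This is an SMTP protocol error log for virtual server ID 1, connection #{n}. '
            'The remote host "{host}", responded to the SMTP command "{cmd}" with "{resp}". '
            'The full command sent was "{full}". '
            'This will probably cause the connection to fail.')
SAMPLES = [
    TEMPLATE.format(n=6, host="221.114.29.145", cmd="xexch50", resp="504 Need to authenticate first ", full="XEXCH50 1028 2 "),
    TEMPLATE.format(n=7, host="192.0.2.10", cmd="rcpt", resp="550  Requested action not taken: mailbox unavailable", full="RCPT TO:<user@example.com> "),
    TEMPLATE.format(n=8, host="192.0.2.10", cmd="rcpt", resp="550  Requested action not taken: mailbox unavailable", full="RCPT TO:<info@example.com> "),
    TEMPLATE.format(n=9, host="192.0.2.25", cmd="mail", resp="452 4.3.1 Out of memory  ", full="MAIL FROM:<user@example.org> "),
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLES).most_common():
        print(n, key)
```

A host that accumulates many 550 replies to RCPT commands is worth checking against the relay scenario described in the list above, while a steady stream of 4yz replies points to a condition on the remote server.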
