Scenario
For this client, changing the IP of the Exchange server had the potential to break a lot of devices that connected via IP and not DNS. We had decided early on that we could re-IP the server at the end of the cutover for the end users. We would give the Legacy server a different IP and reboot it. Then we would change the Exchange 2013 IP and reboot it. After 2013 rebooted we would update AutoDiscover and any other DNS records pointed at the Exchange 2013 server.
After this part of the migration the client called me to let me know that several applications they had working prior to the migration were no longer able to relay emails. This was perplexing because we had copied all the RemoteIP Ranges from the Legacy Exchange 2010 connectors using a method similar to this (Ref this URL – .. Jeff Guillet article… ). We verified that the connector IP was correct as well as the IPs allowed to relay through the connector. These values all checked out.
How to troubleshoot?
There are many ways that these devices can connect. The most common is SMTP (port 25). However, applications have been known to utilize IMAP4 and POP3. These two methods are not as common, but there are a plethora of applications that can use these ports for email relay or email retrieval. So we need to review logs. For SMTP the easiest way to do this is the PowerShell cmdlet ‘Get-MessageTrackingLog’. If you’ve just migrated all of your devices from the Legacy Exchange Servers to your new Exchange 2013 servers, then you want to run the cmdlet with a start date of when the last device moved to Exchange 2013. Like this:
Get-MessageTrackingLog -start 2/9/16 -server EX01 |ft timestamp,clientip -auto
This one-liner will give us a quick view into what machines are connecting to Exchange.
If no results are found, then we can safely move on to the next protocol.
IMAP4 and POP3
With IMAP and POP3, there is no tracking log cmdlet. The server logs these connections in a series of log files – IF – logging is turned on. If it is not, then you will not be able to figure out what is connecting. The scripts below will discover the directory for the log files and then parse the log files for the CIP (Client IP) values that we will need to determine if anything is connecting on these ports.
The log files in question look like this:
And the script running looks like this:
The Scripts
Note that these scripts will discover where the POP3 or IMAP logs are located based on the configuration in Exchange.
POP3 Discovery Script
# Define Variables
$cipresults = @()

# Get all Exchange 2010 servers
$servers = (Get-ExchangeServer | Where-Object {$_.AdminDisplayVersion -like "Version 14*"}).Name

foreach ($server in $servers) {
    # Get Files for parsing (the local log path is converted to its admin-share UNC path)
    $location = (Get-PopSettings -Server $server).LogFileLocation
    $path = "\\$Server`\$($location.Replace(':','$'))"
    $files = Get-ChildItem $path
    foreach ($file in $files) {
        # Read each log through its full UNC path
        $csv = Import-Csv -Path $file.FullName
        foreach ($line in $csv) {
            if ($line -notlike "#") {
                # Get the Client IP
                $info = $line.cip
                # Skip the repeated field-name row, whose value is the literal "cip"
                if ($info -ne "cip") {
                    foreach ($value in $info) {
                        if ($value -ne $null) {
                            # Client IP also contains the port number which we will remove here
                            $ID = $value.Split([char]0x003A)
                            $CIP = $ID[0]
                            $cipresults += $CIP
                        }
                    }
                }
            }
        }
    }
}

# Optional - Remove Duplicates
Write-Host " "
Write-Host "List of IP Addresses that connect to the POP3 Service of all the Exchange 2010 Servers" -ForegroundColor Cyan
$cipresults | Sort-Object -Unique
IMAP4 Discovery Script
# Define Variables
$cipresults = @()

# Get all Exchange 2010 servers
$servers = (Get-ExchangeServer | Where-Object {$_.AdminDisplayVersion -like "Version 14*"}).Name

foreach ($server in $servers) {
    # Get Files for parsing (the local log path is converted to its admin-share UNC path)
    $location = (Get-IMAPSettings -Server $server).LogFileLocation
    $path = "\\$Server`\$($location.Replace(':','$'))"
    $files = Get-ChildItem $path
    foreach ($file in $files) {
        # Read each log through its full UNC path
        $csv = Import-Csv -Path $file.FullName
        foreach ($line in $csv) {
            if ($line -notlike "#") {
                # Get the Client IP
                $info = $line.cip
                # Skip the repeated field-name row, whose value is the literal "cip"
                if ($info -ne "cip") {
                    foreach ($value in $info) {
                        if ($value -ne $null) {
                            # Client IP also contains the port number which we will remove here
                            $ID = $value.Split([char]0x003A)
                            $CIP = $ID[0]
                            $cipresults += $CIP
                        }
                    }
                }
            }
        }
    }
}

# Optional - Remove Duplicates
Write-Host " "
Write-Host "List of IP Addresses that connect to the IMAP4 Service of all the Exchange 2010 Servers" -ForegroundColor Cyan
$cipresults | Sort-Object -Unique
Multiple Servers?
The above script is great, but what if there is more than one server to examine? How can we handle multiple servers?
POP3 Multiple:
# Define Variables
$cipresults = @()
$servers = (Get-ExchangeServer).Name

foreach ($server in $servers) {
    # Check to see if the server has the service on
    $pop = Get-Service -ComputerName $server | Where-Object {$_.Name -like "*pop3"}
    if ($pop.Status -ne "Stopped") {
        # Get Files for parsing (the local log path is converted to its admin-share UNC path)
        $location = (Get-PopSettings -Server $server).LogFileLocation
        $path = "\\$Server`\$($location.Replace(':','$'))"
        $files = Get-ChildItem $path
        foreach ($file in $files) {
            # Read each log through the UNC path (not the local $location) so remote servers work
            $csv = Import-Csv -Path $file.FullName
            foreach ($line in $csv) {
                if ($line -notlike "#") {
                    # Get the Client IP
                    $info = $line.cip
                    # Skip the repeated field-name row, whose value is the literal "cip"
                    if ($info -ne "cip") {
                        foreach ($value in $info) {
                            if ($value -ne $null) {
                                # Client IP also contains the port number which we will remove here
                                $ID = $value.Split([char]0x003A)
                                $CIP = $ID[0]
                                $cipresults += $CIP
                            }
                        }
                    }
                }
            }
        }
    } else {
        Write-Host "The server " -ForegroundColor White -NoNewline
        Write-Host "$server" -ForegroundColor Cyan -NoNewline
        Write-Host "'s POP3 service is not started." -ForegroundColor White -NoNewline
        Write-Host " No logs will be analyzed!" -ForegroundColor Yellow
    }
}

# Optional - Remove Duplicates
$cipresults | Sort-Object -Unique
IMAP Multiple:
# Define Variables
$cipresults = @()
$servers = (Get-ExchangeServer).Name

foreach ($server in $servers) {
    # Check to see if the server has the service on
    $imap = Get-Service -ComputerName $server | Where-Object {$_.Name -like "*imap*"}
    if ($imap.Status -ne "Stopped") {
        # Get Files for parsing (the local log path is converted to its admin-share UNC path)
        $location = (Get-IMAPSettings -Server $server).LogFileLocation
        $path = "\\$Server`\$($location.Replace(':','$'))"
        $files = Get-ChildItem $path
        foreach ($file in $files) {
            # Read each log through the UNC path (not the local $location) so remote servers work
            $csv = Import-Csv -Path $file.FullName
            foreach ($line in $csv) {
                if ($line -notlike "#") {
                    # Get the Client IP
                    $info = $line.cip
                    # Skip the repeated field-name row, whose value is the literal "cip"
                    if ($info -ne "cip") {
                        foreach ($value in $info) {
                            if ($value -ne $null) {
                                # Client IP also contains the port number which we will remove here
                                $ID = $value.Split([char]0x003A)
                                $CIP = $ID[0]
                                $cipresults += $CIP
                            }
                        }
                    }
                }
            }
        }
    } else {
        Write-Host "The server " -ForegroundColor White -NoNewline
        Write-Host "$server" -ForegroundColor Cyan -NoNewline
        Write-Host "'s IMAP service is not started." -ForegroundColor White -NoNewline
        Write-Host " No logs will be analyzed!" -ForegroundColor Yellow
    }
}

# Optional - Remove Duplicates
$cipresults | Sort-Object -Unique
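The following is an added example, not one of the original scripts: it goes a step further than the unique-IP list by reporting, per client, how many sessions it opened, which accounts it used and when it was last seen, and it strips the port without splitting on ':' so IPv6 clients are not truncated. The sample log is constructed, and its column layout, the bracketed IPv6 form and the function names are assumptions.

```powershell
# Constructed sample; the column layout is an assumption modelled on the
# cIp field ("address:port") that the scripts above read.
$sampleLog = @'
dateTime,sessionId,seqNumber,sIp,cIp,user,command
#Software: Microsoft Exchange Server
#Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,command
2016-02-09T08:01:12.000Z,0001,0,10.0.0.10:110,10.0.0.51:49211,scanner01,user
2016-02-09T08:01:13.000Z,0001,1,10.0.0.10:110,10.0.0.51:49211,scanner01,pass
2016-02-09T09:15:40.000Z,0002,0,10.0.0.10:110,10.0.0.77:50102,app-svc,user
2016-02-10T07:30:05.000Z,0003,0,[fd00::10]:110,[fd00::51]:61000,app-svc,user
'@

function Get-ClientAddress {
    # Hypothetical helper: strip the port from "a.b.c.d:port" or "[v6]:port".
    param([string]$Endpoint)
    if ($Endpoint -match '^\[(?<ip>[^\]]+)\]:\d+$') { $candidate = $Matches.ip }
    elseif ($Endpoint -match '^(?<ip>\d{1,3}(\.\d{1,3}){3}):\d+$') { $candidate = $Matches.ip }
    else { $candidate = $Endpoint }
    $parsed = $null
    # Header and "#" comment rows do not parse as an address and are dropped here.
    if ($candidate -and [System.Net.IPAddress]::TryParse($candidate, [ref]$parsed)) { return $parsed.ToString() }
    return $null
}

function Get-ClientSummary {
    # Hypothetical helper: one output row per client address found in the log text.
    param([string]$LogText)
    ($LogText -split '\r?\n') | ConvertFrom-Csv |
        ForEach-Object {
            $ip = Get-ClientAddress $_.cIp
            if ($ip) { [pscustomobject]@{ ClientIP = $ip; Session = $_.sessionId; User = $_.user; Time = $_.dateTime } }
        } |
        Group-Object ClientIP |
        ForEach-Object {
            [pscustomobject]@{
                ClientIP = $_.Name
                Sessions = @($_.Group.Session | Sort-Object -Unique).Count
                Users    = ($_.Group.User | Sort-Object -Unique) -join ','
                LastSeen = ($_.Group.Time | Sort-Object | Select-Object -Last 1)
            }
        }
}

Get-ClientSummary $sampleLog | Format-Table -AutoSize
```

On the constructed sample this reports three clients (10.0.0.51, 10.0.0.77 and fd00::51) with one session each.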
What if the services are not started?
POP3
IMAP4
Further Reading
Get-IMAPSettings
Get-POPSettings