Sunday, August 6, 2017

Exchange SpamTitan 421 4.3.2 Maximum Connections Exceeded Limit

I run a SpamTitan Private Cloud Antispam Gateway in my Exchange environment, and it's awesome... probably one of the best spam filters I've run in a long time. And their support is top-notch!
And if you happen to run an ITAR/DFARS/DoD compliant Exchange environment, this solution will work for you as all data is housed on the AWS private cloud in the US.

One thing I started noticing was we had quite a few incoming messages being deferred when flowing from the gateway to my Edge server. It was pretty sporadic, where if I had messages from one external sender to multiple internal recipients, one recipient would receive it and the others wouldn't.

In the SpamTitan console, go to Reporting > History and you'll see messages with Delivery Status of Deferred and Delivery Response with the following:

host [Your Exchange external IP] refused to talk to me: 421 4.3.2 The maximum number of concurrent server connections has exceeded a per-source limit, closing transmission channel (EdgeServer.domain.com)

In my case, I had tons of these going back months. The message will list your Exchange external IP and the server that dropped the connection (this could be your Edge server or your Mailbox servers if they are internet facing).

What was happening was, my Edge server receive connector was still set to default for Max Inbound Connection Per Source, which is 20.

The SpamTitan uses 60 connections according to their support. So, we need to bump up the limit on the Receive Connector.

Fire up the Exchange Management Shell (EMS) on whichever server is internet facing - the Edge in my environment.

Run the following to verify the current settings:

Get-ReceiveConnector | fl *maxin*

You'll get the output of:

MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2

As you can see, a MaxInboundConnectionPerSource of 20 is too low, and the SpamTitan filter will defer those messages until connections become available... or, worst case, bounce those messages if the time limit expires. That's bad because your users won't receive messages, and they won't even know they were supposed to.

We'll bump up the limit to 100, which should suffice for SpamTitan, and give us a little wiggle room without overloading the Exchange server(s).

Run the following:

Get-ReceiveConnector | Set-ReceiveConnector -MaxInboundConnectionPerSource 100

**Note** Some receive connectors on Mailbox servers are set to unlimited, and the cmdlet above changes every receive connector on the server. An Edge server will generally only have one receive connector, but if you're running this anywhere else you'll wanna specify the connector name in the above cmdlet.

Now, you can verify the settings by running the first cmdlet again:

Get-ReceiveConnector | fl *maxin*

You'll get the output of:

MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 100
MaxInboundConnectionPercentagePerSource : 2

You're all set! Now new messages won't be deferred.
Be warned: the messages that were queued as deferred will start flowing in... so you'll get reports from users that they're receiving messages from days ago :)
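
The same change scoped to one named connector, as an added example that is not from the original post: it raises the limit only when the current value is below the target and never lowers a connector that is set to unlimited. `$ConnectorName`, `$Target`, `$Apply` and `Test-NeedsRaise` are names made up for this example, and the connector name is a placeholder you replace with one listed by Get-ReceiveConnector.

```powershell
# Added example: run in the Exchange Management Shell on the internet-facing server.
$ConnectorName = '<connector name from Get-ReceiveConnector>'   # placeholder, not a real name
$Target        = 100      # per-source limit chosen in the post
$Apply         = $false   # $false previews with -WhatIf; set to $true to commit

function Test-NeedsRaise {
    param($Current, [int]$Target)
    # The limit renders as a number or as 'Unlimited'; comparing the string form
    # also works when the object arrives deserialized over remote PowerShell.
    $text = "$Current"
    if ($text -eq 'Unlimited') { return $false }   # never lower an unlimited connector
    return ([int]$text -lt $Target)
}

$connector = Get-ReceiveConnector -Identity $ConnectorName -ErrorAction Stop
$before    = $connector.MaxInboundConnectionPerSource

if (Test-NeedsRaise -Current $before -Target $Target) {
    Set-ReceiveConnector -Identity $connector.Identity `
        -MaxInboundConnectionPerSource $Target -WhatIf:(-not $Apply)
    Write-Host "$($connector.Identity): $before -> $Target (applied: $Apply)"
} else {
    Write-Host "$($connector.Identity): already $before, left unchanged"
}

# Review every connector on this server, so the ones that were not touched are visible too.
Get-ReceiveConnector |
    Format-Table Identity, MaxInboundConnection, MaxInboundConnectionPerSource -AutoSize
```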

**Note** I do not work for SpamTitan, nor did I receive any endorsement from them on this post.
