Home » Exchange Server » Exchange Server 2013 and the Inboundproxy.com NDR Message Problem

Exchange Server 2013 and the Inboundproxy.com NDR Message Problem

Exchange Server 2013 has a new feature called Managed Availability. MVP Jeff Guillet has a nice, easy to understand write-up of the feature here. A far more detailed explanation exists on the Exchange team blog if you really want to dive into the topic.

One of the health monitor messages that Managed Availability sends has the following message characteristics:

  • From: inboundproxy@inboundproxy.com
  • To: HealthMailbox<a big long GUID>@<yourdomain>
  • Subject: Inbound proxy probe

If the problem isn’t immediately apparent to you let me get straight to it – Microsoft doesn’t own the inboundproxy.com domain (as far as I can tell from WHOIS records, as of the time of this writing).

Update: As of Cumulative Update 2 this probe email is now sent from inboundproxy@contoso.com instead of @inboundproxy.com.

In fact, the domain was registered several months after Exchange 2013 reached RTM. It is currently “parked” on a fairly common domain parking service called SEDO.

This in itself is not harmful to your Exchange 2013 servers. They’ll continue to operate just fine, and Managed Availability will likely work as it is designed to work.

But what you may begin to notice, as several Exchange 2013 customers are asking me about lately, is a number of messages leaving your organization sent to the inboundproxy@inboundproxy.com address.

So far everyone that has shown me an example of the issue is seeing NDRs being sent to that email address. I’ve seen them as well in my test lab, and I’ve also observed entries in my servers’ Frontend Transport protocol logs such as:

“A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond”

In other words, my server is attempting SMTP connections to the IP address of the SEDO parking server.

Again, I don’t see any specific, proven risk at this stage for any Exchange 2013 servers. At the moment the worst issue I can see is that it reveals the email addresses of your health mailboxes. Whether this can be used for nefarious purposes is unknown to me at this stage.

But in addition to that, it is not very polite to use someone else’s domain name in your product’s code, and may irritate the SEDO server admins if the volume of SMTP connection attempts from Exchange 2013 servers grows too large.

The main purpose of this article at the moment is to shed some light on the matter for those of you out there who begin to notice these types of messages or log entries on your own servers.

As far as I can see there is no remediation for this issue. I suppose configuring a remote domain and disabling NDRs to inboundproxy.com may work, but I don’t know what impact that may have on Managed Availability.

Ideally Microsoft will either acquire the domain (if they haven’t already) or change their code to stop using that domain for health probes. Maybe we’ll see such a change in an upcoming cumulative update release.

Update: Brian Reid has a post with an example on how to find the health issue that is causing the NDRs.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server


    • So it would appear yes. So the issue then is how many scenarios might exist where that can happen?

      Some of the people who have contacted me have confirmed they had an issue at the time, such as a database being offline. So what happens when a whole DAG goes down for a larger organization? What happens if a big slice of Office 365 goes down?

      These are things we don’t really know at this stage.

  1. Chris Brown says:

    Could you not also set up inboundproxy.com as an authoritative domain so that Exchange will try to deliver locally?

    • Perhaps. But I don’t know what impact that might have on the overall operation of Managed Availability.

      Plus, adding a domain you don’t own as an authoritative domain is a bit of a hack job.

    • Brian Reid says:

      Adding it as an domain on Exchange is a workaround. It does not help you find the reason why your HealthMailboxes are rejecting the probe emails. Also, as the probes are sending the messages and not the mailbox that you would create if you added inboundproxy.com domain to Exchange, you might cause the probes to stop sending or receiving as they expect to be able to, and so Managed Availablity will start to “fix” services as it would believe they are not working. The cure is to fix the NDR’s as documented at http://blog.c7solutions.com/2013/06/queues-building-to-inboundproxycom.html

        • Daniel Heuberger says:

          Is the CU2 allready public? The only update my exchange servers are asking for is the anti-spam filter update.
          Today I saw this:
          2014-03-15T18:37:48.580Z,Inbound Proxy Internal Send Connector,08D0FFCB1CB4018C,50,,,>,MAIL FROM: SIZE=0 AUTH=,
          2014-03-15T18:37:48.580Z,Inbound Proxy Internal Send Connector,08D0FFCB1CB4018C,51,,,>,RCPT TO:,
          2014-03-15T18:37:48.580Z,Inbound Proxy Internal Send Connector,08D0FFCB1CB4018C,52,,,<,250 2.1.0 Sender OK,
          2014-03-15T18:37:48.580Z,Inbound Proxy Internal Send Connector,08D0FFCB1CB4018C,53,,,,DATA,
          2014-03-15T18:37:48.596Z,Inbound Proxy Internal Send Connector,08D0FFCB1CB4018C,55,,,<,354 Start mail input; end with .,
          2014-03-15T18:37:48.659Z,Inbound Proxy Internal Send Connector,08D0FFCB1CB4018C,56,,,<,550 5.7.1 Message rejected as spam by Content Filtering.,

        • Daniel Heuberger says:

          I just remembered, I actually had to wait for a CU to even be able to install it (cause of a existing Exchange 2010 Server).
          My Exchange Servers are updated with the latest patches. But for some reason the domain for those emails still seems to be inboundproxy.com.
          Did you hear of anyone else reporting this behaviour with a current installation of Exchange 2013?
          I wonder if it could be cause by having an active Exchange 2010. I just removed the last Exchange 2010 Server a few days ago.

        • Daniel Heuberger says:

          I just checked the Version. Seems the Installation is not updated with the CUs. I was expecting them to be delivered over microsoft update. The direct microsoft update and the WSUS, both didn’t report any missing exchange 2013 updates. I always expected exchange updates to be delivered that way. Did this behaviour change?

  2. I constantly receive errors:
    Execution Context: ‘220 server.mydomain.net Microsoft ESMTP MAIL Service ready at Tue, 25 Feb 2014 14:33:03 +0000EHLO InboundProxyProbe 250-server.endava.net Hello []MAIL FROM: inboundproxy@contoso.com 530 5.7.1 Client was not authenticated ‘

    Is it possible that this cause any Outlook disconnections due to considering FrontEndService unhealthy and restarting it from time to time?

    I’ve created receive connector and let’s see if it help.

Leave a Reply

Your email address will not be published. Required fields are marked *