SMTP IIS Relay – attachments are encoded in email body

email-server iis-7.5 smtp

Server 2008 R2, MS IIS build 7.5 being used as an outgoing SMTP relay only. Session/message limits and attachment limits set to 500 MB per attachment and session. Attachment is between 10-20 KB.

When sending out mass e-mails via our GoldMine CRM software, the attachment comes through in the body of the text as base64 encoding. If I send it out via Outlook it works fine. Sending the e-mail with attachment via GoldMine to an individual comes through just fine. It's only when sending to multiple recipients. This also includes HTML-based e-mails. The HTML will come through as plain text and not parsed.

If I change the outgoing SMTP to use our ISP's server which is also an IIS 7.5 relay (relay.somedomain.com — 66.110.x.x) it goes through with success.

xmail*.myhosting.com is the 3rd party e-mail hosting provider we use to receive our e-mail. We stopped using them as an outgoing host because we were constantly being blacklisted via RBLs.

Here is the e-mail server log:

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2016-05-17 13:12:32
#Fields: date time c-ip cs-username s-computername s-ip s-port cs-method cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) 
2016-05-17 13:12:32 192.168.x.x MAILSVR01.localdomain.com MAILSVR01 192.168.4.15 0 EHLO +MAILSVR01.localdomain.com 250 0 231 36 0 SMTP - -
2016-05-17 13:12:32 192.168.x.x MAILSVR01.localdomain.com MAILSVR01 192.168.4.15 0 MAIL +FROM:<me@ourdomain.com> 250 0 46 33 0 SMTP - -
2016-05-17 13:12:32 192.168.x.x MAILSVR01.localdomain.com MAILSVR01 192.168.4.15 0 RCPT +TO:<email1@ourdomain.com> 250 0 35 32 0 SMTP - -
2016-05-17 13:12:32 192.168.x.x MAILSVR01.localdomain.com MAILSVR01 192.168.4.15 0 RCPT +TO:<email2@ourdomain.com> 250 0 33 30 0 SMTP - -
2016-05-17 13:12:32 192.168.x.x MAILSVR01.localdomain.com MAILSVR01 192.168.4.15 0 RCPT +TO:<email3@ourdomain.com> 250 0 32 29 0 SMTP - -
2016-05-17 13:12:32 192.168.x.x MAILSVR01.localdomain.com MAILSVR01 192.168.4.15 0 RCPT +TO:<email4@ourdomain.com> 250 0 38 35 0 SMTP - -
2016-05-17 13:12:32 192.168.x.x MAILSVR01.localdomain.com MAILSVR01 192.168.4.15 0 RCPT +TO:<email5@ourdomain.com> 250 0 37 34 0 SMTP - -
2016-05-17 13:12:32 192.168.x.x MAILSVR01.localdomain.com MAILSVR01 192.168.4.15 0 RCPT +TO:<email6@ourdomain.com> 250 0 34 31 0 SMTP - -
2016-05-17 13:12:32 192.168.x.x MAILSVR01.localdomain.com MAILSVR01 192.168.4.15 0 DATA +<SjQ5TkVLTShMNzFHJD5QNTk3ODk5NzEy@MAILSVR01> 250 0 130 43284 15 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionResponse MAILSVR01 - 25 - 220+relay.COC.com+Microsoft+ESMTP+MAIL+Service,+Version:+7.5.7600.16385+ready+at++Tue,+17+May+2016+09:12:31+-0400+ 0 0 114 0 0 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionCommand MAILSVR01 - 25 EHLO MAILSVR01.localdomain.com 0 0 4 0 0 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionResponse MAILSVR01 - 25 - 250-relay.somedomain.com+Hello+[66.110.xx.xxx] 0 0 39 0 0 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionCommand MAILSVR01 - 25 MAIL FROM:<sender1@ourdomain.com>+SIZE=43574 0 0 4 0 0 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionResponse MAILSVR01 - 25 - 250+2.1.0+sender1@ourdomain.com....Sender+OK 0 0 44 0 0 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionCommand MAILSVR01 - 25 RCPT TO:<email1@ourdomain.com> 0 0 4 0 0 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionCommand MAILSVR01 - 25 RCPT TO:<email2@ourdomain.com> 0 0 4 0 0 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionCommand MAILSVR01 - 25 RCPT TO:<email3@ourdomain.com> 0 0 4 0 0 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionCommand MAILSVR01 - 25 RCPT TO:<email4@ourdomain.com> 0 0 4 0 0 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionCommand MAILSVR01 - 25 RCPT TO:<email5@ourdomain.com> 0 0 4 0 0 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionCommand MAILSVR01 - 25 RCPT TO:<email6@ourdomain.com> 0 0 4 0 0 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionResponse MAILSVR01 - 25 - 250+2.1.5+email1@ourdomain.com+ 0 0 33 0 0 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionResponse MAILSVR01 - 25 - 250+2.1.5+email2@ourdomain.com+ 0 0 31 0 16 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionResponse MAILSVR01 - 25 - 250+2.1.5+email3@ourdomain.com+ 0 0 35 0 16 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionResponse MAILSVR01 - 25 - 250+2.1.5+email4@ourdomain.com+ 0 0 31 0 16 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionCommand MAILSVR01 - 25 BDAT 43574+LAST 0 0 4 0 16 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionResponse MAILSVR01 - 25 - 250+2.6.0+<RELAYbnGjke2bgzMnJt00001ab6@relay.somedomain.com>+Queued+mail+for+delivery 0 0 78 0 344 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionCommand MAILSVR01 - 25 QUIT - 0 0 4 0 344 SMTP - -
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionResponse MAILSVR01 - 25 - 221+2.0.0+relay.somedomain.com+Service+closing+transmission+channel 0 0 60 0 344 SMTP - -
2016-05-17 13:12:34 192.168.x.x MAILSVR01.localdomain.com MAILSVR01 192.168.4.15 0 QUIT MAILSVR01.localdomain.com 240 1794 79 4 0 SMTP - -

This is how the e-mail is received with headers:

Return-Path: <myemail@ourdomain.com>
Delivered-To: myemail@ourdomain.com
Received: (qmail 26071 invoked from network); 17 May 2016 12:33:54 -0000
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on xsa04.softcom.biz
X-Spam-Level: 
X-Spam-DCC: : xsa04 1323; Body=1 Fuz1=1
X-Spam-Pyzor: 
X-Spam-Status: No, score=-0.1 hits=-0.1 required=5.0 tests=AWL,BAYES_00,
    MISSING_HEADERS,RDNS_NONE,URIBL_BLOCKED autolearn=no version=3.3.1
Received: from unknown (HELO relay.somedomain.com) ([66.110.xx.xx])
          (envelope-sender <myemail@ourdomain.com>)
          by xmail04.myhosting.com (qmail-ldap-1.03) with SMTP
          for <email1@ourdomain.com>; 17 May 2016 12:33:48 -0000
Received: from MAILSVR01.localdomain.com  ([66.110.xx.xx]) by relay.somedomain.com with Microsoft SMTPSVC(7.5.7600.16385);
     Tue, 17 May 2016 08:30:14 -0400
Received: from MAILSVR01.localdomain.com  ([192.168.x.xx]) by MAILSVR01.localdomain.com with Microsoft SMTPSVC(7.5.7601.17514);
     Tue, 17 May 2016 08:30:15 -0400
Date: Tue, 17 May 2016 08:30:15 -0400
From: Travis <myemail@ourdomain.com>
Subject: Test Day 2 #1
Bcc:
Return-Path: myemail@ourdomain.com
Message-ID: <RELAYz2hW3BdeUJt3qL00001ab4@relay.somedomain.com>
X-OriginalArrivalTime: 17 May 2016 12:30:14.0665 (UTC) FILETIME=[DCECC790:01D1B037]

To:  ---redacted--
Message-ID: <SjQ5S09PSyFKWDEgJD5QNTk1MzYyNTEy@MAILSVR01>
Mime-Version: 1.0
Organization: Company Name
X-Mailer: GoldMine [2014.1.0.489]
X-GM-Attachments-Sync-Time: 20160517083014
Content-Type: multipart/mixed; boundary="nqp=nb64=()17phzZSPf"
Return-Path: myemail@ourdomain.com
X-OriginalArrivalTime: 17 May 2016 12:30:15.0874 (UTC) FILETIME=[DDA54220:01D1B037]

--nqp=nb64=()17phzZSPf
Content-Type: text/plain

Test day 2


--nqp=nb64=()17phzZSPf
Content-Type: image/jpeg; name="image9.jpeg"
Content-Disposition: attachment; filename="image9.jpeg"
Content-Transfer-Encoding: base64

/9j/4Q/+RXhpZgAATU0AKgAAAAgACwEPAAIAAAAGAAAAkgEQAAIAAAAJAAAAmAESAAMAAAAB
AAYAAAEaAAUAAAABAAAAogEbAAUAAAABAAAAqgEoAAMAAAABAAIAAAExAAIAAAAGAAAAsgEy
-----removed fluff to cut down for Server Fault character limit----
AKGhrCvfip8DkRkktNfYf9d7fj6/uqwm+K/wSBaSHT9dcdCDcwdPUYhqPrstbN/cy3RXl+B/
/9l=

--nqp=nb64=()17phzZSPf--

Headers for a successful e-mail attachment through our ISP's SMTP.

Subject:Test Day 2 #2
            Date:Tuesday, May 17, 2016 8:43 am
            From:Travis <myemail@ourdomain.com>
            To:<redacted recipients>
            Org:Western Plastics
            X-Mailer:GoldMine [2014.1.0.489]
            MIME Version:1.0
            MIME Type:multipart/mixed; boundary="nqp=nb64=()J6Ske6A0R"
            Message-id:<SjQ5TEtDMSA5QF9JJD5QNTk2MTgyODU4@MAILSVR1>
            Return-Path:<myemail@ourdomain.com>
            Delivered-To:myemail@ourdomain.com
            Received:(qmail 1683 invoked from network); 17 May 2016 12:47:28 
            -0000
            X-Spam-Checker-Version:SpamAssassin 3.3.1 (2010-03-16) on 
            xsa09.softcom.biz
            X-Spam-DCC:: xsa09 1323; Body=1 Fuz1=1
            X-Spam-Status:No, score=0.5 hits=0.5 required=5.0 
            tests=AWL,BAYES_50, RDNS_NONE,URIBL_BLOCKED autolearn=no 
            version=3.3.1
            Received:from unknown (HELO relay.COC.com) ([66.110.220.12])         
             (envelope-sender <myemail@ourdomain.com>)          by 
            xmail08.myhosting.com (qmail-ldap-1.03) with SMTP          for 
            <email1@ourdomain.com>; 17 May 2016 12:47:24 -0000
            Received:from MAILSVR1.localdomain.com ([66.110.xx.xx]) by 
            relay.somedomain.com with Microsoft SMTPSVC(7.5.7600.16385);  Tue, 17 May 
            2016 08:43:54 -0400
            Return-Path:myemail@ourdomain.com
            X-OriginalArrivalTime:17 May 2016 12:43:54.0806 (UTC) 
            FILETIME=[C5C45D60:01D1B039]

            Attachments:\\192.168.x.x\MailBox\Attach\TRAVIS\image7.jpeg




Test Email 2

Best Answer

Finally figured it out after a lot of scrutinizing log files.

The e-mail client was sending DATA, but the internal SMTP server was sending it out to the smart host via BDAT, and evidently this is a potential DDoS issue, and I guess somewhere along the way it was not allowing it to process properly. It's possible that our SonicWall firewall was screwing with it somehow also.

Offending Line:

2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionCommand MAILSVR01 - 25 BDAT 43574+LAST 0 0 4 0 16 SMTP - -

So the solution was to disable BDAT, BINARYMIME and CHUNKING on the local SMTP Server.

Credit/Source Link:

https://adaptivethinking.wordpress.com/2010/12/21/smtp-esmtp-and-the-bdat-baddie/

https://joekiller.com/2007/09/19/bdat-causing-smtp-service-to-drop-email/


In case the link is no longer available, here are the steps they outlined.


Telnet to the mail host and issue the ehlo command. Check the verbs the server returns. It should have BINARYMIME and CHUNKING listed. After these steps you will not have these.


Verify BINARYMIME and CHUNKING are turned on:
telnet localhost 25

Type ehlo

220 MAILSVR Microsoft ESMTP MAIL Service, Version: 7.5.7601.17514 ready at  Tue, 14 Mar 2017 12:18:50 -0400
ehlo
250-MAILSVR Hello [168.1.1.1]
250-TURN
250-SIZE 51200000
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-BINARYMIME
250-CHUNKING
250-8bitmime
250-VRFY
250-TLS
250-STARTTLS
250 OK

Install IIS6.0 Resource Kit

Open IIS Metabase Explorer

Navigate to LM\SmtpSvc\1

Look for SmtpInboundCommandSupportOptions

Here the default value was 7697601. I knew that I wanted to disable the BINARYMIME and CHUNKING verbs so using the table here I subtracted 2097152 (BINARYMIME) and 1048576 (CHUNKING) from 7697601:

7697601 - (2097152 + 1048576) = 4551873

Set the SmtpInboundCommandSupportOptions value to 4551873


Disable BDAT

Navigate to LM\SmtpSvc

Change value of SmtpOutboundCommandSupportOptions from 7 to 5

Close the IIS Metabase Explorer and restart the IIS Admin Service (which in turn restarts the Simple Mail Transfer Protocol (SMTP) service).

Repeat the steps to connect to the server via telnet and verify they have been removed. If they have not, make sure you are in the \1 subdirectory when you make the changes.
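A way to check the steps above, as an added example that is not part of the original answer: it recomputes the metabase values by clearing the flag bits (using the values quoted in the answer), parses an EHLO transcript for the advertised verbs, and scans an IIS SMTP log for outbound BDAT commands. The function names are hypothetical, and the sample transcript and log are constructed from lines shown on this page.

```python
# Added example; flag values are the ones quoted in the answer, and the
# sample transcript and log below are constructed from lines on this page.
BINARYMIME = 2097152  # 0x200000
CHUNKING = 1048576    # 0x100000

SAMPLE_EHLO = """220 MAILSVR Microsoft ESMTP MAIL Service ready
250-MAILSVR Hello [168.1.1.1]
250-SIZE 51200000
250-BINARYMIME
250-CHUNKING
250-8bitmime
250 OK"""

SAMPLE_LOG = """#Fields: date time c-ip cs-username s-computername s-ip s-port cs-method cs-uri-query sc-status
2016-05-17 13:12:32 192.168.x.x MAILSVR01.localdomain.com MAILSVR01 192.168.4.15 0 DATA +<id@MAILSVR01> 250
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionCommand MAILSVR01 - 25 RCPT TO:<email1@ourdomain.com> 0
2016-05-17 13:12:32 66.110.xx.xxx OutboundConnectionCommand MAILSVR01 - 25 BDAT 43574+LAST 0"""

def clear_flags(value, *flags):
    """Clear bits rather than subtract, so re-running on a fixed value is a no-op."""
    for flag in flags:
        value &= ~flag
    return value

def ehlo_keywords(transcript):
    """Extension keywords from the 250 lines of an EHLO reply (greeting line skipped)."""
    replies = [l[4:].strip() for l in transcript.splitlines() if l[:4] in ("250-", "250 ")]
    return {r.split()[0].upper() for r in replies[1:] if r}

def outbound_bdat(log_text):
    """(date, time, remote IP, argument) for every BDAT the relay sent outbound."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            if (row.get("cs-username") == "OutboundConnectionCommand"
                    and row.get("cs-method", "").upper() == "BDAT"):
                hits.append((row["date"], row["time"], row["c-ip"], row["cs-uri-query"]))
    return hits

if __name__ == "__main__":
    print("new inbound value:", clear_flags(7697601, BINARYMIME, CHUNKING))
    print("new outbound value:", clear_flags(7, 2))
    print("still advertised:", sorted(ehlo_keywords(SAMPLE_EHLO) & {"BINARYMIME", "CHUNKING"}))
    print("outbound BDAT:", outbound_bdat(SAMPLE_LOG))
```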
