How to Check Exchange Transport Logs / Troubleshooting Strange Rejections

The agent logs log every message as it comes in, and gives information on rejection/acceptance. If you are trying to figure out where an email is getting blocked, check here to see if it is hitting the server. The logs roll over daily so make sure you open the right one, then Ctrl+F and search for your address. Note that in this case of an example company, the source address was bcgwp@yahoo.com and not his broadcast address of user@domain.com, they have yahoo hosted email and It appears to translate to a yahoo address on their outgoing server. In this instance you may search for bcgwp@yahoo.com. Having the full rejection notice helps in these cases.

C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog

Other things to note are the anti-spam components built into exchange. You can view the IP block/allow lists at Server Configuration -> Hub Transport -> Anti-Spam.

You can enable/disable the content filter, block list, allow list, recipient filter, sender filter, sender id (Checks for spoofed addresses) and sender reputation modules under Organization Configuration -> Hub Transport -> Anti-Spam

Its best to tend to disable the content, sender, and  recipient filtering modules on servers behind Cyberoam that have issues with strange blocks/rejections, and usually doing that works fine.

If the content filter is enabled, you can also add exceptions to the sender filter by this command: (all emails FROM this address pass untouched)

Set-ContentFilterConfig –BypassedSenders address@domain1.com,address@domain2.com,

or use –BypassedSenderDomains domain1.com,domain2.com

Or add an exception to the recipient filter by this command: (all emails TO this address pass untouched

Set-ContentFilterConfig –BypassedRecipients local@address.com

This should all be the same between 2007 and 2010. 2010 also has another way of doing it by creating a transport rule under edge transport, and making it set the SCL to 0 of any emails coming from a certain address (this works as an email address whitelist, in essence)