Delivery is delayed to these recipients or groups: Diagnostic-Code: smtp;400 4.4.7 (TLS)

    Question

  • Hi Guys,

    I have the same problem like others but a bit different, that's why I decided to post here.

    Yesterday I set TLS on my Exchange Server 2010 WS 2008 Standard R2. It is set to force TLS for the BANK domains. One of our users sent an email to the bank and received this message:

    From: Microsoft Outlook <MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@domain.com>
    Date: 20 October 2011 20:09:44 GMT+01:00
    To: <myuser@domain.com>
    Subject: Delivery delayed:ABC - TLS Setup [Scanned]

    Delivery is delayed to these recipients or groups:

    external.user@bank.com (external.user@bank.com)

    Subject: ABC - TLS Setup [Scanned]

    This message hasn't been delivered yet. Delivery will continue to be attempted.

    The server will keep trying to deliver this message for the next 1 days, 19 hours and 55 minutes. You'll be notified if the message can't be delivered by that time.

    Reporting-MTA: dns;EXCHANGE.domain.local
    Received-From-MTA: dns;domain.com
    Arrival-Date: Thu, 20 Oct 2011 15:05:35 +0000
    Final-Recipient: rfc822;external.user@bank.com
    Action: delayed
    Status: 4.4.7
    Diagnostic-Code: smtp;400 4.4.7 Message delayed
    Will-Retry-Until: Sat, 22 Oct 2011 16:05:35 +0100
    X-Display-Name: external.user@bank.com

    Received: from EXCHANGE.domain.local ([fe80::447f:389d:5620:98de]) by exchange.domain.local ([fe80::447f:389d:5620:98de%10]) with mapi; Thu, 20 Oct 2011 16:05:35 +0100
    From: My User
    To: "External.User@bank.com"
    Subject: ABC - TLS Setup [Scanned]
    Thread-Topic: ABC - TLS Setup [Scanned]
    Thread-Index: AcyPObfcRLGCe4V9Tz2pHoqdJ2CXfw==
    Date: Thu, 20 Oct 2011 15:05:34 +0000
    Message-ID: <37525C232131684E9F89431019B673BE01310487@exchange.domain.local>
    Accept-Language: en-GB, en-US
    Content-Language: en-US
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator:
    Content-Type: multipart/related; boundary="_006_37525C232131684E9F89431019B673BE01310487exchange2010icw_"; type="multipart/alternative"
    MIME-Version: 1.0

    I don't receive this message when sending to any other user externally. Thanks Guys


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.Or please vote as helpful.
    • Edited by Mshak Friday, October 21, 2011 10:10 AM spelling
    Friday, October 21, 2011 10:04 AM

Answers

  •  

    Hi Guys,

    In the end I had to log a call with Microsoft and found the problem.

    I was using the default send connector to send TLS email which was causing problem to stay in the queue and this error Delivery is delayed to these recipients or groups: Diagnostic-Code: smtp;400 4.4.7.

    After creating new send connector and putting all the Bank's domains in new connector everything was working fine.

    Bank received the email in TLS which is very good BUT when they were trying to send an email or (make a telnet session) they were getting the message that my domain doesn't support TLS the reason is why my client (the domain I am working on) they were using 3rd party (I think eclipse or something) for spam filtering which was the first contact the emails go and they deliver the email after the filter and they do not support TLS so that's why the Bank had problem sending us TLS email.

    So how did we fix this problem:

    I sent the Bank my public IP address so they created a new send connector on their side so they can send the email directly to my Exchange Server, not to the 3rd party spam filter company. (If you want to do this make sure you TRUST that company and know they will not send spams).

    Everything is working fine.



    • Marked as answer by Mshak Wednesday, March 28, 2012 9:21 AM
    Wednesday, March 28, 2012 9:21 AM

All replies

  • Hi,

    Try to enable SMTP logging on the send connector and see if that tells you what the problem with the connection is.

    Leif

    Friday, October 21, 2011 10:11 AM
  • Hi Guys,

    Yes I have enabled the SMTP Logs on Send and Receive Connector, but don’t understand them :)

    Just quick update. I have seen Error 11016 in the event and I have tried to send the email again to bank and I have seen there are 4 messages in the Exchange Queue with the following message: 451 4.4.0 Primary Target IP address responded with "421.4.4.2 unable to connect." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

     


    Friday, October 21, 2011 10:56 AM
  • Hi,

    Maybe you can then post a small part of the send connector log here - the part where it tries to connect to the bank. You can edit the trace for security

    You know for sure that the bank accepts TLS traffic?

    Leif

    Friday, October 21, 2011 11:03 AM
  • Hi Leif,

    Thanks for the reply. Here is the send connector logs 1.1.1.1:25 is the Bank IP

    This is what I think you were looking for if not then please let me know.

    2011-10-21T11:13:14.166Z,To Internet,08CE5DF9182397D1,0,,1.1.1.1:25,*,,attempting to connect

    2011-10-21T11:13:14.182Z,To Internet,08CE5DF9182397D1,1,10.0.0.16:62589, 1.1.1.1:25,+,,

    2011-10-21T11:13:14.198Z,To Internet,08CE5DF9182397D1,2,10.0.0.16:62589, 1.1.1.1:25,<,220 symailserver.bank.co.uk,

    2011-10-21T11:13:14.198Z,To Internet,08CE5DF9182397D1,3,10.0.0.16:62589, 1.1.1.1:25,>,EHLO exchange2010.mycompany.local,

    2011-10-21T11:13:14.212Z,To Internet,08CE5DF9182397D1,4,10.0.0.16:62589,1.1.1.1:25,<,250-ESMTP Server Ready,

    2011-10-21T11:13:14.212Z,To Internet,08CE5DF9182397D1,5,10.0.0.16:62589, 1.1.1.1:25,<,250-SIZE 52428800,

    2011-10-21T11:13:14.212Z,To Internet,08CE5DF9182397D1,6,10.0.0.16:62589, 1.1.1.1:25,<,250-DSN,

    2011-10-21T11:13:14.212Z,To Internet,08CE5DF9182397D1,7,10.0.0.16:62589, 1.1.1.1:25,<,250-STARTTLS,

    2011-10-21T11:13:14.213Z,To Internet,08CE5DF9182397D1,8,10.0.0.16:62589, 1.1.1.1:25,<,250 TLS,

    2011-10-21T11:13:14.213Z,To Internet,08CE5DF9182397D1,9,10.0.0.16:62589, 1.1.1.1:25,>,STARTTLS,

    2011-10-21T11:13:14.227Z,To Internet,08CE5DF9182397D1,10,10.0.0.16:62589, 1.1.1.1:25,<,220 Server ready Ready to start TLS,

    2011-10-21T11:13:14.227Z,To Internet,08CE5DF9182397D1,11,10.0.0.16:62589, 1.1.1.1:25,*,,Sending certificate

    2011-10-21T11:13:14.227Z,To Internet,08CE5DF9182397D1,12,10.0.0.16:62589, 1.1.1.1:25,*,CN=exchange2010,Certificate subject

    2011-10-21T11:13:14.227Z,To Internet,08CE5DF9182397D1,13,10.0.0.16:62589, 1.1.1.1:25,*,CN=exchange2010,Certificate issuer name

    2011-10-21T11:13:14.227Z,To Internet,08CE5DF9182397D1,14,10.0.0.16:62589, 1.1.1.1:25,*,2699D175847CCDAE422D20E4FC31E9F7,Certificate serial number

    2011-10-21T11:13:14.227Z,To Internet,08CE5DF9182397D1,15,10.0.0.16:62589, 1.1.1.1:25,*,93ED1EDD4B49F710083D155011480955FD8C02DF,Certificate thumbprint

    2011-10-21T11:13:14.228Z,To Internet,08CE5DF9182397D1,16,10.0.0.16:62589,193.108.72.62:25,*,exchange2010;exchange2010mycompany.local,Certificate alternate names

    2011-10-21T11:13:14.266Z,To Internet,08CE5DF9182397D1,17,10.0.0.16:62589, 1.1.1.1:25,*,,Received certificate

    2011-10-21T11:13:14.266Z,To Internet,08CE5DF9182397D1,18,10.0.0.16:62589, 1.1.1.1:25,*,0241A7ED0C2E620EB313ADD0486B759F31686C4D,Certificate thumbprint

    2011-10-21T11:13:14.267Z,To Internet,08CE5DF9182397D2,0,,1.1.1.2:25,*,,attempting to connect
    2011-10-21T11:13:14.268Z,To Internet,08CE5DF9182397D1,19,10.0.0.16:62589,1.1.1.1:25,>,QUIT,
    2011-10-21T11:13:14.283Z,To Internet,08CE5DF9182397D1,20,10.0.0.16:62589,1.1.1.1:25,<,221 Service closing transmission channel closing connection,
    2011-10-21T11:13:14.283Z,To Internet,08CE5DF9182397D1,21,10.0.0.16:62589,1.1.1.1:25:25,-,,Local


    • Edited by Mshak Friday, October 21, 2011 11:59 AM more detail
    Friday, October 21, 2011 11:55 AM
  • Update

    I have bought new SSL certificate for TLS and imported into exchange. There was already an old CA certificate in exchange with message This certificate is not valid for exchange so that's why I bought new one. And this certificate is still in the exchange I haven't removed it from the exchange. My new certificate is the default certificate.

    Now I have configured the TLS and the similar message is in the Queue:

    "451 4.4.0 Primary Target IP address responded with 454 4.7.5 Certificate Validation Failure....Attempted failover to alternative host but that did not succeed. Either there are no alternative hosts or delivery failed to all alternative hosts"

    Guy any help?

     


    Friday, October 28, 2011 1:46 PM
    1. Can you get out on the internet from that Exch server?
    2. The 'old' certificate, if not being used can you remove that if it's assigned to any service?
    3. Use Get-ExchangeCertificate to see what certs are there and what they are assigned to
    4. The new cert you got, does that match the FQDN of the server/send connector?
    5. I assume this issue is for only TLS connections?  If yes, is it for all external TLS comms or just this one bank?

    Sukh
    Friday, October 28, 2011 3:10 PM
  • Hi Sukh

    1: Yes I can go to internet send and receive emails.

    2: Old Cert is still in exchange I didn't remove it. The Services assigned to it are: POP, IMAP and SMTP. My Manager said no he can't remove that until new is working fine.

    New Cert has Services Assigned to it POP, IMAP, IIS and SMTP

    3: Yes I can see all three Cert in Shell: 1= Self, 2=Old (CA) and 3=New Cert (CA)

    4: Send connector has name server.company.local but New Cert doesn't. This is what we are try to change with Go Daddy

    5: When the TLS was enabled the email sent to bank.com stayed in the queue with the same message as above, but once I temporarily disabled the TLS and removed the Bank.com from secure send domain list it delivered the message.

    But same time my Exchange is get very long queue doesn't matter if the TLS is on or not with "421.4.4.2 unable to connect."attempted failover to alternate host and "421.4.4.2 DNS Query Failed.


    Friday, October 28, 2011 3:47 PM
  • But same time my Exchange is get very long queue doesn't matter if the TLS is on or not with "421.4.4.2 unable to connect."attempted failover to alternate host and "421.4.4.2 DNS Query Failed.

    hi had the same error ... 421.4.2.2. DNS query failed and i end up with reverse DNS error... please check if your reverse DNS entries are resolving fine...

    Thanks
    Happiness Always
    Jatin
    Friday, October 28, 2011 3:58 PM
    1. What about sending to other domains?
    2. Any other partners that use TLS?
    3. Also check your PTR record as mentioned, make sure it has the correct IP?
    4. If the queues are clear, at any time, what happens when you send to google or hotmail?

    Sukh
    Friday, October 28, 2011 6:50 PM
  • Update

    Thanks Guys for reply, It was weekend here so couldn't test anything.

    We have changed something in our Certificate I think something subject Alternative name. I have enabled the TLS again, and seen some logs in send Connector. I can see the ehlo and other messages between mail servers. Then it asks for TLS and starts the TLS and sends the certificate and I can see our certificate CA name and our server names or Alternative names and then certificate received message. But this is with our third party company not with bank domain. I am not sure in logs if anything happening or it worked fine, I don't know if this is working or not.

    Is there any chance I can send you the logs and you can have a look?

    We have checked the Reverse DNS and everything looks fine


    Monday, October 31, 2011 12:35 PM
  • You can post the logs if you wish, but the test with the bank would be good, that's where you had the issue, can't you test that ?
    Sukh
    Monday, October 31, 2011 12:57 PM
  • hi sukh

    I have sent an email to the Bank and it is still in the queue with 454 4.7.5 Certificate Validation Failure error message.

    I have found this TLS with some other domain, couldn't see anything with the Bank domain in send connector logs.

    2011-10-31T14:00:19.298Z,To Internet,08CE65E69D46F0DB,17,10.0.0.16:56071,192.109.148.32:25,-,,Local
    2011-10-31T14:00:29.320Z,To Internet,08CE65E69D46F0DD,0,,194.106.220.51:25,*,,attempting to connect
    2011-10-31T14:00:29.341Z,To Internet,08CE65E69D46F0DD,1,10.0.0.16:56073,194.106.220.51:25,+,,
    2011-10-31T14:00:29.356Z,To Internet,08CE65E69D46F0DD,2,10.0.0.16:56073,194.106.220.51:25,<,220 server-15.tower-92.messagelabs.com ESMTP,
    2011-10-31T14:00:29.356Z,To Internet,08CE65E69D46F0DD,3,10.0.0.16:56073,194.106.220.51:25,>,EHLO mail.icwuk.com,
    2011-10-31T14:00:29.366Z,To Internet,08CE65E69D46F0DD,4,10.0.0.16:56073,194.106.220.51:25,<,250-server-15.tower-92.messagelabs.com,
    2011-10-31T14:00:29.366Z,To Internet,08CE65E69D46F0DD,5,10.0.0.16:56073,194.106.220.51:25,<,250-STARTTLS,
    2011-10-31T14:00:29.366Z,To Internet,08CE65E69D46F0DD,6,10.0.0.16:56073,194.106.220.51:25,<,250-PIPELINING,
    2011-10-31T14:00:29.366Z,To Internet,08CE65E69D46F0DD,7,10.0.0.16:56073,194.106.220.51:25,<,250 8BITMIME,
    2011-10-31T14:00:29.366Z,To Internet,08CE65E69D46F0DD,8,10.0.0.16:56073,194.106.220.51:25,>,STARTTLS,
    2011-10-31T14:00:29.400Z,To Internet,08CE65E69D46F0DD,9,10.0.0.16:56073,194.106.220.51:25,<,220 ready for TLS,
    2011-10-31T14:00:29.400Z,To Internet,08CE65E69D46F0DD,10,10.0.0.16:56073,194.106.220.51:25,*,,Sending certificate
    2011-10-31T14:00:29.400Z,To Internet,08CE65E69D46F0DD,11,10.0.0.16:56073,194.106.220.51:25,*,"CN=icwuk.com, OU=Domain Control Validated, O=icwuk.com",Certificate subject
    2011-10-31T14:00:29.400Z,To Internet,08CE65E69D46F0DD,12,10.0.0.16:56073,194.106.220.51:25,*,"SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=""GoDaddy.com, Inc."", L=Scottsdale, S=Arizona, C=US",Certificate issuer name
    2011-10-31T14:00:29.400Z,To Internet,08CE65E69D46F0DD,13,10.0.0.16:56073,194.106.220.51:25,*,0792086AFA48A5,Certificate serial number
    2011-10-31T14:00:29.400Z,To Internet,08CE65E69D46F0DD,14,10.0.0.16:56073,194.106.220.51:25,*,78D2860AB67B67AAB37EFB55B6748B64DF8F63FF,Certificate thumbprint
    2011-10-31T14:00:29.400Z,To Internet,08CE65E69D46F0DD,15,10.0.0.16:56073,194.106.220.51:25,*,icwuk.com;www.icwuk.com;owa.icwuk.com;mail.icwuk.com;autodiscover.icwuk.com;autodiscover.icwuk.local;autodiscover.incorporatewear.co.uk;icwuk.local;inworkwear.com;incorporatewear.co.uk;exchange2010.icwuk.local,Certificate alternate names
    2011-10-31T14:00:29.538Z,To Internet,08CE65E69D46F0DD,16,10.0.0.16:56073,194.106.220.51:25,*,,Received certificate
    2011-10-31T14:00:29.538Z,To Internet,08CE65E69D46F0DD,17,10.0.0.16:56073,194.106.220.51:25,*,645879D368025355683022530BE151ABABEA75B3,Certificate thumbprint
    2011-10-31T14:00:29.538Z,To Internet,08CE65E69D46F0DD,18,10.0.0.16:56073,194.106.220.51:25,>,EHLO mail.icwuk.com,
    2011-10-31T14:00:29.554Z,To Internet,08CE65E69D46F0DD,19,10.0.0.16:56073,194.106.220.51:25,<,250-server-15.tower-92.messagelabs.com,
    2011-10-31T14:00:29.554Z,To Internet,08CE65E69D46F0DD,20,10.0.0.16:56073,194.106.220.51:25,<,250-PIPELINING,
    2011-10-31T14:00:29.554Z,To Internet,08CE65E69D46F0DD,21,10.0.0.16:56073,194.106.220.51:25,<,250 8BITMIME,
    2011-10-31T14:00:29.555Z,To Internet,08CE65E69D46F0DD,22,10.0.0.16:56073,194.106.220.51:25,*,2945111,sending message
    2011-10-31T14:00:29.555Z,To Internet,08CE65E69D46F0DD,23,10.0.0.16:56073,194.106.220.51:25,>,MAIL FROM:<user.name@icwuk.com>,
    2011-10-31T14:00:29.555Z,To Internet,08CE65E69D46F0DD,24,10.0.0.16:56073,194.106.220.51:25,>,RCPT TO:<external.user@stagecoachbus.com>,
    2011-10-31T14:00:29.608Z,To Internet,08CE65E69D46F0DD,25,10.0.0.16:56073,194.106.220.51:25,<,250 OK,
    2011-10-31T14:00:29.609Z,To Internet,08CE65E69D46F0DD,26,10.0.0.16:56073,194.106.220.51:25,<,250 OK,
    2011-10-31T14:00:29.609Z,To Internet,08CE65E69D46F0DD,27,10.0.0.16:56073,194.106.220.51:25,>,DATA,
    2011-10-31T14:00:29.618Z,To Internet,08CE65E69D46F0DD,28,10.0.0.16:56073,194.106.220.51:25,<,354 go ahead,
    2011-10-31T14:00:29.765Z,To Internet,08CE65E69D46F0DD,29,10.0.0.16:56073,194.106.220.51:25,<,250 ok 1320069629 qp 15191 server-15.tower-92.messagelabs.com!1320069629!59591446!1,
    2011-10-31T14:00:29.766Z,To Internet,08CE65E69D46F0DD,30,10.0.0.16:56073,194.106.220.51:25,>,QUIT,
    2011-10-31T14:00:29.777Z,To Internet,08CE65E69D46F0DD,31,10.0.0.16:56073,194.106.220.51:25,<,221 server-15.tower-92.messagelabs.com,
    2011-10-31T14:00:29.777Z,To Internet,08CE65E69D46F0DD,32,10.0.0.16:56073,194.106.220.51:25,-,,Local

     

    I'm not sure where I am going wrong, I'm not sure if my TLS configuration is working or not.


    Monday, October 31, 2011 2:27 PM
  • Update  These are receive connector's logs. We are not receiving email from the bank.

    2011-10-31T13:29:39.623Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,3,10.0.0.16:25,212.104.129.56:54878,<,EHLO punt02css.ch.as12513.net,
    2011-10-31T13:29:39.624Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,4,10.0.0.16:25,212.104.129.56:54878,>,250-exchange2010.icwuk.local Hello [212.104.129.56],
    2011-10-31T13:29:39.624Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,5,10.0.0.16:25,212.104.129.56:54878,>,250-SIZE,
    2011-10-31T13:29:39.624Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,6,10.0.0.16:25,212.104.129.56:54878,>,250-PIPELINING,
    2011-10-31T13:29:39.624Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,7,10.0.0.16:25,212.104.129.56:54878,>,250-DSN,
    2011-10-31T13:29:39.624Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,8,10.0.0.16:25,212.104.129.56:54878,>,250-ENHANCEDSTATUSCODES,
    2011-10-31T13:29:39.624Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,9,10.0.0.16:25,212.104.129.56:54878,>,250-STARTTLS,
    2011-10-31T13:29:39.624Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,10,10.0.0.16:25,212.104.129.56:54878,>,250-AUTH,
    2011-10-31T13:29:39.624Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,11,10.0.0.16:25,212.104.129.56:54878,>,250-8BITMIME,
    2011-10-31T13:29:39.624Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,12,10.0.0.16:25,212.104.129.56:54878,>,250-BINARYMIME,
    2011-10-31T13:29:39.624Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,13,10.0.0.16:25,212.104.129.56:54878,>,250 CHUNKING,
    2011-10-31T13:29:39.639Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,14,10.0.0.16:25,212.104.129.56:54878,<,MAIL FROM:<bank.user@hsbc.com> SIZE=8826,
    2011-10-31T13:29:39.639Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,15,10.0.0.16:25,212.104.129.56:54878,*,Tarpit for '0.00:00:30',
    2011-10-31T13:30:09.651Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,16,10.0.0.16:25,212.104.129.56:54878,>,530 5.7.1 Not authenticated,
    2011-10-31T13:30:09.651Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,17,10.0.0.16:25,212.104.129.56:54878,<,RCPT TO:<company.user@icwuk.com>,
    2011-10-31T13:30:09.651Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,18,10.0.0.16:25,212.104.129.56:54878,*,Tarpit for '0.00:00:05',
    2011-10-31T13:30:14.659Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,19,10.0.0.16:25,212.104.129.56:54878,>,503 5.5.2 Need mail command,
    2011-10-31T13:30:14.659Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,20,10.0.0.16:25,212.104.129.56:54878,<,DATA,
    2011-10-31T13:30:14.660Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,21,10.0.0.16:25,212.104.129.56:54878,*,Tarpit for '0.00:00:05',
    2011-10-31T13:30:19.691Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,22,10.0.0.16:25,212.104.129.56:54878,>,503 5.5.2 Need mail command,
    2011-10-31T13:30:19.705Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,23,10.0.0.16:25,212.104.129.56:54878,<,RSET,
    2011-10-31T13:30:19.705Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,24,10.0.0.16:25,212.104.129.56:54878,*,Tarpit for '0.00:00:05',
    2011-10-31T13:30:24.707Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,25,10.0.0.16:25,212.104.129.56:54878,>,250 2.0.0 Resetting,
    2011-10-31T13:30:24.707Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,26,10.0.0.16:25,212.104.129.56:54878,<,QUIT,
    2011-10-31T13:30:24.707Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,27,10.0.0.16:25,212.104.129.56:54878,>,221 2.0.0 Service closing transmission channel,
    2011-10-31T13:30:24.707Z,EXCHANGE2010\Default EXCHANGE2010,08CE65E69D46EF9E,28,10.0.0.16:25,212.104.129.56:54878,-,,Local
    2011


    Monday, October 31, 2011 3:53 PM
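
Added example (not part of the thread, and not Microsoft tooling): a reader for the send and receive connector protocol logs posted above that groups lines by session and reports whether STARTTLS was offered, whether mail followed it, and the first 4xx/5xx reply. The field order is taken from the posted logs; the sample lines, the example.* names and the outcome labels are constructed for illustration, and the labels are a heuristic rather than proof that the TLS handshake completed.

```python
import csv

FIELDS = ("ts", "connector", "session", "seq", "local", "remote",
          "event", "data", "context")

# Constructed sample in the layout of the logs posted in the thread
# (documentation IPs, example.* names and session ids S1-S3 are made up).
SAMPLE_LOG = """\
2011-10-21T11:13:14.198Z,To Internet,S1,0,10.0.0.16:62589, 192.0.2.10:25,>,EHLO mail.sender.example,
2011-10-21T11:13:14.212Z,To Internet,S1,1,10.0.0.16:62589, 192.0.2.10:25,<,250-STARTTLS,
2011-10-21T11:13:14.213Z,To Internet,S1,2,10.0.0.16:62589, 192.0.2.10:25,<,250 DSN,
2011-10-21T11:13:14.213Z,To Internet,S1,3,10.0.0.16:62589, 192.0.2.10:25,>,STARTTLS,
2011-10-21T11:13:14.227Z,To Internet,S1,4,10.0.0.16:62589, 192.0.2.10:25,<,220 Ready to start TLS,
2011-10-21T11:13:14.227Z,To Internet,S1,5,10.0.0.16:62589, 192.0.2.10:25,*,"CN=mail.sender.example, O=Sender",Certificate subject
2011-10-21T11:13:14.266Z,To Internet,S1,6,10.0.0.16:62589, 192.0.2.10:25,*,,Received certificate
2011-10-21T11:13:14.268Z,To Internet,S1,7,10.0.0.16:62589, 192.0.2.10:25,>,QUIT,
2011-10-31T14:00:29.356Z,To Internet,S2,0,10.0.0.16:56073,192.0.2.20:25,>,EHLO mail.sender.example,
2011-10-31T14:00:29.366Z,To Internet,S2,1,10.0.0.16:56073,192.0.2.20:25,<,250-STARTTLS,
2011-10-31T14:00:29.366Z,To Internet,S2,2,10.0.0.16:56073,192.0.2.20:25,<,250 8BITMIME,
2011-10-31T14:00:29.366Z,To Internet,S2,3,10.0.0.16:56073,192.0.2.20:25,>,STARTTLS,
2011-10-31T14:00:29.400Z,To Internet,S2,4,10.0.0.16:56073,192.0.2.20:25,<,220 ready for TLS,
2011-10-31T14:00:29.538Z,To Internet,S2,5,10.0.0.16:56073,192.0.2.20:25,*,,Received certificate
2011-10-31T14:00:29.538Z,To Internet,S2,6,10.0.0.16:56073,192.0.2.20:25,>,EHLO mail.sender.example,
2011-10-31T14:00:29.555Z,To Internet,S2,7,10.0.0.16:56073,192.0.2.20:25,>,MAIL FROM:<user@sender.example>,
2011-10-31T14:00:29.608Z,To Internet,S2,8,10.0.0.16:56073,192.0.2.20:25,<,250 OK,
2011-10-31T13:29:39.623Z,Default Receive,S3,0,10.0.0.16:25,198.51.100.7:54878,<,EHLO relay.filter.example,
2011-10-31T13:29:39.624Z,Default Receive,S3,1,10.0.0.16:25,198.51.100.7:54878,>,250-STARTTLS,
2011-10-31T13:29:39.624Z,Default Receive,S3,2,10.0.0.16:25,198.51.100.7:54878,>,250 CHUNKING,
2011-10-31T13:29:39.639Z,Default Receive,S3,3,10.0.0.16:25,198.51.100.7:54878,<,MAIL FROM:<user@bank.example>,
2011-10-31T13:30:09.651Z,Default Receive,S3,4,10.0.0.16:25,198.51.100.7:54878,>,530 5.7.1 Not authenticated,
2011-10-31T13:30:24.707Z,Default Receive,S3,5,10.0.0.16:25,198.51.100.7:54878,<,QUIT,
"""


def parse_sessions(text):
    """Group log rows by session id, each ordered by sequence number."""
    sessions = {}
    # csv handles the quoted certificate fields that contain commas.
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        if len(row) != len(FIELDS) or not row[3].isdigit():
            continue  # '#Fields' header, blank or truncated line
        rec = dict(zip(FIELDS, (col.strip() for col in row)))
        sessions.setdefault(rec["session"], []).append(rec)
    for recs in sessions.values():
        recs.sort(key=lambda r: int(r["seq"]))
    return sessions


def classify(recs):
    """Summarise one session; works for send and receive connector logs."""
    offered = started = mail_seen = mail_after_tls = False
    first_error = None
    for r in recs:
        if r["event"] not in ("<", ">"):
            continue  # '*', '+', '-' rows are informational
        line = r["data"].upper()
        if line in ("250-STARTTLS", "250 STARTTLS"):
            offered = True
        elif line == "STARTTLS":
            started = True
        elif line.startswith("MAIL FROM:"):
            mail_seen, mail_after_tls = True, mail_after_tls or started
        elif line[:3].isdigit() and line[0] in "45" and first_error is None:
            first_error = r["data"]
    outcome = ("mail sent after STARTTLS" if mail_after_tls
               else "STARTTLS begun, no MAIL FROM followed" if started
               else "MAIL FROM in plaintext" if mail_seen
               else "no mail transaction")
    return {"remote": recs[0]["remote"], "starttls_offered": offered,
            "outcome": outcome, "first_error": first_error}


def summarize(text):
    return [dict(session=sid, **classify(recs))
            for sid, recs in parse_sessions(text).items()]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A session that ends in QUIT straight after "Received certificate" (S1) is the pattern to line up with a queued 454 4.7.5 message; an inbound session that was offered STARTTLS but sent MAIL FROM without it (S3) shows the remote side never attempted TLS.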
  • I found this. It might be helpful for you...

    "We opened a case with Microsoft and the first thing they asked us is if we have a Cisco firewall.  We said yes, then I looked at the log and it clearly shows the firewall is the culprit here:

    Oct 29 2011 11:09:42: %ASA-4-507003: tcp flow from outside:<destination mail server IP>/39165 to inside:<internal ip address>/25 terminated by inspection engine, reason - inspector disconnected, dropped packet.

    It turns out that our Cisco ASA firewall had esmtp inspection (PIX equivalent of fixup protocol smtp)turned on. They sent us this article: http://support.microsoft.com/kb/320027 and we disabled fixup protocol smtp 25, and this seems to have more permanently resolved our problem."

    The KB of Microsoft states:
    "This issue may occur in the following situation:
    The Exchange server is placed behind a Cisco PIX or Cisco ASA firewall device.
    -and-
    The PIX or ASA firewall has the Mailguard feature turned on.
    The Auth and Auth login commands (Extended Simple Mail Transfer Protocol [ESMTP] commands) are stripped by the firewall, and this makes the system think that you are relaying from a non-local domain.
    Note: Besides the Cisco PIX or Cisco ASA firewall, there are several firewall products that have SMTP Proxy capabilities that may produce the issues that are mentioned earlier in this article.

    The following is a list of firewall manufacturers whose products have SMTP Proxy features: Watchguard Firebox, Checkpoint and Raptor."

     

    • Proposed as answer by Drs Q Tuesday, November 08, 2011 2:57 PM
    Tuesday, November 08, 2011 2:57 PM