No mail flow between Exchange servers

  • Question

  • I apologize in advance for the multipost, but I'm not getting much of a response in the SBS group...

    I first noticed this problem when trying to move my Public Folders during a SBS 2003 (SBS SP1, Windows SP2, Exchange SP2) to 2011 Standard (Windows SP1, Exchange SP2) migration.

    It seems that mail flow between my two Exchange servers (2003 and 2010 in SBS 2003 and SBS 2011 respectively) isn't working in either direction.

    On my source server, my routing group connector queue is in retry with the last error status "An SMTP protocol error occurred". If I increase the logging level on MSExchangeTransport on the 2003 server, I receive the following in the Application log:

    Event Type:    Error
    Event Source:    MSExchangeTransport
    Event Category:    SMTP Protocol
    Event ID:    7004
    Date:        7/10/2012
    Time:        11:36:41 AM
    User:        N/A
    Computer:    2003SERVER
    Description:
    This is an SMTP protocol error log for virtual server ID 1, connection #288. The remote host "x.x.x.x", responded to the SMTP command "mail" with "530 5.7.1 Client was not authenticated  ". The full command sent was "MAIL FROM:<2003SERVER-IS@hhsllp.com>  ".  This will probably cause the connection to fail.

    On the SBS 2011 server, the RGC queue last error status is "451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed...."

    As expected, I can telnet to each server on port 25. Here are the EHLO responses if they're of interest:

    SBS 2011 -> SBS 2003:
    250-SIZE
    250-DSN
    250-VRFY
    250-AUTH GSSAPI NTLM
    250 OK

    SBS 2003 -> SBS 2011
    250-SIZE
    250-DSN
    250 AUTH

    - no firewalls or antivirus active
    - Routing Group Connectors have been recreated
    - Tried creating a new Internal receive connector on the SBS 2011 box specifically for the SBS 2003 box (Permission groups: Exchange Servers, Legacy Exchange Servers; Authentication: TLS and Exchange Server)
    - Integrated Windows authentication is enabled on the 2003 Default SMTP Virtual Server
    - No smart host is configured for the 2003 Default SMTP Virtual Server
    - The server's clocks are in sync
    - BPA on 2003 doesn't report any problems.
    - ExBPA on 2011 doesn't report any problems.

    Everything else in this migration has gone smoothly, but with this I'm stumped. Anyone have any ideas?

    Thanks in advance.

    Friday, July 13, 2012 2:15 PM

Answers

  • Yes, this is a simple relaying issue: the receive connectors are denying relaying. It's failing because you're trying to do Exchange Server Authentication. The issue is that unless you've set up service accounts on each end to do the Exchange Server Auth, it will fail. The simplest solution is to just use Externally Secured and add each Exchange server to the relay list. Create a separate connector called "relay", for example.

    Allowing application servers to relay off Exchange Server 2007
    http://blogs.technet.com/b/exchange/archive/2006/12/28/3397620.aspx


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    • Marked as answer by Castinlu Sunday, July 22, 2012 3:39 AM
    Friday, July 13, 2012 2:40 PM
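    The following is an added example, written for this page rather than taken from the thread or from the linked TechNet post, of how the Externally Secured connector suggested above would be created and checked from the Exchange Management Shell on the Exchange 2010 (SBS 2011) side. The legacy server address, the Hub Transport server name and the connector name are assumptions (the question redacts the address as x.x.x.x). The point worth getting right is scope: an Externally Secured connector treats every peer in its RemoteIPRanges as an authenticated Exchange server with full relay rights, so the range must be exactly the SBS 2003 address, never a subnet.

    ```powershell
    # Added example (not from the thread): a receive connector on the Exchange 2010
    # Hub Transport that is Externally Secured for the legacy Exchange 2003 server only.
    # Assumptions (hypothetical, not from the original post):
    #   $LegacyIP  - the SBS 2003 server's address (redacted as x.x.x.x in the question)
    #   $HubServer - the SBS 2011 (Exchange 2010) server name
    #   $Name      - the connector name
    # Run in the Exchange Management Shell on the Exchange 2010 server.

    $LegacyIP  = '192.0.2.10'        # assumed; replace with the SBS 2003 server's address
    $HubServer = $env:COMPUTERNAME   # assumed; the SBS 2011 server
    $Name      = 'Legacy 2003 Relay'

    # 1. Inspect which connector currently answers the legacy server.
    #    Exchange picks the connector whose RemoteIPRanges is the most specific match for
    #    the client address, so a wide-open default connector keeps answering the 2003
    #    server until a narrower one exists.
    Get-ReceiveConnector -Server $HubServer |
        Select-Object Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups |
        Format-List

    # 2. Create a dedicated connector scoped to the 2003 server's address.
    #    ExternalAuthoritative ("Externally Secured") tells Exchange the link is trusted
    #    out of band: the peer is treated as an authenticated server, may relay anywhere
    #    and bypasses anti-spam. That is why RemoteIPRanges must be one host, and why
    #    PermissionGroups must include ExchangeServers (Exchange rejects it otherwise).
    if (-not (Get-ReceiveConnector -Server $HubServer | Where-Object { $_.Name -eq $Name })) {
        New-ReceiveConnector -Name $Name `
            -Server $HubServer `
            -Usage Custom `
            -Bindings '0.0.0.0:25' `
            -RemoteIPRanges $LegacyIP `
            -AuthMechanism ExternalAuthoritative `
            -PermissionGroups ExchangeServers
    }

    # 3. Verify the scope: exactly one address, and it is the legacy server.
    $rc = Get-ReceiveConnector -Identity "$HubServer\$Name"
    if ("$($rc.RemoteIPRanges)" -ne $LegacyIP) {
        throw "Connector '$Name' is scoped to '$($rc.RemoteIPRanges)' rather than '$LegacyIP'"
    }

    # 4. Audit: list any connector on the server that grants anonymous relay
    #    (ms-Exch-SMTP-Accept-Any-Recipient to ANONYMOUS LOGON), which is the other
    #    relay method and is easy to leave behind on the default connector after testing.
    Get-ReceiveConnector -Server $HubServer |
        Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue |
        Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' } |
        Select-Object Identity, ExtendedRights
    ```

    The audit in step 4 is the check to run after the migration: once the Exchange 2003 server is decommissioned, the scoped connector should be removed, and any anonymous-relay permission added while troubleshooting (as in the follow-up below, where enabling "Anonymous users" made relay work) should not survive on the default connector.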
  • Thanks for the help, all. In the end, I was unable to find a solution and ended up manually extracting what little data was required, forcibly removing the PF store on the 2003 server and creating a new PF store on the 2010 server.

    • Marked as answer by jayatnos Monday, July 23, 2012 2:44 PM
    Monday, July 23, 2012 2:44 PM

All replies

  • Thanks for the reply, @Jamestechman:

    If I enable "Anonymous users" on the receive connector, I can relay from 2003 to 2010. However, with that enabled, the error in the receive connector transport log changes from "530 5.7.1 Client was not authenticated," to "451 4.7.0 Timeout waiting for client input"

    Friday, July 13, 2012 4:46 PM
  • hi,

    According to the error information, I think we must make sure that the network is fine. It means that you should check the bandwidth of the connection. Every time I see this error, it is caused by the bandwidth.

    On the Exchange side you can increase the timeouts. Try the cmds below:
    Get-ReceiveConnector | Set-ReceiveConnector -ConnectionInactivityTimeout 00:05:00
    (this raises it from the default of 1 min to 5 min)
    Get-ReceiveConnector | Set-ReceiveConnector -ConnectionTimeout 00:10:00
    (this raises it from the default of 5 min to 10 min)

    Hope this can help you.

    thanks,


    CastinLu

    TechNet Community Support

    • Marked as answer by Castinlu Sunday, July 22, 2012 3:39 AM
    • Unmarked as answer by jayatnos Monday, July 23, 2012 2:41 PM
    Monday, July 16, 2012 8:16 AM