Exchange 2010/2013 Coexistence with Exchange 2013 Edge Server

    Question

  • We have Exchange 2010/Exchange 2013 in a coexistence setup and mail has been working fine for a few years.  We're making some changes to our edge, removing the current SMTP Relay Device and replacing it with an Exchange 2013 Edge Server.  I've installed the edge server and Start-EdgeSynchronization shows a success result and Test-EdgeSynchronization shows SyncStatus: Normal.

    Additionally I can connect to port 25 from a PowerShell window just fine.  For test purposes, I've limited the EdgeSync - site to Internet connector to a single domain.  When I try to send mail to a user in that domain I can see the mail stuck in a queue:

    Next Hop                               Delivery Type                                                  Status
    EdgeSync - site to Internet connector  SMTP Relay in Active Directory Site to Edge Transport Server   Retry

    The last Error is:

    451 4.4.0 Primary target IP Address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

    I've tried searching on that but I haven't found anything relevant to my situation (i.e. a lot of Solutions referencing prior versions of Exchange but none that I can make work for me).

    Any suggestions?

    Thursday, October 29, 2015 2:24 PM

Answers

  • Ok so there was an ASA doing inspections, now we've set up a rule to not inspect my test traffic, and it's still an unrecognized command

    I would disable the inspections entirely and test. If you can telnet on port 25 to the same server within the LAN and can see the EHLO verbs, you still have a firewall problem.

    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    Thursday, October 29, 2015 9:30 PM
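As an added example (not code from this thread, from Microsoft, or from Cisco), here is a small Python probe that does what the reply above suggests: it connects to port 25, sends EHLO, and reports which extensions come back, so the same check can be run from inside the LAN and from the DMZ and the two replies compared. It also evaluates three constructed sample replies so it runs offline: a clean Exchange-style reply, one where an inspecting firewall has masked the extensions it does not understand by replacing the verb with X's, and one where EHLO itself is rejected as the original poster saw. Host names, addresses and the reply contents are constructed. X-ANONYMOUSTLS and X-EXPS are the extensions that Exchange Server authentication between Hub and Edge relies on, which is why a masked or missing verb lines up with "451 5.7.3 Cannot achieve Exchange Server authentication".

```python
import re
import socket

# Constructed sample: EHLO reply from an unobstructed Exchange 2013 listener.
SAMPLE_CLEAN = (
    "250-mail01.corp.example Hello [192.0.2.10]\r\n"
    "250-SIZE 37748736\r\n"
    "250-PIPELINING\r\n"
    "250-DSN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-STARTTLS\r\n"
    "250-X-ANONYMOUSTLS\r\n"
    "250-AUTH NTLM\r\n"
    "250-X-EXPS GSSAPI NTLM\r\n"
    "250-8BITMIME\r\n"
    "250-BINARYMIME\r\n"
    "250-CHUNKING\r\n"
    "250 XSHADOWREQUEST\r\n"
)

# Constructed sample: the same reply after an inspecting firewall masked the
# extensions it does not recognise (verb replaced by X's).
SAMPLE_MASKED = (
    "250-mail01.corp.example Hello [192.0.2.10]\r\n"
    "250-SIZE 37748736\r\n"
    "250-PIPELINING\r\n"
    "250-DSN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-STARTTLS\r\n"
    "250-XXXXXXXXXXXXXX\r\n"
    "250-AUTH NTLM\r\n"
    "250-XXXXXX XXXXXX XXXX\r\n"
    "250-8BITMIME\r\n"
    "250 XXXXXXXXXXXXXX\r\n"
)

# Constructed sample: EHLO rejected outright, as the original poster reported.
SAMPLE_REJECTED = "500 5.3.3 Unrecognized command\r\n"

# Extensions that Hub <-> Edge ExchangeServer authentication depends on.
EXCHANGE_AUTH_EXTENSIONS = ("X-ANONYMOUSTLS", "X-EXPS")

_LINE = re.compile(r"^(\d{3})([ -])(.*)$")   # SMTP reply line: code, sep, text
_MASK = re.compile(r"^X{4,}(\s+X+)*$")       # a verb replaced entirely by X's


def parse_ehlo_reply(text):
    """Split a raw EHLO reply into its final status code and advertised keywords."""
    code, extensions = None, []
    lines = [l for l in text.splitlines() if l.strip()]
    for index, line in enumerate(lines):
        m = _LINE.match(line)
        if not m:
            continue
        code = int(m.group(1))
        if index == 0:
            continue  # first line is the greeting, not an extension
        extensions.append(m.group(3).strip())
    return {"code": code, "extensions": extensions}


def masked_extensions(extensions):
    """Return advertised lines that look like a firewall replaced the verb with X's."""
    return [e for e in extensions if _MASK.match(e)]


def assess(text):
    """Classify an EHLO reply from an Exchange Edge/Hub troubleshooting standpoint."""
    parsed = parse_ehlo_reply(text)
    keywords = {e.split()[0].upper() for e in parsed["extensions"] if e.split()}
    masked = masked_extensions(parsed["extensions"])
    accepted = parsed["code"] == 250
    auth_ok = accepted and any(k in keywords for k in EXCHANGE_AUTH_EXTENSIONS)
    if not accepted:
        verdict = "ehlo-rejected"            # something answered, but not an ESMTP server
    elif masked:
        verdict = "extensions-masked"        # classic inline SMTP inspection symptom
    elif not auth_ok:
        verdict = "exchange-auth-unavailable"
    else:
        verdict = "ok"
    return {"code": parsed["code"], "ehlo_accepted": accepted,
            "exchange_auth_possible": auth_ok, "masked": masked, "verdict": verdict}


def _read_reply(rfile):
    """Collect one (possibly multi-line) SMTP reply; the last line has a space after the code."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:
            break
        lines.append(line)
        if len(line) >= 4 and line[3] == " ":
            break
    return "".join(lines)


def probe(host, port=25, helo_name="edge.example.test", timeout=10):
    """Live check: connect, send EHLO, return the raw reply (helo_name is a constructed placeholder)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("r", encoding="ascii", errors="replace", newline="\r\n")
        _read_reply(rfile)                                  # 220 banner
        sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
        reply = _read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
        return reply


if __name__ == "__main__":
    import sys
    text = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CLEAN
    print(assess(text))
```

Run it against the Hub server from the Edge and then from a host on the Hub's own VLAN; if the LAN run returns "ok" and the DMZ run returns "ehlo-rejected" or "extensions-masked", the difference is the path between them, not the connectors.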

All replies

  • Have you messed with the on-prem default receive connector at all or have a custom receive connector that has the IP of the Edge Server in it?

    When you telnet from the Edge to the Exchange server on port 25 and issue an EHLO, what verbs do you see? Can you post that?

    Note Edge syncs to an AD site, not a domain.


    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    Thursday, October 29, 2015 3:02 PM
  • Just for clarification, I'm not trying to sync to a domain, I'm just limiting that connector to sending e-mail to one external domain for test purposes. But that's of course not working :)

    To the first point, the DMZ where the new edge server has been placed is new, so the IP hasn't been defined anywhere prior to building this out.

    To the second point, that result is as bad as the error message suggests. The EHLO comes back with "Unrecognized command" so not much of a screen shot to show.

    I'm inclined to believe there's an auth error somewhere. Many of the posts I've found on this reference changing the permissions on the receive connector, but this has been for prior versions of Exchange; for the 2013 edge I don't see a defined receive connector in the admin tools or a way to create one (as shown in old posts).  The only connectors I see are the two default connectors created when the subscription was configured.

    As for the Edge server directly, it's basically a new install:

    [PS] E:\temp$>Get-ReceiveConnector | fl

    AuthMechanism                           : Tls, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {0.0.0.0:25}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : True
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : FQDN Replaced
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:05:00
    ConnectionInactivityTimeout             : 00:01:00
    MessageRateLimit                        : 600
    MessageRateSource                       : IPAddress
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 128 KB (131,072 bytes)
    MaxHopCount                             : 60
    MaxLocalHopCount                        : 5
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 35 MB (36,700,160 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : AnonymousUsers, ExchangeServers, Partners
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : None
    RemoteIPRanges                          : {0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : ServerName
    TransportRole                           : HubTransport
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Default internal receive connector ServerName
    DistinguishedName                       : CN=Default internal receive connector ServerName,CN=SMTP Receive Connectors,CN=Protocols,CN=ServerName,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,CN={FAB62B12-566A-4000-9F9F-C3D16ACC2D11}
    Identity                                : ServerName\Default internal receive connector ServerName
    Guid                                    : a95db765-a1a9-4c9a-a96a-a1a89813073a
    ObjectCategory                          : CN=ms-Exch-Smtp-Receive-Connector,CN=Schema,CN=Configuration,CN={FAB62B12-566A-4000-9F9F-C3D16ACC2D11}
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 9/30/2015 5:17:59 PM
    WhenCreated                             : 9/30/2015 4:49:05 PM
    WhenChangedUTC                          : 9/30/2015 9:17:59 PM
    WhenCreatedUTC                          : 9/30/2015 8:49:05 PM
    OrganizationId                          :
    Id                                      : ServerName\Default internal receive connector ServerName
    OriginatingServer                       : localhost
    IsValid                                 : True
    ObjectState                             : Unchanged

    Thursday, October 29, 2015 3:36 PM
  • To the second point, that result is as bad as the error message suggests. The EHLO comes back with "Unrecognized command" so not much of a screen shot to show.

    Sounds like you have a Firewall in between the servers that is using SMTP inspection? Perhaps a CISCO?


    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    Thursday, October 29, 2015 4:53 PM
  • Hmmm, we do have a CISCO ASA in there, I'll have to grab my network guy when he's free.  It's supposed to be open but this wouldn't be the first time something was only partly open.
    Thursday, October 29, 2015 5:52 PM
  • Ok so there was an ASA doing inspections, now we've set up a rule to not inspect my test traffic, and it's still an unrecognized command
    Thursday, October 29, 2015 9:18 PM
  • Thanks for the pointer. The network guy was insisting that it was configured correctly. I still have some work to do to make this work, but to prove the point we temporarily moved the interface (the Edge server is a VM) to the same VLAN as the Exchange server I'm testing the connection from with telnet, and that worked as expected, so something in the firewall is killing my traffic.
    Friday, October 30, 2015 3:39 PM