Exchange 2007 error sending emails "451 5.7.3 Cannot achieve Exchange Server authentication"

  • Question

  • Hello all!

    I have got 2 Windows 2003 x64 Servers with Exchange 2007 SP1 Rollup Pack 5 (version 8.1 Build 240.6), one with Hub Transport and the other with Edge Transport. All was working, but now I can't send or receive emails. Going to "HT > Toolbox > Queue View" I have got this warning:

    Next Hop Domain: edgesync - default-first-site-name to internet
    Database Rec...: SMTP Relay in Active Directory Site to Edge Transport Server
    Status.........: Retry
    Message Count..: 2
    Last Error.....: 451 4.4.0 Primary target IP address responded with "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

     

    My local LAN for these servers:


    SERVER LAN

    Hub X.X.20.11
    Edge X.X.0.11


    The Server's LAN is "20" and the DMZ is "0". Communication between the servers is fine (I can telnet to ports 25 and 50636).

    Reading the warning, it looks like an authentication error (Hub x Edge?), so I did the Edge Subscription again, but the error still happens. I made some changes on the HUB Server before this error:

    - Created new mailboxes from existing users;
    - Deleted Storage Group with Public Folder (following this Microsoft How To http://technet.microsoft.com/en-us/library/aa998329.aspx)


    I looked in "Edge Transport > Receive Connectors > Default internal receive connector "NOME-SERVIDOR" > Properties > Authentication" and these options are selected:

    -Transport Layer Security (TLS)
    --Enable Domain Security (Mutual Auth TLS)

    - Exchange Server authentication

     


    That's it. Can anyone help me?


    Thanks !!!


    =)


    Att.

     

    PS.: Sorry for my awful English. I'm Brazilian.  8)

    Thursday, May 21, 2009 9:48 PM

Answers

  • Hi Cristiano,

     

    If you telnet from HUB to EDGE or in reverse, will it advertise all verbs? Telnet locally and compare. Please check whether any verbs are missing.

     

    Is there any third-party software installed on the server? Is there a networking device between the HUB and EDGE servers?

     

    I suggest we use Network Monitor 3.1 to capture network traffic on both servers when sending email.

     

    Microsoft Network Monitor 3.1

    http://www.microsoft.com/downloads/details.aspx?familyid=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&displaylang=en

     

    How to use Network Monitor

    http://blogs.technet.com/netmon/

     

    1. Start the Network Monitor tool, by default there should be a "Microsoft Network Monitor 3.1" icon on the desktop

    2. Click on Create a new capture tab on the left pane or from the menu File | New | Capture.

    3. Click on Select Networks on the Right pane and check the network interface we wish to monitor.

    4. When you are ready to reproduce the problem start the trace, from the Capture menu select Start or click the Play button.

    5. Reproduce the problem, please note the exact time that the problem reproduces.

    6. Stop the trace, from the Capture menu select Stop or click the stop button.

    7. Save the trace, from the File menu select Save As.

    8. Check the result or send it to me.

     

    Thanks,

     

    Elvis

     

    Monday, May 25, 2009 11:03 AM

All replies

  • Did you follow the article below to check the Receive Connector authentication setting on the Hub Transport Server?

    Troubleshooting Edge Transport Server Queues That Contain Mail Destined to a Hub Transport Server

    Amit Tank | MVP – Exchange Server | MCITP: EMA, MCSA: M | http://ExchangeShare.WordPress.com

    Friday, May 22, 2009 7:09 AM
  • Hi Amit !

    Yes, I saw this article and did everything in it, but it didn't fix my problem.

    In "Edge Transport Server > Receive Connectors > Default connector > Properties > Authentication" I have got these options checked:

    -Transport Layer Security (TLS)
    --Enable Domain Security (Mutual Auth TLS)

    - Exchange Server authentication


    I'm searching a lot on many websites (Google, msexchange.org and others), but I can't find a solution...  =(

    Have you got any other idea?


    Thank you so much for your opinion!

    Friday, May 22, 2009 2:17 PM
  • Hi Cristiano,

    How are things going? If there is any update, please post here.

    Thanks,

    Elvis
    Friday, May 29, 2009 7:52 AM
  • Hi,

    I've seen something like this. What is your firewall solution for creating the DMZ? If you are using ISA, please switch off the SMTP filter between the HUB and the EDGE, because ISA doesn't support some SMTP verbs (like X-ANONYMOUSTLS) used in the Edge - Hub communication.

    Regards,
    Zoltán
    http://www.clamagent.org - Free Antivirus for Exchange
    http://www.it-pro.hu
    http://emaildetektiv.hu
    Friday, May 29, 2009 8:15 AM
  • Hello people!

    I was travelling (for another project) and haven't had time to do these things on my Exchange Server.
    Tomorrow I will go to my company to work on this case.

    I haven't any third-party software installed on the Servers (HUB and EDGE). I have one CISCO PIX between HUB and EDGE, and I followed all the steps that I saw in this article, but it didn't work:

    http://www.eggheadcafe.com/conversation.aspx?messageid=29662725&threadid=29609967

    *Cisco PIX/ ASA command > "no fixup protocol smtp 25"*


    Tomorrow I will ask my security team to test the communication between HUB and EDGE without our firewall. :)

    I don't know this Network Monitor, but I will try to use it tomorrow!


    Thanks all guys for the help!!! I received much more help here than in my country's forum! I love you, people!
    And not, I'm not gay!

     :)
    Friday, May 29, 2009 3:08 PM
  • Hello Zoltan!

    I'm not using ISA, I'm using CISCO PIX. I did try disabling the SMTP filter, but it didn't solve my problem.  :(
    Tomorrow I will try removing the firewall from my way!  ;)


    Att.
    Friday, May 29, 2009 3:11 PM
  • People,

    The problem was solved! We turned off the security policy in CISCO PIX about ESMTP and the Servers have a fine communication!

    Thanks all for helping me!


    =D


    Att.

    ________________________________
    Cristiano Santos


    *** BRASIL, um PAÍS the TODOS ***
    Sunday, May 31, 2009 4:59 PM
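
The verb comparison suggested in the answers, as an added example that is not part of the original thread: it parses two EHLO replies (one taken locally on the Edge server, one taken from the Hub through the firewall) and reports verbs that were dropped or masked in transit. Both transcripts are constructed samples, and the run-of-X mask pattern is an assumption about how an inspecting firewall rewrites extensions it does not allow.

```python
import re

# Constructed sample transcripts (not from the thread): the EHLO reply as seen
# locally on the Edge server, and as seen from the Hub through the firewall.
LOCAL = """250-edge.example.test Hello [192.0.2.11]
250-SIZE 10485760
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-X-EXPS NTLM
250-8BITMIME
250 XEXCH50"""
REMOTE = """250-edge.example.test Hello [192.0.2.11]
250-SIZE 10485760
250-XXXXXXXXXX
250-XXXXXXXXXXXXXXXXXXX
250-XXXXXXXX
250-XXXXXXXXXXXXXX
250-XXXXXXXXXXX
250-8BITMIME
250 XXXXXXX"""

# X-ANONYMOUSTLS is the Hub/Edge verb named in the thread.
REQUIRED = {"X-ANONYMOUSTLS"}

def parse_ehlo(transcript):
    """Return (verbs, masked): advertised keywords and the count of masked lines."""
    verbs, masked = set(), 0
    lines = [l.strip() for l in transcript.splitlines() if l.strip()]
    for line in lines[1:]:                    # first 250 line is the greeting
        m = re.match(r"250[- ](\S+)", line)
        if not m:
            continue
        keyword = m.group(1).upper()
        if re.fullmatch(r"X{4,}", keyword):   # assumption: masked extension
            masked += 1
        else:
            verbs.add(keyword)
    return verbs, masked

def compare(local, remote, required=REQUIRED):
    """Diff the verbs seen locally against those seen through the network path."""
    local_verbs, _ = parse_ehlo(local)
    remote_verbs, masked = parse_ehlo(remote)
    missing = local_verbs - remote_verbs
    return {
        "missing": sorted(missing),
        "masked_lines": masked,
        "required_missing": sorted(required & missing),
        "inspection_suspected": masked > 0 or bool(required & missing),
    }
```

Paste the `250` lines from each telnet session into `LOCAL` and `REMOTE`; a non-empty `required_missing` means a device on the path is rewriting the SMTP session and Exchange Server authentication cannot be negotiated.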