No mail flow between Ex2007 and Ex2013

    Question

  •  I have the cert installed on both 2007 and 2013. I am trying to keep them running in coexistence mode, but it is not working as advertised. I moved one test user over from 2007 to the new 2013 box. I can send/recv mail fine to myself, but when sending mail to other internal users it never delivers. Unable to reply. I have not set up the connector as of yet, as I am just testing internal mail. What am I doing wrong?

    Thanks!

    Wednesday, October 4, 2017 11:32 PM

Answers

  • Update: Mail is now flowing in all directions.

    2013 users - 2013 users
    2013 users - 2007 users
    2007 users - 2013 users

    Users from both servers to/from the Internet.

    Issue seems to have been related to a security policy on the 2007 box. I enabled "FIPS compliant algorithms for encryption", then did gpupdate /force. Now this may break other things, I don't know yet.

    The steps I took: 

    1 - In Control Panel, click Administrative Tools, and then double-click Local Security Policy.

    2 - In Local Security Settings, expand Local Policies, and then click Security Options.

    3 - Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Enabled.

    I was alerted of this issue by a bunch of new Event ID 36871 Schannel errors in the system log on the 2007 box. So I followed some fix I found online and applied it, and within seconds the queue on the 2007 was empty!

    Just before this change, I also changed the FQDN name given in the receive connector on the 2013 box, and made it match the FQDN banner of the 2007 box. I was seeing warning errors in the event log on one of the boxes which prompted that change. This did not seem to help, but in the event it was a delayed reaction I am listing the change just in case it helps. Seems the FIPS compliant algorithms was the magic for me anyway.

    Thanks again to ALL that jumped in and tried to help!  Nowhere in any place online did I ever see any FIPS compliant algo chatter about mail flow on exchange, so I hope it is of some help to others. 

    Now I need to see if users can connect fine to the new 2013 box and I can start moving mailboxes over. 


    DJ

    • Proposed as answer by Jason.ChaoModerator Thursday, October 26, 2017 1:30 AM
    • Marked as answer by test1500 Thursday, October 26, 2017 3:21 AM
    Wednesday, October 25, 2017 6:57 PM
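The accepted answer turns on three things the thread circled around: the FIPS policy state on the 2007 box, the Schannel 36871 errors that flagged the problem, and whether the certificates and receive connectors on each server are set up for Exchange Server authentication. The following read-only audit, added here as an example and not taken from the thread or from any poster, gathers all three in one pass in the Exchange Management Shell. The registry key is the one behind the Local Security Policy setting the poster enabled; the function names are my own, and the output columns are assumptions about what is useful to compare between the two servers.

```powershell
# Added example (not from the thread): read-only audit of FIPS policy state,
# recent Schannel 36871 errors, SMTP-bound certificates and receive connector
# authentication settings. Run in the Exchange Management Shell on each server.

function Get-FipsPolicyState {
    # The Local Security Policy setting "System cryptography: Use FIPS compliant
    # algorithms..." is stored under this Lsa key; 1 = enabled, 0/absent = disabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $val = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return [bool]($val -and $val.Enabled -eq 1)
}

function Get-RecentSchannelErrors {
    param([int]$Hours = 24)
    # Event ID 36871 from the Schannel provider is what alerted the poster.
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871
                 StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    return @($events).Count
}

function Get-SmtpCertificateReport {
    # Certificates bound to SMTP. An expired or self-signed one is worth a look:
    # the poster's EXSRV01 self-signed cert had NotAfter in 2015 and Status Invalid.
    Get-ExchangeCertificate |
        Where-Object { $_.Services -match 'SMTP' } |
        Select-Object Subject, IsSelfSigned, NotAfter, Status,
            @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } }
}

function Get-ServerAuthConnectorReport {
    # "Exchange server authentication" on a receive connector shows up as
    # ExchangeServer in AuthMechanism and ExchangeServers in PermissionGroups;
    # Fqdn is the banner name the poster matched between the two servers.
    Get-ReceiveConnector |
        Select-Object Identity, Bindings, Fqdn, AuthMechanism, PermissionGroups,
            @{ n = 'ServerAuth'; e = {
                ($_.AuthMechanism -match 'ExchangeServer') -and
                ($_.PermissionGroups -match 'ExchangeServers') } }
}

"FIPS policy enabled : $(Get-FipsPolicyState)"
"Schannel 36871 (24h): $(Get-RecentSchannelErrors)"
Get-SmtpCertificateReport     | Format-Table -AutoSize
Get-ServerAuthConnectorReport | Format-Table -AutoSize -Wrap
```

Run it on both boxes and compare: a connector that answers on port 25 with ServerAuth False, an expired certificate still bound to SMTP, or a climbing 36871 count after a change are each a concrete thing to fix before touching anything else. The script changes nothing; the FIPS setting itself is still made through the Local Security Policy steps in the answer, and the poster's own caveat that FIPS mode can break other components applies.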

All replies

  • Hi,

    Thanks for contacting our forum.

    Does all the mail flow from 2013 to 2007 or from 2007 to 2013 not work?

    Did you receive any NDR messages? If yes, please post them out in detail.

    Please check if the default receive connector on server 2007 is checked as below:

    And the Exchange server 2013 receive connector as below:

    Restart the transport services on both servers.

    If it still doesn’t work please run the following command and post out the results:

    • Get-receiveconnector | fl
    • Get-acceptdomain | fl
    • Get-exchangecertificate | fl

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 5, 2017 5:26 AM
    Moderator
  • Check if you are able to ping both servers from each server and telnet on port 25.

    Thanks & Regards Ramandeep Singh

    Thursday, October 5, 2017 6:39 AM
  • Thank you for the quick reply Jason

    So no mail flows from either server.  I get a delayed message from the 2007 server.

    That message:  

    "Delivery is delayed to these recipients or distribution lists:
     
    Mary L - TEST USER - disabled test 5-27-2016
     
    Subject: test 4444
     
    This message has not yet been delivered. Microsoft Exchange will continue to try delivering the message on your behalf.
     
    Delivery of this message will be attempted until 10/6/2017 3:22:50 PM (GMT-08:00) Pacific Time (US & Canada). Microsoft Exchange will notify you if the message can't be delivered by that time. "

     

    No notification on the 2013 server from the test user. But message does not send. 

    I checked the receive connectors,  the one on my 2007 server (EXSRV01 in this example) looks same as your example.  

    On the new server (EXSRV13 in my example), all are checked except exchange users.  I checked it off to match your example.  I see default connector for HubTransport and FrontendTransport.  I left the HubTransport alone. 

    I restarted the transport service on EXSRV13.  Not sure if I can restart transport on the 01 box yet,  so will schedule that then report back.  

    Thank you again.  

    Thursday, October 5, 2017 3:50 PM
  • Yes,  can confirm ping from both boxes,  and telnet to both, and get the proper response from a ehlo command.  All good on the base level,  just no mail flow yet.   Thank you.   I just want to be sure everything is working before I bring the users over,  we have a small environment and only one server with an edge MTA spam appliance to hand off the outside mail.  

    Thursday, October 5, 2017 3:53 PM
  • Had some issues with my test machine not connecting.  Latest delay response from the test user:

    (personal detail has been masked)

    Generating server: EXSRV13.local.my.domain.ca.gov
    Receiving server: EXSRV01.local.my.domain.ca.gov (X.X.6.47)

    Remote Server at EXSRV01.local.my.domain.ca.gov (X.X.6.47) returned '400 4.4.7 Message delayed'
    10/5/2017 2:16:42 AM - Remote Server at EXSRV01.local.my.domain.ca.gov (10.45.6.47) returned '451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was X.X.6.47:25'

    So looks like an authentication issue between servers??

    Thursday, October 5, 2017 6:25 PM
  • The receive connectors output is too large to post here...  Not sure how to share it here?

    Thursday, October 5, 2017 6:49 PM
  • UPDATE:  

    Mail now flows from 2013 to 2007.  Mail flows to outside from 2013, but no replies yet.

    So mail appears to not be flowing to Exchange2013 test recipient.  But mail out from test user on 2013 is working now!  Progress!!   

    Waiting on the failure messages,  possibly same authentication issue.  I checked all my connectors and none conflict with the default connector. 

    Thursday, October 5, 2017 7:25 PM
  • Update 2:

    Really confused with all of the receive connectors on the new Ex2013 box.  I have 5 connectors:

    Client Frontend EXSRV13
    Client Proxy EXSRV13
    Default EXSRV13
    Default Frontend EXSRV13
    Outbound Proxy Frontend EXSRV13

    Both 'Default' connectors have the same scoping, with Default EXSRV13 using port 2525, and Default Frontend using port 25.   We have several on the existing box that I have yet to move over.  I will try disabling all the RCV connectors and just leave the one.  But I have yet to wrap my head around the need to exclude the old mail server from the new connector.  Thanks again for all the help,  had no idea this would be so finicky!

    Thursday, October 5, 2017 9:22 PM
  • Output for certificates (detail scrubbed)

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                         ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
                         essRule}
    CertificateDomains : {MY.DOMAIN.ca.gov}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=MY.DOMAIN.ca.gov
    NotAfter           : 10/5/2022 2:03:06 PM
    NotBefore          : 10/5/2017 2:03:06 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : null
    Services           : SMTP
    Status             : Valid
    Subject            : CN=MY.DOMAIN.ca.gov
    Thumbprint         : null
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                         ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
                         essRule}
    CertificateDomains : {fax.MY.DOMAIN.ca.gov}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=fax.MY.DOMAIN.ca.gov
    NotAfter           : 10/5/2022 1:49:20 PM
    NotBefore          : 10/5/2017 1:49:20 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : null
    Services           : SMTP
    Status             : Valid
    Subject            : CN=fax.MY.DOMAIN.ca.gov
    Thumbprint         : null
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                         ule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail.MY.DOMAIN.ca.gov, www.mail.MY.DOMAIN.ca.gov, owa.MY.DOMAIN.ca.gov, legacy.local.
                         MY.DOMAIN.ca.gov, exsrv01.local.MY.DOMAIN.ca.gov, exsrv13.local.MY.DOMAIN.ca.gov}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy
                         .com, Inc.", L=Scottsdale, S=Arizona, C=US
    NotAfter           : 10/3/2020 4:12:01 PM
    NotBefore          : 10/4/2017 9:10:01 AM
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : null
    Services           : IMAP, POP, IIS
    Status             : Valid
    Subject            : CN=mail.MY.DOMAIN.ca.gov, OU=Domain Control Validated
    Thumbprint         : null
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                         ule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {jalanws.MY.DOMAIN.ca.gov, www.jalanws.MY.DOMAIN.ca.gov, owa.MY.DOMAIN.ca.gov, exsrv01
                         .local.MY.DOMAIN.ca.gov, owa.MYDOMAIN.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy
                         .com, Inc.", L=Scottsdale, S=Arizona, C=US
    NotAfter           : 12/11/2017 9:56:16 AM
    NotBefore          : 1/23/2015 11:27:50 AM
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : null
    Services           : SMTP
    Status             : Valid
    Subject            : CN=jalanws.MY.DOMAIN.ca.gov, OU=Domain Control Validated
    Thumbprint         : null
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                         ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
                         essRule}
    CertificateDomains : {EXSRV01, EXSRV01.local.MY.DOMAIN.ca.gov}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=EXSRV01
    NotAfter           : 7/30/2015 9:04:43 AM
    NotBefore          : 7/30/2014 9:04:43 AM
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : null
    Services           : SMTP
    Status             : Invalid
    Subject            : CN=EXSRV01
    Thumbprint         : null


    • Edited by test1500 Thursday, October 5, 2017 10:19 PM typo
    Thursday, October 5, 2017 10:18 PM
  • Attempt 1 to post receive connectors:

    RunspaceId                              : 9ccecb0d-00ed-45b6-bd5a-27cb3313882d
    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {[::]:25, 0.0.0.0:25}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : EXSRV01.local.MY.DOMAIN.ca.gov
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : Unlimited
    MessageRateSource                       : IPAddress
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : Unlimited
    MaxInboundConnectionPercentagePerSource : 100
    MaxHeaderSize                           : 64 KB (65,536 bytes)
    MaxHopCount                             : 30
    MaxLocalHopCount                        : 8
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 20 MB (20,971,520 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 5000
    PermissionGroups                        : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : None
    RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : EXSRV01
    TransportRole                           : HubTransport
    SizeEnabled                             : EnabledWithoutValue
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Default EXSRV01
    DistinguishedName                       : CN=Default EXSRV01,CN=SMTP Receive
                                              Connectors,CN=Protocols,CN=EXSRV01,CN=Servers,CN=Exchange Administrative
                                              Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MY
                                              DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=local,DC=MY,
                                              DC=DOMAIN,DC=ca,DC=gov
    Identity                                : EXSRV01\Default EXSRV01
    Guid                                    : 907c46fd-fe04-4d2e-982e-f852c9a800bc
    ObjectCategory                          : local.MY.DOMAIN.ca.gov/Configuration/Schema/ms-Exch-Smtp-Receive-Connecto
                                              r
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 2/20/2015 4:17:14 PM
    WhenCreated                             : 7/30/2014 9:04:58 AM
    WhenChangedUTC                          : 2/21/2015 12:17:14 AM
    WhenCreatedUTC                          : 7/30/2014 4:04:58 PM
    OrganizationId                          :
    Id                                      : EXSRV01\Default EXSRV01
    OriginatingServer                       : ADSRV01.local.MY.DOMAIN.ca.gov
    IsValid                                 : True
    ObjectState                             : Unchanged

    RunspaceId                              : 9ccecb0d-00ed-45b6-bd5a-27cb3313882d
    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {[::]:587, 0.0.0.0:587}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : EXSRV01.local.MY.DOMAIN.ca.gov
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : 600
    MessageRateSource                       : IPAddress
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 64 KB (65,536 bytes)
    MaxHopCount                             : 30
    MaxLocalHopCount                        : 8
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 20 MB (20,971,520 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : AnonymousUsers, ExchangeUsers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : None
    RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : True
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : EXSRV01
    TransportRole                           : HubTransport
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Client EXSRV01
    DistinguishedName                       : CN=Client EXSRV01,CN=SMTP Receive
                                              Connectors,CN=Protocols,CN=EXSRV01,CN=Servers,CN=Exchange Administrative
                                              Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MY
                                              DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=local,DC=MY,
                                              DC=DOMAIN,DC=ca,DC=gov
    Identity                                : EXSRV01\Client EXSRV01
    Guid                                    : b42c5998-5266-44f9-9855-2bf78106bd86
    ObjectCategory                          : local.MY.DOMAIN.ca.gov/Configuration/Schema/ms-Exch-Smtp-Receive-Connecto
                                              r
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 1/20/2015 10:58:37 AM
    WhenCreated                             : 7/30/2014 9:04:58 AM
    WhenChangedUTC                          : 1/20/2015 6:58:37 PM
    WhenCreatedUTC                          : 7/30/2014 4:04:58 PM
    OrganizationId                          :
    Id                                      : EXSRV01\Client EXSRV01
    OriginatingServer                       : ADSRV01.local.MY.DOMAIN.ca.gov
    IsValid                                 : True
    ObjectState                             : Unchanged
    RunspaceId                              : 9ccecb0d-00ed-45b6-bd5a-27cb3313882d
    AuthMechanism                           : Tls, ExternalAuthoritative
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {0.0.0.0:25}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : FSSRV01.local.MY.DOMAIN.ca.gov
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : Unlimited
    MessageRateSource                       : IPAddress
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 64 KB (65,536 bytes)
    MaxHopCount                             : 30
    MaxLocalHopCount                        : 8
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 20 MB (20,971,520 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : AnonymousUsers, ExchangeServers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : Verbose
    RemoteIPRanges                          : {X.X.6.14-X.X.6.14}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : EXSRV01
    TransportRole                           : HubTransport
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : FsSrv01-BMail
    DistinguishedName                       : CN=FsSrv01-BMail,CN=SMTP Receive
                                              Connectors,CN=Protocols,CN=EXSRV01,CN=Servers,CN=Exchange Administrative
                                              Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MY
                                              DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=local,DC=MY,
                                              DC=DOMAIN,DC=ca,DC=gov
    Identity                                : EXSRV01\FsSrv01-BMail
    Guid                                    : e71f9f0b-2847-4c18-a078-5373ef99aeb1
    ObjectCategory                          : local.MY.DOMAIN.ca.gov/Configuration/Schema/ms-Exch-Smtp-Receive-Connecto
                                              r
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 5/14/2015 8:21:29 AM
    WhenCreated                             : 10/28/2014 11:31:02 AM
    WhenChangedUTC                          : 5/14/2015 3:21:29 PM
    WhenCreatedUTC                          : 10/28/2014 6:31:02 PM
    OrganizationId                          :
    Id                                      : EXSRV01\FsSrv01-BMail
    OriginatingServer                       : ADSRV01.local.MY.DOMAIN.ca.gov
    IsValid                                 : True
    ObjectState                             : Unchanged

    Thursday, October 5, 2017 10:33 PM
  • Queue as of COB today:  Still stuck

    Identity         : EXSRV01\79122
    DeliveryType     : SmtpRelayWithinAdSite
    NextHopDomain    : hub version 15
    NextHopConnector : 61027a30-e9a9-4c2d-acb5-c1efc96d5d8b
    Status           : Retry
    MessageCount     : 9
    LastError        : 451 4.4.0 Primary target IP address responded with: "421 4.4.1 Connection timed out." Attempted fail
                       over to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery f
                       ailed to all alternate hosts.
    LastRetryTime    : 10/5/2017 4:32:58 PM
    NextRetryTime    : 10/5/2017 4:37:58 PM
    IsValid          : True
    ObjectState      : Unchanged

    Thursday, October 5, 2017 11:36 PM
  • Try to assign the GoDaddy certificate to all services - IMAP, POP, IIS, SMTP.

    I see that your certificate is now assigned to SMTP only.

    IISReset after assigning the services.

    Friday, October 6, 2017 12:47 AM
  • Thanks for your detailed information.

    From your description, I found that the mail flows from 2013 to 2007 now but not from 2007 to 2013, right?

    It's recommended to create a new mailbox on Exchange server 2013 and test whether it's still the same error.

    I didn't find the detailed info of the receive connectors of Exchange server 2013.

    Given the error message below:

    ----------------------------------------------------------------------------------------

    451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was X.X.6.47:25

    ----------------------------------------------------------------------

    It seems an authentication issue between servers; please check if you've checked the "Exchange server Authentication" on the default and default frontend connectors as below:

    Hope it helps.


    Regards,

    Jason Chao


    Friday, October 6, 2017 2:07 AM
    Moderator
  • Jason, yes. Verified once again that Exchange server authentication is checked on both connectors, and is set on the old box connector. The cert has all services enabled on the new box, should be good. Will send updated output, but the queue is still stuck. Bumped the transport service a few times on both. I have the firewall disabled, and no firewall in between, on the same subnet. I will post the connector output tomorrow as soon as I can.

    Still scratching my head lol

    Should I try a dedicated receive connector for both with server authentication set, since we have so many custom connectors?

    Thanks 

    Friday, October 6, 2017 3:44 AM
  • Look for the System Attendant service on Exchange 2007 and try to restart it.

    Try to telnet to the Hub Transport on port 25 and send an email through telnet.


    Thanks & Regards Ramandeep Singh

    Friday, October 6, 2017 3:56 AM
  • Certificate is bound to all services:

    CertificateDomains : {mail.MY.DOMAIN.ca.gov, www.mail.MY.DOMAIN.ca.gov, owa.MY.DOMAIN.ca.gov,
                         legacy.local.MY.DOMAIN.ca.gov, exsrv01.local.MY.DOMAIN.ca.gov,
                         exsrv13.local.MY.DOMAIN.ca.gov}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/,
                         O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    NotAfter           : 10/3/2020 4:12:01 PM
    NotBefore          : 10/4/2017 9:10:01 AM
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 0
    Services           : IMAP, POP, IIS, SMTP
    Status             : RevocationCheckFailure
    Subject            : CN=mail.MY.DOMAIN.ca.gov, OU=Domain Control Validated

    The revocation check failure is because the server has no internet connection at the moment,  just on the server subnet, as clients were attempting to connect to it, so the default gateway is currently 0.0.0.0.

    Friday, October 6, 2017 3:35 PM
  • I can send mail fine using telnet from either side,  it says message was queued and stays in the queue, only when sending from 2007 exchange.  When I send from 2013 it goes right through just fine to the recipient.  Will try and bump the attendant service again.  This is really frustrating, I just don't get it!   Going to try a custom receive connector on the 2013 box as the issue seems specific to receiving on the 2013 box.  

    Friday, October 6, 2017 3:53 PM
  • I setup a fresh user on the 2013 box just to rule this out as it was suggested by Jason.  Still the same pattern,  mail only flows from 2013 to 2007,  mail does not flow from 2007 mailboxes to 2013 mailboxes. I have checked, rechecked triple checked the certs, the receive connectors, I tried adding a custom receive connector, wouldn't let me, so I scoped the defaults to just the 2007 server, did not seem to help at all. As well I have rebooted the entire 2013 server, and I have restarted the system attendant on 2007.   Still no mail flow. 

    Friday, October 6, 2017 4:45 PM
  • I wanted to add,  I took a look at the send connector on the 2007 server and it is set to send to the smarthost, and to our fax server via SMTP.   So I am thinking we are missing something, as there seems to be no send connector to transfer mail over to the 2013 box.  Would I need to add a send connector to allow coexistence in my scenario?  

    Thanks

    Friday, October 6, 2017 5:48 PM
  • You do not need a Send connector to route mail from 2007 to 2013. Can you send a snapshot of telnet from 2007 to 2013 with EHLO, so we can confirm if all verbs are in place?

    Regards,

    Fazal

     

    Disclaimer: The views expressed on this blog are my own and do not necessarily reflect the views of my employer.

    Friday, October 6, 2017 6:57 PM
  • Funny you mention that Fazal,  I was just doing the same!

    I am missing XEXCH50 verb on the 2013 box, so connector issue.

    Compare:  

    2013 box

    250-EXSRV13.local.some.domain.ca.gov Hello [X.X.7.97]
    250-SIZE 37748736
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-X-ANONYMOUSTLS
    250-AUTH NTLM
    250-X-EXPS GSSAPI NTLM
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250 XRDST

    2007 box

    250-EXSRV01.local.some.domain.ca.gov Hello [X.X.7.97]
    250-SIZE
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-X-ANONYMOUSTLS
    250-AUTH NTLM
    250-X-EXPS GSSAPI NTLM
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250-XEXCH50
    250 XRDST

    Now I just wish I knew what magic combination on the receive connectors I need to get it to work! I have tried about every combo I can think of. Will keep at it; 40 hours on one problem, LOL.

    Friday, October 6, 2017 7:23 PM
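The EHLO comparison above is the right check, and it is worth doing in a way that does not depend on eyeballing two telnet screens. The following is an added example (Python, not code from the thread or from Exchange) that parses EHLO replies in the form a telnet session shows them, diffs the advertised extensions, and flags which missing verbs are Exchange-internal. The two sample replies are the ones posted above, typed in as constructed input with the same redacted hostnames; `fetch_ehlo` is the live equivalent of the telnet step, built on `smtplib`'s `esmtp_features`, and is not exercised offline. One caveat a practitioner should keep in mind: an unauthenticated EHLO shows only what the server offers to an anonymous session, so a verb can be absent here and still be offered once the peer authenticates; treat the diff as a lead, not a verdict.

```python
"""Diff the ESMTP extensions two SMTP servers advertise in their EHLO reply.

Added example, not part of the thread: parses EHLO replies the way a telnet
session shows them and reports which verbs each side lacks.
"""
import smtplib
from typing import Dict, List, Set, Tuple

# Constructed sample input: the two EHLO replies pasted in the thread above,
# with the same redacted hostnames and client address.
EHLO_2013 = """\
250-EXSRV13.local.some.domain.ca.gov Hello [X.X.7.97]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
"""

EHLO_2007 = """\
250-EXSRV01.local.some.domain.ca.gov Hello [X.X.7.97]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST
"""

# Extensions Exchange servers use between themselves: XEXCH50 carries legacy
# envelope properties, X-EXPS is Exchange Server authentication, and
# X-ANONYMOUSTLS is the TLS Exchange servers negotiate with each other.
EXCHANGE_VERBS: Set[str] = {"XEXCH50", "X-EXPS", "X-ANONYMOUSTLS", "STARTTLS"}


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Map each advertised extension keyword to its parameter string.

    The first 250 line is the greeting (hostname + client address) and is
    skipped; '250-' marks a continuation line, '250 ' the final one.
    """
    features: Dict[str, str] = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        if not line.startswith("250"):
            continue  # not part of the EHLO success reply
        keyword, _, params = line[4:].strip().partition(" ")
        if keyword:
            features[keyword.upper()] = params.strip()
    return features


def diff_verbs(a: Dict[str, str], b: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """Return (verbs only a advertises, verbs only b advertises)."""
    return set(a) - set(b), set(b) - set(a)


def report(name_a: str, ehlo_a: str, name_b: str, ehlo_b: str) -> List[str]:
    """Human-readable findings: missing verbs per side, plus auth offered pre-TLS."""
    fa, fb = parse_ehlo(ehlo_a), parse_ehlo(ehlo_b)
    only_a, only_b = diff_verbs(fa, fb)
    out: List[str] = []
    for name, missing in ((name_b, only_a), (name_a, only_b)):
        for verb in sorted(missing):
            tag = "exchange-internal" if verb in EXCHANGE_VERBS else "generic"
            out.append(f"{name} does not advertise {verb} ({tag})")
    # AUTH shown in the initial EHLO is offered on the plaintext channel; that
    # matters on a connector with RequireTLS set to False.
    for name, f in ((name_a, fa), (name_b, fb)):
        if "AUTH" in f:
            out.append(f"{name} offers AUTH {f['AUTH']} on the pre-TLS EHLO")
    return out


def fetch_ehlo(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, str]:
    """Live equivalent of the telnet check (not run offline): connect, EHLO,
    and return the parsed extension map from smtplib's esmtp_features."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO to {host}:{port} failed: {code} {msg!r}")
        return {k.upper(): v.strip() for k, v in smtp.esmtp_features.items()}


if __name__ == "__main__":
    for line in report("EXSRV13 (2013)", EHLO_2013, "EXSRV01 (2007)", EHLO_2007):
        print(line)
```

Run as-is it reports the single asymmetry in the thread, XEXCH50 absent on the 2013 side, and notes that both servers offer AUTH NTLM before STARTTLS. To compare two live servers, feed `fetch_ehlo(host)` for each into `diff_verbs` from a host that sits where the 2007 server sits, since the reply can differ by source address and by connector.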
  • Default Receive connectors on 2013 box:

    RunspaceId                              : 016af15a-1620-4c13-bd02-4f40676644ae
    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {0.0.0.0:2525, [::]:2525}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : True
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : EXSRV13.local.MY.DOMAIN.ca.gov
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : Unlimited
    MessageRateSource                       : IPAddress
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : Unlimited
    MaxInboundConnectionPercentagePerSource : 100
    MaxHeaderSize                           : 128 KB (131,072 bytes)
    MaxHopCount                             : 60
    MaxLocalHopCount                        : 5
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 35 MB (36,700,160 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 5000
    PermissionGroups                        : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : Verbose
    RemoteIPRanges                          : {0.0.0.0-255.255.255.255, ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : EXSRV13
    TransportRole                           : HubTransport
    SizeEnabled                             : EnabledWithoutValue
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Default EXSRV13
    DistinguishedName                       : CN=Default EXSRV13,CN=SMTP Receive
                                              Connectors,CN=Protocols,CN=EXSRV13,CN=Servers,CN=Exchange Administrative
                                              Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MY
                                              DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=local,DC=MY,
                                              DC=DOMAIN,DC=ca,DC=gov
    Identity                                : EXSRV13\Default EXSRV13
    Guid                                    : null
    ObjectCategory                          : local.MY.DOMAIN.ca.gov/Configuration/Schema/ms-Exch-Smtp-Receive-Connecto
                                              r
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 10/6/2017 1:29:19 PM
    WhenCreated                             : 8/3/2017 11:50:51 AM
    WhenChangedUTC                          : 10/6/2017 8:29:19 PM
    WhenCreatedUTC                          : 8/3/2017 6:50:51 PM
    OrganizationId                          :
    Id                                      : EXSRV13\Default EXSRV13
    OriginatingServer                       : ADSRV01.local.MY.DOMAIN.ca.gov
    IsValid                                 : True
    ObjectState                             : Unchanged
    RunspaceId                              : 016af15a-1620-4c13-bd02-4f40676644ae
    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {[::]:25, 0.0.0.0:25}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : EXSRV13.local.MY.DOMAIN.ca.gov
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : Unlimited
    MessageRateSource                       : IPAddress
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 128 KB (131,072 bytes)
    MaxHopCount                             : 60
    MaxLocalHopCount                        : 5
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 36 MB (37,748,736 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : Verbose
    RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : EXSRV13
    TransportRole                           : FrontendTransport
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Default Frontend EXSRV13
    DistinguishedName                       : CN=Default Frontend EXSRV13,CN=SMTP Receive
                                              Connectors,CN=Protocols,CN=EXSRV13,CN=Servers,CN=Exchange Administrative
                                              Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MY
                                              DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=local,DC=MY,
                                              DC=DOMAIN,DC=ca,DC=gov
    Identity                                : EXSRV13\Default Frontend EXSRV13
    Guid                                    : null
    ObjectCategory                          : local.MY.DOMAIN.ca.gov/Configuration/Schema/ms-Exch-Smtp-Receive-Connecto
                                              r
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 10/6/2017 1:32:37 PM
    WhenCreated                             : 8/3/2017 12:00:27 PM
    WhenChangedUTC                          : 10/6/2017 8:32:37 PM
    WhenCreatedUTC                          : 8/3/2017 7:00:27 PM
    OrganizationId                          :
    Id                                      : EXSRV13\Default Frontend EXSRV13
    OriginatingServer                       : ADSRV01.local.MY.DOMAIN.ca.gov
    IsValid                                 : True
    ObjectState                             : Unchanged

    Friday, October 6, 2017 9:57 PM
  • Default receive connector on 2007 box: (all other connectors are scoped to specific host IP)

    RunspaceId                              : 016af15a-1620-4c13-bd02-4f40676644ae
    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {[::]:25, 0.0.0.0:25}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : True
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : EXSRV01.local.MY.DOMAIN.ca.gov
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : Unlimited
    MessageRateSource                       : IPAddress
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : Unlimited
    MaxInboundConnectionPercentagePerSource : 100
    MaxHeaderSize                           : 64 KB (65,536 bytes)
    MaxHopCount                             : 30
    MaxLocalHopCount                        : 8
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 20 MB (20,971,520 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 5000
    PermissionGroups                        : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : None
    RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : EXSRV01
    TransportRole                           : HubTransport
    SizeEnabled                             : EnabledWithoutValue
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Default EXSRV01
    DistinguishedName                       : CN=Default EXSRV01,CN=SMTP Receive
                                              Connectors,CN=Protocols,CN=EXSRV01,CN=Servers,CN=Exchange Administrative
                                              Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MY
                                              DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=local,DC=MY,
                                              DC=DOMAIN,DC=ca,DC=gov
    Identity                                : EXSRV01\Default EXSRV01
    Guid                                    : 907c46fd-fe04-4d2e-982e-f852c9a800bc
    ObjectCategory                          : local.MY.DOMAIN.ca.gov/Configuration/Schema/ms-Exch-Smtp-Receive-Connecto
                                              r
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 10/6/2017 2:26:28 PM
    WhenCreated                             : 7/30/2014 9:04:58 AM
    WhenChangedUTC                          : 10/6/2017 9:26:28 PM
    WhenCreatedUTC                          : 7/30/2014 4:04:58 PM
    OrganizationId                          :
    Id                                      : EXSRV01\Default EXSRV01
    OriginatingServer                       : ADSRV01.local.MY.DOMAIN.ca.gov
    IsValid                                 : True
    ObjectState                             : Unchanged

    Friday, October 6, 2017 10:01 PM
  • Other connectors on 2013 box:


    RunspaceId                              : 016af15a-1620-4c13-bd02-4f40676644ae
    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {[::]:465, 0.0.0.0:465}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : EXSRV13.local.MY.DOMAIN.ca.gov
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : 5
    MessageRateSource                       : User
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 128 KB (131,072 bytes)
    MaxHopCount                             : 60
    MaxLocalHopCount                        : 5
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 35 MB (36,700,160 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : ExchangeUsers, ExchangeServers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : None
    RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : True
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : EXSRV13
    TransportRole                           : HubTransport
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Client Proxy EXSRV13
    DistinguishedName                       : CN=Client Proxy EXSRV13,CN=SMTP Receive
                                              Connectors,CN=Protocols,CN=EXSRV13,CN=Servers,CN=Exchange Administrative
                                              Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MY
                                              DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=local,DC=MY,
                                              DC=DOMAIN,DC=ca,DC=gov
    Identity                                : EXSRV13\Client Proxy EXSRV13
    Guid                                    : null
    ObjectCategory                          : local.MY.DOMAIN.ca.gov/Configuration/Schema/ms-Exch-Smtp-Receive-Connecto
                                              r
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 10/6/2017 1:29:25 PM
    WhenCreated                             : 8/3/2017 11:50:51 AM
    WhenChangedUTC                          : 10/6/2017 8:29:25 PM
    WhenCreatedUTC                          : 8/3/2017 6:50:51 PM
    OrganizationId                          :
    Id                                      : EXSRV13\Client Proxy EXSRV13
    OriginatingServer                       : ADSRV01.local.MY.DOMAIN.ca.gov
    IsValid                                 : True
    ObjectState                             : Unchanged

    RunspaceId                              : 016af15a-1620-4c13-bd02-4f40676644ae
    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {[::]:717, 0.0.0.0:717}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : True
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : EXSRV13.local.MY.DOMAIN.ca.gov
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : Unlimited
    MessageRateSource                       : IPAddress
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 128 KB (131,072 bytes)
    MaxHopCount                             : 60
    MaxLocalHopCount                        : 5
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 36 MB (37,748,736 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : ExchangeServers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : Verbose
    RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : EXSRV13
    TransportRole                           : FrontendTransport
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Outbound Proxy Frontend EXSRV13
    DistinguishedName                       : CN=Outbound Proxy Frontend EXSRV13,CN=SMTP Receive
                                              Connectors,CN=Protocols,CN=EXSRV13,CN=Servers,CN=Exchange Administrative
                                              Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MY
                                              DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=local,DC=MY,
                                              DC=DOMAIN,DC=ca,DC=gov
    Identity                                : EXSRV13\Outbound Proxy Frontend EXSRV13
    Guid                                    : null
    ObjectCategory                          : local.MY.DOMAIN.ca.gov/Configuration/Schema/ms-Exch-Smtp-Receive-Connecto
                                              r
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 10/6/2017 1:29:38 PM
    WhenCreated                             : 8/3/2017 12:00:27 PM
    WhenChangedUTC                          : 10/6/2017 8:29:38 PM
    WhenCreatedUTC                          : 8/3/2017 7:00:27 PM
    OrganizationId                          :
    Id                                      : EXSRV13\Outbound Proxy Frontend EXSRV13
    OriginatingServer                       : ADSRV01.local.MY.DOMAIN.ca.gov
    IsValid                                 : True
    ObjectState                             : Unchanged

    RunspaceId                              : 016af15a-1620-4c13-bd02-4f40676644ae
    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {[::]:587, 0.0.0.0:587}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : EXSRV13.local.MY.DOMAIN.ca.gov
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : 5
    MessageRateSource                       : User
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 128 KB (131,072 bytes)
    MaxHopCount                             : 60
    MaxLocalHopCount                        : 5
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 35 MB (36,700,160 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : ExchangeUsers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : None
    RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : True
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : EXSRV13
    TransportRole                           : FrontendTransport
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Client Frontend EXSRV13
    DistinguishedName                       : CN=Client Frontend EXSRV13,CN=SMTP Receive
                                              Connectors,CN=Protocols,CN=EXSRV13,CN=Servers,CN=Exchange Administrative
                                              Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MY
                                              DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=local,DC=MY,
                                              DC=DOMAIN,DC=ca,DC=gov
    Identity                                : EXSRV13\Client Frontend EXSRV13
    Guid                                    : null
    ObjectCategory                          : local.MY.DOMAIN.ca.gov/Configuration/Schema/ms-Exch-Smtp-Receive-Connecto
                                              r
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 10/6/2017 1:29:30 PM
    WhenCreated                             : 8/3/2017 12:00:27 PM
    WhenChangedUTC                          : 10/6/2017 8:29:30 PM
    WhenCreatedUTC                          : 8/3/2017 7:00:27 PM
    OrganizationId                          :
    Id                                      : EXSRV13\Client Frontend EXSRV13
    OriginatingServer                       : ADSRV01.local.MY.DOMAIN.ca.gov
    IsValid                                 : True
    ObjectState                             : Unchanged

    Friday, October 6, 2017 10:11 PM
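The three connector dumps above contain the properties that decide whether a peer Exchange server can deliver to a listener (`Bindings`, `AuthMechanism`, `PermissionGroups`) as well as a few that matter for security (`AnonymousUsers` on a connector open to every source address, Basic authentication without TLS, protocol logging switched off). Reading them by eye across several hundred lines is error-prone, so here is an added example (Python, not from the thread and not an Exchange tool) that parses `Get-ReceiveConnector | Format-List` output and audits each connector. The sample input is constructed in the shape of the dumps above, trimmed to the properties the audit reads: the first two connectors mirror `Default Frontend EXSRV13` and `Default EXSRV01` as posted, and the third is a hypothetical over-tightened connector, added only to show what a failing audit looks like. The relay check can only suggest a follow-up, since the extended right `ms-Exch-SMTP-Accept-Any-Recipient` is not visible in this output; it is read with `Get-ADPermission` on the connector.

```python
"""Audit Exchange Receive connectors from `Get-ReceiveConnector | Format-List` output.

Added example, not from the thread. Offline: it reads a constructed dump
in the same layout as the ones posted above.
"""
from typing import Dict, List

# Constructed sample: first two connectors follow the thread's dumps, trimmed to
# the properties the audit reads; the third is hypothetical (over-tightened).
SAMPLE = """\
Bindings             : {[::]:25, 0.0.0.0:25}
AuthMechanism        : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
PermissionGroups     : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
RemoteIPRanges       : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireTLS           : False
ProtocolLoggingLevel : Verbose
TransportRole        : FrontendTransport
Name                 : Default Frontend EXSRV13
DistinguishedName    : CN=Default Frontend EXSRV13,CN=SMTP Receive
                       Connectors,CN=Protocols,CN=EXSRV13,CN=Servers

Bindings             : {[::]:25, 0.0.0.0:25}
AuthMechanism        : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
PermissionGroups     : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
RemoteIPRanges       : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireTLS           : False
ProtocolLoggingLevel : None
TransportRole        : HubTransport
Name                 : Default EXSRV01

Bindings             : {0.0.0.0:25}
AuthMechanism        : Tls, BasicAuth
PermissionGroups     : ExchangeUsers
RemoteIPRanges       : {10.0.0.0-10.255.255.255}
RequireTLS           : False
ProtocolLoggingLevel : Verbose
TransportRole        : FrontendTransport
Name                 : Hypothetical Locked-Down EXSRV13
"""

ANY_V4 = "0.0.0.0-255.255.255.255"


def parse_format_list(text: str) -> List[Dict[str, str]]:
    """One {property: value} dict per blank-line-separated object.

    Format-List wraps long values onto indented lines; those are joined back
    onto the previous property with a single space.
    """
    objs: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    last = ""
    for line in text.splitlines():
        if not line.strip():
            if cur:
                objs.append(cur)
            cur, last = {}, ""
            continue
        if line[0].isspace() and last:
            cur[last] = cur[last] + " " + line.strip()
            continue
        key, _, value = line.partition(":")
        last = key.strip()
        cur[last] = value.strip()
    if cur:
        objs.append(cur)
    return objs


def as_list(value: str) -> List[str]:
    """'{a, b}' or 'a, b' -> ['a', 'b']."""
    return [v.strip() for v in value.strip("{}").split(",") if v.strip()]


def audit(conn: Dict[str, str]) -> List[str]:
    """Findings for one connector; an empty list means nothing to report."""
    findings: List[str] = []
    groups = as_list(conn.get("PermissionGroups", ""))
    auth = as_list(conn.get("AuthMechanism", ""))
    ranges = as_list(conn.get("RemoteIPRanges", ""))
    listens_25 = any(b.endswith(":25") for b in as_list(conn.get("Bindings", "")))
    # Another Exchange server in the org delivers to port 25 using Exchange Server
    # authentication: the group must be permitted and the mechanism offered.
    if listens_25 and not ("ExchangeServers" in groups and "ExchangeServer" in auth):
        findings.append("port-25 listener does not allow Exchange Server authentication; "
                        "other Exchange servers in the org cannot deliver here")
    if "AnonymousUsers" in groups and ANY_V4 in ranges:
        findings.append("anonymous submission from any IPv4 source; confirm this is the MX-facing "
                        "connector and that it lacks ms-Exch-SMTP-Accept-Any-Recipient (open relay)")
    if (conn.get("RequireTLS", "False") == "False" and "BasicAuth" in auth
            and "BasicAuthRequireTLS" not in auth):
        findings.append("Basic authentication permitted without TLS; passwords cross the wire in clear")
    if conn.get("ProtocolLoggingLevel") == "None":
        findings.append("protocol logging is off; set it to Verbose while chasing stuck queues")
    return findings


def audit_all(text: str) -> Dict[str, List[str]]:
    """Connector name -> findings, for a whole Format-List dump."""
    return {c.get("Name", "?"): audit(c) for c in parse_format_list(text)}


if __name__ == "__main__":
    for name, notes in audit_all(SAMPLE).items():
        print(name, "->", notes or ["no findings"])
```

On the thread's own connectors the audit is clean for `Default Frontend EXSRV13` and flags only the two expected items on `Default EXSRV01` (anonymous submission from any address, logging off), which is consistent with the EHLO diff: the 2013 port-25 listener does permit Exchange Server authentication, so the block is not a missing permission group on that connector. To run it against a live dump, save `Get-ReceiveConnector -Server EXSRV13 | Format-List > connectors.txt` from the Exchange Management Shell and pass the file's contents to `audit_all`.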
  • Other connectors on 2013 box:


    RunspaceId                              : 016af15a-1620-4c13-bd02-4f40676644ae
    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {[::]:465, 0.0.0.0:465}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : EXSRV13.local.MY.DOMAIN.ca.gov
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : 5
    MessageRateSource                       : User
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 128 KB (131,072 bytes)
    MaxHopCount                             : 60
    MaxLocalHopCount                        : 5
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 35 MB (36,700,160 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : ExchangeUsers, ExchangeServers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : None
    RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : True
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : EXSRV13
    TransportRole                           : HubTransport
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Client Proxy EXSRV13
    DistinguishedName                       : CN=Client Proxy EXSRV13,CN=SMTP Receive
                                              Connectors,CN=Protocols,CN=EXSRV13,CN=Servers,CN=Exchange Administrative
                                              Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MY
                                              DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=local,DC=MY,
                                              DC=DOMAIN,DC=ca,DC=gov
    Identity                                : EXSRV13\Client Proxy EXSRV13
    Guid                                    : null
    ObjectCategory                          : local.MY.DOMAIN.ca.gov/Configuration/Schema/ms-Exch-Smtp-Receive-Connecto
                                              r
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 10/6/2017 1:29:25 PM
    WhenCreated                             : 8/3/2017 11:50:51 AM
    WhenChangedUTC                          : 10/6/2017 8:29:25 PM
    WhenCreatedUTC                          : 8/3/2017 6:50:51 PM
    OrganizationId                          :
    Id                                      : EXSRV13\Client Proxy EXSRV13
    OriginatingServer                       : ADSRV01.local.MY.DOMAIN.ca.gov
    IsValid                                 : True
    ObjectState                             : Unchanged

    RunspaceId                              : 016af15a-1620-4c13-bd02-4f40676644ae
    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {[::]:717, 0.0.0.0:717}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : True
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : EXSRV13.local.MY.DOMAIN.ca.gov
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : Unlimited
    MessageRateSource                       : IPAddress
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 128 KB (131,072 bytes)
    MaxHopCount                             : 60
    MaxLocalHopCount                        : 5
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 36 MB (37,748,736 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : ExchangeServers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : Verbose
    RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : EXSRV13
    TransportRole                           : FrontendTransport
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Outbound Proxy Frontend EXSRV13
    DistinguishedName                       : CN=Outbound Proxy Frontend EXSRV13,CN=SMTP Receive
                                              Connectors,CN=Protocols,CN=EXSRV13,CN=Servers,CN=Exchange Administrative
                                              Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MY
                                              DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=local,DC=MY,
                                              DC=DOMAIN,DC=ca,DC=gov
    Identity                                : EXSRV13\Outbound Proxy Frontend EXSRV13
    Guid                                    : null
    ObjectCategory                          : local.MY.DOMAIN.ca.gov/Configuration/Schema/ms-Exch-Smtp-Receive-Connecto
                                              r
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 10/6/2017 1:29:38 PM
    WhenCreated                             : 8/3/2017 12:00:27 PM
    WhenChangedUTC                          : 10/6/2017 8:29:38 PM
    WhenCreatedUTC                          : 8/3/2017 7:00:27 PM
    OrganizationId                          :
    Id                                      : EXSRV13\Outbound Proxy Frontend EXSRV13
    OriginatingServer                       : ADSRV01.local.MY.DOMAIN.ca.gov
    IsValid                                 : True
    ObjectState                             : Unchanged

    RunspaceId                              : 016af15a-1620-4c13-bd02-4f40676644ae
    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {[::]:587, 0.0.0.0:587}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : EXSRV13.local.MY.DOMAIN.ca.gov
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : 5
    MessageRateSource                       : User
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 128 KB (131,072 bytes)
    MaxHopCount                             : 60
    MaxLocalHopCount                        : 5
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 35 MB (36,700,160 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : ExchangeUsers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : None
    RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : True
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : EXSRV13
    TransportRole                           : FrontendTransport
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Client Frontend EXSRV13
    DistinguishedName                       : CN=Client Frontend EXSRV13,CN=SMTP Receive
                                              Connectors,CN=Protocols,CN=EXSRV13,CN=Servers,CN=Exchange Administrative
                                              Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MY
                                              DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=local,DC=MY,
                                              DC=DOMAIN,DC=ca,DC=gov
    Identity                                : EXSRV13\Client Frontend EXSRV13
    Guid                                    : 4cnull
    ObjectCategory                          : local.MY.DOMAIN.ca.gov/Configuration/Schema/ms-Exch-Smtp-Receive-Connecto
                                              r
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 10/6/2017 1:29:30 PM
    WhenCreated                             : 8/3/2017 12:00:27 PM
    WhenChangedUTC                          : 10/6/2017 8:29:30 PM
    WhenCreatedUTC                          : 8/3/2017 7:00:27 PM
    OrganizationId                          :
    Id                                      : EXSRV13\Client Frontend EXSRV13
    OriginatingServer                       : ADSRV01.local.MY.DOMAIN.ca.gov
    IsValid                                 : True
    ObjectState                             : Unchanged

    Friday, October 6, 2017 10:13 PM
  • FWIW: I disabled ALL receive connectors except the default frontend (on port 25) and used telnet port 25 to try various authentication settings, changed the IP scope to only the 2007 server. I tried just eliminating all variables and tried a custom connector with only exchange server authentication, wide scope, and to only host. Reset transport services each time, and after 10 or 20 different combinations mail never flows, and I never see all of the X verbs in telnet.  I have read dozens of posts online for the same issue, have tried everything to the point of disabling connectors on the 2007 box and breaking mail flow for the entire enterprise. 

    My first question is the problem on the 2013 box (can't receive) or is the problem on the 2007 box. I checked all the connectors on the 2007 box and only the default is scoped to 0.0.0.0-255.255.255.255, all others are host IP only. 

    My second question is the problem authentication related, or IP scope causing the issue? I see lots of posts where more than one connector had the same scope, or the scope included the old mail server.  

    I'm running out of things to try, so calling it a day for now.  

    Friday, October 6, 2017 10:21 PM
  • Latest NDR:

    Microsoft Exchange has been trying to deliver this message without success and has stopped trying. Please try sending this message again, or provide the following diagnostic text to your system administrator.
      _____ 
    Sent by Microsoft Exchange Server 2007
    Diagnostic information for administrators:
    Generating server: EXSRV01.local.MY.DOMAIN.ca.gov
    mlamb@MY.DOMAIN.ca.gov
    #550 4.4.7 QUEUE.Expired; message expired ##
    Original message headers:
    Received: from EXSRV01.local.MY.DOMAIN.ca.gov
     ([fe80::5872:f3a1:8388:7799]) by EXSRV01.local.MY.DOMAIN.ca.gov
     ([fe80::5872:f3a1:8388:7799%11]) with mapi; Wed, 4 Oct 2017 15:22:50 -0700
    Content-Type: application/ms-tnef; name="winmail.dat"
    Content-Transfer-Encoding: binary
    From: Bogus User <joeblow@MY.DOMAIN.ca.gov>
    To: Mary L - TEST USER - disabled test 5-27-2016 <mlamb@MY.DOMAIN.ca.gov>
    Date: Wed, 4 Oct 2017 15:22:50 -0700
    Subject: test 4444
    Thread-Topic: test 4444
    Thread-Index: AdM9X0rWZ166zRsBRdajwQw7SM7xiQ==
    Message-ID: <7D84A25998F9BC448A0FBE63673AAAD378845B40E8@EXSRV01.local.MY.DOMAIN.ca.gov>
    Accept-Language: en-US
    Content-Language: en-US
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator: <7D84A25998F9BC448A0FBE63673AAAD378845B40E8@EXSRV01.local.MY.DOMAIN.ca.gov>
    MIME-Version: 1.0

    Friday, October 6, 2017 10:55 PM
  • Playing around in telnet more I was able to get the new server to spit out the following (as from the 2007 server)

    220 EXSRV13.local.some.domain.ca.gov Microsoft ESMTP MAIL Service ready at Fri
    , 6 Oct 2017 16:03:57 -0700
    EHLO
    250-EXSRV13.local.some.domain.ca.gov Hello [X.X.6.47]
    250-SIZE 37748736
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-X-ANONYMOUSTLS
    250-AUTH NTLM
    250-X-EXPS GSSAPI NTLM
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250 XRDST
    MAIL FROM:mlamb@some.domain.ca.gov
    530 5.7.1 Client was not authenticated

    C:\Users\administrator.DOMAIN>


    Edit: This issue was fixed by selecting anon users under the receive connector on the 2013 box. 
    • Edited by test1500 Friday, October 6, 2017 11:11 PM update post
    • Proposed as answer by Jason.ChaoModerator Monday, October 16, 2017 2:09 AM
    • Unproposed as answer by test1500 Monday, October 16, 2017 3:27 PM
    Friday, October 6, 2017 11:08 PM
  • Hi,

    Thanks for your response. It seems your issue has been resolved?

    ---------------------------------------------------------------------------------------------------

    RunspaceId                              : 016af15a-1620-4c13-bd02-4f40676644ae
    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {[::]:25, 0.0.0.0:25}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : EXSRV13.local.MY.DOMAIN.ca.gov
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : Unlimited
    MessageRateSource                       : IPAddress
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 128 KB (131,072 bytes)
    MaxHopCount                             : 60
    MaxLocalHopCount                        : 5
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 36 MB (37,748,736 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : Verbose
    RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : EXSRV13
    TransportRole                           : FrontendTransport
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Default Frontend EXSRV13

    ----------------------------------------------------------------------------------

    In the default front end receive connector we need to check the anonymous permission group.

    Thanks.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 16, 2017 2:09 AM
    Moderator
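The check Jason describes (is the anonymous permission group on the Default Frontend connector?) is easy to confuse with the condition that actually makes a connector an open relay, which is the anonymous principal holding the ms-Exch-SMTP-Accept-Any-Recipient extended right. The following Exchange Management Shell script is an added example and is not from this thread or from Microsoft; it uses only the standard Get-ReceiveConnector, Get-ADPermission and Set-ReceiveConnector cmdlets, and the two function names, the column names and the server name EXSRV13 are the example's own choices taken from the thread. The second function exists because Set-ReceiveConnector -PermissionGroups replaces the whole set, so adding AnonymousUsers without re-listing the existing groups silently drops them.

```powershell
# Added example (not from the thread): inventory receive connectors on one
# server and report, per connector, whether AnonymousUsers is granted and
# whether ANONYMOUS LOGON can relay (Accept-Any-Recipient). Run in the
# Exchange Management Shell. Server/connector names are the thread's.
function Get-ReceiveConnectorAudit {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Server)

    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        # PermissionGroups renders as "ExchangeUsers, ExchangeServers"; split into names.
        $groups = @("$($rc.PermissionGroups)" -split ',\s*' | Where-Object { $_ })

        # The out-of-the-box ranges put every source address in scope.
        $wideOpen = @($rc.RemoteIPRanges | ForEach-Object { "$_" }) -contains '0.0.0.0-255.255.255.255'

        # Extended rights granted (not denied) to the anonymous principal on this connector.
        $anonRights = @($rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
            Where-Object { -not $_.Deny } |
            ForEach-Object { $_.ExtendedRights } |
            ForEach-Object { "$_" })

        [pscustomobject]@{
            Name             = $rc.Name
            TransportRole    = "$($rc.TransportRole)"
            Bindings         = (@($rc.Bindings | ForEach-Object { "$_" }) -join ', ')
            RemoteIPRanges   = (@($rc.RemoteIPRanges | ForEach-Object { "$_" }) -join ', ')
            PermissionGroups = ($groups -join ', ')
            AnonymousAllowed = ($groups -contains 'AnonymousUsers')
            # True only when anonymous senders may submit to any recipient, i.e. relay.
            AnonymousRelay   = (@($anonRights | Where-Object { $_ -like '*Accept-Any-Recipient*' }).Count -gt 0)
            WideOpenScope    = $wideOpen
        }
    }
}

# Add one permission group while keeping the ones already present.
# "Custom" is display-only and is rejected as an input value, so it is filtered out;
# compare Get-ADPermission output before and after if the connector was hand-edited.
function Add-ReceiveConnectorPermissionGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,   # e.g. 'EXSRV13\Default Frontend EXSRV13'
        [Parameter(Mandatory)][string]$Group       # e.g. 'AnonymousUsers'
    )
    $rc = Get-ReceiveConnector -Identity $Identity
    $groups = @("$($rc.PermissionGroups)" -split ',\s*' | Where-Object { $_ -and $_ -ne 'Custom' })
    if ($groups -contains $Group) {
        Write-Verbose "$Identity already grants $Group"
        return $rc
    }
    $groups += $Group
    Set-ReceiveConnector -Identity $Identity -PermissionGroups ($groups -join ',')
    Get-ReceiveConnector -Identity $Identity
}

# Usage with the thread's names:
#   Get-ReceiveConnectorAudit -Server EXSRV13 | Format-Table -AutoSize
#   Add-ReceiveConnectorPermissionGroup -Identity 'EXSRV13\Default Frontend EXSRV13' -Group AnonymousUsers
```

In the audit output, AnonymousAllowed plus WideOpenScope on the Default Frontend connector is the stock configuration (it is how Internet mail arrives), whereas AnonymousRelay being true on any connector that is reachable from outside is the finding worth acting on.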
  • Hello Jason!

    I was on vacation last week so sorry for the delay in responding.  No the issue is still the same, still no mail flow from 2007 users to 2013 users.  Anonymous users is checked on the default frontend connector.  I have checked it on the default hubtransport as well.  Still no mail flow,  it has never worked and I have tried so many combinations I have lost track.  The issue has been so frustrating I needed to take some time off.  Soon I hope to tackle it more.

    Here is one of the latest NDR's while I was out.

    Generating server: EXSRV01.local.MY.DOMAIN.ca.gov
    mlamb@MY.DOMAIN.ca.gov
    #550 4.4.7 QUEUE.Expired; message expired ##
    Original message headers:

    Received: from EXSRV01.local.MY.DOMAIN.ca.gov
     ([fe80::5872:f3a1:8388:7799]) by EXSRV01.local.MY.DOMAIN.ca.gov
     ([fe80::5872:f3a1:8388:7799%11]) with mapi; Thu, 5 Oct 2017 12:10:23 -0700
    Content-Type: application/ms-tnef; name="winmail.dat"
    Content-Transfer-Encoding: binary
    From: Test USER <dUSER@MY.DOMAIN.ca.gov>
    To: Mary L - TEST USER - disabled test 5-27-2016 <mlamb@MY.DOMAIN.ca.gov>
    Date: Thu, 5 Oct 2017 12:10:21 -0700
    Subject: RE: test 9999
    Thread-Topic: test 9999
    Thread-Index: AdM+DYdxQL2SuQNETe6BFWJXFbhp9QAAAt0Q
    Message-ID: <7D84A25998F9BC448A0FBE63673AAAD378845B41B4@EXSRV01.local.MY.DOMAIN.ca.gov>
    References: <3f2b25e9829b48d780bc67a3a3cd726f@EXSRV13.local.MY.DOMAIN.ca.gov>
    In-Reply-To: <3f2b25e9829b48d780bc67a3a3cd726f@EXSRV13.local.MY.DOMAIN.ca.gov>
    Accept-Language: en-US
    Content-Language: en-US
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator: <7D84A25998F9BC448A0FBE63673AAAD378845B41B4@EXSRV01.local.MY.DOMAIN.ca.gov>
    MIME-Version: 1.0

    I'm sure it is something simple, but I still can't figure it out.  


    DJ

    Monday, October 16, 2017 3:22 PM

  • For testing, can you try disabling the default receive connector on 2013 and creating a new test connector with:

    Role-Hub
    Type-Internal
    Under IP range, just allow 2007 internal IPs
    Auth- check all except externally secured
    Permissions Groups-Exchange Servers,legacy Exchange Servers,Exchange users

    Regards,
    Fazal

    Disclaimer: The views expressed on this blog are my own and do not necessarily reflect the views of my employer.

    Monday, October 16, 2017 7:53 PM
  • Fazal,  every time I have tried to create a custom connector I always get the error that the IP range conflicts with the "Default frontend SERVER" connector,  even when disabled.  I will try to blank out the IP range on the default connectors,  but I always run into some conflict since they cover the same IP range.   

    DJ

    Monday, October 16, 2017 8:06 PM
  • Fazal,   can you outline the steps to do this?  Apparently I am not understanding the connectors, as no matter what I do (aside from deleting the default connectors) it will not let me create a custom connector.  

    I get:  

    "The values that you specified for the Bindings and RemoteIPRanges parameters conflict with the settings on Receive connector "SERVER\Default Frontend SERVER". Receive connectors assigned to different Transport roles on a single server must listen on unique local IP address & port bindings."

    I only have one NIC in this server.  Am I required to bring up a second NIC just to setup a connector now?  I am worried if I delete the default connectors I will never be able to get them back as the connectors would likely conflict.   I would like to try a custom connector but I always get denied due to the default connector. 


    DJ

    Monday, October 16, 2017 8:13 PM
  • Fazal,   I deleted BOTH of the default connectors - it was my only option to create a custom receive connector.  I restarted transport services and still waiting for mail to flow, nothing yet. 

    The custom connector is 'Coexist'.

    Here are the receive connectors on the 2013 box to confirm if I did it correctly:

    Name             : Client Proxy EXSRV13
    AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    TransportRole    : HubTransport
    PermissionGroups : ExchangeUsers, ExchangeServers
    Name             : Outbound Proxy Frontend EXSRV13
    AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    TransportRole    : FrontendTransport
    PermissionGroups : ExchangeServers
    Name             : Client Frontend EXSRV13
    AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
    RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    TransportRole    : FrontendTransport
    PermissionGroups : ExchangeUsers
    Name             : Coexist
    AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    RemoteIPRanges   : {X.X.6.47}
    TransportRole    : HubTransport
    PermissionGroups : ExchangeUsers, ExchangeServers, ExchangeLegacyServers

    • Edited by test1500 Monday, October 16, 2017 9:04 PM added list
    Monday, October 16, 2017 8:57 PM
  • Hi, have you added the 2013 to the AD server account with full control and the 2007 box to the 2013 AD server account, full control under each computer / server object security account?  

    You'll need to reboot after doing so.

    This could also be a DNS issue.  Setup your hosts file with servernames (smarthosts included) and see if the problem goes away.  Most likely you have a bad A record or ptr.

    One other thing, Add the intermediate cert from the 2007 box to the intermediate store on the 2013 box and vice versa.  



    Steve W. MCSA,CCNA,MCP,A+,SEC+,CIW

    Monday, October 16, 2017 9:58 PM
  • With the 'Coexist' custom connector,  here is what I see from telnet:

    220 EXSRV13.local.MY.DOMAIN.ca.gov Microsoft ESMTP MAIL Service ready at Mon
    , 16 Oct 2017 14:59:31 -0700
    ehlo
    250-EXSRV13.local.MY.DOMAIN.ca.gov Hello [X.X.6.47]
    250-SIZE
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-X-ANONYMOUSTLS
    250-AUTH NTLM
    250-X-EXPS GSSAPI NTLM
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250-XEXCH50
    250-XRDST
    250 XSHADOWREQUEST

    Looks good,  but still no mail flow.  Now mail is not flowing in either direction from/to 2013 to 2007 and vice versa.  


    DJ

    Monday, October 16, 2017 10:02 PM
  • "have you added the 2013 to the AD server account with full control and the 2007 box to the 2013 AD server account, full control under each computer / server object security account?"

    No, this is the first I have heard of this.  I will have to search on how this is done as I have never messed with the server accounts.  Do you mean the local admin account?

    Both servers are running the new cert, and is the same cert on both mail servers. 

    I don't think I have ever rebooted the 2007 server since standing up the new 2013 server.  Wondering if I need to rule that out before digging into DNS.  I have broken so many other things trying to sort this out that I am not sure I want to tear into DNS just yet.  


    DJ

    Monday, October 16, 2017 10:12 PM
  • You add the servers as administrators of themselves by using Active Directory Users and Computers.  You right click on the 2007 and 2013 server objects, select the Security tab, and select Object Types, put a check mark on COMPUTERS, and then find the servers (2013 for the 2007 server object, and 2007 for the 2013 server object).  

    Give both full control to each.

    As far as the certificates go, I'm referring to the 2013's intermediate certificate (not the GoDaddy certificate). You'll need to use the Certificates MMC on both 2013 and 2007 boxes and EXPORT the 2013.server.com intermediate cert,  to the 2007 Intermediate cert folder, and do the same for the 2007 box to the 2013 box.


    Steve W. MCSA,CCNA,MCP,A+,SEC+,CIW

    Monday, October 16, 2017 10:34 PM
  • Thanks Steve,  I was able to fudge my way, and added both servers with full control in ADUC.  Will need to schedule the reboot of the 2007 box. 

    As for the certs,  I see a few under intermediate on both boxes.  Is it the 'Root Agency' cert I need to export?  or the godaddy root certificate authority?  The others are expired.  Do I want  DER/Base64 .CER or .P7B format on the export?  

    Thank you


    DJ

    Monday, October 16, 2017 10:46 PM
  • Actually you should be ok with just exporting the personal cert on both to the local trusted cert authority on both.  So you'll export a .p7B (check the box for exporting metadata).

    on each server, select to export the SERVERNAME that you are on and export it.  If your 2007 box is EX2007 then navigate to Trusted root certificate authority and export THAT certificate.  Import it to the 2013 box to the same location.  Repeat for the 2013 box.

    Granted, others may read this and see that this is not a fix, but I have personally run into this issue with a 2007 box, and I was able to get things running smoothly after doing this very thing.

    Also, it may have already been mentioned, but navigate to https://testconnectivity.microsoft.com/ on both servers, and see what happens when you run it.  It may be a little confusing, but it seems that you are getting out on your 2013 server so that will give us a clue on where it is getting hung up.


    Steve W. MCSA,CCNA

    Monday, October 16, 2017 11:06 PM
  • Ok will do.  Not sure if it matters, but the personal cert on the 2007 box expired in 2015.  

    I have been fighting with this 2013 server since day one,  so I will try anything at this point!  

    I should point out that the 2013 server does not currently have full access to the LAN or the Internet. The reason is users Outlook clients were trying to connect to the new server and getting errors and it was flogging the help desk guy with email requests.  Once I know mail is flowing, then I can try and see if users can connect without getting errors,  or just give up on the hope of coexistence. 


    DJ

    Monday, October 16, 2017 11:14 PM
  • Exchange uses opportunistic TLS for transport between Hub servers, so self-signed cert expiry should not matter. Please allow anonymous access as well on the Front end receive connector. 

    To confirm the message is exiting the outbox & just dies in the queue?

    Regards,

    Fazal


    Disclaimer: The views expressed on this blog are my own and do not necessarily reflect the views of my employer.

    Tuesday, October 17, 2017 12:00 AM
  • Please refer to the article below to create the receive connector you've deleted:

    https://technet.microsoft.com/en-us/library/aa996395(v=exchg.160).aspx

    Thanks.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 17, 2017 2:04 AM
    Moderator
  • Fazal, Yes they leave the outbox, and just expire.  Not getting the authentication errors, just no mail flow. 


    DJ

    Tuesday, October 17, 2017 3:09 PM
  • Jason,  so I should delete the custom connector and just try to re-add the default connectors?  I will give it a try. 

    DJ

    Tuesday, October 17, 2017 3:12 PM
  • Ok so I put the connectors back:

    Name             : Default EXSRV13
    AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    RemoteIPRanges   : {0.0.0.0-255.255.255.255}
    TransportRole    : HubTransport
    PermissionGroups : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
    Bindings         : {0.0.0.0:2525}
    Name             : Default Frontend EXSRV13
    AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    RemoteIPRanges   : {0.0.0.0-255.255.255.255}
    TransportRole    : FrontendTransport
    PermissionGroups : AnonymousUsers, ExchangeServers, ExchangeLegacyServers
    Bindings         : {0.0.0.0:25}

    Mail is now once again flowing from 2013 users to 2007 users.  Mail does not flow from 2007 users to 2013 users. So back to one way flow. 


    DJ

    Tuesday, October 17, 2017 3:32 PM
  • Latest output from the queue:

    RunspaceId                       : cf7209df-9723-4f51-ab1d-98043f0fea57
    DeliveryType                     : SmtpRelayWithinAdSite
    NextHopDomain                    : hub version 15
    TlsDomain                        :
    NextHopConnector                 : 61027a30-e9a9-4c2d-acb5-c1efc96d5d8b
    Status                           : Retry
    MessageCount                     : 5
    LastError                        : 451 4.4.0 Primary target IP address responded with: "421 4.4.1 Connection timed
                                       out." Attempted failover to alternate host, but that did not succeed. Either there
                                       are no alternate hosts, or delivery failed to all alternate hosts.
    RetryCount                       : 0
    LastRetryTime                    : 10/17/2017 8:27:50 AM
    NextRetryTime                    : 10/17/2017 8:37:50 AM
    FirstRetryTime                   :
    DeferredMessageCount             : 0
    LockedMessageCount               : 0
    MessageCountsPerPriority         :
    DeferredMessageCountsPerPriority :
    RiskLevel                        : Normal
    OutboundIPPool                   : 0
    NextHopCategory                  : Internal
    IncomingRate                     : 0
    OutgoingRate                     : 0
    Velocity                         : 0
    OverrideSource                   :
    QueueIdentity                    : EXSRV01\80629
    PriorityDescriptions             : {High, Normal, Low, None}
    Identity                         : EXSRV01\80629
    IsValid                          : True
    ObjectState                      : New

    451 4.4.0 Primary target IP address responded with: "421 4.4.1 Connection timed out."


    DJ

    Tuesday, October 17, 2017 3:39 PM
  • Just curious,  if we use a smarthost for the send connector on the existing 2007 box, would mail destined for users on the 2013 box be routed through the smarthost?    I ask as the 2013 box is not currently configured on the smarthost, the smarthost box only routes inbound mail to the 2007 box.  I am wondering if this is why I see the "connection timed out" error on mail to users on the 2013 box.  

    DJ

    Tuesday, October 17, 2017 3:59 PM
  • Thanks for your information.

After you’ve created a connector, it’s recommended to restart all the transport services.

Given the error, it seems to be a network issue:

    Please run the command: ipconfig /flushDNS in cmd and check the results.

And also check: in the network properties, under IPv4 > Properties > Advanced > DNS, if the option "Register this connection's address in DNS" is unchecked, please check it. After that, restart the transport services.

It’s also recommended to add a record for the Exchange 2013 server on the Exchange 2007 server.

    Hope it helps.

    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 18, 2017 2:13 AM
    Moderator
  • Thanks Jason,

    When I query either box from the other in nslookup by host name or FQDN they resolve correctly.  Local pings resolve to the IPv6 address on both servers, and pings to the other host resolve to the v4 address. Both servers have DNS records, and the DNS option to add a record is checked.  I have flushed the DNS cache on both servers.  I have not spotted any DNS errors in any logs, or in the queue errors. Just the same "421 4.4.1 connection timed out" error. 

    RunspaceId                       : e957e8e2-5d38-4614-992a-3b6da3b833a4
    DeliveryType                     : SmtpRelayWithinAdSite
    NextHopDomain                    : hub version 15
    TlsDomain                        :
    NextHopConnector                 : 61027a30-e9a9-4c2d-acb5-c1efc96d5d8b
    Status                           : Retry
    MessageCount                     : 8
    LastError                        : 451 4.4.0 Primary target IP address responded with: "421 4.4.1 Connection timed
                                       out." Attempted failover to alternate host, but that did not succeed. Either there
                                       are no alternate hosts, or delivery failed to all alternate hosts.
    RetryCount                       : 0
    LastRetryTime                    : 10/18/2017 8:14:36 AM
    NextRetryTime                    : 10/18/2017 8:24:36 AM

I know when I search that error I see many solved it with DNS changes. DNS is solid, and I can't find any errors to point me toward DNS.

Is it time to open a case with MS? I have checked the firewall on the 2013 box, all rules are there, I have even turned off the firewall to see. No change. I have the certs matched up.

    What I did find in the log on the 2007 box, event ID 2006:

    Send connector Intra-Organization SMTP Send Connector: the connection to X.X.6.39:25 was disconnected by the remote server.

    This may be a clue?

    Found on 2013 box:  Anti-spam agents are enabled, but the list of internal SMTP servers is empty. If there are any MTAs between this server and the Internet, populate this list by using the Set-TransportConfig cmdlet in the Exchange Management Shell.

    Edit: FWIW I added our smarthost, and the 2013 box using the transportconfig command, so I no longer see the warning on the 2013 box about the internal SMTP list being empty.  I also put the malware filter feature on bypass on the 2013 box to rule that out,  restarted the transport service many times today already.  I can watch the events rack up by the second, then each minute, then five minutes, then ten minutes, and back to the normal cycle of send/failure error.   Ready to pull my hair out again. 


    DJ


    • Edited by test1500 Wednesday, October 18, 2017 5:49 PM
    Wednesday, October 18, 2017 3:56 PM
  • Here is a snapshot of the connectivity log on the 2007 box:

    2017-10-18T00:58:33.514Z,08D5158550CAF10D,SMTP,hub version 15,+,61027a30-e9a9-4c2d-acb5-c1efc96d5d8b
    2017-10-18T00:58:33.514Z,08D5158550CAF10D,SMTP,hub version 15,>,EXSRV13.local.some.domain.ca.gov[X.X.6.39]
    2017-10-18T00:58:33.514Z,08D5158550CAF10D,SMTP,hub version 15,>,Established connection to X.X.6.39
    2017-10-18T00:58:33.514Z,08D5158550CAF10D,SMTP,hub version 15,-,Retry

    All entries for the new server look like this.  Hoping this might help lead to what I need to check?  Grasping at straws at this point.


    DJ


    • Edited by test1500 Wednesday, October 18, 2017 6:06 PM
    Wednesday, October 18, 2017 6:06 PM
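The queue dump and the connectivity log snapshot above are the two places the thread has hard evidence, so here is a script that pulls both from the Exchange Management Shell and adds the one check the thread keeps circling: whether the next hop actually accepts a TCP connection on port 25. This is an added example, not code posted by anyone in the thread. It assumes the Exchange 2007 Management Shell on the Hub Transport server and the names used in the thread (EXSRV01 for the 2007 box, EXSRV13 for the 2013 box, queue 80629); the connectivity log column names are the ones the 2007 log writes in its `#Fields:` header.

```powershell
# Added example for this thread; not code posted by any participant.
# Assumes the Exchange 2007 Management Shell on the Hub Transport server, and the
# names from the thread (EXSRV01 = 2007 box, EXSRV13 = 2013 box, queue 80629).
$Server  = 'EXSRV01'
$NextHop = 'EXSRV13'
$QueueId = "$Server\80629"

# 1. Every queue stuck in Retry, with the last SMTP response it received.
Get-Queue -Server $Server |
    Where-Object { $_.Status -eq 'Retry' } |
    Format-List Identity, DeliveryType, NextHopDomain, MessageCount, RetryCount, LastError

# 2. The individual messages parked in the queue shown in the thread.
Get-Message -Queue $QueueId |
    Format-Table FromAddress, Recipients, Status, LastError -AutoSize

# 3. Connectivity log entries for the next hop. The log directory comes from the
#    transport server object; header rows start with '#', so the column names
#    are supplied by hand (they match the 2007 connectivity log layout).
$LogDir  = (Get-TransportServer $Server).ConnectivityLogPath.ToString()
$Columns = 'date-time', 'session', 'source', 'destination', 'direction', 'description'
$Latest  = Get-ChildItem -Path $LogDir -Filter 'CONNECTLOG*.LOG' |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
Get-Content $Latest.FullName |
    Where-Object { $_ -notmatch '^#' } |
    ConvertFrom-Csv -Header $Columns |
    Where-Object { $_.destination -match $NextHop -or $_.description -match "$NextHop|Retry" } |
    Group-Object session |
    ForEach-Object {
        # one line per SMTP session: when it started, what it reached, how it ended
        $first = $_.Group[0]; $last = $_.Group[-1]
        "{0}  session={1}  first='{2}'  last='{3}'" -f $first.'date-time', $_.Name, $first.description, $last.description
    }

# 4. Separate a network-level timeout from an SMTP session that is dropped after
#    connect: open a raw TCP socket to port 25 with a short timeout and read the
#    220 banner. If this returns a banner while the queue still says 421 4.4.1,
#    the session dies after the connection is established (look at protocol
#    logs and Schannel events), not in the network path.
function Test-SmtpBanner {
    param([string]$HostName, [int]$Port = 25, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($HostName, $Port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
        $client.Close()
        return "TIMEOUT: no TCP connection to ${HostName}:$Port within $TimeoutMs ms"
    }
    $client.EndConnect($async)
    $stream = $client.GetStream(); $stream.ReadTimeout = $TimeoutMs
    $reader = New-Object System.IO.StreamReader($stream)
    try   { $banner = $reader.ReadLine() }          # e.g. "220 EXSRV13... ESMTP"
    catch { $banner = "connected, but no banner within $TimeoutMs ms" }
    $client.Close()
    return "CONNECTED: $banner"
}
Test-SmtpBanner -HostName $NextHop
```

The log snapshot in the post above already shows the pattern this script makes easy to spot in bulk: "Established connection to X.X.6.39" followed immediately by "Retry" in the same session. That is a connection that opened and then failed, which is a different problem from a SYN that never got answered, even though Exchange reports both as 421 4.4.1.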
  • If the servers are in the same network and all firewall issues have been ruled out, you then need to re-verify the Exchange receive connector settings on the 2013 server. Additionally, make sure you have not added the Exchange 2007 IP to any relay connector. Check the link below to match permissions again, or recreate all receive connectors using the script in the link. It also has a script to back up the current config of the connectors.

    https://www.petenetlive.com/KB/Article/0001314

    This may have been already provided by you, but please update the exact 2007 & 2013 SP/RU/CU levels.

    Regards,

    Fazal


    Disclaimer: The views expressed on this blog are my own and do not necessarily reflect the views of my employer.

    Wednesday, October 18, 2017 7:04 PM
  • Here are the versions in use;

    2007 box: SP3 - Version 8.3  Build 83.6

    2013 Box:  CU16 - Version 15.0 Build 1293.2

    When you say "make sure you have not added the exchange 2007 IP to any relay connector" can I assume you mean receive connector?  And if so, the default connectors scope the entire span (0.0.0.0-255.255.255.255) so yes, they do include the 2007 IP address.    However,  when I deleted the defaults and created a custom connector with only the IP of the 2007 box, this did not solve the mail flow issue,  it did give the correct X verbs in a telnet session however.  

    I was advised by Jason here to add the defaults back in,  so the defaults do include an IP address range that overlaps the 2007 box.  I am not sure how to avoid this without using custom connectors scoped to individual IP addresses.  


    DJ

    Wednesday, October 18, 2017 7:45 PM
  • The only way my connectors vary from the default is that I have verbose logging enabled. All other settings are identical; one thing I had to change was the local hop count from 5 to 12.


    DJ

    Wednesday, October 18, 2017 8:47 PM
  • I applied CU18 to the 2013 server, and rebooted both servers.  No change, I have each server with full admin rights to the other in AD, same certs applied, I have checked/deleted/recreated and rechecked my receive connectors, DNS pointers, added all SMTP servers in the global settings, checked the max connections. 


    DJ

    Thursday, October 19, 2017 2:44 AM
  • What is the RU level for Exchange 2007?

    Regards,

    Fazal



    Thursday, October 19, 2017 1:11 PM
  • RU is 14 on the 2007 box: 08.03.0379.002

    Per TechNet  - 

    Update Rollup 14 for Exchange Server 2007 SP3

    August 26, 2014

    08.03.0379.002


    DJ

    Thursday, October 19, 2017 3:22 PM
  • The range for the default connector is fine; I wanted to be sure the Exchange 2007 IP is not explicitly part of some 'Anonymous relay' or any other connector. Did you try backing up, deleting and recreating all connectors on 2013?



    • Edited by Fazal Zaidi Thursday, October 19, 2017 5:39 PM
    Thursday, October 19, 2017 5:39 PM
  • Thanks Fazal,

    Yes for the most part the default connectors have the range 0.0.0.0-255.255.255.255 with everything as default.  I have scoped them down to just the 2007 box to see what changes from telnet.  I have deleted and recreated the receive connectors twice by hand,  once by script.  I have been leaving them in the default config for authentication and scoping as changing them only gives other errors, such as connection refused, or authentication errors if I change the security groups or the authentication options.  So currently the connectors are as they came on the box at the moment. 

    I have sent test messages from both servers via telnet,  and if I enter in an invalid email address (destined for the 2013 server) it will give "#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##" in the NDR.  So the 2013 server had to communicate to give the 550 response code.    

    I am just monitoring the queue and trying different combinations,  but I always get the same error "421 4.4.1 connection timed out." 


    DJ

    Thursday, October 19, 2017 6:38 PM
  • Hi DJ, do you happen to have a mobile password set up on the 2007 or 2013 box for ActiveSync? If so, remove it and ensure that anonymous is set up on both.

    Steve W. MCSA,CCNA,MCP,A+,SEC+,CIW

    Thursday, October 19, 2017 6:41 PM
  • Steve, 

    I don't believe we do.  When I look in (2013) mobile device mailbox policy require password is not checked. 

    When I look at the 2007 box we have require password unchecked as well. 

    Outlook anywhere has basic authentication checked with no SSL offloading. 

    FYI


    DJ

    Thursday, October 19, 2017 7:12 PM
  • Can you add the Exchange 2007 IP address to the default FE(25) connector explicitly, I know it has the entire range, Just add the 2007 IP, restart transport services.

    Regards,

    Fazal

     


    Thursday, October 19, 2017 7:40 PM
  • Fazal,  I have done this probably a half dozen times already,  (as indicated in my previous post: "I have scoped them down to just the 2007 box to see what changes from telnet")  but I will give it another shot. 

    Just to make it different, I added the 2007 box as its own scope with just its IP address, and left the default range on it. Still the same error.


    DJ


    • Edited by test1500 Thursday, October 19, 2017 8:37 PM
    Thursday, October 19, 2017 8:16 PM
  • Just to verify the connector status as it has been left.  I think I can rule out receive connector issue after trying dozens of combinations, deleting them, recreating and doing many tests in telnet.  

    However, mail still only flows from 2013 users to 2007 users, not from 2007 to 2013 users.

    Name             : Default EXSRV13
    AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    TransportRole    : HubTransport
    PermissionGroups : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
    Name             : Default Frontend EXSRV13
    AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    RemoteIPRanges   : {0.0.0.0-255.255.255.255, X.X.6.47, ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff}
    TransportRole    : FrontendTransport
    PermissionGroups : AnonymousUsers, ExchangeServers, ExchangeLegacyServers

    Any other clues or advice, I am open.

    Thanks


    DJ


    • Edited by test1500 Thursday, October 19, 2017 10:57 PM
    Thursday, October 19, 2017 10:56 PM
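The connector listing above shows two connectors bound to port 25 territory whose RemoteIPRanges overlap the 2007 box, plus an explicit X.X.6.47 entry on the frontend connector. Exchange does not merge overlapping connectors; for a given port it hands the session to the connector whose matching range is the most specific, so the useful question is "which one will actually answer EXSRV01?" rather than "is EXSRV01 in any of them?". The script below resolves that, and then answers Fazal's relay question from the connector ACL instead of the connector name. This is an added example, not code from the thread. It assumes the Exchange 2013 Management Shell on EXSRV13; the 2007 address is written here as X.X.6.47 exactly as the thread masks it and must be replaced with the real one before the script will parse it.

```powershell
# Added example for this thread; not code posted by any participant.
# Assumes the Exchange 2013 Management Shell on EXSRV13. The 2007 address is
# masked below as in the thread; substitute the real one.
$Exchange2007Ip = 'X.X.6.47'

function ConvertTo-IpNumber([string]$Ip) {
    # IPv4 dotted quad -> int64, so ranges can be compared numerically
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Get-IpRangeBounds([string]$Range) {
    # Accepts the three forms Exchange displays: "a.b.c.d", "a.b.c.d-e.f.g.h", "a.b.c.d/nn".
    # Returns $null for IPv6 entries, which this example does not evaluate.
    if ($Range -match ':') { return $null }
    if ($Range -match '^([\d.]+)-([\d.]+)$') {
        return @{ Low = (ConvertTo-IpNumber $Matches[1]); High = (ConvertTo-IpNumber $Matches[2]) }
    }
    if ($Range -match '^([\d.]+)/(\d+)$') {
        $base  = ConvertTo-IpNumber $Matches[1]
        $hosts = [int64][Math]::Pow(2, 32 - [int]$Matches[2])   # addresses in the block
        $low   = $base - ($base % $hosts)
        return @{ Low = $low; High = $low + $hosts - 1 }
    }
    $n = ConvertTo-IpNumber $Range
    return @{ Low = $n; High = $n }
}

function Resolve-ReceiveConnector {
    # Which receive connector on $Server takes a session from $RemoteIp on $Port?
    # Among connectors bound to that port, Exchange uses the one whose matching
    # RemoteIPRanges entry is the most specific (smallest), hence the sort.
    param([string]$Server, [string]$RemoteIp, [int]$Port = 25)
    $ip   = ConvertTo-IpNumber $RemoteIp
    $hits = foreach ($rc in Get-ReceiveConnector -Server $Server) {
        if (-not ($rc.Bindings | Where-Object { $_.Port -eq $Port })) { continue }
        foreach ($entry in $rc.RemoteIPRanges) {
            $b = Get-IpRangeBounds $entry.ToString()
            if ($b -and $ip -ge $b.Low -and $ip -le $b.High) {
                New-Object PSObject -Property @{
                    Connector        = $rc.Name
                    Role             = $rc.TransportRole
                    MatchedRange     = $entry.ToString()
                    RangeSize        = $b.High - $b.Low + 1
                    PermissionGroups = $rc.PermissionGroups
                    AuthMechanism    = $rc.AuthMechanism
                    Fqdn             = $rc.Fqdn
                }
            }
        }
    }
    $hits | Sort-Object RangeSize | Select-Object -First 1
}

# The connector that will answer the 2007 Hub Transport server on port 25:
Resolve-ReceiveConnector -Server 'EXSRV13' -RemoteIp $Exchange2007Ip | Format-List

# "Relay connector" check from the ACL rather than the name: a connector that
# grants ms-Exch-SMTP-Accept-Any-Recipient to anonymous logon relays for every
# address in its RemoteIPRanges, whatever it is called.
Get-ReceiveConnector -Server 'EXSRV13' | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like '*Accept-Any-Recipient*' -and $_.User -like '*ANONYMOUS*' } |
    Select-Object Identity, User, ExtendedRights
```

Run it once per binding you care about (25 for the frontend, 2525 for the Transport service) and compare the PermissionGroups and Fqdn of whichever connector wins with the 2007 box's own receive connector; a mismatch there is the kind of thing the later posts in this thread change by hand.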
  • If it's not the connectors, the only thing I can see is a network issue between these servers. It could be a switch port, network routes, Windows Firewall on 2013, or antivirus, ScanMail etc. Have you checked all those? Are these in the same LAN/VLAN?

    Regards,

    Fazal



    Friday, October 20, 2017 3:15 PM
  • Both mail servers are on the same VLAN, on the same VM host, so they connect via a virtual switch.

    I'm wondering if having anon users group enabled on the frontend connector would cause issues.  The only time I was able to get telnet to show the proper X verbs in telnet session was when I created a custom connector with exchange authentication, anything else (such as the default recv connectors) some of the X verbs are missing that are visible on the 2007 box.  So that seems to be the direction to go from what I can gather.   It is strange as the error is timeout, so I would assume network issues,  but I have nothing to replace or try aside from running the box outside our VM infrastructure. 


    DJ

    Friday, October 20, 2017 3:28 PM
  • So you do not have all the verbs visible right now from 2007 to 2013? Try removing Anon and adding Exchange users to the default FE connector on 25.

    Regards,

    Fazal



    Friday, October 20, 2017 3:53 PM
  • No, only when I created a custom connector and deleted the default receive connectors did I see ALL the correct X verbs. This is stated above with what was shown on that connector.

    Here is what I have at the moment using telnet from the 2007 box. This is with anon removed, and Ex users checked after transport service restart. 

    I think I have tried about every possible combination, still no mail flow.  and the error only changes when I remove the bindings, or I do not include the 2007 server in the scope,  then I get connection refused,  or it just won't connect at all.  

    250-EXSRV13.local.domain.com Hello [x.x.7.97]
    250-SIZE
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-X-ANONYMOUSTLS
    250-AUTH NTLM
    250-X-EXPS GSSAPI NTLM
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250 XRDST

    If I telnet to the same box via port 2525

    Here is what I get in telnet-

    250-EXSRV13.domain.com Hello [x.x.7.97]
    250-SIZE
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-X-ANONYMOUSTLS
    250-AUTH NTLM
    250-X-EXPS GSSAPI NTLM
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250-XEXCH50
    250-XRDST
    250 XSHADOWREQUEST


    DJ

    Friday, October 20, 2017 4:07 PM
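The two EHLO captures above differ only in XEXCH50 and XSHADOWREQUEST, and the post says the telnet was done from a workstation rather than from the 2007 box. Comparing banners by eye across several connector changes is error-prone, so here is the same probe as a function that talks to both ports and diffs the advertised verb sets. This is an added example, not code from the thread. It assumes EXSRV13 is reachable on 25 and 2525 from the host it runs on, that that host is inside the connectors' RemoteIPRanges (otherwise you get the "connection refused" the thread mentions), and that `probe.example.invalid` is an arbitrary EHLO name.

```powershell
# Added example for this thread; not code posted by any participant.
# Assumes the 2013 box EXSRV13 answers on 25 (Frontend Transport) and 2525
# (Transport service), as the thread shows, and that this host is in scope of
# the receive connectors on both ports. The EHLO name is arbitrary.
function Get-EhloVerbs {
    param([string]$HostName, [int]$Port,
          [string]$HeloName = 'probe.example.invalid', [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $stream = $client.GetStream(); $stream.ReadTimeout = $TimeoutMs
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    $null = $reader.ReadLine()                       # 220 banner
    $writer.WriteLine("EHLO $HeloName")
    $verbs = @()
    while ($null -ne ($line = $reader.ReadLine())) {
        if ($line -match '^250[- ](.*)$') { $verbs += $Matches[1].Trim() }
        # "250 " (space after the code) is the last line of the reply
        if ($line -match '^250 ' -or $line -match '^[45]\d\d') { break }
    }
    $writer.WriteLine('QUIT'); $client.Close()
    return $verbs | Select-Object -Skip 1            # first 250 line is "<fqdn> Hello [ip]", not a verb
}

$front = Get-EhloVerbs -HostName 'EXSRV13' -Port 25
$hub   = Get-EhloVerbs -HostName 'EXSRV13' -Port 2525

"--- Port 25 (Frontend Transport) ---";  $front
"--- Port 2525 (Transport service) ---"; $hub
"--- Differences (=> only on 2525, <= only on 25) ---"
Compare-Object -ReferenceObject $front -DifferenceObject $hub

# The verbs the thread is watching for. What is advertised depends on which
# connector answered and on its AuthMechanism; an unauthenticated probe sees
# the pre-authentication set only.
$watch = 'STARTTLS', 'X-ANONYMOUSTLS', 'X-EXPS GSSAPI NTLM', 'XEXCH50', 'XSHADOWREQUEST'
foreach ($v in $watch) {
    "{0,-20} port25={1,-5} port2525={2}" -f $v, ($front -contains $v), ($hub -contains $v)
}
```

Run it from the 2007 box itself, not from a workstation, so the remote address the connector sees is the one the queue is failing on; the post just above explains why the 7.97 address in the banner was not the 2007 server.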
  • Is this the same Exchange 2007 IP added to 2013 default FE conn?

    EXSRV13.domain.com Hello [x.x.7.97]

    In conn its different

     {0.0.0.0-255.255.255.255, X.X.6.47, ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff}

    Regards,

    Fazal



    Friday, October 20, 2017 4:48 PM
  • 7.97 is my workstation; I just captured the output from my PC. I see the same output from the 2007 server at 6.47.

    Here is the current connector as of this morning (I added my PC as I made changes then test from my PC).

    Name             : Default Frontend EXSRV13
    AuthMechanism    : Tls, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    RemoteIPRanges   : {X.X.7.97, X.X.6.47}
    TransportRole    : FrontendTransport
    PermissionGroups : ExchangeServers, ExchangeLegacyServers
    Bindings         : {0.0.0.0:25}


    DJ

    Friday, October 20, 2017 4:55 PM
  • I do not see Exchange users in the permissions group.

    Regards,

    Fazal



    Friday, October 20, 2017 5:09 PM
  • And you have added both boxes to each other's hosts files, with FQDN and without?

    So on the 2013 hosts file you would have entries like so (with your IPs and names of course)

    192.168.0.1   2007SERVER

    192.168.0.1   2007SERVER.contoso.com       

    Vice versa on the 2007 box.

    Also, where did you get with the test connectivity link? 

    https://testconnectivity.microsoft.com/


    Steve W. MCSA,CCNA,MCP,A+,SEC+,CIW

    Friday, October 20, 2017 5:12 PM
  • Added them back in:

    Name             : Default Frontend EXSRV13
    AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    RemoteIPRanges   : {X.X.2.12, X.X.7.97, X.X.6.47}
    TransportRole    : FrontendTransport
    PermissionGroups : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
    Bindings         : {0.0.0.0:25}

    2.12 is my smarthost MTA

    7.97 is test box

    FYI


    DJ

    Friday, October 20, 2017 5:49 PM
  • Yes, I have manual entries in the hosts file on both servers, with FQDN and hostname.

    On the testconnectivity site it passes: "Connectivity Test Successful"

    Did the activesync, web services, and inbound and outbound tests,  all succeed.  Keep in mind these target the 2007 box as I have not swung services over to 2013 for obvious reasons. 


    DJ

    Friday, October 20, 2017 5:53 PM
  • One thing to note,  maybe this is normal, but when I deselect Anonymous users permission group, I am not able to send test messages via telnet on the 2013 box.  If I enable anon users then I can send mail back and forth between test users on the 2013 box.   

    Here is the error I get when anon users is not selected.  Once this is selected then test mail flow works fine, on the 2013 box.  

    530 5.7.1 Client was not authenticated

    Please note no matter what combination I use on the connectors on 2013 I ALWAYS get the timeout error. We have anon users group selected on the 2007 box.  So I assume we need this selected for mail to flow,  even though it makes no difference. 


    DJ

    Friday, October 20, 2017 6:45 PM
  • Anon users has to be selected, as anyone outside the network would be anon. But within the network it should work without anon selected.

    Do you have hosts file entries set up on Exchange 2007 for 2013? Are you pointing to the Exchange internal IP?



    Friday, October 20, 2017 7:06 PM
  • Two questions.. 

    1. Have you rebooted the client you are sending messages to?

    1-1. Have you done an Ipconfig /Flushdns ? 

    2. Have you reconfigured the A record for the older 2007 box to Legacy.domain.com ? 


    Rob

    Friday, October 20, 2017 7:19 PM
  • Ok, I will leave it checked.

    Yes both servers have the other mail server in the host file,  with FQDN and hostname.   Yes, I am using the internal IP for both servers.  I don't currently have the 2013 box natted to the outside, so no outside address for it. 


    DJ

    Friday, October 20, 2017 7:34 PM
  • I went ahead and rebooted the test machine running the outlook client.  No change.

    I have done /flushdns on both sides, has no change.

    I added an A record in DNS with the legacy name.  I had not done this up till now, as I felt it would not have any effect on server to server communication at the IP level.  Record is now created. 


    DJ


    • Edited by test1500 Friday, October 20, 2017 7:44 PM
    Friday, October 20, 2017 7:38 PM
  • So is the host file on both exchange servers set as 

    (2013 Server IP) Mail.Domain.com 

    (Old server IP) Legacy.Domain.com 

    This above should also be set on the Test system you are using if it's not physically testing from the server itself. 

    So are you just planning a migration here then where you keep both up for a small amount of time and migrate off to 2013? 

    Or are you trying to keep both alive indefinitely? 

    Have you made the OA changes yet for the Public Folders? 


    Rob


    Friday, October 20, 2017 7:55 PM
  • Hi Rob,

    I actually have the IP first.  Like this:

    X.X.6.47  EXSRV01
    X.X.6.47  EXSRV01.domain.com

    This is just a migration coexistence,  so once I have all the mailboxes, public folders and custom connectors for our fax, and other email devices then I will decommission the 2007 box.  Then it all starts over to move to Ex2016.  No changes to the public folders yet. I do have OA enabled though.  Once this stumped me I have not moved forward much on the other tasks.  The coexistence is needed as I am not allowed to work OT,  so I have to do 90+% of the migration steps during normal hours. Quite a challenge!  

    Thanks


    DJ


    • Edited by test1500 Friday, October 20, 2017 9:19 PM
    Friday, October 20, 2017 9:17 PM
  • Just to add,  not sure if this will be any help,

    I tried to do a manual smtp test via telnet and was not able to get it to authenticate.  Maybe I didn't do the base64 conversion right, but all I get using a few different user combinations is "535 5.7.3 Authentication unsuccessful".

    Will try to plug away at it more next week.  Going on 135 hours on this one issue,  Thanks to all that have tried to help.


    DJ

    Friday, October 20, 2017 11:30 PM
  • Hi,

    The version of the Exchange 2007 server you installed is SP3 - Version 8.3 Build 83.6, based on my research, the latest version is update rollup 23 for Exchange Server 2007 SP3, if it is possible, could you install this update and check the result?

    Update Rollup 23 for Exchange Server 2007 Service Pack 3

    https://support.microsoft.com/en-us/help/4011325/update-rollup-23-for-exchange-server-2007-service-pack-3

    Thanks.


    Regards,

    Jason Chao



    Monday, October 23, 2017 1:39 AM
    Moderator
  • Thanks Jason,  I thought of doing that,  seems like a long shot but I do have it downloaded.  I will try and schedule the time as it has to be done after hours.   


    DJ

    Monday, October 23, 2017 4:13 PM
  • Thanks, please keep updating.

    Regards,

    Jason Chao



    Tuesday, October 24, 2017 2:07 AM
    Moderator
  • Update:  This morning I applied update rollup 23 onto the 2007 box.  I also rebooted the 2013 box as well to freshen things up.    For some reason I am now not able to connect my test client,  gives the password prompt to login when outlook is opened.   I didn't make any other changes so I am surprised to see the client connect issue as it has worked every time.  I will look at the connectors and the event logs.

    DJ

    Tuesday, October 24, 2017 3:14 PM
  • Back to the same issue,  disregard the client issue in my last post above,  was quickly fixed by setting NTLM authentication in OA.  Just want to note, the problem of mail flow has not changed at all since my October 5th post.  Mail flows from 2013 to 2007 users, and to the Internet,  just not from 2007 users to 2013 users. 


    DJ

    Tuesday, October 24, 2017 10:05 PM
  • Update:  Mail is now flowing in all directions..

    2013 users - 2013 users
    2013 users - 2007 users
    2007 users - 2013 users

    Users from both servers to/from the Internet.

    Issue seems to have been related to a security policy on the 2007 box. I enabled "FIPS compliant algorithms for encryption", then did gpupdate /force. Now this may break other things, I don't know yet.

    The steps I took: 

    1 - In Control Panel, click Administrative Tools, and then double-click Local Security Policy.

    2 - In Local Security Settings, expand Local Policies, and then click Security Options.

    3 - Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Enabled.

    I was alerted of this issue by a bunch of new Event ID 36871 Schannel errors in system log on 2007 box. So I followed some fix I found online and applied it, and within seconds the queue on the 2007 was empty!  

    Just before this change, I also changed the FQDN name given in the receive connector on the 2013 box,  and made it match the FQDN banner of the 2007 box.  I was seeing warning errors in the event log on one of the boxes which prompted that change. This did not seem to help,  but in the event it was a delayed reaction I am listing the change just in case it helps.     Seems the FIPS compliant algorithms was the magic for me anyway.  

    Thanks again to ALL that jumped in and tried to help!  Nowhere in any place online did I ever see any FIPS compliant algo chatter about mail flow on exchange, so I hope it is of some help to others. 

    Now I need to see if users can connect fine to the new 2013 box and I can start moving mailboxes over. 


    DJ

    • Proposed as answer by Jason.ChaoModerator Thursday, October 26, 2017 1:30 AM
    • Marked as answer by test1500 Thursday, October 26, 2017 3:21 AM
    Wednesday, October 25, 2017 6:57 PM
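The accepted answer is worth reading for what it implies: Exchange servers in one organization encrypt the server-to-server SMTP hop with TLS (the X-ANONYMOUSTLS verb in the banners posted earlier), so a Schannel failure on either side looks exactly like what the connectivity log showed: the TCP connection is established and the session then dies, reported upstream as 421 4.4.1. Event 36871 is Schannel saying it could not build a TLS credential. The thread does not record which protocol or cipher suite was failing, and the FIPS toggle changes several things at once, so before repeating the fix on another server it is worth snapshotting the state and keeping a rollback. The script below does that; it is an added example, not something posted in the thread. It assumes an elevated Exchange Management Shell on the 2007 box; the registry paths are the ones the Local Security Policy setting and Schannel use on Windows Server, and the event ID is the one the thread reports.

```powershell
# Added example for this thread; not code posted by any participant.
# Assumes an elevated Exchange Management Shell on the 2007 box (EXSRV01).
# Registry paths are the standard Windows locations for the FIPS policy value
# and the Schannel protocol overrides; event ID 36871 is from the thread.

function Get-FipsPolicyState {
    # Same value the "System cryptography: Use FIPS compliant algorithms" policy sets.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $val = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $val) { return 'NotConfigured' }
    if ($val -eq 1)     { return 'Enabled' }
    return 'Disabled'
}

function Get-SchannelProtocolState {
    # Per-protocol Enabled / DisabledByDefault overrides; 'default' = key absent.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $p = Get-ItemProperty -Path (Join-Path $root "$proto\$side") -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($p -and $null -ne $p.Enabled) { $p.Enabled } else { 'default' }
                DisabledByDefault = if ($p -and $null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'default' }
            }
        }
    }
}

function Get-SchannelFatalEvents([int]$Last = 20) {
    # Event 36871: Schannel could not create a TLS credential.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871 } `
        -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# 1. Record the state before touching anything, so the change is reversible and
#    so the two servers can be compared side by side.
$snapshot = @{
    Fips      = Get-FipsPolicyState
    Schannel  = Get-SchannelProtocolState
    SmtpCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
                Select-Object Thumbprint, Subject, NotAfter, Services
    RcvFqdns  = Get-ReceiveConnector | Select-Object Identity, Fqdn
}
$snapshot | Export-Clixml "$env:TEMP\tls-state-before.xml"
"FIPS policy: " + $snapshot.Fips
$snapshot.Schannel | Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
$snapshot.SmtpCerts | Format-Table -AutoSize
Get-SchannelFatalEvents -Last 5 | Format-List

# 2. The change the thread made, done through the registry instead of the
#    Local Security Policy dialog (the dialog writes this same value). A reboot
#    or 'gpupdate /force' followed by a transport service restart applies it.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
# Set-ItemProperty -Path $fipsKey -Name Enabled -Value 1 -Type DWord   # enable, as in the thread
# Set-ItemProperty -Path $fipsKey -Name Enabled -Value 0 -Type DWord   # roll back
```

Two caveats a practitioner should keep in mind before copying the fix. First, FIPS mode is a blunt instrument: it limits Schannel to FIPS-approved cipher suites and makes the managed-only .NET algorithm classes (SHA256Managed, RijndaelManaged and friends) throw at runtime, which is the "may break other things" the poster mentions; any third-party agent or script on the server that uses those classes will fail after the change. Second, the thread's own evidence only says that toggling the policy changed the TLS negotiation enough for the 2007 to 2013 hop to succeed; running Get-SchannelProtocolState and the certificate listing on both servers before and after is how you find out what actually differed, rather than leaving FIPS on as a permanent workaround.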
  • Great! Glad to hear that the issue has been resolved, and thanks for kindly sharing!

    Please help to mark the reply as answer and it could be helpful for others.

    Thanks again for your time.


    Regards,

    Jason Chao



    Thursday, October 26, 2017 1:34 AM
    Moderator