Delivering mail directly to passive DAG server, getting SMTP error 5.7.1

    Question

  • I'm in the process of getting rid of a legacy Exchange 2003 environment that is currently still doing mail routing for us.  This is in order to allow us to migrate from Exchange 2010 to 2016.  Essentially my inbound mail currently does this:

    From internet -> Barracuda Email Security Firewall -> Exchange 2003 Front-End Server -> Exchange 2003 Back-End Server -> Exchange 2010 DAG Server 1.

    We also are using a Kemp load balance appliance, which is what our Outlook and mobile devices connect to.

    When we first migrated from 2003 to 2010 I wanted to point mail directly to our Kemp appliance, however that had the result of masking the mail headers and making it appear that all mail was originating from the Kemp (obviously not desirable).

    We have since added the Barracuda device, and I learned that I could tell the Barracuda to deliver to more than one host.  I set up a temporary personal domain and told the Barracuda to deliver mail to both Exchange 2010 DAG Server 1 and Exchange 2010 DAG Server 2.  I sent myself a test email and it worked fine.

    So yesterday I decided to switch our primary domain on the Barracuda to also deliver to these servers.  However inbound mail started getting rejected with the following error:

    host 10.1.6.4[10.1.6.4] said: 550 5.7.1 Message rejected. (in reply to end of DATA command)

    After pondering it a bit it occurred to me that 10.1.6.4 is server 2 in the DAG, and no mailbox databases are currently active on that (all the databases are currently active on server 1). 

    Is the above error caused by an issue similar to previous versions of Exchange requiring a Front-end/Back-end environment if you're having multiple mailbox database servers?  I know in playing with that years ago if I tried to deliver mail to server 1 but the mailbox was on server 2 then it would fail, however if I set up a front-end server then it would determine which server to connect to.

    Is there a way to configure my 2010 environment so if an SMTP connection comes into a server that doesn't host the active copy of the mailbox database that it can deliver it to the server that does? I'm looking for a more elegant solution than the solution offered by Kemp (which is isolate the Exchange servers on their own subnet and set the Kemp up in a two-armed configuration and all communication with the servers must go through the Kemp; that's their solution for the message header conundrum).


    • Edited by JGrover Thursday, March 16, 2017 5:29 PM
    Thursday, March 16, 2017 5:28 PM


All replies

  • Where is the hub role for the 2010 servers? Are the DAG servers multi-role?

    Exchange 2007 reaches end of life on April 11th. What’s your plan to move?

    Thursday, March 16, 2017 6:40 PM
    Moderator
  • Both 2010 servers have all roles installed on them.
    Thursday, March 16, 2017 6:46 PM
  • Ok, then that should work.

    Are there any anti-spam products or is anti-spam enabled on the 2010 servers?



    • Marked as answer by JGrover Friday, March 17, 2017 12:51 PM
    Thursday, March 16, 2017 6:49 PM
    Moderator
  • No, we are only using the Barracuda for that purpose.

    I'm looking at a post on the Barracuda forums and the user was advised they will need to set up a receive connector on both servers for the Barracuda with the proper authentication settings.  In looking at the receive connectors I have set up currently, both servers apparently have receive connectors to receive mail from anywhere.  One that includes TLS, Basic and Integrated Windows Authentication, and another that has those as well as Exchange Server authentication.

    Thursday, March 16, 2017 7:12 PM
  • Ah yes. I assumed you had that. Sorry about that. That error message threw me; typically it would say "Not authorized" in those scenarios. I would create a new internet receive connector on each server that allows anonymous and has a remote IP range of the Barracuda.


    Thursday, March 16, 2017 7:19 PM
    Moderator
  • Sounds good, I'll give that a shot after hours tonight and report back.  Thanks.

    What should I set the authentication settings to?  I set Anonymous on the Permissions tab, but not sure what to use for Authentication (TLS, Basic, etc). 
    • Edited by JGrover Thursday, March 16, 2017 8:32 PM
    Thursday, March 16, 2017 8:21 PM
  • When you create the type "internet", it will take care of that for you. TLS will be enabled for Opportunistic TLS by default.



    Thursday, March 16, 2017 9:16 PM
    Moderator
  • No dice.  I couldn't make one of the type Internet as it said it conflicted with a connector I already have.  I made one that was Custom and set it to TLS, Basic, and Offer Basic only after starting TLS, and set permissions to Anonymous but still got the same error.

    I also made my database active on that server and still got the error, so it doesn't appear to be a problem with the SMTP connection hitting the passive server.

    It is interesting to note that if I use telnet to connect to port 25 on server 2 I can issue SMTP commands and send a message just fine.


    • Edited by JGrover Friday, March 17, 2017 12:08 PM
    Friday, March 17, 2017 12:03 PM
  • Well, you have to tell us what the conflict is.

    List all your receive connectors. What other connector did you already make? You can use that one instead possibly.

    Get-ReceiveConnector |FL

    And no, the passive/active thing is not an issue; Exchange will handle the message no matter which server receives it.



    Friday, March 17, 2017 12:09 PM
    Moderator
  • I have a default connector that listens on all available IP addresses on port 25, and receives mail from all remote IPs.  

    Authentication has everything selected except Domain Security and Externally Secured.

    Permission Groups has all checked except for Partners.

    That's the connector it said it conflicted with when I tried to create it.

    I have two other connectors for external scan-to-email units that use nonstandard ports (one for port 5200 and one for port 5201).


    • Edited by JGrover Friday, March 17, 2017 12:17 PM
    Friday, March 17, 2017 12:16 PM
  • An interesting thing to note that may or may not mean anything.

    - Tests I sent via Gmail were working fine.  Tests I sent via our helpdesk system (which uses help@ourdomain.com as the From: address) did not unless I removed delivery to server 2 as an option and only delivered to server 1.

    - The tests I sent via Gmail had something odd (to me) in the headers.  It basically showed that the email was received by our Barracuda from Gmail's server, and was received by server 2 from the Barracuda...but then shows it was received by server 2 from server 1.  Nothing in the header indicates the message was received by server 1 at any point (and my mailbox database was active on server 2).

    We do block incoming mail claiming to be from @ourdomain.com via our Barracuda, but our helpdesk system's servers are whitelisted. 


    • Edited by JGrover Friday, March 17, 2017 12:28 PM
    Friday, March 17, 2017 12:27 PM
  • When you create a new internet connector, you need to ensure it's bound to the IP of the server itself, not to all IPs.


    Friday, March 17, 2017 12:28 PM
    Moderator
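    The per-server connector the moderator describes above (one Internet-type Receive connector on each DAG member, bound to that server's own address and accepting only the Barracuda), plus the connector listing that explains the "conflicts with an existing connector" error and a relay-permission check, as an added example that is not part of the original thread. Only 10.1.6.4 (server 2) comes from the post; the server names, server 1's address, the Barracuda address and the connector name are assumptions to replace with your own values.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell.
# Only 10.1.6.4 (server 2) comes from the post; every other name and address
# below is an ASSUMED placeholder.
$barracudaIp   = '10.1.6.10'                 # ASSUMED: Barracuda's inside interface
$servers = @{
    'EX2010-1' = '10.1.6.3'                  # ASSUMED: server 1 name and IP
    'EX2010-2' = '10.1.6.4'                  # IP from the post; server name ASSUMED
}
$connectorName = 'Inbound from Barracuda'    # ASSUMED name

# 1. What already listens on :25 on each server and from which remote ranges.
#    A connector bound to 0.0.0.0:25 that accepts 0.0.0.0-255.255.255.255 is what
#    makes a second all-addresses/all-sources connector on :25 "conflict".
foreach ($srv in $servers.Keys) {
    Get-ReceiveConnector -Server $srv |
        Select-Object Identity, Enabled, PermissionGroups, AuthMechanism,
            @{ n = 'Bindings';       e = { ($_.Bindings       | ForEach-Object { "$_" }) -join ', ' } },
            @{ n = 'RemoteIPRanges'; e = { ($_.RemoteIPRanges | ForEach-Object { "$_" }) -join ', ' } } |
        Format-Table -AutoSize
}

# 2. One Internet-type connector per server, bound to that server's own address
#    (not 0.0.0.0) and accepting only the Barracuda. The Internet usage type
#    gives anonymous submission with opportunistic STARTTLS; the Set- call pins
#    the permission group explicitly so a later edit cannot silently widen it.
foreach ($srv in $servers.Keys) {
    $ip = $servers[$srv]
    New-ReceiveConnector -Server $srv -Name $connectorName -Usage Internet `
        -Bindings "${ip}:25" -RemoteIPRanges $barracudaIp
    Set-ReceiveConnector -Identity "$srv\$connectorName" -PermissionGroups AnonymousUsers
}

# 3. Least-privilege check. AnonymousUsers lets the Barracuda submit mail to
#    local recipients; it must NOT hold ms-Exch-SMTP-Accept-Any-Recipient, or
#    the connector relays for every address in RemoteIPRanges. Expect no output.
foreach ($srv in $servers.Keys) {
    Get-ReceiveConnector -Identity "$srv\$connectorName" | Get-ADPermission |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like '*Accept-Any-Recipient*') } |
        Format-Table User, ExtendedRights -AutoSize
}
```

    Narrowing RemoteIPRanges to the Barracuda is the part that matters from a security standpoint: the existing default connector in the thread already accepts anonymous mail on all addresses from all remote IPs, so the new connector should be strictly narrower, not a second wide-open listener. Step 1 is also the quickest way to see whether the scan-to-email connectors on ports 5200/5201 grant anything broader than they need.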
  • In typing out my last response I had an idea, and the issue is now resolved.  When we first were going to deploy the 2010 servers we had been using a program called Open Relay Filter (which is a really nice little program) and the service for that program was still running on server 2.  My filters in that program were set to block senders that were spoofing our domain name (and that filter predated our move to this helpdesk system, so nothing in there was set to accept mail on their behalf).

    I stopped the service and configured the Barracuda to deliver mail only to server 2 and updated my test helpdesk ticket and received the email fine, so that was that problem.

    I'm still not sure about the message headers, and why server 1 is involved in the process at all when my mailbox is active on server 2.

    Friday, March 17, 2017 12:41 PM
  • OK, that was my original thought based on the rejection notice - that it was some content filtering thing.

    As to your second question: 2010/2013/16 uses shadow redundancy to ensure messages aren't lost. You are going to see message tracking touching both servers all the time. It's a good thing.




    Friday, March 17, 2017 12:51 PM
    Moderator
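    A scripted version of the diagnosis the thread arrives at by hand (the telnet test repeated with the helpdesk From: address and an external one, a look at what else is hooked into the transport pipeline, the receive protocol log, and message tracking on both DAG members to see the second server the moderator attributes to shadow redundancy), as an added example that is not part of the original thread. Only 10.1.6.4 (server 2) comes from the post; the server names, the test mailbox and the sender addresses are assumptions.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell
# on a host the Receive connectors actually accept mail from. Only 10.1.6.4
# (server 2) comes from the post; names and mailboxes are ASSUMED placeholders.
$server1 = 'EX2010-1'                       # ASSUMED
$server2 = 'EX2010-2'                       # ASSUMED name for 10.1.6.4
$mailbox = 'jgrover@ourdomain.com'          # ASSUMED test recipient
$senders = @(
    'help@ourdomain.com',                   # the helpdesk From: the thread says was rejected
    'someone@gmail.com'                     # an external From: the thread says got through
)

# 1. Script the telnet test with both From: addresses. A rejection at end of
#    DATA surfaces as an SmtpException whose message carries the server's reply
#    text, so the two cases can be compared side by side.
foreach ($from in $senders) {
    try {
        Send-MailMessage -SmtpServer '10.1.6.4' -From $from -To $mailbox `
            -Subject "connector test from $from" -Body 'constructed test message'
        "{0,-25} accepted" -f $from
    } catch {
        "{0,-25} rejected: {1}" -f $from, $_.Exception.Message
    }
}

# 2. Anything hooked into the SMTP pipeline as a transport agent is listed here
#    in priority order. A third-party filter that rejects at end of DATA shows
#    up if it registers as an agent; a filter you no longer use should be
#    disabled or uninstalled here, not merely have its service stopped.
Get-TransportAgent -Server $server2 | Format-Table Identity, Enabled, Priority -AutoSize

# 3. Verbose receive-side protocol logging records the exact verb/reply
#    sequence on each connector, including which connector answered the 550.
Get-ReceiveConnector -Server $server2 | Set-ReceiveConnector -ProtocolLoggingLevel Verbose
(Get-TransportServer $server2).ReceiveProtocolLogPath

# 4. Trace the test messages on both servers. The same MessageId appears on
#    both; only the server whose transport actually delivered the message
#    logs the DELIVER event.
$since = (Get-Date).AddHours(-1)
$server1, $server2 | ForEach-Object {
    Get-MessageTrackingLog -Server $_ -Recipients $mailbox -Start $since -ResultSize Unlimited
} |
    Sort-Object Timestamp |
    Format-Table Timestamp, ServerHostname, EventId, Source, ClientHostname, ConnectorId, MessageId -AutoSize
```

    Step 1 is the reproduction that separates "server 2 is passive" from "something on server 2 filters by sender": if the external From: is accepted and the @ourdomain.com From: is rejected by the same host, the cause is a sender-based rule, which is what the thread eventually found. Step 2 is the check worth doing on every DAG member before the 2016 migration, since a leftover filter from the 2010 build-out will otherwise reappear the moment mail is routed to that server again.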