MSExchangeGuru.com

Learn Exchange the Guru way !!!


Exchange 2013-2010 Co-existence: Mail Flow is not working “451 4.4.0”

This post addresses an issue where the Exchange 2010 queue holds messages in retry status destined for Exchange 2013, with the error message “451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.””

Issue:

Mail is not flowing from Exchange 2013 to Exchange 2010.

Mail is not flowing from Exchange 2010 to Exchange 2013.

Mail is not flowing between different mailboxes on Exchange 2013.

Mail is not flowing to self (sender = recipient) on Exchange 2013.

Exceptions:

Sending an email using Telnet works from and to all Exchange servers.

Mail is only working within Exchange 2010.

Internet mail is flowing to and from Exchange 2010.

Error:

No error or NDR.

The Exchange 2013 queue is empty.

The Exchange 2010 queue has messages in retry status to Exchange 2013 with the error message below:

“451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts”

Troubleshooting Steps:

Telnet to the Exchange 2013 server on port 25.

Type ehlo.

Check the Exchange verbs in the response. In my case, none of the Exchange verbs were visible.

Disable the additional receive connector and restart the Microsoft Exchange Transport service.

Telnet to port 25 again.

Run the ehlo command again.

Check the verbs again.

The screenshot below shows what you want to see: all of the Exchange verbs starting with X are listed in the ehlo response.

Exchange Verbs (screenshot)
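The ehlo check above can be scripted rather than typed into telnet. The following PowerShell function is an added example written for this article, not code from the original post: it connects to port 25, sends EHLO, and reports which verbs beginning with X the server advertised (X-EXPS and X-ANONYMOUSTLS are the ones Exchange-to-Exchange authentication relies on). The server name and the HELO name are placeholders.

```powershell
function Get-SmtpExchangeVerbs {
    param(
        [Parameter(Mandatory)][string]$Server,      # placeholder: the Exchange 2013 server to probe
        [int]$Port = 25,
        [string]$HeloName = 'probe.example.local'  # assumed name; any FQDN is accepted by EHLO
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        $banner = $reader.ReadLine()                 # expect "220 <fqdn> Microsoft ESMTP MAIL Service ..."
        if ($banner -notmatch '^220') { throw "Unexpected banner: $banner" }

        $writer.WriteLine("EHLO $HeloName")
        $reply = @()
        do {
            $line = $reader.ReadLine()
            $reply += $line
        } while ($line -match '^250-')               # "250-" = more lines follow, "250 " = last line
        $writer.WriteLine('QUIT')
    }
    finally { $client.Close() }

    # Drop the greeting line, strip the "250-"/"250 " prefix and keep the verb (first token)
    $verbs = $reply | Select-Object -Skip 1 |
        ForEach-Object { ($_ -replace '^250[ -]', '').Split(' ')[0].ToUpperInvariant() }
    $xVerbs = @($verbs | Where-Object { $_ -like 'X*' })

    # X-EXPS and X-ANONYMOUSTLS are the verbs Exchange Server authentication needs to see
    [pscustomobject]@{
        Server               = $Server
        AdvertisedVerbs      = $verbs
        ExchangeVerbs        = $xVerbs
        ExchangeAuthPossible = ($xVerbs -contains 'X-EXPS') -or ($xVerbs -contains 'X-ANONYMOUSTLS')
    }
}

Get-SmtpExchangeVerbs -Server 'ex2013.contoso.local' | Format-List   # placeholder server name
```

If ExchangeVerbs comes back empty while a plain telnet session otherwise works, the source IP of the probe is landing on a connector that does not offer Exchange Server authentication, which is exactly the condition this article describes.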


Resolution:

In my case, an additional receive connector had a remote IP range that included the IP address of the mailbox server, and on that connector's Security page only TLS authentication and the Anonymous users permission group were selected.

I removed the IP range and restarted the Microsoft Exchange Transport service; after that the Exchange verbs appeared in the ehlo response and mail flow started.

The most important thing to take from this: ehlo should show the Exchange verbs. If they are not visible, disable the additional connector or revert the changes to the default connector until you see the Exchange verbs.

Also, don't forget to restart the Microsoft Exchange Transport service, because your changes will not be applied until it is restarted.
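The check behind this resolution can be automated. This is an added example written for this article, not the author's own script: run from the Exchange Management Shell, it resolves the IPv4 address of every Exchange server in the organization, then reports each receive connector on the chosen server whose RemoteIPRanges cover one of those addresses and flags the ones that allow Anonymous users without Exchange Server authentication. The only assumption is the server name parameter; the cmdlets and properties are standard Exchange ones.

```powershell
# Added example for this article (not the author's script). Run from the Exchange Management Shell.
# Exchange hands an inbound session to the receive connector whose RemoteIPRanges entry matches the
# source IP most specifically, so a narrow range that covers another Exchange server wins over the
# Default connector's 0.0.0.0-255.255.255.255. Default-connector hits are therefore expected ("ok").

function ConvertTo-IPv4Number ([System.Net.IPAddress]$Ip) {
    $b = $Ip.GetAddressBytes()
    [Array]::Reverse($b)                          # network byte order -> little-endian for ToUInt32
    [BitConverter]::ToUInt32($b, 0)
}

function Find-ExchangeIPOverlap {
    param([string]$Server = $env:COMPUTERNAME)    # assumed: the server whose connectors to audit
    # Every Exchange server in the org with its IPv4 address(es)
    $exchangeHosts = foreach ($s in Get-ExchangeServer) {
        foreach ($a in [System.Net.Dns]::GetHostAddresses($s.Fqdn)) {
            if ($a.AddressFamily -eq 'InterNetwork') {
                [pscustomobject]@{ Name = $s.Name; Ip = $a; Num = ConvertTo-IPv4Number $a }
            }
        }
    }
    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        $anonymous = "$($rc.PermissionGroups)" -match 'AnonymousUsers'
        $exchAuth  = "$($rc.AuthMechanism)"   -match 'ExchangeServer'
        foreach ($range in $rc.RemoteIPRanges) {
            if ($range.LowerBound.AddressFamily -ne 'InterNetwork') { continue }   # IPv4 only here
            $lo = ConvertTo-IPv4Number $range.LowerBound
            $hi = ConvertTo-IPv4Number $range.UpperBound
            foreach ($h in $exchangeHosts) {
                if ($h.Num -lt $lo -or $h.Num -gt $hi) { continue }
                $finding = if ($anonymous -and -not $exchAuth) {
                    'Exchange server lands on an anonymous connector: narrow the range or enable Exchange Server authentication'
                } else { 'ok' }
                [pscustomobject]@{
                    Connector          = $rc.Identity
                    Range              = $range.ToString()
                    CoveredServer      = "$($h.Name) ($($h.Ip))"
                    AnonymousUsers     = $anonymous
                    ExchangeServerAuth = $exchAuth
                    Finding            = $finding
                }
            }
        }
    }
}

Find-ExchangeIPOverlap | Where-Object Finding -ne 'ok' | Format-Table -AutoSize
# After changing RemoteIPRanges, restart the transport service so the change takes effect:
# Restart-Service MSExchangeTransport
```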


Prabhat Nigam

Microsoft MVP | Exchange Server

team@MSExchangeguru

26 Responses to “Exchange 2013-2010 Co-existence: Mail Flow is not working “451 4.4.0””

  1. Exchange 2010/2007 to 2013 Migration and Co-existence Guide « MSExchangeGuru.com Says:

    […] Mailflow misconfiguration: https://msexchangeguru.com/2013/08/03/e2013-2010mailflowissue/ […]

  2. Kunal Says:

    Thanks!

    Was there a need to create a additional RC when default should work?

  3. Prabhat Nigam Says:

    Yes Kunal
    You would not like to enable anonymous users on Default RC.

  4. Jochen Andries Says:

    Situation:
    2 co-existing servers, one Ex2007, one Ex2013

    I can mail from -> to:
    2007 -> 2007
    2007 -> 2013
    2007 -> external
    external -> 2007
    2013 -> 2013
    2013 -> external
    external -> 2013

    I CAN NOT mail :
    2013 -> 2007

    Any idea where to look at ??

  5. Prabhat Nigam Says:

    @Jochen
    -Did you change any receive connector?
    -Telnet from 2013 –> 2007 on port 25 and try to drop an email and share the error. cmds are below: backspace will not work

    telnet ip 25
    ehlo
    mail from: sender email
    rcpt to: recipient email
    Data
    type something
    .
    enter.

  6. Jochen Says:

    On the 2013, I did the telnet-test:

    telnet IPexch2007 25
    ehlo
    mail from: UserOn2013@domeinname.ext
    rcpt to: myEmailOn2007@domeinname.ext
    Data
    This is a test
    .

    — 250 2.6.0 Queud mail for delivery
    –> Mail received in my Mailbox

    Second test :
    mail from: myEmailOn2007@domeinname.ext
    rcpt to: myEmailOn2007@domeinname.ext
    Data
    This is a test
    .

    — 250 2.6.0 Queud mail for delivery
    –> Mail received in my Mailbox

  7. Jochen Says:

    I received a message in the 2013-mailbox from a mail I sended yesterday :

    Source server: SRV-EXCH2013.InternalDomainname.local
    Receiving server: exchangeserver.InternalDomainname.local (IPaddress2007)
    User2007@ExternalDomainname.be
    Remote Server at exchangeserver.InternalDomainname.local (IPaddress2007) returned ‘400 4.4.7 Message delayed’
    26/09/2013 16:16:51 – Remote Server at exchangeserver.InternalDomainname.local (IPaddress2007) returned ‘451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was IPaddress2007:25’
    Original message headers:
    Received: from SRV-EXCH2013.InternalDomainname.local (IPaddress2013) by
    SRV-EXCH2013.InternalDomainname.local (IPaddress2013) with Microsoft SMTP Server (TLS)
    id 15.0.712.22; Thu, 26 Sep 2013 14:24:19 +0200
    Received: from SRV-EXCH2013.InternalDomainname.local ([…]) by
    SRV-EXCH2013.InternalDomainname.local ([…%12]) with mapi id
    15.00.0712.012; Thu, 26 Sep 2013 14:24:13 +0200
    Content-Type: application/ms-tnef; name=”winmail.dat”
    Content-Transfer-Encoding: binary
    From: User2013
    To: User2007
    Subject: test 14h24
    Thread-Topic: test 14h24
    Thread-Index: AQHOurNPo/H0bg2uh0WtfKfamUFiBg==
    Date: Thu, 26 Sep 2013 14:24:13 +0200
    Message-ID:
    Accept-Language: nl-NL, nl-BE, en-US
    Content-Language: nl-NL
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    MIME-Version: 1.0
    X-Originating-IP: [IPaddress I tested from]
    Return-Path: User2013@ExternalDomainname.be

  8. Prabhat Nigam Says:

    @Jochen
    Please make sure this authentication is checked on the 2007 receive connector.
    “Exchange Server authentication”

  9. rick Says:

    I am upgrading exchange 2010 to exchange 2013 and currently in coexistence. I cutover the mx to deliver mail to 2013 cas VIP last night and no mail was being received by the 2010 mailboxes, it was all being queued on the 2013 mailbox servers (mailbox and cas servers are separate in this deployment.) There are only a few 2013 mailboxes as I have not yet started migrating them. These 2013 internal mailboxes can not send to exchange 2010 either, but 2010 can send to 2013. 2013 to 2013 mail works fine. I have read somewhere about an issue with a receive connector having the same ip range that includes the mailbox servers, but I’m not clear on really which mailbox servers it is alluding to.

    All the exchange 2010 servers are all on the 10.1.1.* network. Exchange 2013 CAS servers are all on the 10.1.1.* network and the 3 exchange mailbox servers are on 10.1.1.*, 10.1.2.* and 10.30.5.*. Only 1 AD site. On one of the 2010 receive connectors there is a scope of 10.1.1.0/24 I’m wondering if this is the culprit and by removing it should fix the problem. Any other ideas would be appreciated.

  10. Prabhat Nigam Says:

    @Rick
    -I would never recommend you to do the cut over until you test the internal mailflow.
    -Yes this connector has an issue, you need to all Exchange IPs or ranges
    -Additionally you need exchange servers and Exchange server authentication checkbox check. Normally we should not change default receive connector.
    -Send email from 2013 server using telnet from command prompt. Telnet client will be required to install from add and remove features. Telnet commands are mentioned below:
    telnet ip 25
    ehlo
    mail from: sender email
    rcpt to: recipient email
    Data
    type something
    .
    enter.

  11. Steve T Says:

    Prabhat,

    Awesome website btw. Got a question for you. I am upgrading 2010 to 2013 (currently in coexistance) Internal mail flow works great between the two systems. My plan is to configure inbound and outbound email to my load balanced FE servers. In order for inbound email to work, I’ve modified the default frontend receive connector to receive email from our cloud based email filter. Do I need to set up an additional send connector to send incoming mail to my hub transport servers internally? Based on what I’ve read on the FE servers, is they have routing tables based on the delivery groups in AD DS and deliver the inbound email through those mechanisms.

  12. Steve T Says:

    Can I configure Exchange 2010 Hubtransport servers on my Outbound Proxy FrontEnd receive connector? Or would it be best just to add them to the Default Frontend connector?

  13. Prabhat Nigam Says:

    @Steve
    You don’t need send connector within same Exchange org and AD forest.

    As far as you don’t change default exchange connectors you don’t need to add your exchange servers ip to any receive connectors.

    Let me know if this helps

  14. Steve T Says:

    Prabhat,

    So If I’m understanding you correctly, in order to send all email (Exchange 2010 and 2013) that is outbound through the load balanced FE’s, I would only need to create send connectors on all Exchange 2010 Hubtransport servers and Exchange 2013 Mailbox servers that point to the Load balanced VIP? The default “Outbound Proxy Frontend” reciever uses port 717. So it looks like the Ex2010 servers would send mail to the FE’s via the “Default Frontend” on port 25 and the Exchange 2013 would use the “Outbound Proxy Frontend” correct?

  16. Prabhat Nigam Says:

    Send connector is organization level property. You need 1 Send connector. Then you need to add source servers. In source server you can add both 2010 and 2013 until you reach to the 2010 decommission stage. Load balancer is not a server but just a load management device so you just need to use dns to route the emails to internet. Load balancer can be used for incoming emails.

    “‘Outbound Proxy Frontend’ receiver uses port 717”
    This is the connector to route the emails from the CAS server which is not a requirement.

    I would highly recommend you to go through my transport session video. – https://www.youtube.com/watch?v=u23fzR1GsH4

  17. pranjal Singh Says:

    HI,
    I have setup a new infrastructure for exchange 2013. I am able to access OWA page through internet however I am not able to send mails to external domains. our existing setup is hosted on third party domain and we are migrating users from their. ON Intranet it is working fine. We have got our IP’s added in MX record with low priority as we do not want users facing any problem before the testing is done and we are ready for migration.

    Pls help.

    Regards
    Pranjal

  18. Prabhat Nigam Says:

    @Pranjal
    you need to setup a send connector and make sure you are able to resolve external dns from Exchange server. Also port 25 is open from Exchange to internet.

  19. pranjal Singh Says:

    Dear Prabhat, Thanks for your response. Send connector is already setup we are able to resolve external dns from exchange. However I was going through your article that same IP range is added in MX record also. I understand that external connector refers to the MX record which is hosted on NIC server. We have got added two public IP’s there which are netted with one IP which is from the same range of IP’s assigned to CAS server. Since we would be migrating all mailboxes from NIC server to our own setup one plan which I have is to move the MX pointer and ask users to access their mails through OWA and change the outlook setting later.
    Can you suggest some better plan with less impact.

    Regards
    Pranjal

  20. pranjal Singh Says:

    Also could it be problem of Mailguard feature in CISCO Firewall.

  21. pranjal Singh Says:

    All X verbs are visible in ECHO command

  22. pranjal Singh Says:

    I am getting the below error in the log:

    Delivery Report for pranamcomputech@outlook.com (pranamcomputech@outlook.com)

    Pending
    1/5/2015 9:02 AM blkolmbx2.balmerlawrie.com
    The message has been transferred from blkolmbx2.balmerlawrie.com to BLKOLMBX1.BALMERLAWRIE.COM.
    Submitted
    1/5/2015 3:26 PM blkolmbx2.balmerlawrie.com
    The message was submitted to blkolmbx2.balmerlawrie.com.

    1/6/2015 3:26 AM blkolmbx2.balmerlawrie.com
    The message was submitted to blkolmbx2.balmerlawrie.com.
    Pending
    1/6/2015 3:26 AM blkolmbx2.balmerlawrie.com
    The message has been queued on server ‘blkolmbx2.balmerlawrie.com’ since 1/6/2015 3:26:22 AM (UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi. The last attempt to send the message was at 1/6/2015 10:16:44 AM (UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi and generated the error ‘[{LRT=};{LED=};{FQDN=};{IP=}]’.

    1/6/2015 10:19 AM blkolmbx2.balmerlawrie.com
    Message delivery is taking longer than expected. There may be system delays. For more information, contact your helpdesk.

  23. Prabhat Nigam Says:

    Do this and share the result

    telnet mx1.hotmail.com 25
    ehlo YourPublicIP
    mail from: sender email
    rcpt to: recipient email
    Data
    type something
    .
    enter.

  24. Naveen Kumar Says:

    hi Prabhat…thanks for reply.

    Telnet to mx1.hotmail.com on port 25 was successful and I got the email on my junk folder of Hotmail account (sultannaveen@hotmail.co.in). I test the by sending email using telnet from both Edge servers and success.

    When I send email from OWA it delivered from mailbox servers (blkolmbx1, blkolmbx2) but stuck on Edge servers (Edge1, Edge2). The log of the message shown the below error…

    –Error 1: ———

    From Address: administrator@balmerlawrie.com
    Status: Ready
    Message Source Name: SMTP:Default internal receive connector BLKOLEDGE1
    Source IP: 20.20.20.18
    SCL: -1
    Date Received: 1/9/2015 2:46:54 PM
    Expiration Time: 1/11/2015 2:46:54 PM
    Last Error:
    Queue ID: BLKOLEDGE1\3180
    Recipients: jyotirmoydasgupta@gmail.com;2;2;[{LRT=};{LED=};{FQDN=};{IP=}];0;CN=EdgeSync – Default-First-Site-Name to Internet,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,CN={C862DF8D-5B21-455C-81ED-E758CAC21C72};0

    —Error 2:—–
    Last error : 451 4.4.0 DNS query failed.

    Addition information: We have 20.20.20.x series IP range as internal network.

    Edge 1 and Edge 2 have IP range: 10.1.1.x…
    MBX1 : 20.20.20.18 and DNSDC1: 20.20.20.16

    Do I need to change the IP address of Internal Network from 20.x.x.x to (i.e.) 10.2.x.x

    Related Article : https://social.technet.microsoft.com/Forums/exchange/en-US/f3f547c0-66ec-4c27-9c4d-fcb6c749a3fb/emails-are-not-going-out-all-emails-stuck-in-queue-exchange-2013?forum=exchangesvrsecuremessaging

    ‘[{LRT=};{LED=};{FQDN=};{IP=}]’ for Every sent email to any domain.
    Also on last error also

  25. Harold Snippert Says:

    Excellent article, especially the ehlo remark.
    Have exchange 2010 and 2007 in coexistence, could mail to outside email addresses, internal addresses could mail internally but not to the “other” server. Response as stated in the article : “451 4.4.0 Primary …..”
    Getting rid of the subnet and mentioning all smtp gateways with their individual ip’s, and also creating new receive connectors for use by exchange only did the trick.
    All is fine now, can migrate without headache. And also can leave the exchange 2007 in place until 2017. Don’t need that many new exchange 2010 licenses for now.

  26. Chandan Says:

    I solved this problem by enabling Exchange server authentication in default receive connector of 2007
