Exchange 2013-2010 Co-existence: Mail Flow is not working “451 4.4.0”
This post addresses an issue where the Exchange 2010 queue holds messages in Retry status destined for Exchange 2013, with the error message “451 4.4.0 Primary target IP address responded with: ‘451 5.7.3 Cannot achieve Exchange Server authentication.’”
Issue:
Mail is not flowing from Exchange 2013 to Exchange 2010
Mail is not flowing from Exchange 2010 to Exchange 2013
Mail is not flowing between different mailboxes on Exchange 2013
Mail is not flowing to self on Exchange 2013
Exceptions:
Sending an email using Telnet works from and to all Exchange servers.
Mail is only working within Exchange 2010
Internet mail is flowing to and from Exchange 2010
Error:
No error or NDR
The Exchange 2013 queue is empty
The Exchange 2010 queue has messages in Retry status to Exchange 2013 with the error message below:
“451 4.4.0 Primary target IP address responded with: ‘451 5.7.3 Cannot achieve Exchange Server authentication.’ Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts”
Troubleshooting Steps:
Telnet to the Exchange 2013 server on port 25
Type ehlo
Check the Exchange verbs. None of the Exchange verbs were visible.
Disable the additional receive connector and restart the Microsoft Exchange Transport service.
Telnet again to port 25
Run the command ehlo
Check the verbs again.
Confirm that all Exchange verbs (those starting with X) are now showing in the EHLO response, as in the screenshot.
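The EHLO check from the steps above, automated as an added example (not the article's own code): parse_ehlo extracts the capability keywords that telnet shows after ehlo, diagnose reports whether the Exchange verbs are advertised, and live_banner fetches a real banner with smtplib. The two banners are constructed, and treating X-EXPS and X-ANONYMOUSTLS as the verbs required for server-to-server authentication is my assumption, not a statement from the article.

```python
import smtplib

# Constructed EHLO banners. Exchange Server authentication between servers rides
# on X-EXPS, so a connector that advertises no X verbs cannot authenticate a peer.
HEALTHY_BANNER = """250-SRV-EXCH2013.example.local Hello [10.1.1.20]
250-SIZE 37748736
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250 XRDST"""
BROKEN_BANNER = """250-SRV-EXCH2013.example.local Hello [10.1.1.20]
250-SIZE 37748736
250-STARTTLS
250-8BITMIME
250 CHUNKING"""
REQUIRED_EXCHANGE_VERBS = ("X-EXPS", "X-ANONYMOUSTLS")


def parse_ehlo(banner):
    """Return the capability keywords from a multi-line 250 EHLO response."""
    verbs, seen_greeting = [], False
    for raw in banner.splitlines():
        line = raw.strip()
        if not line.startswith("250"):      # '250-' = more follow, '250 ' = last
            continue
        if not seen_greeting:               # first 250 line is the host greeting
            seen_greeting = True
            continue
        body = line[4:].strip()
        if body:
            verbs.append(body.split()[0].upper())
    return verbs


def diagnose(banner):
    """Report the X verbs seen and which required Exchange verbs are missing."""
    verbs = parse_ehlo(banner)
    missing = [v for v in REQUIRED_EXCHANGE_VERBS if v not in verbs]
    return {"exchange_verbs": [v for v in verbs if v.startswith("X")],
            "missing": missing, "exchange_auth_possible": not missing}


def live_banner(host, port=25, timeout=10):
    """Fetch a real banner; smtplib strips the '250-' prefixes, so restore them."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, msg = smtp.ehlo()
    return "\n".join("250-" + ln for ln in msg.decode(errors="replace").splitlines())
```

Point live_banner at a server and pass the result to diagnose; an empty exchange_verbs list is exactly the symptom seen in the troubleshooting steps.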
Resolution:
In my case, the same IP range as the mailbox server's IP had been added to an additional receive connector, and that connector had only Anonymous users and TLS selected under Security.
I removed the IP range and restarted the Microsoft Exchange Transport service; the Exchange verbs then appeared and mail flow resumed.
The most important thing to take away is that ehlo should show the Exchange verbs. If they are not visible, disable the additional connector or revert the changes to the default connector until you see the Exchange verbs.
Also, don't forget to restart the Microsoft Exchange Transport service, because your changes will not be applied until you do.
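Why the overlapping range breaks authentication, as an added example that is not part of the article: Exchange hands an inbound session to the receive connector whose remote IP ranges most specifically match the sending IP, so a broad anonymous connector scoped to the mailbox server's subnet captures the server-to-server sessions that the default connector should handle. The connector inventory is constructed, the dictionary keys are a loose stand-in for Get-ReceiveConnector output, and only CIDR or single-IP ranges are handled.

```python
import ipaddress

# Constructed inventory modelled on the article's resolution: the default
# connector trusts Exchange servers, while an extra anonymous relay connector
# was scoped to the whole subnet that also contains the other Exchange server.
# Keys loosely follow Get-ReceiveConnector output; CIDR/single-IP ranges only.
CONNECTORS = [
    {"name": "Default SRV-EXCH2013", "remote_ip_ranges": ["0.0.0.0/0"],
     "auth_mechanism": {"Tls", "Integrated", "BasicAuth", "ExchangeServer"},
     "permission_groups": {"ExchangeUsers", "ExchangeServers", "ExchangeLegacyServers"}},
    {"name": "Anonymous Relay", "remote_ip_ranges": ["10.1.1.0/24"],
     "auth_mechanism": {"Tls"},
     "permission_groups": {"AnonymousUsers"}},
]


def matching_connectors(connectors, peer_ip):
    """Return (prefixlen, connector) for every connector whose ranges cover peer_ip."""
    ip = ipaddress.ip_address(peer_ip)
    hits = []
    for conn in connectors:
        for rng in conn["remote_ip_ranges"]:
            net = ipaddress.ip_network(rng, strict=False)   # bare IP becomes a /32
            if ip in net:
                hits.append((net.prefixlen, conn))
    return hits


def select_connector(connectors, peer_ip):
    """Exchange hands the session to the connector with the most specific range."""
    hits = matching_connectors(connectors, peer_ip)
    return max(hits, key=lambda h: h[0])[1] if hits else None


def can_do_exchange_auth(conn):
    """Both the auth mechanism and the permission group must allow Exchange servers."""
    return ("ExchangeServer" in conn["auth_mechanism"]
            and "ExchangeServers" in conn["permission_groups"])


def diagnose_peer(connectors, peer_ip):
    """Explain which connector a peer Exchange server lands on and whether it can authenticate."""
    conn = select_connector(connectors, peer_ip)
    if conn is None:
        return f"no connector accepts {peer_ip}"
    if can_do_exchange_auth(conn):
        return f"OK: {peer_ip} lands on '{conn['name']}'"
    return (f"PROBLEM: {peer_ip} lands on '{conn['name']}', which cannot do "
            "Exchange Server authentication (expect 451 5.7.3)")
```

Narrowing the relay connector to the individual relay hosts, as the article's fix does, makes the mailbox server fall back to the default connector again.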
Prabhat Nigam
Microsoft MVP | Exchange Server
team@MSExchangeguru
August 23rd, 2013 at 1:58 pm
Thanks!
Was there a need to create an additional RC when the default should work?
August 23rd, 2013 at 2:08 pm
Yes Kunal
You would not like to enable anonymous users on Default RC.
September 26th, 2013 at 8:19 am
Situation:
2 co-existing servers, one Ex2007, one Ex2013
I can mail from -> to:
2007 -> 2007
2007 -> 2013
2007 -> external
external -> 2007
2013 -> 2013
2013 -> external
external -> 2013
I CAN NOT mail :
2013 -> 2007
Any idea where to look?
September 26th, 2013 at 5:44 pm
@Jochen
-Did you change any receive connector?
-Telnet from 2013 -> 2007 on port 25, try to drop an email and share the error. Commands are below (backspace will not work):
telnet ip 25
ehlo
mail from: sender email
rcpt to: recipient email
Data
type something
.
enter.
September 27th, 2013 at 12:43 am
On the 2013, I did the telnet-test:
telnet IPexch2007 25
ehlo
mail from: UserOn2013@domeinname.ext
rcpt to: myEmailOn2007@domeinname.ext
Data
This is a test
.
-- 250 2.6.0 Queued mail for delivery
-> Mail received in my mailbox
Second test :
mail from: myEmailOn2007@domeinname.ext
rcpt to: myEmailOn2007@domeinname.ext
Data
This is a test
.
-- 250 2.6.0 Queued mail for delivery
-> Mail received in my mailbox
September 27th, 2013 at 1:16 am
I received a message in the 2013 mailbox from a mail I sent yesterday:
Source server: SRV-EXCH2013.InternalDomainname.local
Receiving server: exchangeserver.InternalDomainname.local (IPaddress2007)
User2007@ExternalDomainname.be
Remote Server at exchangeserver.InternalDomainname.local (IPaddress2007) returned ‘400 4.4.7 Message delayed’
26/09/2013 16:16:51 – Remote Server at exchangeserver.InternalDomainname.local (IPaddress2007) returned ‘451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was IPaddress2007:25’
Original message headers:
Received: from SRV-EXCH2013.InternalDomainname.local (IPaddress2013) by
SRV-EXCH2013.InternalDomainname.local (IPaddress2013) with Microsoft SMTP Server (TLS)
id 15.0.712.22; Thu, 26 Sep 2013 14:24:19 +0200
Received: from SRV-EXCH2013.InternalDomainname.local ([…]) by
SRV-EXCH2013.InternalDomainname.local ([…%12]) with mapi id
15.00.0712.012; Thu, 26 Sep 2013 14:24:13 +0200
Content-Type: application/ms-tnef; name=”winmail.dat”
Content-Transfer-Encoding: binary
From: User2013
To: User2007
Subject: test 14h24
Thread-Topic: test 14h24
Thread-Index: AQHOurNPo/H0bg2uh0WtfKfamUFiBg==
Date: Thu, 26 Sep 2013 14:24:13 +0200
Message-ID:
Accept-Language: nl-NL, nl-BE, en-US
Content-Language: nl-NL
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
MIME-Version: 1.0
X-Originating-IP: [IPaddress I tested from]
Return-Path: User2013@ExternalDomainname.be
September 27th, 2013 at 8:50 pm
@Jochen
Please make sure this authentication is checked on the 2007 receive connector.
“Exchange Server authentication”
April 16th, 2014 at 11:41 am
I am upgrading Exchange 2010 to Exchange 2013 and am currently in coexistence. I cut over the MX to deliver mail to the 2013 CAS VIP last night and no mail was being received by the 2010 mailboxes; it was all being queued on the 2013 mailbox servers (mailbox and CAS servers are separate in this deployment). There are only a few 2013 mailboxes as I have not yet started migrating them. These 2013 internal mailboxes cannot send to Exchange 2010 either, but 2010 can send to 2013. 2013 to 2013 mail works fine. I have read somewhere about an issue with a receive connector having the same IP range that includes the mailbox servers, but I’m not clear on which mailbox servers it is really alluding to.
All the Exchange 2010 servers are on the 10.1.1.* network. The Exchange 2013 CAS servers are all on the 10.1.1.* network and the 3 Exchange mailbox servers are on 10.1.1.*, 10.1.2.* and 10.30.5.*. Only 1 AD site. On one of the 2010 receive connectors there is a scope of 10.1.1.0/24. I’m wondering if this is the culprit and whether removing it should fix the problem. Any other ideas would be appreciated.
April 16th, 2014 at 3:09 pm
@Rick
-I would never recommend doing the cutover until you have tested the internal mail flow.
-Yes, this connector has an issue; you need to all Exchange IPs or ranges.
-Additionally, you need Exchange servers and the Exchange Server authentication checkbox checked. Normally we should not change the default receive connector.
-Send an email from the 2013 server using telnet from the command prompt. The Telnet client will need to be installed from Add/Remove Features. Telnet commands are mentioned below:
telnet ip 25
ehlo
mail from: sender email
rcpt to: recipient email
Data
type something
.
enter.
April 24th, 2014 at 3:08 pm
Prabhat,
Awesome website, btw. Got a question for you. I am upgrading 2010 to 2013 (currently in coexistence). Internal mail flow works great between the two systems. My plan is to configure inbound and outbound email to my load balanced FE servers. In order for inbound email to work, I’ve modified the default frontend receive connector to receive email from our cloud based email filter. Do I need to set up an additional send connector to send incoming mail to my hub transport servers internally? Based on what I’ve read, the FE servers have routing tables based on the delivery groups in AD DS and deliver the inbound email through those mechanisms.
April 24th, 2014 at 3:14 pm
Can I configure Exchange 2010 Hubtransport servers on my Outbound Proxy FrontEnd receive connector? Or would it be best just to add them to the Default Frontend connector?
April 24th, 2014 at 3:21 pm
@Steve
You don’t need a send connector within the same Exchange org and AD forest.
As long as you don’t change the default Exchange connectors, you don’t need to add your Exchange server IPs to any receive connectors.
Let me know if this helps
April 24th, 2014 at 6:20 pm
Prabhat,
So if I’m understanding you correctly, in order to send all email (Exchange 2010 and 2013) that is outbound through the load balanced FEs, I would only need to create send connectors on all Exchange 2010 Hub Transport servers and Exchange 2013 Mailbox servers that point to the load balanced VIP? The default “Outbound Proxy Frontend” receiver uses port 717. So it looks like the Ex2010 servers would send mail to the FEs via the “Default Frontend” on port 25 and the Exchange 2013 servers would use the “Outbound Proxy Frontend”, correct?
April 25th, 2014 at 5:51 pm
A send connector is an organization-level property. You need one send connector; then you need to add source servers. As source servers you can add both 2010 and 2013 until you reach the 2010 decommission stage. A load balancer is not a server but just a load management device, so you just need to use DNS to route the emails to the internet. A load balancer can be used for incoming emails.
“Outbound Proxy Frontend receiver uses port 717”
This is the connector to route the emails from the CAS server, which is not a requirement.
I would highly recommend you to go through my transport session video. – https://www.youtube.com/watch?v=u23fzR1GsH4
January 4th, 2015 at 10:58 pm
HI,
I have set up a new infrastructure for Exchange 2013. I am able to access the OWA page through the internet; however, I am not able to send mails to external domains. Our existing setup is hosted on a third party domain and we are migrating users from there. On the intranet it is working fine. We have got our IPs added in the MX record with low priority as we do not want users facing any problem before the testing is done and we are ready for migration.
Pls help.
Regards
Pranjal
January 5th, 2015 at 6:57 am
@Pranjal
You need to set up a send connector and make sure you are able to resolve external DNS from the Exchange server. Also, port 25 must be open from Exchange to the internet.
January 5th, 2015 at 8:08 am
Dear Prabhat, thanks for your response. The send connector is already set up and we are able to resolve external DNS from Exchange. However, I was going through your article that the same IP range is added in the MX record also. I understand that the external connector refers to the MX record which is hosted on the NIC server. We have got two public IPs added there, which are NATed to one IP from the same range of IPs assigned to the CAS server. Since we would be migrating all mailboxes from the NIC server to our own setup, one plan which I have is to move the MX pointer and ask users to access their mails through OWA and change the Outlook settings later.
Can you suggest some better plan with less impact.
Regards
Pranjal
January 5th, 2015 at 8:10 am
Also, could it be a problem with the Mailguard feature in the Cisco firewall?
January 5th, 2015 at 8:21 am
All X verbs are visible in ECHO command
January 5th, 2015 at 11:59 pm
Delivery Report for pranamcomputech@outlook.com (pranamcomputech@outlook.com)
Pending
1/5/2015 9:02 AM blkolmbx2.balmerlawrie.com
The message has been transferred from blkolmbx2.balmerlawrie.com to BLKOLMBX1.BALMERLAWRIE.COM.
Submitted
1/5/2015 3:26 PM blkolmbx2.balmerlawrie.com
The message was submitted to blkolmbx2.balmerlawrie.com.
1/6/2015 3:26 AM blkolmbx2.balmerlawrie.com
I am getting the below error in log
The message was submitted to blkolmbx2.balmerlawrie.com.
Pending
1/6/2015 3:26 AM blkolmbx2.balmerlawrie.com
The message has been queued on server ‘blkolmbx2.balmerlawrie.com’ since 1/6/2015 3:26:22 AM (UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi. The last attempt to send the message was at 1/6/2015 10:16:44 AM (UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi and generated the error ‘[{LRT=};{LED=};{FQDN=};{IP=}]’.
1/6/2015 10:19 AM blkolmbx2.balmerlawrie.com
Message delivery is taking longer than expected. There may be system delays. For more information, contact your helpdesk.
January 6th, 2015 at 4:58 am
Do this and share the result
telnet mx1.hotmail.com 25
ehlo YourPublicIP
mail from: sender email
rcpt to: recipient email
Data
type something
.
enter.
January 10th, 2015 at 7:56 am
hi Prabhat…thanks for reply.
Telnet to mx1.hotmail.com on port 25 was successful and I got the email in the junk folder of my Hotmail account (sultannaveen@hotmail.co.in). I tested by sending email using telnet from both Edge servers with success.
When I send email from OWA it is delivered from the mailbox servers (blkolmbx1, blkolmbx2) but gets stuck on the Edge servers (Edge1, Edge2). The log of the message shows the error below…
–Error 1: ———
From Address: administrator@balmerlawrie.com
Status: Ready
Message Source Name: SMTP:Default internal receive connector BLKOLEDGE1
Source IP: 20.20.20.18
SCL: -1
Date Received: 1/9/2015 2:46:54 PM
Expiration Time: 1/11/2015 2:46:54 PM
Last Error:
Queue ID: BLKOLEDGE1\3180
Recipients: jyotirmoydasgupta@gmail.com;2;2;[{LRT=};{LED=};{FQDN=};{IP=}];0;CN=EdgeSync – Default-First-Site-Name to Internet,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,CN={C862DF8D-5B21-455C-81ED-E758CAC21C72};0
—Error 2:—–
Last error : 451 4.4.0 DNS query failed.
Additional information: We have the 20.20.20.x IP range as our internal network.
Edge 1 and Edge 2 have IP range: 10.1.1.x…
MBX1 : 20.20.20.18 and DNSDC1: 20.20.20.16
Do I need to change the IP address of Internal Network from 20.x.x.x to (i.e.) 10.2.x.x
Related Article : https://social.technet.microsoft.com/Forums/exchange/en-US/f3f547c0-66ec-4c27-9c4d-fcb6c749a3fb/emails-are-not-going-out-all-emails-stuck-in-queue-exchange-2013?forum=exchangesvrsecuremessaging
‘[{LRT=};{LED=};{FQDN=};{IP=}]’ for Every sent email to any domain.
Also on last error also
January 8th, 2016 at 7:48 am
Excellent article, especially the ehlo remark.
I have Exchange 2010 and 2007 in coexistence; both could mail to outside email addresses, and internal addresses could mail internally but not to the “other” server. Response as stated in the article: “451 4.4.0 Primary …..”
Getting rid of the subnet and listing all SMTP gateways with their individual IPs, and also creating new receive connectors for use by Exchange only, did the trick.
All is fine now, can migrate without headache. And also can leave the exchange 2007 in place until 2017. Don’t need that many new exchange 2010 licenses for now.
September 16th, 2016 at 1:54 am
I solved this problem by enabling Exchange server authentication in default receive connector of 2007