

Event ID 7004 Errors: XEXCH50 "504 Need to authenticate first" between external servers

Posted on 2004-08-19
Medium Priority
Last Modified: 2011-08-18
First the basics:  Exchange 2003 (no SP1) running on Windows Server 2003.  

I have been seeing numerous 7004 errors in my Application log that look like this:

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7004
Date:            8/19/2004
Time:            1:44:11 PM
User:            N/A
Computer:      PARIS_2K3_MAIL
This is an SMTP protocol error log for virtual server ID 1, connection #1145. The remote host "", responded to the SMTP command "xexch50" with "504 Need to authenticate first  ". The full command sent was "XEXCH50 2432 2  ".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

These errors are not followed or preceded by any other errors.  The SMTP log will go something like this for outbound:

2004-08-19 20:10:40 25 - - 220+server.ifs.local+Microsoft+ESMTP+MAIL+Service,+Version:+5.0.2195.6713+ready+at++Thu,+19+Aug+2004+15:08:31+-0500+ 0 SMTP -
2004-08-19 20:10:40 25 EHLO - mail.parispresents.com 0 SMTP -
2004-08-19 20:10:40 25 - - 250-server.ifs.local+Hello+[] 0 SMTP -
2004-08-19 20:10:40 25 MAIL - FROM:<a@realaddress.com> 0 SMTP -
2004-08-19 20:10:40 25 - - 250+2.1.0+a@realaddress.com....Sender+OK 0 SMTP -
2004-08-19 20:10:40 25 RCPT - TO:<another@outsidecompany.com> 0 SMTP -
2004-08-19 20:10:40 25 - - 250+2.1.5+another@outsidecompany.com+ 0 SMTP -
2004-08-19 20:10:40 25 XEXCH50 - 2444+2 0 SMTP -
2004-08-19 20:10:40 25 - - 504+Need+to+authenticate+first 0 SMTP -
2004-08-19 20:10:40 25 BDAT - 165738+LAST 0 SMTP -
2004-08-19 20:10:43 25 - - 250+2.6.0++<C6B47B7F65A1E14691F584FFA0D268229B5C06@paris_2k3_mail.PARIS_PRESENTS>+Queued+mail+for+delivery 0 SMTP -
2004-08-19 20:10:43 25 QUIT - - 0 SMTP -
2004-08-19 20:10:43 25 - - 221+2.0.0+server.ifs.local+Service+closing+transmission+channel 0 SMTP -

I've changed the email addresses in the example above for privacy reasons.  But the a@realaddress.com is a real user in my domain and the another@outsidecompany.com is a legit message at the outside company.  Now this outside company doesn't seem to have any problems sending emails into my server.  The SMTP log looks rather normal:  

2004-08-19 13:20:07 0 xxxx - +server.ifs.local 500 SMTP -
2004-08-19 13:20:07 0 HELO - +server.ifs.local 250 SMTP -
2004-08-19 13:20:07 0 MAIL - +FROM:<another@outsidecompany.com> 250 SMTP -
2004-08-19 13:20:07 0 RCPT - +TO:<a@realaddress.com> 250 SMTP -
2004-08-19 13:20:07 0 DATA - +<C3FA8860FD0B4C4BBEF37AA951A1008B033966@server.ifs.local> 250 SMTP -
2004-08-19 13:20:07 0 QUIT - server.ifs.local 240 SMTP -

This error only seems to occur with this domain and a very small handful of others.  The vast majority of domains send/receive with no problems at all.  I have reviewed KB article 843106 and didn't find anything that really applies because it seems to be discussing Exchange servers within the same Org.  These are two external totally non-related servers in my situation.

Any help would be appreciated.


Question by:hstahl76
LVL 12

Accepted Solution

ColinRoyds earned 2000 total points
ID: 11846371
you may want to read through this carefully

From a newsgroup post:

"If the only problem you are seeing is that XEXCH50 is being denied in some cases, but there is no mail flow problem, it sounds like everything is ok as long as XEXCH50 is only being denied from servers outside of your Exchange Organization and mail is still being received.

Exchange 2003 only accepts XEXCH50 protocol data from clients who authenticate and have been granted "Send As" permission on the receiving SMTP virtual server object in the AD. In this respect, Exchange 2003 behaves differently than Exchange 2000. Within a single Exchange organization, Exchange setup takes care of ensuring that all Exchange servers have the necessary "Send As" right on all of the SMTP virtual servers, through the ACL on the Exchange organization object in the AD which inherits down to all of the SMTP virtual server objects. Because of this, the XEXCH50 command should be properly sent and received between servers within a single Exchange organization.

It is expected that Exchange 2003 will block inbound XEXCH50 data from other Exchange organizations by default, and in this regard, the fact that it is responding with "504 Need to authenticate first" is actually correct, if the remote server is not part of the same Exchange organization. If you are seeing this between servers in the same Exchange organization, that is potentially an authentication or ACLing problem that should be looked into. You can use “ADSIEdit.msc” to investigate the ACLs of the Exchange objects in the configuration container if you suspect that the necessary Exchange server security groups have not been granted the “Send As” access that they need on the SMTP virtual servers.

If you are seeing this between servers in different Exchange organizations, it is normal expected behavior, and should not actually block mail flow. When Exchange 2003 rejects an inbound XEXCH50 attempt, it allows the client to continue without the XEXCH50 data. When Exchange 2000 or 2003 attempt to send an XEXCH50 command and are denied, they continue to try to send their message data."


Author Comment

ID: 11851791
You're right Colin.  After re-reading that KB article that does appear to be normal behavior between any two E2K3 boxes.  I wasn't expecting them to try to do a XEXCH50 exchange because they weren't related to each other.  I should have paid more attention to the line following the XEXCH50 error where the actual data is transferred.  Sure enough I tracked the messages in System Manager and they were delivered and the recipient on my end reported no problems getting emails from the sender.  Guess I need to turn down my level of SMTP logging a bit so I can stop getting freaked out by all the Errors in the log.  LOL.  Thanks for clearing that up.
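
The check discussed above (a 504 reply to XEXCH50 is harmless when the message body is accepted afterwards) as an added example that is not part of the original thread. It assumes the outbound log's field order shown in the question and that every connection starts with a 220 greeting; the sample log and host names are constructed.

```python
# Assumed field order, as in the outbound excerpt: date time port verb target text ...
# A verb of "-" marks a reply from the remote server; "+" stands for a space.
SAMPLE_LOG = """\
2004-08-19 20:10:40 25 - - 220+mx.example.net+ESMTP+ready 0 SMTP -
2004-08-19 20:10:40 25 EHLO - mail.example.org 0 SMTP -
2004-08-19 20:10:40 25 - - 250-mx.example.net+Hello 0 SMTP -
2004-08-19 20:10:40 25 XEXCH50 - 2444+2 0 SMTP -
2004-08-19 20:10:40 25 - - 504+Need+to+authenticate+first 0 SMTP -
2004-08-19 20:10:40 25 BDAT - 165738+LAST 0 SMTP -
2004-08-19 20:10:43 25 - - 250+2.6.0+Queued+mail+for+delivery 0 SMTP -
2004-08-19 20:15:02 25 - - 220+mx.example.com+ESMTP+ready 0 SMTP -
2004-08-19 20:15:02 25 EHLO - mail.example.org 0 SMTP -
2004-08-19 20:15:02 25 - - 250-mx.example.com+Hello 0 SMTP -
2004-08-19 20:15:02 25 XEXCH50 - 2432+2 0 SMTP -
2004-08-19 20:15:02 25 - - 504+Need+to+authenticate+first 0 SMTP -
"""  # constructed and abbreviated (MAIL/RCPT omitted); session 2 stops after the 504

def sessions(log):
    """Yield one list of (time, verb, text) per connection; a 220 greeting starts one."""
    cur = []
    for f in (line.split() for line in log.splitlines()):
        if len(f) < 6:
            continue
        rec = (f"{f[0]} {f[1]}", f[3].upper(), f[5].replace("+", " "))
        if cur and rec[1] == "-" and rec[2].startswith("220"):
            yield cur
            cur = []
        cur.append(rec)
    if cur:
        yield cur

def classify(session):
    """'benign' if the body was accepted after the 504, else 'investigate'."""
    rejected, cmd, arg = False, None, ""
    for _, verb, text in session:
        if verb != "-":
            cmd, arg = verb, text          # command now awaiting its reply
        elif cmd == "XEXCH50" and text.startswith("504"):
            rejected = True
        elif rejected and text.startswith("250") and (
                cmd == "DATA" or (cmd == "BDAT" and arg.endswith("LAST"))):
            return "benign"
    return "investigate" if rejected else "no XEXCH50 rejection"

def triage(log):
    return [(s[0][0], classify(s)) for s in sessions(log)]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Sessions marked `investigate` are the ones where the log never shows the body being accepted after the 504, which is where to look next (queue state, the remote side, anything filtering SMTP in between).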



Expert Comment

ID: 12227544
I have the same messages here but one client is failing to send its messages.  The session hangs for 10 minutes and then fails.  It then restarts the connection.  These hang all day and eventually they get through.  I have only one client that this is happening to.

Expert Comment

ID: 12782757
I have the same problem.
A connection to only some foreign domains is hanging on an XEXCH50 for 10 minutes until it breaks. All mails to this domain can't be sent and an NDR (non delivery report) is sent back to the originator in my mail domain.
If I set up a mail through a telnet connection from my mailserver, I can send a mail properly.

I get the error: 504 Need to authenticate first in my Event Viewer as well as when I sniff with Ethereal on the connection.

Mail sent to domains where I can send them properly are being sent without this command.

Can anybody please help ?

Expert Comment

ID: 14331628
I have the same "hanging" instance of this. The original question above came about due to someone looking maybe too closely at the logs ;). But mine came from a customer's email that never made it to the client, and like 1eEurope above, an NDR was received. I checked and the message sat in the queue for that domain and never left it--after days, still there. I had them send another simple test email to the same domain and it went. The offending message had a small MS Excel attachment, which previously such attachments had been delivered properly. But always, that same XEXCH50 "must authenticate" error. So it sounds like the XEXCH50 is a normal error you would receive on ALL emails sent outside your Exchange 2003 organization. So on my failing emails, there must be something else stopping them from reaching a small handful of domains. Soooooo, what could stop email from reaching a few domains only, and what should I look at log-wise? (I can tell you, that when I try to force these "stuck" emails to go out, the only error I could see (I have max. logging on the transport) is that XEXCH50 one.)

Expert Comment

ID: 14411701
I'm having the same problem as tauby.  My mail will sit there all day unless I intervene.  I've created a connector in E2K3 instead of using the default SMTP engine.  This way, I can force messages to go out using HELO instead of EHLO.  After this, the mail goes out, but I'd rather send using the more secure EHLO format.  Any ideas out there?  Thanks.

Expert Comment

ID: 14489141
We have the same problem too with an SBS 2003 on a client server changing mails with some other external Exchange servers ... just want to get down security level and make Exchange work. We used to work with Qmail or MDaemon, but don't know how to fix this issue. Is this ticket opened? Original post date is one year ago :)

Please help.


Expert Comment

ID: 14489179
I never quite resolved the issue... it just sort-of "went away"... let me know if you learn anything else :)

Expert Comment

ID: 14489227
I've just seen a post saying that the problem was Norton AntiVirus.

My customer has got a corporate license of McAfee .... I'll check it ... but I do not think it may work.

I'll let you know!


Question has a verified solution.