Installed new 3rd party cert Exchange 2010 outlook web App and email not working after reboot

I am running Exchange 2010 Rollup 4 on Server 2008 SP2.

I have installed a new 3rd party SSL cert and my users were getting the message that the names did not match. So I did this to fix it:

Set-ClientAccessServer -Identity russellmail -AutodiscoverServiceInternalUri https://mail.domain.net/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "russellmail\EWS (Default Web Site)" -InternalUrl https://mail.domain.net/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "russellmail\oab (Default Web Site)" -InternalUrl https://mail.domain.net/oab

Email was working just fine as well as OWA.

We also changed ISPs, so my IP addresses changed and I made changes to DNS. After propagation all worked just fine. It is when I rebooted the server that everything stopped working: OWA and incoming and outgoing email.

To complicate matters further, we use Microsoft forefront online protection and mail is bouncing back from their servers. (The following organization rejected your message: TX2EHSMHS044.bigfish.com; TX2EHSMHS044.bigfish.com #550 5.4.1 Relay Access Denied ##) I have a ticket open with them and they said they would get back to me when they found something.

I am not sure the OWA not working (times out) is related to our incoming and outgoing mail not working.

I can give more info if needed.
 
Thanks
Rebel_Scum asked:
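The three Set-* commands in the question change what Exchange tells Outlook to connect to, and the "names do not match" prompt appears whenever one of those published names is missing from the certificate bound to IIS. The script below is an added example, not something posted in this thread: it lists the names on the IIS certificate, collects every URL Exchange publishes (Autodiscover SCP plus the EWS, OAB, OWA, ActiveSync and ECP virtual directories) and flags any host that the certificate does not cover. It assumes the server is named russellmail as in the question and is run from the Exchange Management Shell on Exchange 2010.

```powershell
# Added example (not from the thread): compare the names on the IIS certificate
# with the names Exchange publishes to clients, so a mismatch shows up before users do.
# Assumption: server name 'russellmail' as in the question; run in the Exchange Management Shell.
$Server = 'russellmail'

# Subject / SAN names on every certificate that has the IIS service enabled
$certNames = @(
    Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains }
)
"Certificate names bound to IIS: $($certNames -join ', ')"

# Every URL Exchange hands out: the Autodiscover SCP plus each virtual directory's internal/external URL
$urls = @()
$urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
$vdirs = @(Get-WebServicesVirtualDirectory -Server $Server) +
         @(Get-OabVirtualDirectory        -Server $Server) +
         @(Get-OwaVirtualDirectory        -Server $Server) +
         @(Get-ActiveSyncVirtualDirectory -Server $Server) +
         @(Get-EcpVirtualDirectory        -Server $Server)
foreach ($vd in $vdirs) {
    $urls += $vd.InternalUrl
    $urls += $vd.ExternalUrl
}

# Flag any published host that is not on the certificate (wildcard entries like *.domain.net are honoured)
foreach ($u in ($urls | Where-Object { $_ })) {
    $h  = ([Uri]$u).Host
    $ok = $certNames | Where-Object { $_ -eq $h -or ($_.StartsWith('*.') -and $h -like $_) }
    if ($ok) { "OK       $u" } else { "MISMATCH $u  (host '$h' is not on the IIS certificate)" }
}
```

A MISMATCH line tells you which Set-*VirtualDirectory (or Set-ClientAccessServer) call still points at a name the new certificate does not carry; an empty InternalUrl or ExternalUrl is skipped because Exchange does not advertise it.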
 
sunnyc7 commented:
a) You set up your Autodiscover and SCPs to point to this:
https://mail.domain.net/
Do you have an internal DNS entry for mail.domain.net pointing to the IP address of the Exchange server?

b) What's your internal domain name and external domain name? Are they the same or different?

c) Go here
www.testexchangeconnectivity.com/

Test for inbound / outbound email.

After the ISP change, did you change your IP address in the MX records?
Check yours here:
www.mxtoolbox.com

Did you ask your ISP to create a PTR record for your external FQDN pointing to your public IP?
In your case, I think you will have to check with the Forefront team on that.

Please post back questions.
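sunnyc7's checklist (internal A record for the name in the URLs, MX records after the ISP change, PTR for the public IP, and the SPF record that ExRCA evaluates) can be run from the Exchange server itself. The script below is an added example and is not from this thread; it uses only .NET DNS calls and nslookup so it works on Server 2008 with PowerShell 2.0. The name, domain and public IP are placeholders to replace with your own.

```powershell
# Added example (not from the thread): check the DNS pieces that the answers above ask about.
# Assumptions: $PublicName is the host in your InternalUrl/certificate, $Domain is your SMTP
# domain, $PublicIp is the address the new ISP gave you (203.0.113.10 is a documentation placeholder).
$PublicName = 'mail.domain.net'
$Domain     = 'domain.net'
$PublicIp   = '203.0.113.10'

# 1) Does the name Exchange hands to clients resolve from inside the network?
try {
    $a = [System.Net.Dns]::GetHostAddresses($PublicName) | ForEach-Object { $_.IPAddressToString }
    "A   $PublicName -> $($a -join ', ')"
} catch {
    "A   $PublicName -> NOT RESOLVABLE internally ($($_.Exception.Message)); add an A record on the internal DNS"
}

# 2) MX records: do they still name the right host after the ISP change?
$mx = nslookup -type=MX $Domain 2>$null | Select-String 'mail exchanger'
if ($mx) { $mx | ForEach-Object { "MX  $($_.Line.Trim())" } } else { "MX  no MX records found for $Domain" }

# 3) PTR for the public IP, the lookup ExRCA reported as failed
try {
    $ptr = [System.Net.Dns]::GetHostEntry($PublicIp).HostName
    "PTR $PublicIp -> $ptr"
} catch {
    "PTR $PublicIp -> MISSING; only the ISP that owns the address block can create it"
}

# 4) SPF record as published in DNS (what the Sender ID test parses)
$txt = nslookup -type=TXT $Domain 2>$null | Select-String 'v=spf1'
if ($txt) { $txt | ForEach-Object { "SPF $($_.Line.Trim())" } } else { "SPF no v=spf1 TXT record found for $Domain" }
```

Run it on the Exchange server so step 1 uses the internal resolvers, then again from a machine outside the network so steps 2 to 4 reflect what the world sees; the two runs should agree on everything except the A record, which is the split-DNS setup the answers describe.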
 
Mkris9 commented:
Are you able to access OWA internally?
 
Antonio Vargas (Microsoft Senior Cloud Consultant) commented:
You need internal DNS records for mail.domain.net. They need to be resolvable internally, as you configured the internal URL pointing to those names...

Mail bouncing is a different problem. You don't have authorization on your Hub Transport receive connector to accept relay from the external source (Microsoft Forefront Online). Is mail delivered directly to your internal Exchange from Forefront Online? If so, you need to allow the IPs of Forefront Online to relay on your internal Hub, and also check the authentication configured on the Hub Transport.
 
Rebel_Scum (Author) commented:
No, not with the internal url.
Thanks
 
Rebel_Scum (Author) commented:
I can change my own DNS. If I need to do anything, let me know.

Performing Outbound SMTP Test
 Outbound SMTP Test Failed
 Test Steps
 Attempting reverse DNS lookup for IP 216.248.108.33
 Reverse-DNS Lookup failed
 Additional Details
 IP Address xxx.xxx.xxx.xx does not have a PTR record in DNS

Performing Real-Time Blackhole List (RBL) Test
 Your IP address wasn't found on any of the block lists selected.
 Test Steps
 Checking Block List "SpamHaus Block List (SBL)"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "SpamHaus Exploits Block List (XBL)"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "SpamHaus Policy Block List (PBL)"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "SpamCop Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "NJABL.ORG Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "SORBS Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "MSRBL Combined Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "UCEPROTECT Level 1 Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "AHBL Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xx.xx was not found on RBL



Performing Sender ID validation
 Sender ID validation failed
 Test Steps
 ExRCA is attempting to find the SPF record using a DNS TEXT record query.
 Found SPF Record
 Additional Details
 SPF Record found: "v=spf1 include:spf.messaging.microsoft.com ip4:xxx.xxx.xxx.xx -all"


Parsing SPF record and evaluating mechanisms and modifiers
 SPF Record evaluation resulted in a Sender ID failure.
 Additional Details
 The SPF record could not be parsed. Resulting in a PermError
 
Antonio Vargas (Microsoft Senior Cloud Consultant) commented:
Performing Outbound SMTP Test
 Outbound SMTP Test Failed
 Test Steps
 Attempting reverse DNS lookup for IP 216.248.108.33
 Reverse-DNS Lookup failed
 Additional Details
 IP Address xxx.xxx.xxx.xx does not have a PTR record in DNS

You need a reverse DNS record configured for your MX record's IP. You need to ask your ISP for that.

How are the inbound tests? Can you receive mail?
 
Rebel_Scum (Author) commented:
I can get to OWA internally now. I added it to DNS. Mail is getting to Forefront servers, but not to mine still.

What do I need to do to fix this (below)?

 Attempting reverse DNS lookup for IP 216.248.108.33
 Reverse-DNS Lookup failed
 Additional Details
 IP Address xxx.xxx.xxx.xx does not have a PTR record in DNS

How do I set my internal DNS for mail.domain.com? I have an A record for my external IP.

 
sunnyc7 commented:
You need to call your ISP and ask them to set up a PTR record for your IP address.
 
Antonio Vargas (Microsoft Senior Cloud Consultant) commented:

 Attempting reverse DNS lookup for IP 216.248.108.33
 Reverse-DNS Lookup failed
 Additional Details
 IP Address xxx.xxx.xxx.xx does not have a PTR record in DNS

How do I set my internal DNS for mail.domain.com? I have an A record for my external IP.

You need to ask your ISP to configure the DNS where you have your A record associated with the IP 216.248.108.33. You need a PTR record for your external domain record.

You need to allow the Forefront servers to relay on your receive connectors.
 
Rebel_Scum (Author) commented:
I ran the Best Practices Analyzer and this was the only error I received.

Active Directory domain 'RUSSELL' has an unrecognized Exchange signature. Current DomainPrep version: 12639
 
Rebel_Scum (Author) commented:
I have added all of the IPs for Microsoft's servers to my receive connector. All mail had been working prior to the above events.
 
Antonio Vargas (Microsoft Senior Cloud Consultant) commented:
Open Queue Viewer on Exchange to see if mail is stuck in the queue. Also enable verbose logging on the receive connector that gets mail from the Internet so we can check for errors.
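Antonio's two receive-connector points, letting the hosted filtering service's addresses in (his earlier reply) and turning on verbose protocol logging plus checking the queues (this one), can be done from the Exchange Management Shell rather than the GUI. The script below is an added example and not from anyone in this thread. The connector name follows Exchange 2010's default naming for a server called russellmail, and the two IP ranges are documentation placeholders, not the real ranges of any provider; use the list your filtering service publishes.

```powershell
# Added example (not from the thread): inspect the Internet-facing receive connector,
# add the filtering service's source ranges without touching the existing ones,
# enable verbose protocol logging, and look for mail stuck in the transport queues.
# Assumptions: server 'russellmail', default connector name 'Default russellmail',
# and placeholder ranges (198.51.100.0/24, 203.0.113.0/24) in place of the provider's real list.
$Server       = 'russellmail'
$Connector    = "$Server\Default $Server"
$FilterRanges = @('198.51.100.0/24', '203.0.113.0/24')

# What the connector accepts today: bindings, allowed remote ranges, and who may submit
$rc = Get-ReceiveConnector -Identity $Connector
"Connector        : $($rc.Identity)"
"Bindings         : $($rc.Bindings -join ', ')"
"RemoteIPRanges   : $($rc.RemoteIPRanges -join ', ')"
"PermissionGroups : $($rc.PermissionGroups)"
"AuthMechanism    : $($rc.AuthMechanism)"

# RemoteIPRanges is multi-valued; @{Add=...} appends instead of replacing the list
Set-ReceiveConnector -Identity $Connector -RemoteIPRanges @{Add = $FilterRanges}

# Verbose protocol logging records every SMTP verb and response for this connector
Set-ReceiveConnector -Identity $Connector -ProtocolLoggingLevel Verbose
"Receive protocol logs: $((Get-TransportServer -Identity $Server).ReceiveProtocolLogPath)"

# Queue check: anything other than Ready/Active with a rising MessageCount needs a look
Get-Queue -Server $Server |
    Format-Table Identity, Status, MessageCount, NextHopDomain, LastError -AutoSize
```

Leave the logging at Verbose only while troubleshooting; the log files grow quickly on a busy connector, and the same cmdlet with -ProtocolLoggingLevel None turns it back off. If the queue listing shows nothing queued while the sender still gets a 550 relay rejection, the mail is not reaching this server at all, which is what the thread's later firewall finding turned out to be.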
 
Rebel_Scum (Author) commented:
OK, this is the part where everyone laughs at me. Here is what happened. One of our external IPs was added to the firewall to point to the mail server for Remote Desktop. I am not sure why this would cause a problem, but it did. I figured this out when one of our BlackBerry users showed me the IP on his phone, which was the new IP that was added. I removed the IP from the firewall and immediately all mail started to come in. Strange.

Well, if someone wants points: what do I do with this? Is it a problem?

I ran the Best Practices Analyzer and this was the only error I received.

Active Directory domain 'RUSSELL' has an unrecognized Exchange signature. Current DomainPrep version: 12639

Thanks everyone for your input.
 
sunnyc7 commented:
One of our external IPs was added to the firewall to point to the mail server for Remote Desktop.
>> This was added where in the firewall?
So your firewall had 2 public IPs?


I ran the Best Practices Analyzer and this was the only error I received.
Active Directory domain 'RUSSELL' has an unrecognized Exchange signature. Current DomainPrep version: 12639
>> You can ignore this. That's a signature error in BPA.
 
Rebel_Scum (Author) commented:
Yes, my firewall has more than 1 public IP; it has 3 right now. We also have a VoIP server that has an external IP and two others assigned. I can set up secondary IP addresses and do a 1-to-1 NAT.
 
sunnyc7 commented:
OK.
Let me know if there are any other issues, or you can close this case.

Thanks
 
Antonio Vargas (Microsoft Senior Cloud Consultant) commented:
Active Directory domain 'RUSSELL' has an unrecognized Exchange signature. Current DomainPrep version: 12639

Thanks everyone for your input.

Like sunny said, you can ignore that error.