Solved

Installed new 3rd-party cert on Exchange 2010; Outlook Web App and email not working after reboot

Posted on 2010-08-25
17
958 Views
Last Modified: 2012-05-10
I am running Exchange 2010 Rollup 4 on Server 2008 SP2.

I have installed a new third-party SSL cert and my users were getting the message that the names did not match. So I did this to fix it:

Set-ClientAccessServer -Identity russellmail -AutodiscoverServiceInternalUri https://mail.domain.net/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "russellmail\EWS (Default Web Site)" -InternalUrl https://mail.domain.net/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "russellmail\oab (Default Web Site)" -InternalUrl https://mail.domain.net/oab

Email was working just fine as well as OWA.

We also changed ISPs, so my IP addresses changed and I made changes to DNS. After propagation all worked just fine. It was when I rebooted the server that everything stopped working: OWA and incoming and outgoing email.

To complicate matters further, we use Microsoft Forefront Online Protection and mail is bouncing back from their servers. (The following organization rejected your message: TX2EHSMHS044.bigfish.com; TX2EHSMHS044.bigfish.com #550 5.4.1 Relay Access Denied ##) I have a ticket open with them and they said they would get back to me when they found something.

I am not sure whether OWA not working (it times out) is related to our incoming and outgoing mail not working.

I can give more info if needed.
 
Thanks
Question by:Rebel_Scum
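The three Set-* commands in the question each fix one URL by hand. The script below is an added example (it is not part of the original post) that checks the same thing systematically in the Exchange Management Shell on the CAS: it pulls every client-facing URL Exchange 2010 hands out and tests whether its host name is covered by the certificate bound to IIS. It goes beyond the three settings the poster changed and also covers the OWA and ActiveSync virtual directories, since a mismatch on any of them produces the same certificate-name warning. The server name "russellmail" is the poster's; substitute your own.

```powershell
# Added example (not from the original post): compare every client-access URL
# Exchange 2010 hands out against the names on the certificate bound to IIS.
# Run in the Exchange Management Shell on the Client Access server.
$server = "russellmail"     # poster's server name; change to yours

# Subject and SAN names of the certificate IIS (OWA/EWS/Autodiscover) presents.
$certNames = @(Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match "IIS" } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() })

# True when one certificate name covers $hostName. A wildcard entry
# (*.domain.net) matches exactly one extra label, so it covers mail.domain.net
# but neither domain.net nor owa.mail.domain.net.
function Test-CertCoversHost([string]$hostName, [string[]]$names) {
    if (-not $names) { return $false }
    foreach ($n in $names) {
        if ($n -eq $hostName) { return $true }
        if ($n.StartsWith("*.")) {
            $suffix = $n.Substring(1)                      # ".domain.net"
            if ($hostName.Length -gt $suffix.Length -and $hostName.EndsWith($suffix)) {
                $firstLabel = $hostName.Substring(0, $hostName.Length - $suffix.Length)
                if ($firstLabel -notmatch "\.") { return $true }
            }
        }
    }
    return $false
}

# Every setting a client may be redirected to, with the URL it currently holds.
$settings = @()
$cas = Get-ClientAccessServer -Identity $server
$settings += New-Object PSObject -Property @{
    Setting = "AutoDiscoverServiceInternalUri"; Url = $cas.AutoDiscoverServiceInternalUri }
$vdirs = @(Get-WebServicesVirtualDirectory -Server $server) +
         @(Get-OABVirtualDirectory -Server $server) +
         @(Get-OwaVirtualDirectory -Server $server) +
         @(Get-ActiveSyncVirtualDirectory -Server $server)
foreach ($vd in $vdirs) {
    $settings += New-Object PSObject -Property @{ Setting = "$($vd.Identity) InternalUrl"; Url = $vd.InternalUrl }
    $settings += New-Object PSObject -Property @{ Setting = "$($vd.Identity) ExternalUrl"; Url = $vd.ExternalUrl }
}

# Report each URL's host and whether the IIS certificate covers it.
foreach ($s in $settings) {
    if (-not $s.Url) { Write-Host ("{0,-55} (not set)" -f $s.Setting); continue }
    $h = ([System.Uri]"$($s.Url)").Host.ToLower()
    $status = if (Test-CertCoversHost $h $certNames) { "OK" } else { "NOT ON CERT" }
    Write-Host ("{0,-55} {1,-28} {2}" -f $s.Setting, $h, $status)
}
```

Any line marked NOT ON CERT is a URL Outlook or a phone will be sent to and then warn about; either add that name to the certificate request or change the URL, as the poster did, to a name the certificate already carries.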
17 Comments
 
Assisted Solution

by:Mkris9
Mkris9 earned 166 total points
ID: 33520920
Are you able to access OWA internally?

Expert Comment

by:GreatVargas
ID: 33520961
You need internal DNS records for mail.domain.net. They need to be resolvable internally, as you configured the internal URLs pointing to those names.

The mail bouncing is a different problem. You don't have authorization on your Hub Transport receive connector to accept relay from the external source (Microsoft Forefront Online). Is mail delivered directly to your internal Exchange from Forefront Online? If so, you need to allow the IPs of Forefront Online to relay on your internal hub, and also check the authentication configured on the Hub Transport.
 
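The receive-connector check GreatVargas describes, written out as an added example (not code from the thread) for the Exchange Management Shell. Given one remote address, it shows which Receive connectors on the Hub Transport server would accept the connection and what permissions and authentication that connector grants. The address 203.0.113.10 is a constructed placeholder; use the Forefront Online Protection ranges Microsoft publishes for your service. The server name "russellmail" is the poster's.

```powershell
# Added example (not from the thread): which Receive connectors would accept a
# connection from a given remote IP, and with what permissions.
$server   = "russellmail"                                     # poster's server name
$remoteIp = [System.Net.IPAddress]::Parse("203.0.113.10")     # constructed test address

# IPv4 address -> integer so a range check becomes a numeric comparison.
# Uses multiplication rather than -shl so it also runs on PowerShell 2.0.
function ConvertTo-IPv4Number([System.Net.IPAddress]$ip) {
    $b = $ip.GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

# An Exchange IPRange entry (single address, CIDR or low-high) exposes
# LowerBound/UpperBound; in the remote EMS they may arrive as strings, so
# re-parse them before comparing. IPv6 ranges are skipped.
function Test-RangeContains($range, [System.Net.IPAddress]$ip) {
    $low  = [System.Net.IPAddress]::Parse("$($range.LowerBound)")
    $high = [System.Net.IPAddress]::Parse("$($range.UpperBound)")
    if ($ip.AddressFamily -ne "InterNetwork" -or $low.AddressFamily -ne $ip.AddressFamily) { return $false }
    $n = ConvertTo-IPv4Number $ip
    return ($n -ge (ConvertTo-IPv4Number $low)) -and ($n -le (ConvertTo-IPv4Number $high))
}

# When several connectors match, Exchange uses the one whose matching range is
# most specific, so look at every hit rather than the first.
foreach ($rc in Get-ReceiveConnector -Server $server) {
    $hits = @($rc.RemoteIPRanges | Where-Object { Test-RangeContains $_ $remoteIp })
    Write-Host ("{0}" -f $rc.Identity)
    Write-Host ("  bindings      : {0}" -f (@($rc.Bindings | ForEach-Object { "$_" }) -join ", "))
    Write-Host ("  remote ranges : {0}" -f (@($rc.RemoteIPRanges | ForEach-Object { "$_" }) -join ", "))
    Write-Host ("  permissions   : {0}" -f $rc.PermissionGroups)
    Write-Host ("  auth          : {0}" -f $rc.AuthMechanism)
    if ($hits.Count -gt 0) {
        Write-Host ("  {0} is accepted here via {1}" -f $remoteIp, (@($hits | ForEach-Object { "$_" }) -join ", "))
    } else {
        Write-Host ("  {0} is NOT in any remote range of this connector" -f $remoteIp)
    }
}
```

A connector that lists AnonymousUsers accepts mail for your own accepted domains from the matched host; relaying onward to other domains additionally needs the ms-Exch-SMTP-Accept-Any-Recipient extended right on that connector, which Get-ADPermission on the connector will show.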

Author Comment

by:Rebel_Scum
ID: 33520976
No, not with the internal url.
Thanks

Accepted Solution

by: sunnyc7
sunnyc7 earned 167 total points
ID: 33521340
a) You set up your Autodiscover and SCPs to point to this:
https://mail.domain.net/
Do you have an internal DNS entry for mail.domain.net pointing to the IP address of the Exchange server?

b) What are your internal domain name and external domain name? Are they the same or different?

c) Go here:
www.testexchangeconnectivity.com/

Test for inbound/outbound email.

After the ISP change, did you change your IP address in the MX records?
Check yours here:
www.mxtoolbox.com

Did you ask your ISP to create a PTR record for your external FQDN pointing to your public IP?
In your case, I think you will have to check with the Forefront team on that.

Please post back with questions.
 
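The DNS checks GreatVargas (internal A record) and sunnyc7 (MX and PTR after the ISP change) ask for, collected into one added example that is not part of the thread. It is meant to run from the Exchange server itself, so it uses the same resolver that Outlook clients and the Hub Transport service see, and it stays within Windows Server 2008 / PowerShell 2.0 (no Resolve-DnsName), which is why the MX lookup shells out to nslookup. "mail.domain.net", "domain.net" and 203.0.113.25 are placeholders for the poster's redacted names and public IP.

```powershell
# Added example (not from the thread): internal A, MX and PTR checks run from
# the Exchange server's own resolver. Names and the public IP are placeholders.
$externalHost = "mail.domain.net"
$mailDomain   = "domain.net"
$publicIp     = "203.0.113.25"

# 1. Does the name used in the Autodiscover/EWS/OAB URLs resolve inside the LAN?
#    It should return the server's private address; the public address here
#    means clients are hairpinning through the firewall.
function Get-ARecords([string]$name) {
    try {
        return [System.Net.Dns]::GetHostAddresses($name) |
            Where-Object { $_.AddressFamily -eq "InterNetwork" } |
            ForEach-Object { $_.IPAddressToString }
    } catch { return @() }
}

# 2. MX hosts for the domain, parsed from nslookup's "mail exchanger = host" lines.
function Get-MxHosts([string]$domain) {
    $out = & nslookup -type=mx $domain 2>$null
    return $out | ForEach-Object {
        if ($_ -match 'mail exchanger = (\S+)') { $matches[1].TrimEnd('.') }
    }
}

# 3. PTR (reverse) record for the public sending IP. ExRCA fails the outbound
#    test without it; with no PTR, .NET either throws or returns the address
#    itself as HostName, so treat both as missing.
function Get-PtrName([string]$ip) {
    try {
        $entry = [System.Net.Dns]::GetHostEntry($ip)
        if ($entry.HostName -eq $ip) { return $null }
        return $entry.HostName.TrimEnd('.')
    } catch { return $null }
}

$a = @(Get-ARecords $externalHost)
Write-Host ("A   {0,-30} -> {1}" -f $externalHost, $(if ($a) { $a -join ", " } else { "UNRESOLVED (add an internal A record)" }))

$mx = @(Get-MxHosts $mailDomain)
Write-Host ("MX  {0,-30} -> {1}" -f $mailDomain, $(if ($mx) { $mx -join ", " } else { "none found" }))
foreach ($h in $mx) {
    $mxA = @(Get-ARecords $h)
    Write-Host ("    {0,-30} -> {1}" -f $h, $(if ($mxA) { $mxA -join ", " } else { "UNRESOLVED" }))
}

$ptr = Get-PtrName $publicIp
Write-Host ("PTR {0,-30} -> {1}" -f $publicIp, $(if ($ptr) { $ptr } else { "MISSING (ask the ISP that owns the address block)" }))
# Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP,
# or many receiving servers treat the PTR as if it did not exist.
if ($ptr -and (@(Get-ARecords $ptr) -notcontains $publicIp)) {
    Write-Host "    FCrDNS FAILS: $ptr does not resolve back to $publicIp"
}
```

Run it once from inside the LAN and once from outside (or compare with the mxtoolbox result): the MX and PTR answers should agree, while the A record for mail.domain.net is expected to differ, private inside and public outside.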

Author Comment

by:Rebel_Scum
ID: 33521648
I can change my own DNS. If I need to do anything, let me know.

Performing Outbound SMTP Test
 Outbound SMTP Test Failed
 Test Steps
 Attempting reverse DNS lookup for IP 216.248.108.33
 Reverse-DNS Lookup failed
 Additional Details
 IP Address xxx.xxx.xxx.xx does not have a PTR record in DNS

Performing Real-Time Blackhole List (RBL) Test
 Your IP address wasn't found on any of the block lists selected.
 Test Steps
 Checking Block List "SpamHaus Block List (SBL)"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "SpamHaus Exploits Block List (XBL)"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "SpamHaus Policy Block List (PBL)"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "SpamCop Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "NJABL.ORG Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "SORBS Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "MSRBL Combined Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "UCEPROTECT Level 1 Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xxx.xx was not found on RBL

Checking Block List "AHBL Block List"
 The address isn't on the block list.
 Additional Details
 IP xxx.xxx.xx.xx was not found on RBL



Performing Sender ID validation
 Sender ID validation failed
 Test Steps
 ExRCA is attempting to find the SPF record using a DNS TEXT record query.
 Found SPF Record
 Additional Details
 SPF Record found: "v=spf1 include:spf.messaging.microsoft.com ip4:xxx.xxx.xxx.xx -all"


Parsing SPF record and evaluating mechanisms and modifiers
 SPF Record evaluation resulted in a Sender ID failure.
 Additional Details
 The SPF record could not be parsed. Resulting in a PermError

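The ExRCA output above ends with "The SPF record could not be parsed. Resulting in a PermError", but the record is redacted on the page, so the cause cannot be read off it. What follows is an added example, not part of the thread: an offline syntax check of an SPF record using the RFC 4408 rules that a validator applies before following any include:. It cannot see what spf.messaging.microsoft.com returns (that needs DNS), but it does catch the local faults that yield a PermError: a malformed ip4: value, an unknown mechanism, a duplicate redirect=, or more than ten DNS-querying terms. The three sample records are constructed and are not the poster's record.

```powershell
# Added example (not from the thread): offline SPF syntax check per RFC 4408.
# Returns a list of problems; an empty list means the record parses.
function Test-SpfSyntax([string]$record) {
    $problems = @()
    $terms = $record.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') { return @("record must start with 'v=spf1'") }
    $dnsTerms = 0; $redirects = 0
    $ipv4   = '^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$'
    $domain = '^:[A-Za-z0-9._%{}-]+$'          # domain-spec, macro characters allowed
    for ($i = 1; $i -lt $terms.Count; $i++) {
        $t = $terms[$i]
        if ($t -match '^(?<mod>redirect|exp)=(?<arg>.+)$') {            # modifiers
            if ($matches.mod -eq 'redirect') { $redirects++; $dnsTerms++ }
            continue
        }
        if (-not ($t -match '^[+\-~?]?(?<mech>all|include|a|mx|ptr|ip4|ip6|exists)(?<arg>[:/].*)?$')) {
            $problems += "unknown term '$t'"; continue
        }
        $mech = $matches.mech; $arg = $matches.arg
        switch ($mech) {
            'ip4' {
                if ($arg -and ($arg -match '^:(?<ip>[^/]+)(/(?<cidr>\d{1,2}))?$')) {
                    $ip = $matches.ip; $cidr = $matches.cidr
                    if (-not ($ip -match $ipv4)) { $problems += "invalid IPv4 address in '$t'" }
                    elseif ($cidr -and [int]$cidr -gt 32) { $problems += "invalid prefix length in '$t'" }
                } else { $problems += "ip4 needs an address: '$t'" }
            }
            'ip6' {
                $addr = ("$arg".TrimStart(':') -split '/')[0]
                try { $ok = ([System.Net.IPAddress]::Parse($addr)).AddressFamily -eq 'InterNetworkV6' } catch { $ok = $false }
                if (-not $ok) { $problems += "invalid IPv6 address in '$t'" }
            }
            'include' { $dnsTerms++; if (-not ($arg -match $domain)) { $problems += "include needs a domain: '$t'" } }
            'exists'  { $dnsTerms++; if (-not ($arg -match $domain)) { $problems += "exists needs a domain: '$t'" } }
            'a'   { $dnsTerms++ }
            'mx'  { $dnsTerms++ }
            'ptr' { $dnsTerms++ }
            'all' { if ($arg) { $problems += "all takes no argument: '$t'" } }
        }
    }
    if ($redirects -gt 1) { $problems += "more than one redirect= modifier" }
    if ($dnsTerms -gt 10) { $problems += "$dnsTerms DNS-querying terms (limit is 10)" }
    return $problems
}

# Constructed sample records: one well formed, one with a truncated ip4 address,
# one with a bad prefix length and two redirect= modifiers.
$samples = @(
    "v=spf1 include:spf.messaging.microsoft.com ip4:203.0.113.25 -all",
    "v=spf1 include:spf.messaging.microsoft.com ip4:203.0.113 -all",
    "v=spf1 ip4:203.0.113.25/33 redirect=a.example redirect=b.example -all"
)
foreach ($r in $samples) {
    $e = @(Test-SpfSyntax $r)
    Write-Host ("{0}`n  -> {1}" -f $r, $(if ($e.Count -eq 0) { "syntax OK" } else { "PermError: " + ($e -join "; ") }))
}
```

Paste your real published record into `$samples` to check it; if it passes here and ExRCA still reports PermError, the fault is in a referenced record (an include: whose target has no valid SPF record) rather than in your own text.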
Assisted Solution

by:GreatVargas
GreatVargas earned 167 total points
ID: 33522254
Performing Outbound SMTP Test
 Outbound SMTP Test Failed
 Test Steps
 Attempting reverse DNS lookup for IP 216.248.108.33
 Reverse-DNS Lookup failed
 Additional Details
 IP Address xxx.xxx.xxx.xx does not have a PTR record in DNS

You need reverse DNS configured for your MX record's IP. You need to ask your ISP for that.

How are the inbound tests? Can you receive mail?
 

Author Comment

by:Rebel_Scum
ID: 33522278
I can get to OWA internally now. I added it to DNS. Mail is getting to the Forefront servers, but still not to mine.

What do I need to do to fix this (below)?

 Attempting reverse DNS lookup for IP 216.248.108.33
 Reverse-DNS Lookup failed
 Additional Details
 IP Address xxx.xxx.xxx.xx does not have a PTR record in DNS

How do I set my internal DNS for mail.domain.com? I have an A record for my external IP.

 
LVL 28

Expert Comment

by:sunnyc7
ID: 33522301
You need to call your ISP and ask them to set up a PTR record for your IP address.

Expert Comment

by:GreatVargas
ID: 33522382

 Attempting reverse DNS lookup for IP 216.248.108.33
 Reverse-DNS Lookup failed
 Additional Details
 IP Address xxx.xxx.xxx.xx does not have a PTR record in DNS

How do I set my internal DNS for mail.domain.com? I have an A record for my external IP

You need to ask your ISP to configure the DNS where you have your A record associated with the IP 216.248.108.33. You need a PTR record for your external domain record.

You need to allow the Forefront servers to relay on your receive connectors.
 

Author Comment

by:Rebel_Scum
ID: 33522411
I ran the Best Practices Analyzer and this was the only error I received.

Active Directory domain 'RUSSELL' has an unrecognized Exchange signature. Current DomainPrep version: 12639
 

Author Comment

by:Rebel_Scum
ID: 33522450
I have added all of the IPs for Microsoft's servers to my receive connector. All mail had been working prior to the above events.

Expert Comment

by:GreatVargas
ID: 33522501
Open Queue Viewer on Exchange to see if mail is stuck in the queue. Also enable verbose logging on the receive connector that gets mail from the Internet so we can check for errors.
 
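The two checks GreatVargas asks for, as an added Exchange Management Shell example that is not code from the thread. Part 1 lists the non-empty queues and the last SMTP error Exchange recorded for them. Part 2 turns on verbose protocol logging for the Internet-facing Receive connector and then pulls every 4xx/5xx response that connector sent back to a remote host out of the newest log, so you can see which command (MAIL FROM, RCPT TO) was refused and with what text. The server name "russellmail" is the poster's; the connector name "Default russellmail" is assumed, so confirm it with Get-ReceiveConnector first.

```powershell
# Added example (not from the thread): inspect the transport queues, then turn
# on verbose receive protocol logging and extract the rejections it records.
$server    = "russellmail"                       # poster's server name
$connector = "russellmail\Default russellmail"   # assumed; check Get-ReceiveConnector

# Part 1: what is sitting in the queues and why it is not moving.
Get-Queue -Server $server | Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, DeliveryType, Status, MessageCount, NextHopDomain, LastError -AutoSize
Get-Message -Server $server -ResultSize 50 |
    Format-Table Queue, FromAddress, Status, LastError -AutoSize

# Part 2: verbose protocol logging. Receive logs are CSV with the fields
# date-time,connector-id,session-id,sequence-number,local-endpoint,
# remote-endpoint,event,data,context; event '>' is a line Exchange sent to the
# remote host, so rejections are '>' rows whose data starts with a 4xx/5xx code.
Set-ReceiveConnector -Identity $connector -ProtocolLoggingLevel Verbose
$logPath = (Get-TransportServer -Identity $server).ReceiveProtocolLogPath.ToString()

function Get-SmtpRejections([string]$path) {
    $latest = Get-ChildItem -Path $path -Filter *.log |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) { return @() }
    $rows = Get-Content $latest.FullName | Where-Object { $_ -and $_ -notmatch '^#' } |
        ConvertFrom-Csv -Header 'date-time','connector-id','session-id','sequence-number',
                                'local-endpoint','remote-endpoint','event','data','context'
    $rows | Where-Object { $_.event -eq '>' -and $_.data -match '^[45]\d\d[ -]' } |
        Select-Object 'date-time','remote-endpoint','data'
}

# Let some inbound connections arrive, then read back what was refused.
Get-SmtpRejections $logPath | Format-Table -AutoSize

# Turn logging back down when finished; verbose logs grow quickly on a busy connector.
# Set-ReceiveConnector -Identity $connector -ProtocolLoggingLevel None
```

A "550 5.7.1 Unable to relay" row here points at the connector's permissions or remote IP ranges, while an empty result with mail still missing means the remote side never reached this connector, which is what the firewall change described later in the thread turned out to be.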

Author Comment

by:Rebel_Scum
ID: 33523391
OK, this is the part where everyone laughs at me. Here is what happened. One of our external IPs was added to the firewall to point to the mail server for Remote Desktop. I am not sure why this would cause a problem, but it did. I figured this out when one of our BlackBerry users showed me the IP on his phone, which was the new IP that was added. I removed the IP from the firewall and immediately all mail started to come in. Strange.

Well, if someone wants points: What do I do with this? Is it a problem?

I ran the Best Practices Analyzer and this was the only error I received.

Active Directory domain 'RUSSELL' has an unrecognized Exchange signature. Current DomainPrep version: 12639

Thanks everyone for your input.

Expert Comment

by:sunnyc7
ID: 33523428
One of our external IPs was added to the firewall to point to the mail server for Remote Desktop.
>> Where in the firewall was this added?
So your firewall had 2 public IPs?


I ran the Best Practices Analyzer and this was the only error I received.
Active Directory domain 'RUSSELL' has an unrecognized Exchange signature. Current DomainPrep version: 12639
>> You can ignore this. That's a signature error in BPA.
 

Author Comment

by:Rebel_Scum
ID: 33523556
Yes, my firewall has more than one public IP; it has 3 right now. We also have a VoIP server that has an external IP, and two others assigned. I can set up secondary IP addresses and do a 1-to-1 NAT.

Expert Comment

by:sunnyc7
ID: 33523638
Ok.
Let me know if there are any other issues, or you can close this case

Thanks

Expert Comment

by:GreatVargas
ID: 33523705
Active Directory domain 'RUSSELL' has an unrecognized Exchange signature. Current DomainPrep version: 12639

Thanks everyone for your input.

Like sunny said, you can ignore that error.