reinadmin

Cannot receive e-mail from Exchange 2000 server on Exchange 2010 server

we have a single server environment, windows 2008 r2 with exchange 2010 standard.  we have one customer from which we cannot receive their mail.  they use exchange 2000.  their administrator is saying that they are receiving a "temporary authentication failure" when they attempt to send mail to us.  

we ran the exchange best practices analyzer.  it came up with errors regarding our certificates.  IE: The subject alternative name (SAN) of SSL certificate for https://mail.xyz.com/ews/exchange.asmx does not appear to match the host address. Host address: mail.xys.com. Current SAN: DNS Name=nbn1, DNS Name=nbn1.xyz.com.

could this be the reason their e-mail is failing to reach us?  we have a backup smtp server using linux off-site.  our primary mx 10 points to our exchange 2010 server our backup using our secondary mx 50.  the backup smtp server receives their e-mail without a problem after attempting to deliver to our primary.

any help is greatly appreciated.  
rickybsb

Cheers reinadmin,

I see that your linux environment is working great, so let me clarify:
Is your Exchange 2010 Standard not receiving any mail from any domain, or does it only fail to receive mail from this customer's E2000 server that is showing the "temporary auth failure"?


Alan Hardisty

Can you please post their domain name and IP address together with your domain name and IP address so that I / we can run tests for you and hopefully narrow down the problem quickly for you.

I appreciate you may not want to post the details, but I can obscure them / delete them once you have posted them and protect your identity.

It really would help speed up a solution for you, otherwise we will have to rely on guesswork!
Run the message tracker within exchange 2010

Ask someone on the Exchange 2000 side to send a mail to your email address with a specific subject that you pick.

Once they receive the error have them forward it to you.

Filter in Exchange 2010 with your email address and the subject they used in the mail. This should show you whether the mail reached you or not. If the message tracker finds anything then it will have the information you need to fix the problem in that which you find and the error that the other side received.

Post both of those here for us so we can have a look at them, make sure you change all the sensitive information like your domain/IP's and the senders information to generic ones
 (eg. IP's -  xxx.xxx.xxx.xxx - domain names and servers  - 2010server.domain.com/2000server.domain.com)

Once you post it back here then we can get the error codes and figure out where the problem comes from.
reinadmin

ASKER

So as to keep the momentum up I'm answering as many questions as I can now.  

E2010 receives messages from the rest of the world without issue.  Only this particular E2K mail server can not deliver mail to us - that I am aware of.  If anyone is running E2K and wishes to test with me I would love to do so to see if this can be replicated.  

It appears as though E2K sends an e-mail to our primary MX (E2010) they receive a 4.7.0 Temporary Authentication Failure and then it moves on to the next preferred MX (Linux) and it delivers the e-mail there.  I do know that the E2K server is running GFI.  I can ask the administrator there to either chime in here in this thread or I can relay answers to any questions you may have for him.  His name is Jerry.

I will ask for another test message and try the E2010 filter (I haven't used this before though).

alanhardisty I'm not sure how you can obscure this information.  What you're asking for seems "public" enough though but still curious.  I absolutely need this resolved however so I am willing to.

I've just asked the admin from the E2K side to provide his temp auth failure log as well as any bounce messages, etc. that are relevant.

thank you everyone for your attention with this.  
I am a Zone Advisor, so have the ability to hide / delete / modify any comments in a question.  If you post the details, I can quickly make them disappear !!!
Which IP are you sending mail from?  The 63.xxxxxx or the 209.xxxx or a completely different one?
aprod cannot deliver to 63
instead it delivers it to 209

we can send to aprod successfully.
I'll step out of this one then since I can't see the posted information.

Good Luck
@thetime - Drop me an email to alan @ it-eye.co.uk and I'll let you know the details.
Only fair we both know the relevant info.
I am trying to telnet to your 63 IP address on port 25 and failing.  Is your receive connector set for port 25 or 587 or another port?
Okay - port 587 is the port and I cannot send as it insists on being authenticated.
It seems you don't allow Anonymous connections on your Exchange 2010 server!
Please check your receive connector permissions.
What permissions are enabled?
I'm not sure that port 587 is open on the firewall....

here are screenshots of both default and client receive connectors.
I was able to telnet to port 58 of the 63 IP address and said helo, then followed it with a mail from: <me@mydomain.co.uk> and it said I needed to authenticate!
What about the Authentication tabs?  What do they look like?
Telnet Session:
220 nbn1.yourdomain.com Microsoft ESMTP MAIL Service ready at Wed, 8 Sep 2010 08:31:38 -0500
ehlo mydomain.co.uk
250-nbn1.yourdomain.com Hello [87.194.xxx.xxx]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
mail from: <me@mydomain>
530 5.7.1 Client was not authenticated

Connection to host lost.
Here are the attachments.
Attachment removed to protect the 3rd parties identity.

Alan Hardisty
Experts Exchange Zone Advisor

How about your Authentication Tabs on your Receive Connectors?
sorry i thought i had attached that.  here it is
I've double-checked with our firewall guy and port 587 is not translated nor open on the firewall.
Can you please remove "Offer Basic Authentication only after starting TLS" on your Receive Connectors, then restart the Exchange Transport service and test.
sorry we're testing this now.
this did not work.  
if this is any help: i've got an admin friend who is running single server environment with exchange 2010 as well as us.  he cannot receive any email from this exchange 2000 server either.

prior to our move to exchange 2010 we were running exchange 2003 and receiving email from them without issue.
I have Exchange 2010 too.  Do you want to ask them to send me an email to alan @ it-eye.co.uk?

Let me know if / when they send a test please.
message has been sent Alan.
Thanks - watching out for it.
Nothing even getting near my server at the moment - are you sure it was sent or is on the way to being sent.
Still nothing.  I am thinking the problem lies on the 2000 server.
Are they using a smarthost to send out mail or sending it directly?
yes it was sent.  i asked that he send it to an alternate e-mail of mine as well.  that's when i made the post to you saying it was sent after i received it to my alternate account.

i will double check but i had asked if they were using a smarthost and was told no.  let me ask again though.  to my knowledge they're sending directly.

Their admin, Jerry, had said they have no issues sending to anyone else.  However at one time they had an issue like this sending to an exchange 2007 server.  he believes the exchange 2007 admin created a special routing connector to "allow all e-mail from our server to theirs."

I've just received a bounce message that he received:

Sent: Wednesday, September 08, 2010 5:41 PM
To: John Doe
Subject: Delivery Status Notification (Delay)

This is an automatically generated Delivery Status Notification.

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipients has been delayed.


me@mydomain.co.uk

******************************************************************
i put spaces in your email addy Alan - fyi. he used the correct e-mail address for you.
Checking my logs - I use Greylisting - so it will bounce on the first send attempt.
Also if this is relevant at all, both Exchange 2010 servers are running forefront protection for exchange 2010.

the sender's domain has been whitelisted in FPE 2010 as well.

thought I'd add this info.
No connections at all from the Exchange 2000 domain / IP at all, thus it would appear to be a problem at their end, either with DNS or Exchange.
To be honest - you could have rottweilers / dobermans and a seven-headed gorgon sitting on your exchange server protecting it, but I don't think the email is even leaving their server.
Nothing is showing in my Vamsoft ORF logs and it logs everything inbound.  Nothing from their domain or IP at all this evening.
The delay can only be a delay in sending and as nothing has hit my server to be greylisted (temporarily rejected), then it has not even tried to send it yet.
If it can't get to me - it isn't going to get to you either and although we have Exchange 2010 in common - it is not related if it is not even hitting the server.
I wonder what's going on then.  it did deliver to my alternate email and it also delivered to my backup smtp server...
Possibly they have hard-coded DNS to know where to send the emails for your domain or something strange like that.
I got diddly squat - so the problem currently is with their server as I have had nothing to reject (yet).
About time they upgraded isn't it?
i did check with their admin and they have no hard-coded DNS entries.  I even wondered whether or not creating a DNS record on their side might eliminate this issue.

I'm struggling with this because a second E2010 server, with whom they had never sent e-mail to previously, replicates the problem.
Get them to test using telnet to mail.mydomain.co.uk and to 87.194.xxx.xxx from their end and try sending a test email to me@mydomain.co.uk.
Would be interested to see the results of trying both methods.
Telnet info in case they are not Telnet aware:
http://support.microsoft.com/kb/153119
They may need to wrap the email addresses in < > e.g., mail from: <them@theirdomain.com> and rcpt to: <me@mydomain.co.uk>
(I will clean up my IP and server / email address later on today).





I'll do that Alan.
Have you got the details?  I will make them disappear!
Alan
The E2000 sender did receive this reply, see below:

Sent: Thursday, September 09, 2010 8:57 AM
To: John Doe
Subject: Automatic reply: Test Message
I am currently out of the office, working on-site or in a meeting.

If you need support, please call the office on xxx-xxxx-xxxx or email support@mydomain.co.uk where your email will be automatically logged in our Help Desk system and either xxxxxxx or xxxxxxx will pick it up and respond to you accordingly.

Best wishes

Alan
Yep - I received an email and replied asking if they used telnet to the IP or to the FQDN.  No reply as yet.
Do you know?
I also finally received an e-mail message via my E2010 server from the E2000 sender when he sent the message via telnet.
Great - they can manually send!  Big question is was the test via IP or FQDN - if via IP and not via FQDN, then they have DNS issues.
If via FQDN and IP (but then I would have two emails presumably), then heaven only knows.
will find out.  hold on.
FQDN is the reply Alan.

Okay - confused.
They have got issues by the looks of things, but heaven knows what.
Seems like they need assistance - not you. Do they use a smarthost to send out emails?
They use GFI for virus and spam.  I've asked several times and the reply is, "We do not use any smarthosts."

I'm not sure however if GFI makes any modifications to the default smtp connector, etc.
Here is a log from the E2000 Server
Attachment removed to protect 3rd parties identity.

Alan Hardisty
Experts Exchange Zone Advisor

Nothing exciting in there apart from the odd random wording!
What Rollup / Service Pack have you got on your Exchange 2010 server?
Can they try to send me another email via Outlook / their Exchange server - I have created a custom receive connector - just for them.
Thanks
E2010 Standard SP1

I will ask them to do that right now.  thanks Alan.
ASKER CERTIFIED SOLUTION
Alan Hardisty

This solution is only available to members.
TA DA!

Alan this absolutely solved the problem.  We're back in business here.  
Outstanding.  Dogged in pursuit of the resolution.  Thank you so much Alan.  
What can I say?  I like a problem / challenge.  Really glad it worked for you and hopefully it will stay that way.
Alan : )
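
The telnet transcript and the 4xx/5xx replies discussed in this thread can be read mechanically. The following is an added example, not part of any participant's post: a small Python parser that reports which extensions the server offered after EHLO and whether the first rejection is transient (the sender retries or falls back to the next MX) or permanent. The sample input is the session quoted above, trimmed; the function and field names are assumptions made for this example.

```python
import re

# Constructed input: the telnet session quoted in the thread, trimmed to one string.
SAMPLE_SESSION = """\
220 nbn1.yourdomain.com Microsoft ESMTP MAIL Service ready
ehlo mydomain.co.uk
250-nbn1.yourdomain.com Hello [87.194.xxx.xxx]
250-SIZE 10485760
250-STARTTLS
250-AUTH GSSAPI NTLM
250 CHUNKING
mail from: <me@mydomain>
530 5.7.1 Client was not authenticated
"""

# Reply line: 3-digit code, '-' (continuation) or ' ' (final), optional enhanced code.
REPLY = re.compile(r"^(\d{3})([ -])(?:(\d\.\d{1,3}\.\d{1,3}) )?(.*)$")

def analyze(session):
    """Return extensions offered after EHLO and the first 4xx/5xx rejection."""
    out = {"starttls": False, "auth": [], "rejection": None, "sender_retries": None}
    last_cmd = ""
    for raw in session.splitlines():
        line = raw.strip()
        m = REPLY.match(line)
        if not m:
            if line:
                last_cmd = line          # anything else is a client command
            continue
        code, _sep, enhanced, text = m.groups()
        words = text.upper().split()
        if code == "250" and last_cmd.lower().startswith("ehlo") and words:
            if words[0] == "STARTTLS":
                out["starttls"] = True
            elif words[0] == "AUTH":
                out["auth"] = words[1:]  # mechanisms the server accepts
        elif code[0] in "45" and out["rejection"] is None:
            out["rejection"] = {"after": last_cmd, "code": code,
                                "enhanced": enhanced, "text": text}
            # 4xx is transient: the sender queues, retries, or tries the next MX.
            # 5xx is permanent for this transaction.
            out["sender_retries"] = code[0] == "4"
    return out

if __name__ == "__main__":
    print(analyze(SAMPLE_SESSION))
```
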