Solved

Cannot receive e-mail from Exchange 2000 server on Exchange 2010 server

Posted on 2010-09-07
Last Modified: 2012-05-10
we have a single server environment, windows 2008 r2 with exchange 2010 standard.  we have one customer from which we cannot receive their mail.  they use exchange 2000.  their administrator is saying that they are receiving a "temporary authentication failure" when they attempt to send mail to us.  

we ran the exchange best practices analyzer.  it came up with errors regarding our certificates.  IE: The subject alternative name (SAN) of SSL certificate for https://mail.xyz.com/ews/exchange.asmx does not appear to match the host address. Host address: mail.xys.com. Current SAN: DNS Name=nbn1, DNS Name=nbn1.xyz.com.

could this be the reason their e-mail is failing to reach us?  we have a backup smtp server using linux off-site.  our primary mx 10 points to our exchange 2010 server our backup using our secondary mx 50.  the backup smtp server receives their e-mail without a problem after attempting to deliver to our primary.

any help is greatly appreciated.  
0
Question by:reinadmin
58 Comments
 
LVL 4

Expert Comment

by:rickybsb
ID: 33623537
Cheers reinadmin,

I see that your linux environment is working great, so let me clarify:
Is your exchange 2010 standard not receiving any mails from any domain, or does it not receive particular email from this customer's E2000 server that is showing the "temporary auth failure"?


0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33624506
Can you please post their domain name and IP address together with your domain name and IP address so that I / we can run tests for you and hopefully narrow down the problem quickly for you.

I appreciate you may not want to post the details, but I can obscure them / delete them once you have posted them and protect your identity.

It really would help speed up a solution for you, otherwise we will have to rely on guesswork!
0
 
LVL 3

Expert Comment

by:thetime
ID: 33625311
Run the message tracker within exchange 2010

Ask someone on the exchange 2000 side to send you a mail to your email address with a specific subject that you pick.

Once they receive the error have them forward it to you.

Filter in exchange 2010 with your email address, the subject they used in the mail. This should show you whether the mail reached you or not. If the message tracker finds anything then it will have the information you need to fix the problem in that which you find and the error that the other side received.

Post both of those here for us so we can have a look at them, make sure you change all the sensitive information like your domain/IP's and the senders information to generic ones
 (eg. IP's -  xxx.xxx.xxx.xxx - domain names and servers  - 2010server.domain.com/2000server.domain.com)

Once you post it back here then we can get the error codes and figure out where the problem comes from.
0
 

Author Comment

by:reinadmin
ID: 33626314
So as to keep the momentum up I'm answering as many questions as I can now.  

E2010 receives messages from the rest of the world without issue.  Only this particular E2K mail server can not deliver mail to us - that I am aware of.  If anyone is running E2K and wishes to test with me I would love to do so to see if this can be replicated.  

It appears as though E2K sends an e-mail to our primary MX (E2010) they receive a 4.7.0 Temporary Authentication Failure and then it moves on to the next preferred MX (Linux) and it delivers the e-mail there.  I do know that the E2K server is running GFI.  I can ask the administrator there to either chime in here in this thread or I can relay answers to any questions you may have for him.  His name is Jerry.

I will ask for another test message and try the E2010 filter (I haven't used this before though).

alanhardisty I'm not sure how you can obscure this information.  What you're asking for seems "public" enough though but still curious.  I absolutely need this resolved however so I am willing to.

I've just asked the admin from the E2K side to provide his temp auth failure log as well as any bounce messages, etc. that are relevant.

thank you everyone for your attention with this.  
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33626373
I am a Zone Advisor, so have the ability to hide / delete / modify any comments in a question.  If you post the details, I can quickly make them disappear !!!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33626419
Which IP are you sending mail from?  The 63.xxxxxx or the 209.xxxx or a completely different one?
0
 

Author Comment

by:reinadmin
ID: 33626471
aprod cannot deliver to 63
instead it delivers it to 209

we can send to aprod successfully.
0
 
LVL 3

Expert Comment

by:thetime
ID: 33626479
I'll step out of this one then since I can't see the posted information.

Good Luck
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33626500
@thetime - Drop me an email to alan @ it-eye.co.uk and I'll let you know the details.
Only fair we both know the relevant info.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33626622
I am trying to telnet to your 63 IP address on port 25 and failing.  Is your receive connector set for port 25 or 587 or another port?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33626643
Okay - port 587 is the port and I cannot send as it insists on being authenticated.
It seems you don't allow Anonymous connections on your Exchange 2010 server!
Please check your receive connector permissions.
What permissions are enabled?
0
 

Author Comment

by:reinadmin
ID: 33626806
I'm not sure that port 587 is open on the firewall....

here are screenshots of both default and client receive connectors.
Untitled.jpg
Untitled2.jpg
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33626823
I was able to telnet to port 58 of the 63 IP address and said helo, then tried to follow it with a mail from: <me@mydomain.co.uk> and it said I needed to authenticate!
What about the Authentication tabs?  What do they look like?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33626842
Telnet Session:
220 nbn1.yourdomain.com Microsoft ESMTP MAIL Service ready at Wed, 8 Sep 2010 08:31:38 -0500
ehlo mydomain.co.uk
250-nbn1.yourdomain.com Hello [87.194.xxx.xxx]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
mail from: <me@mydomain>
530 5.7.1 Client was not authenticated

Connection to host lost.
0
 

Author Comment

by:reinadmin
ID: 33629426
Here are the attachments.
Attachment removed to protect the 3rd party's identity.



Alan Hardisty

Experts Exchange Zone Advisor


0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33629459
How about your Authentication Tabs on your Receive Connectors?
0
 

Author Comment

by:reinadmin
ID: 33629674
sorry i thought i had attached that.  here it is
Document.pdf
0
 

Author Comment

by:reinadmin
ID: 33629890
I've double-checked with our firewall guy and port 587 is not translated nor open on the firewall.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33629965
Can you please remove "Offer Basic Authentication only after starting TLS" on your Receive Connectors, then restart the Exchange Transport service and test.
0
 

Author Comment

by:reinadmin
ID: 33630915
sorry we're testing this now.
0
 

Author Comment

by:reinadmin
ID: 33630956
this did not work.  
0
 

Author Comment

by:reinadmin
ID: 33631108
if this is any help: i've got an admin friend who is running single server environment with exchange 2010 as well as us.  he cannot receive any email from this exchange 2000 server either.

prior to our move to exchange 2010 we were running exchange 2003 and receiving email from them without issue.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33631204
I have Exchange 2010 too.  Do you want to ask them to send me an email to alan @ it-eye.co.uk?

Let me know if / when they send a test please.
0
 

Author Comment

by:reinadmin
ID: 33631264
message has been sent Alan.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33631339
Thanks - watching out for it.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33631370
Nothing even getting near my server at the moment - are you sure it was sent or is on the way to being sent?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33631485
Still nothing.  I am thinking the problem lies on the 2000 server.
Are they using a smarthost to send out mail or sending it directly?
0
 

Author Comment

by:reinadmin
ID: 33632543
yes it was sent.  i asked that he send it to an alternate e-mail of mine as well.  that's when i made the post to you saying it was sent after i received it to my alternate account.

i will double check but i had asked if they were using a smarthost and was told no.  let me ask again though.  to my knowledge they're sending directly.

Their admin, Jerry, had said they have no issues sending to anyone else.  However at one time they had an issue like this sending to an exchange 2007 server.  he believes the exchange 2007 admin created a special routing connector to "allow all e-mail from our server to theirs."

0
 

Author Comment

by:reinadmin
ID: 33632546
I've just received a bounce message that he received:

Sent: Wednesday, September 08, 2010 5:41 PM
To: John Doe
Subject: Delivery Status Notification (Delay)

This is an automatically generated Delivery Status Notification.

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipients has been delayed.


me@mydomain.co.uk

******************************************************************
0
 

Author Comment

by:reinadmin
ID: 33632550
i put spaces in your email addy Alan - fyi. he used the correct e-mail address for you.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33632553
Checking my logs - I use Greylisting - so it will bounce on the first send attempt.
0
 

Author Comment

by:reinadmin
ID: 33632565
Also if this is relevant at all, both Exchange 2010 servers are running forefront protection for exchange 2010.

the sender's domain has been whitelisted in FPE 2010 as well.

thought I'd add this info.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33632607
No connections at all from the Exchange 2000 domain / IP at all, thus it would appear to be a problem at their end, either with DNS or Exchange.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33632630
To be honest - you could have rottweilers / dobermans and a seven-headed gorgon sitting on your exchange server protecting it, but I don't think the email is even leaving their server.
Nothing is showing in my Vamsoft ORF logs and it logs everything inbound.  Nothing from their domain or IP at all this evening.
The delay can only be a delay in sending and as nothing has hit my server to be greylisted (temporarily rejected), then it has not even tried to send it yet.
If it can't get to me - it isn't going to get to you either and although we have Exchange 2010 in common - it is not related if it is not even hitting the server.
0
 

Author Comment

by:reinadmin
ID: 33632666
I wonder what's going on then.  it did deliver to my alternate email and it also delivered to my backup smtp server...
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33632683
Possibly they have hard-coded DNS to know where to send the emails for your domain or something strange like that.
I got diddly squat - so the problem currently is with their server as I have had nothing to reject (yet).
About time they upgraded isn't it?
0
 

Author Comment

by:reinadmin
ID: 33632967
i did check with their admin and they have no hard-coded DNS entries.  I even wondered whether or not creating a DNS record on their side might eliminate this issue.

I'm struggling with this because a second E2010 server, to whom they had never sent e-mail previously, replicates the problem.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33634104
Get them to test using telnet to mail.mydomain.co.uk and to 87.194.xxx.xxx from their end and try sending a test email to me@mydomain.co.uk.
Would be interested to see the results of trying both methods.
Telnet info in case they are not Telnet aware:
http://support.microsoft.com/kb/153119
They may need to wrap the email addresses in < > e.g., mail from: <them@theirdomain.com> and rcpt to: <me@mydomain.co.uk>
(I will clean up my IP and server / email address later on today).





0
 

Author Comment

by:reinadmin
ID: 33635031
I'll do that Alan.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33635081
Have you got the details?  I will make them disappear!
0
 

Author Comment

by:reinadmin
ID: 33637373
Alan
The E2000 sender did receive this reply, see below:

Sent: Thursday, September 09, 2010 8:57 AM
To: John Doe
Subject: Automatic reply: Test Message
I am currently out of the office, working on-site or in a meeting.

If you need support, please call the office on xxx-xxxx-xxxx or email support@mydomain.co.uk where your email will be automatically logged in our Help Desk system and either xxxxxxx or xxxxxxx will pick it up and respond to you accordingly.

Best wishes

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33637407
Yep - I received an email and replied asking if they used telnet to the IP or to the FQDN.  No reply as yet.
Do you know?
0
 

Author Comment

by:reinadmin
ID: 33637472
I also finally received an e-mail message via my E2010 server from the E2000 sender when he sent the message via telnet.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33637694
Great - they can manually send!  Big question is was the test via IP or FQDN - if via IP and not via FQDN, then they have DNS issues.
If via FQDN and IP (but then I would have two emails presumably), then heaven only knows.
0
 

Author Comment

by:reinadmin
ID: 33638471
will find out.  hold on.
0
 

Author Comment

by:reinadmin
ID: 33638813
FQDN is the reply Alan.

0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33638846
Okay - confused.
They have got issues by the looks of things, but heaven knows what.
Seems like they need assistance - not you. Do they use a smarthost to send out emails?
0
 

Author Comment

by:reinadmin
ID: 33638980
They use GFI for virus and spam.  I've asked several times and the reply is, "We do not use any smarthosts."

I'm not sure however if GFI makes any modifications to the default smtp connector, etc.
0
 

Author Comment

by:reinadmin
ID: 33639027
Here is a log from the E2000 Server
Attachment removed to protect 3rd party's identity.



Alan Hardisty

Experts Exchange Zone Advisor


0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33639167
Nothing exciting in there apart from the odd random wording!
What Rollup / Service Pack have you got on your Exchange 2010 server?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33639256
Can they try to send me another email via Outlook / their Exchange server - I have created a custom receive connector - just for them.
Thanks
0
 

Author Comment

by:reinadmin
ID: 33639734
E2010 Standard SP1

I will ask them to do that right now.  thanks Alan.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 33640406
Okay - telnet test came from .98 IP address - Outlook email (just received) came from .99 IP Address and sailed through.
I created a new custom Receive connector, specified their remote IP Addresses (216.xxx.xxx.98 - 216.xxx.xxx.99) and set authentication to Basic Only with Anonymous in the Permission Group and the email sailed in.
Please do the same and then ask them to send you a new message - hopefully you will start to receive their emails normally.
This points to the authentication on the Receive connectors being an issue and possibly Exchange 2000 cannot handle TLS (too old).

0
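
The connector described in the accepted solution, written out for the Exchange 2010 Management Shell. This is an added example, not something posted in the thread. The connector name and the two 192.0.2.x addresses are placeholders (the thread redacts the sender's real addresses), and the protocol logging setting is an addition so the exception can be audited.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Placeholders / assumptions: connector name and sender IPs are hypothetical.
$ConnectorName = 'Legacy E2K sender'           # hypothetical name
$SenderIPs     = '192.0.2.98', '192.0.2.99'    # placeholders for the redacted sender hosts
$Server        = $env:COMPUTERNAME

# Basic auth without TLS plus Anonymous is a weak combination, so only allow
# it for individually named hosts. Reject ranges, CIDR blocks and typos.
foreach ($ip in $SenderIPs) {
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
        throw "'$ip' is not a single IP address; scope this connector to named hosts only."
    }
}

# Settings from the accepted solution: Basic only, Anonymous permission group.
# Verbose protocol logging is an addition for later review.
$settings = @{
    RemoteIPRanges       = $SenderIPs
    AuthMechanism        = 'BasicAuth'
    PermissionGroups     = 'AnonymousUsers'
    ProtocolLoggingLevel = 'Verbose'
}

# Create the connector once; on a re-run just re-apply the settings.
$existing = Get-ReceiveConnector -Server $Server |
    Where-Object { $_.Name -eq $ConnectorName }

if ($existing) {
    Set-ReceiveConnector -Identity $existing.Identity @settings
} else {
    # With -Usage Custom both -Bindings and -RemoteIPRanges must be given.
    New-ReceiveConnector -Name $ConnectorName -Server $Server -Usage Custom `
        -Bindings '0.0.0.0:25' @settings
}

# Exchange hands a connection to the connector whose RemoteIPRanges match the
# source address most specifically, so only the two sender hosts use the new
# connector and the existing connectors keep their settings for everyone else.
Get-ReceiveConnector -Server $Server | Sort-Object Name |
    Format-Table Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups -AutoSize -Wrap
```

The final table is the check to keep: the new connector should be the only one showing both BasicAuth without TLS and AnonymousUsers, and its RemoteIPRanges column should list only the sender's hosts.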
 

Author Comment

by:reinadmin
ID: 33641611
TA DA!

Alan this absolutely solved the problem.  We're back in business here.  
0
 

Author Closing Comment

by:reinadmin
ID: 33641617
Outstanding.  Dogged in pursuit of the resolution.  Thank you so much Alan.  
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33641884
What can I say?  I like a problem / challenge.  Really glad it worked for you and hopefully it will stay that way.
Alan : )
0
