Users in remote Exchange 2010 site get 550 5.7.1 Unable to relay

Some of our users in our remote branches are getting a 550 5.7.1 Unable to relay. We have two Exchange sites. Site A hosts HQ’s mailboxes. Site B is the site that hosts the branches. Site B mostly services clients that are configured as SMTP and POP3. There are 4 servers in each site, 2 HUB/CAS servers and 2 mailbox servers.
Some users running in site B get 550 5.7.1 Unable to relay errors from time to time. So the only way I can get the mail to flow again is to configure one receive connector to “Exchange Server authentication” in site A and one in site B. The other remaining connector must then be configured to “Externally Secured” (see Pic 1). Only then does the mail flow externally. But this configuration does not work for long. After a while the errors are back. I have tried a few configs. If I put all 4 servers' receive connectors to “Externally Secured” I get the following error: “Cannot achieve Exchange server authentication. Attempted failover to alternative host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.” The permission groups on all receive connectors (Client and Default) are all selected except Partners.
It seems like only users that have an SMTP and POP3 configuration are impacted. Web App users and Exchange online mode are not affected.

AblSysadmin (Senior Systems Engineer) Asked:
this might be a stupid question, but outlook is configured to use authentication on the outgoing server?
also, can you deliver mail using telnet on the server that does not want to relay?
AblSysadmin (Senior Systems Engineer) Author Commented:
hi, will check the setting again if i find a user that has this issue. will report back asap. What are the default settings on the receive connectors?
default would be :
under authentication:
TLS/Basic/Integrated windows/Exchange server

Permission groups:

exchange users
exchange servers
legacy exchange

It sounds like you have more than one receive connector bound to the same IP, thus you are seeing different results at different times.  Verify your receive connectors are bound to distinct IP addresses.
AblSysadmin (Senior Systems Engineer) Author Commented:
@setasoujiro: Thanks for the reply. Should these settings be set on site A or site B?
@ctc1900: Also... thanks for the reply. All bound to the same IP...
AblSysadmin (Senior Systems Engineer) Author Commented:
@setasoujiro: your settings are not solving the issue.

i got it working as per screen shot on one CAS server in each site. This setting was set on both client and default receive connectors. [Screen shot]
you need the other ones as well in order to have normal outlook clients+outlook anywhere clients connect. That's why i said the default would be like that :)
AblSysadmin (Senior Systems Engineer) Author Commented:
No outlook anywhere clients just yet... ok so just to make sure here. should i have all 4 CAS/HUB servers set as the screenshot above?
no only the CAS servers at the sites where people need to send mail that way...
unless it's in all sites of course
AblSysadmin (Senior Systems Engineer) Author Commented:
ok, now they can send mail but not receiving anything
that's because you need to set the "basic authentication" i think
AblSysadmin (Senior Systems Engineer) Author Commented:
ok, let me try
AblSysadmin (Senior Systems Engineer) Author Commented:
ok wait. should this be set on the remote CAS servers because it can't be set on the servers with the external secure setting
on the ones where outlook tries to do pop3 to...
to be honest i'm not following entirely with your several machines anymore :)
so i'll try my best
AblSysadmin (Senior Systems Engineer) Author Commented:
not working. I am running out of ideas. i have now set it back to the original settings. seems like everything is working again but the question is for how long. it's getting late so i will have to call it a night now. I will update again when i get the issue. one thing is that i can even log a call with MS because we run these servers on vmware
so it's not a problem when running on vmware afaik...
vmware is a supported platform...
But i will too call it a night and read everything again tomorrow fresh and revived :)
AblSysadmin (Senior Systems Engineer) Author Commented:
thanks for the assistance. speak soon
Malli Boppe Commented:
I don't know why you are creating receive connectors; the default connectors should be sufficient to receive emails.

Can you tell me what Exchange servers you have at each site?
Do you have send connectors at each site for sending external email?

"Some users running in site B get 550 5.7.1 Unable to relay errors from time to time": when do you get this message? Is it when using any application to relay emails or when using Outlook?
AblSysadmin (Senior Systems Engineer) Author Commented:
hi, i am not creating receive connectors. These are the default ones created when you install. The users get this error if the receive connectors are all configured as Exchange Server Authentication

The users getting this error when sending use outlook config'ed as smtp/pop3
AblSysadmin (Senior Systems Engineer) Author Commented:
When the same users log on to webapp and try to send mail every mail gets sent
i don't get it, this is the same thing that i said a couple posts earlier...

AblSysadmin (Senior Systems Engineer) Author Commented:
ooh crap...sorry dude. was late last night and i did not update the setting on the client side. but tx for the help.
no problem , glad to help :)
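
The receive connector settings compared throughout this thread (bindings, remote IP ranges, authentication, permission groups, "Externally Secured") can be listed side by side for every HUB/CAS server. This is an added example, not part of the original thread: it uses the Exchange Management Shell cmdlet `Get-ReceiveConnector`, and the two flagged conditions and their wording are choices made for this example.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Written for PowerShell 2.0 (Exchange 2010), so it avoids [pscustomobject].

$anyIPv4 = '0.0.0.0-255.255.255.255'

$report = foreach ($c in Get-ReceiveConnector) {
    $bindings = @($c.Bindings       | ForEach-Object { $_.ToString() } | Sort-Object)
    $ranges   = @($c.RemoteIPRanges | ForEach-Object { $_.ToString() } | Sort-Object)
    $auth     = $c.AuthMechanism.ToString()      # e.g. "Tls, Integrated, BasicAuth"
    $groups   = $c.PermissionGroups.ToString()   # e.g. "ExchangeUsers, ExchangeServers"

    $notes = @()
    # "Externally Secured" (ExternalAuthoritative) treats every sender that falls
    # inside RemoteIPRanges as trusted, so an unrestricted range allows relay.
    if ($auth -match 'ExternalAuthoritative' -and $ranges -contains $anyIPv4) {
        $notes += 'Externally Secured accepts every IPv4 address'
    }
    # POP3/SMTP clients relay only after logging on, which needs a client
    # authentication method and the ExchangeUsers permission group.
    if ($auth -notmatch 'BasicAuth|Integrated' -or $groups -notmatch 'ExchangeUsers') {
        $notes += 'No authenticated client submission on this connector'
    }

    New-Object PSObject -Property @{
        Server           = "$($c.Server)"
        Name             = $c.Name
        Bindings         = $bindings -join ', '
        RemoteIPRanges   = $ranges -join ', '
        AuthMechanism    = $auth
        PermissionGroups = $groups
        Notes            = $notes -join '; '
    }
}

$report | Sort-Object Server, Bindings, Name |
    Format-List Server, Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups, Notes

# Connectors on the same server that share a listener (same IP and port).
# For these, the most specific matching RemoteIPRanges entry decides which
# connector, and therefore which authentication settings, a client gets.
$report | Group-Object Server, Bindings | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { '{0}: {1}' -f $_.Name, (($_.Group | ForEach-Object { $_.Name }) -join ' / ') }
```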