Solved

Exchange 2k3 - No permissions to send external mail

Posted on 2011-09-27
17
443 Views
Last Modified: 2012-05-12
Experts,

One of our Exchange servers in our organization started behaving badly 2 days ago, and we've done most everything we can think of to get it working fully again.  To my knowledge, nothing in the environment has changed (with the exception of things we've done to troubleshoot this).

We have many Exchange 2k3 servers (about 50) in our org, and all are set to relay all messages through two primary COM Servers.  Those COM Servers are set to relay the messages out to the web.  Everything works great, with the exception of a single server.

The Exchange server that's having the problem, only did so within the last 2 days, and was previously working fine.




Users behind the Exchange server with the problem attempt to send messages to an external domain, and are given an NDR by the local *broken* Exchange server saying that they don't have permissions to send to that recipient (Exact message pasted below).

Keep in mind that this server worked fine a little over 2 days ago, and to my knowledge - nothing was changed.

I've checked the SMTP Virtual Server settings, and connector of the Exchange server.  It's routing * SMTP up to the COM servers.  The COM servers also have an IP exception for that particular server to allow relay.

Would anybody know an area I can check to see what's happening on this server?
Your message did not reach some or all of the intended recipients.

      Subject:	RE:  ****
      Sent:	9/28/2011 7:08 AM

The following recipient(s) cannot be reached:

      '****' on 9/28/2011 7:08 AM
            You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <SERVERNAME.DOMAINNAME #5.7.1 smtp;550 5.7.1 Unable to relay for ExternalMailAddress@domain.com>

Question by:usslindstrom
17 Comments
 
LVL 5

Author Comment

by:usslindstrom
ID: 36714547
*On note, local domain mail routes fine.  - Forgot to mention.
0
 
LVL 12

Expert Comment

by:Deepu Chowdary
ID: 36714580
OK. Can you check the Event Viewer once?
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 36714591
Certainly.  Not much out of the ordinary there.

I removed the SMTP connector to recreate it in troubleshooting, and there's a message in there during that time that it seems to be angry with me on not being able to route to any other Exchange server, but once the configuration was recreated, it went back to being pretty quiet.

Everything looks fine in the Event Viewer.
0
 
LVL 12

Expert Comment

by:Deepu Chowdary
ID: 36714595
Have you checked whether the settings for the SMTP connector are optimal or not?
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 36714656
Yes sir.

We have about 50 other Exchange servers that are all configured the exact same way on their connectors.

In part of my troubleshooting, I had multiple Exchange server configurations open and verifying line-by-line that everything was set the same.
0
 
LVL 12

Expert Comment

by:Deepu Chowdary
ID: 36714703
Hi sir.

Are you sending using Outlook? Can you please say which version it is, and also, are you facing the same issue while sending through OWA?
0
 
LVL 1

Expert Comment

by:Ganyboy
ID: 36714704
Did you check for any time mismatch between the gateway servers and the Exchange servers?
Also make sure that your DNS records are proper, and also ensure mail flow via Telnet.
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 36714873
We ran the SMTPDiag tool, and all tests were successful.

Time on all servers (DCs included) are all synced.

Outlook version is 2007, Exchange is 2003.  The problem is also present through OWA on users that have a mailbox located on that server.
0
 
LVL 10

Assisted Solution

by:gaurav05
gaurav05 earned 166 total points
ID: 36714918
Hi,

Run this command.

Get-ReceiveConnector "Replace with your connector name" |Add-AdPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Submit,ms-Exch-SMTP-Accept-Any-Recipient,ms-Exch-Bypass-Anti-Spam


Also check for hotfix.
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 36714948
Thanks for the suggestion gaurav05 - please note this is an Exchange 2003 environment though...

Get-ReceiveConnector is in the 2007 toolset w/PowerShell



Here are a set of Telnet SMTP tests.  The first one, is an internal mail sender to internal mail recipient, works fine.  The second test is an internal mail sender to an external mail recipient.


220 SERVERNAME.DOMAINNAME Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Wed, 28 Sep 2011 15:53:29 +0900
HELO
MAIL FROM:*Internal SMTP E-mail*
RCPT TO:*Internal SMTP E-mail*
DATA

Telnet SMTP Mail Test
.

250 SERVERNAME.DOMAINNAME Hello [IP.IP.IP.IP]
250 2.1.0 *Internal SMTP E-mail*....Sender OK
250 2.1.5 *Internal SMTP E-mail*
354 Start mail input; end with <CRLF>.<CRLF>

250 2.6.0 <SERVERNAME3SOlbpH71y00003cf2@SERVERNAME.DOMAINNAME> Queued mail for delivery

HELO
MAIL FROM:*Internal SMTP E-mail*
RCPT TO:*External SMTP Email*
DATA

Telnet SMTP Mail Test
.

250 SERVERNAME.DOMAINNAME Hello [IP.IP.IP.IP]
250 2.1.0 *Internal SMTP E-mail*....Sender OK
550 5.7.1 Unable to relay for *External SMTP Email*
554 5.5.2 No valid recipients
500 5.3.3 Unrecognized command
500 5.3.3 Unrecognized command

0
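As an added example (not code from the question or any of the answers), the following Python models the relay decision behind the telnet tests above: a server that accepts mail for its own domains from anyone but relays to outside domains only for an IP exception list, producing the same 250 / 550 5.7.1 / 554 5.5.2 replies, plus a classifier that tells a policy refusal apart from other failures. The local domain, the allowed network and the client addresses are constructed values, not the poster's.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed policy for one SMTP virtual server (constructed values, not from the question).
LOCAL_DOMAINS = {"domainname"}              # mail for these domains is always accepted
RELAY_FROM = [ip_network("192.0.2.0/24")]  # IP exceptions allowed to relay outward

ADDR = re.compile(r"<?([^<>@\s]+)@([^<>@\s]+)>?")

def rcpt_reply(client_ip: str, rcpt: str) -> str:
    """Reply an anti-relay SMTP server gives to one RCPT TO under the policy above."""
    m = ADDR.fullmatch(rcpt.strip())
    if not m:
        return "501 5.1.3 Invalid address"
    local, domain = m.group(1), m.group(2).lower()
    if domain in LOCAL_DOMAINS or any(ip_address(client_ip) in n for n in RELAY_FROM):
        return f"250 2.1.5 {local}@{domain}"
    return f"550 5.7.1 Unable to relay for {local}@{domain}"

def run_session(client_ip: str, sender: str, recipients: list[str]) -> list[tuple[str, str]]:
    """Simulate the HELO/MAIL/RCPT/DATA part of the telnet test as (command, reply) pairs."""
    log = [("HELO", f"250 server Hello [{client_ip}]"),
           (f"MAIL FROM:{sender}", f"250 2.1.0 {sender}....Sender OK")]
    accepted = 0
    for r in recipients:
        reply = rcpt_reply(client_ip, r)
        log.append((f"RCPT TO:{r}", reply))
        accepted += reply.startswith("250")
    # DATA is refused when no recipient was accepted, matching the 554 in the transcript above.
    log.append(("DATA", "354 Start mail input; end with <CRLF>.<CRLF>" if accepted
                else "554 5.5.2 No valid recipients"))
    return log

def diagnose(log: list[tuple[str, str]]) -> str:
    """Classify a session from its replies using the enhanced status codes."""
    for cmd, reply in log:
        if cmd.startswith("RCPT") and " 5.7.1 " in reply:
            return "relay-denied"      # policy refusal, not a DNS or routing problem
        if reply[0] in "45":
            return "other-failure"
    return "accepted"
```

A 5.7.1 on RCPT TO means the receiving side's relay policy rejected the recipient for that client address, which is why the same test against a server whose IP exception list includes the sender succeeds.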
 
LVL 1

Expert Comment

by:Ganyboy
ID: 36718278
Are you using a smart host to route the emails, or DNS?

If it's DNS, please check the corresponding records; this may also occur if the gateway blocks it!
0
 
LVL 12

Accepted Solution

by:Deepu Chowdary
Deepu Chowdary earned 167 total points
ID: 36718655
Also please check the same by disabling Antivirus, if any..
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 36733439
Alright - we've narrowed it down to some very strange symptoms, but I think they're all related.

Ganyboy:  Thanks for the suggestion on checking DNS.  DNS is fine, and I'm not seeing any issues, but it did get me to try to route the E-mail directly using DNS instead of using the "smart hosts" *Our COM servers, on the broken exchange server.
Once I made that change, E-mail can go through without any issues to external domains.  Of course, I can't leave it like this, but it starts pointing to a configuration issue with our outbound COM server.

That being said, I've been testing around the network, and have noticed this inconsistency when using telnet to test SMTP.  (pasted in the code block below).

When I test from ANY Exchange server, except the one that's having issues, the mail comes to me with the recipient translated from the GAL.  Meaning I put my local domain E-mail, and when it gets to my Mailbox, it's seen as coming from my "Display Name" in AD.
When I run the exact same test from the bad server, it comes to my Mailbox as "email@domain.com" - and not the Display name.

So, I'm leaning to the idea that the Exchange box in question is having issues authenticating people.  Its local DC is a Global Catalog, and replication checks OK with it, so I'm equally stumped if this is the problem, but am willing to try anything to get it working again.


HELO
MAIL FROM:**InternalSMTPAddress**
RCPT TO:**InternalSMTPAddress**
DATA

Telnet SMTP Mail Test
.

0
 
LVL 1

Assisted Solution

by:Ganyboy
Ganyboy earned 167 total points
ID: 36790899
If I could understand better: when you bypass your COM server, things are working fine, right?
So you can check if these emails are routed properly to the COM server, and check the logs on the COM server for any such related events (as this works fine with all the other servers) to put them back on track. Also, did you check the certificate on the server?
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 36812695
Yes sir.  Not using our COM server, and letting the bad Exchange server route everything - is fine for external domains.  So, it'd be easy to point the problem to the SMTP connector between the bad server and COM server - But - *The COM server is working though for the 50+ other Exchange servers, and the settings are 100% identical between all of the connectors / routing groups.

But if you don't mind me asking...  Why certificate?  - We're not experiencing an OWA problem, just Exchange-->Exchange.

0
 
LVL 5

Author Comment

by:usslindstrom
ID: 36812814
Guys.

We've found the solution.  There was a problem with the DC that the COM servers authenticated against.  Everything looked fine up front, but we decided to restart that particular unit for troubleshooting.

Sure enough, as soon as she came back online - everything started working.

Holy crap, that was a strange problem.  I can't thank you all enough for chipping in and trying to work through this issue with me.  Much appreciated!
0
 
LVL 5

Author Closing Comment

by:usslindstrom
ID: 36812819
Much appreciated on the assistance guys.
0
