Solved

Exchange 2k3 - No permissions to send external mail

Posted on 2011-09-27
Last Modified: 2012-05-12
Experts,

One of our Exchange servers in our organization started behaving badly 2 days ago, and we've done most everything we can think of to get it working fully again.  To my knowledge, nothing in the environment has changed (with the exception of things we've done to troubleshoot this).

We have many Exchange 2k3 servers (About 50) in our org, and all are set to relay all messages through two primary COM Servers.  Those COM Servers are set to relay the messages out to the web.  Everything works great, with the exception of a single server.

The Exchange server that's having the problem, only did so within the last 2 days, and was previously working fine.




Users behind the Exchange server with the problem attempt to send messages to an external domain, and are given an NDR by the local *broken* Exchange server saying that they don't have permissions to send to that recipient (Exact message pasted below).

Keep in mind that this server worked fine a little over 2 days ago, and to my knowledge - nothing was changed.

I've checked the SMTP Virtual Server settings, and connector of the Exchange server.  It's routing * SMTP up to the COM servers.  The COM servers also have an IP exception for that particular server to allow relay.

Would anybody know an area I can check to see what's happening on this server?
Your message did not reach some or all of the intended recipients.

      Subject:	RE:  ****
      Sent:	9/28/2011 7:08 AM

The following recipient(s) cannot be reached:

      '****' on 9/28/2011 7:08 AM
            You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <SERVERNAME.DOMAINNAME #5.7.1 smtp;550 5.7.1 Unable to relay for ExternalMailAddress@domain.com>


Question by:usslindstrom
 
LVL 5

Author Comment

by:usslindstrom
ID: 36714547
*On note, local domain mail routes fine.  - Forgot to mention.
0
 
LVL 12

Expert Comment

by:Deepu Chowdary
ID: 36714580
OK. Can you check the Event Viewer once?
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 36714591
Certainly.  Not much out of the ordinary there.

I removed the SMTP connector to recreate it in troubleshooting, and there's a message in there during that time that it seems to be angry with me on not being able to route to any other Exchange server, but once the configuration was recreated, it went back to being pretty quiet.

Everything looks fine in the Event Viewer.
0

 
LVL 12

Expert Comment

by:Deepu Chowdary
ID: 36714595
Have you checked whether the settings for the SMTP connector are optimal or not?
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 36714656
Yes sir.

We have about 50 other Exchange servers that are all configured the exact same way on their connectors.

As part of my troubleshooting, I had multiple Exchange server configurations open and was verifying line by line that everything was set the same.
0
 
LVL 12

Expert Comment

by:Deepu Chowdary
ID: 36714703
Hi sir..

Are you sending using Outlook? Can you please say which version it is, and also whether you are facing the same issue while sending through OWA?
0
 
LVL 1

Expert Comment

by:Ganyboy
ID: 36714704
Did you check for any time mismatch between the gateway servers and the Exchange servers?
Also make sure that your DNS records are proper, and also ensure mail flow via Telnet.
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 36714873
We ran the SMTPDiag tool, and all tests were successful.

Time on all servers (DCs included) are all synced.

Outlook version is 2007, Exchange is 2003.  The problem is also present through OWA on users that have a mailbox located on that server.
0
 
LVL 10

Assisted Solution

by:gaurav05
gaurav05 earned 166 total points
ID: 36714918
Hi,

Run this command.

Get-ReceiveConnector "Replace with your connector name" |Add-AdPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Submit,ms-Exch-SMTP-Accept-Any-Recipient,ms-Exch-Bypass-Anti-Spam


Also check for hotfix.
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 36714948
Thanks for the suggestion gaurav05 - please note this is an Exchange 2003 environment though...

Get-ReceiveConnector is in the 2007 toolset w/PowerShell



Here are a set of Telnet SMTP tests.  The first one, is an internal mail sender to internal mail recipient, works fine.  The second test is an internal mail sender to an external mail recipient.


220 SERVERNAME.DOMAINNAME Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Wed, 28 Sep 2011 15:53:29 +0900
HELO
MAIL FROM:*Internal SMTP E-mail*
RCPT TO:*Internal SMTP E-mail*
DATA

Telnet SMTP Mail Test
.

250 SERVERNAME.DOMAINNAME Hello [IP.IP.IP.IP]
250 2.1.0 *Internal SMTP E-mail*....Sender OK
250 2.1.5 *Internal SMTP E-mail*
354 Start mail input; end with <CRLF>.<CRLF>

250 2.6.0 <SERVERNAME3SOlbpH71y00003cf2@SERVERNAME.DOMAINNAME> Queued mail for delivery

HELO
MAIL FROM:*Internal SMTP E-mail*
RCPT TO:*External SMTP Email*
DATA

Telnet SMTP Mail Test
.

250 SERVERNAME.DOMAINNAME Hello [IP.IP.IP.IP]
250 2.1.0 *Internal SMTP E-mail*....Sender OK
550 5.7.1 Unable to relay for *External SMTP Email*
554 5.5.2 No valid recipients
500 5.3.3 Unrecognized command
500 5.3.3 Unrecognized command


0
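Added example, not part of any post in this thread: a small Python triage of the SMTP replies shown in the second telnet test and of the NDR diagnostic line from the question. It treats the first failing reply as the root cause; the 554 and 500 replies that follow are consistent with DATA being refused and the pasted body lines then being read as commands. The NDR layout `<host #status type;text>` is assumed from the single sample in the question, and all function names are illustrative.

```python
import re

# Constructed inputs: the replies from the thread's second telnet test and the
# NDR diagnostic line from the question, placeholders kept as posted.
SAMPLE_REPLIES = """\
250 SERVERNAME.DOMAINNAME Hello [IP.IP.IP.IP]
250 2.1.0 *Internal SMTP E-mail*....Sender OK
550 5.7.1 Unable to relay for *External SMTP Email*
554 5.5.2 No valid recipients
500 5.3.3 Unrecognized command
500 5.3.3 Unrecognized command
"""
SAMPLE_NDR = ("<SERVERNAME.DOMAINNAME #5.7.1 smtp;550 5.7.1 "
              "Unable to relay for ExternalMailAddress@domain.com>")

# Reply code, optional RFC 3463 enhanced status (class.subject.detail), text.
REPLY_RE = re.compile(r"^(\d{3})[ -](?:([245]\.\d{1,3}\.\d{1,3})\s+)?(.*)$")
# Layout assumed from the single NDR sample in the thread: <host #status type;text>
NDR_RE = re.compile(r"^<(\S+)\s+#([245]\.\d{1,3}\.\d{1,3})\s+(\w+);(.*)>$")

def parse_replies(text):
    """Return (code, enhanced_status, message) for every SMTP reply line."""
    hits = (REPLY_RE.match(line.strip()) for line in text.splitlines())
    return [(int(m.group(1)), m.group(2), m.group(3)) for m in hits if m]

def triage(text):
    """Name the first failing reply as root cause; later failures are fallout."""
    failures = [r for r in parse_replies(text) if r[0] >= 400]
    if not failures:
        return {"verdict": "accepted", "root": None, "cascade": []}
    code, status, message = failures[0]
    if status == "5.7.1" and "relay" in message.lower():
        verdict = "relay-denied"        # X.7.1: delivery not authorized
    else:
        verdict = "permanent-failure" if code >= 500 else "transient-failure"
    return {"verdict": verdict, "root": failures[0], "cascade": failures[1:]}

def parse_ndr_diagnostic(line):
    """Split the angle-bracket NDR line into host, status, type and reply."""
    m = NDR_RE.match(line.strip())
    if not m:
        return None
    host, status, dtype, text = m.groups()
    return {"host": host, "status": status, "type": dtype,
            "reply": parse_replies(text)}

if __name__ == "__main__":
    print(triage(SAMPLE_REPLIES), parse_ndr_diagnostic(SAMPLE_NDR), sep="\n")
```

Run against transcripts captured from each hop in turn, the same triage shows which server first returns the relay refusal.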
 
LVL 1

Expert Comment

by:Ganyboy
ID: 36718278
Are you using a smart host to route the emails, or DNS?

If it's DNS, please check the corresponding records; this may also occur if the gateway blocks it!
0
 
LVL 12

Accepted Solution

by:Deepu Chowdary
Deepu Chowdary earned 167 total points
ID: 36718655
Also please check the same by disabling Antivirus, if any..
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 36733439
Alright - we've narrowed it down to some very strange symptoms, but I think they're all related.

Ganyboy:  Thanks for the suggestion on checking DNS.  DNS is fine, and I'm not seeing any issues, but it did get me to try to route the E-mail directly using DNS instead of using the "smart hosts" (our COM servers) on the broken Exchange server.
Once I made that change, E-mail can go through without any issues to external domains.  Of course, I can't leave it like this, but it starts pointing to a configuration issue with our outbound COM server.

That being said, I've been testing around the network, and have noticed this inconsistency when using telnet to test SMTP.  (pasted in the code block below).

When I test from ANY Exchange server, except the one that's having issues, the mail comes to me with the recipient translated from the GAL.  Meaning I put my local domain E-mail, and when it gets to my Mailbox, it's seen as coming from my "Display Name" in AD.
When I run the exact same test from the bad server, it comes to my Mailbox as "email@domain.com" - and not the Display name.

So, I'm leaning to the idea that the Exchange box in question is having issues authenticating people.  Its local DC is a Global Catalog, and replication checks OK with it, so I'm equally stumped if this is the problem, but am willing to try anything to get it working again.


HELO
MAIL FROM:**InternalSMTPAddress**
RCPT TO:**InternalSMTPAddress**
DATA

Telnet SMTP Mail Test
.


0
 
LVL 1

Assisted Solution

by:Ganyboy
Ganyboy earned 167 total points
ID: 36790899
If I understand correctly, when you bypass your COM server things are working fine, right?
So you can check whether these emails are routed properly to the COM server and check the logs on the COM server for any related events (as this works fine with all the other servers) to put them back on track. Also, did you check the certificate on the server?
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 36812695
Yes sir.  Not using our COM server, and letting the bad Exchange server route everything - is fine for external domains.  So, it'd be easy to point the problem to the SMTP connector between the bad server and COM server - But - *The COM server is working though for the 50+ other Exchange servers, and the settings are 100% identical between all of the connectors / routing groups.

But if you don't mind me asking...  Why certificate?  - We're not experiencing an OWA problem, just Exchange-->Exchange.

0
 
LVL 5

Author Comment

by:usslindstrom
ID: 36812814
Guys.

We've found the solution.  There was a problem with the DC that the COM servers authenticated against.  Everything looked fine up front, but we decided to restart that particular unit for troubleshooting.

Sure enough, as soon as she came back online - everything started working.

Holy crap, that was a strange problem.  I can't thank you all enough for chipping in and trying to work through this issue with me.  Much appreciated!
0
 
LVL 5

Author Closing Comment

by:usslindstrom
ID: 36812819
Much appreciated on the assistance guys.
0
