  • Status: Solved
  • Priority: Medium
  • Security: Public

Exchange 2013: Cannot send or receive External mail

I have a new Exchange 2013 installation and am now able to send/receive mail internally, but mail sent to external addresses gets stuck in queues. Mail from Gmail and other external agencies does not come in either. I believe I checked over the send and receive connectors but am not finding the magic setting. Any assistance would be greatly appreciated.

Queues give the following error:
451 4.4.0 Error encountered while communicating with the primary target IP address: "421 4.2.1 Unable to connect." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternative hosts.
1 Solution
To be able to send email externally, check the Send Connector: on the Address Space tab, specify * for any non-accepted domain name.

For incoming, on Receive Connector | Default Connector, check Anonymous. Also please make sure the MX records are pointing to your correct Exchange or mail gateway IP address.
Bruno PACI (IT Consultant) commented:

We are missing a lot of information to help you...

Do you use a smarthost to deliver messages to external recipients, or do you deliver directly to the target domain servers?

Are your Exchange servers able to resolve external DNS names?

Are your Exchange servers allowed to make SMTP dialogs with external servers?

Finally, a summary of your send connectors would be appreciated.

Did you make basic tests such as:
- using NSLOOKUP to confirm your servers are able to resolve MX records?
- using telnet to start an SMTP session with external servers?

Have a good day
MiltonMHarper (Author) commented:
The send and receive connectors are set as mentioned above and I can see my MX record when I do an NSLookup - set type=mx ....

The Exchange server can ping and others so resolution is fine. As far as mail delivery, mail should go straight from the Exchange server to the TMG (Threat Management Gateway) server and then out to the internet. Oddly enough, when I set up a monitor on TMG for Destination Port 25 here's what I see:

Mail from external to internal - Absolutely no activity logged
Mail from internal to external - I see "Failed Connection Attempt" and "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."

One other note is we have a hosting agency between us and the outside world. I am thinking (hopeful) it may be some firewall rules, so I have them checking, but in the meantime I am scratching around for a fix.
The latter was me sending from internal to my gmail account.
Bruno PACI (IT Consultant) commented:
"The send and receive connectors are set as mentioned above"

Where? As far as I can read I see no send connector description from you... Should I suppose that you consider what suriyaehnop said as a sufficient description of your configuration? It is not.

"mail should go straight from the Exchange server, to the TMG (Threat Management Gateway) server and then out to the internet"
Well, that's the beginning of a description...

So I now have to guess all other points:

So you have a TMG server between you and the rest of the world. As the TMG sees outgoing SMTP traffic, and as I have to suppose that your send connector is configured by default (no smarthost, DNS resolution), I then suppose that the TMG server is configured as an IP gateway in the IP settings of the Exchange server.

I also have to imagine that all outgoing traffic is handled by the TMG server, and as the PING worked, I suppose the TMG IP routes are correct.

As the TMG can see the outgoing packet but obviously does not see a response, and if all that I had to guess is true, in my opinion the trouble is behind the TMG.

Is the TMG configured to NAT between the internal network and the external network? Or is it configured to route?
If it's NATed you can make an easy test:
1) Create a temporary access rule that "Allow" "All outgoing protocols" from "Local Host" to "External" for "All Users".
2) Install the TELNET client feature on the TMG server if needed.
3) Using NSLOOKUP as I told you previously obtain the IP address of any MX server on the web.
4) In a CMD prompt on the TMG server use the command:
If it fails (blinking cursor under the command) then obviously there's something wrong behind the TMG, probably at your hosting agency. It may be a routing problem or a firewall misconfiguration somewhere.
If it connects with no banner (blinking cursor at the top left of a black window) there's an application-level firewall behind the TMG that is not well configured.
If it connects with an SMTP banner then I am wrong and something is misconfigured in your platform. In this case you'll have to give us a complete description, because it's very tiring to have to guess all these things.

Have a good day.
MiltonMHarper (Author) commented:
Sorry about that. The Send connector is set up as:
  Proxy through CAS is not checked
  MX record associated with recipient domain is checked
  No smart host
  Type SMTP
  Domain *
  Server is the exchange server

Correct on the assumptions for TMG between us and the rest of the world (except the caveat that our Hosting agency's Firewall is the middle as well), the TMG server being configured as a gateway, TMG handles all outgoing traffic (incoming as well), etc.

Telnet is installed, so I ran telnet 25 and it connected showing this:

220 EXCHANGESERVER.DOMAIN.DMN Microsoft ESMTP MAIL Service ready at Tue, 29 Jan
2013 18:58:20 -0500

Since TMG is behind the hosting agency firewall and telnet to 25 works, I am thinking it is something misconfigured on their end. Yes?

Thank you.
MiltonMHarper (Author) commented:
The hosting agency put in rules for my ports, so now mail comes into my environment, but I still have issues with mail going out. I generate an email via OWA and send it to my gmail account but nothing. When I hit TMG and set up a monitor for "Destination Port 25" I see this:

Client IP: My Exchange Server's IP
Destination IP: (guessing Gmail)
Failed Connection Attempt
Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

I set up a TMG rule for Allow, All Outgoing Protocols, From Local Host to External for All Users but it still came up with the same error above.

Exchange Toolbox has the capability to perform tests as if you are sending mail in/out of your environment. I did the Remote Connectivity Analyzer test for Outbound SMTP and it comes up green but with a yellow triangle. When you expand everything, all is green until you get down to:
Performing Sender ID Validation:
  Sender ID validation was performed successfully
    Test Steps
      RED X - Attempting to find the SPF record using DNS TEXT record query.
                   ExRCA wasn't able to find the SPF record.
                      Additional Details
                      No records were found

I don't have (or believe I don't have) any for my other environment and it works fine. I've used SPF query tools like so any ideas would be greatly appreciated. Since inbound works, I would tend to think this is a Send Connector issue....

I have two:
Default Mail Connector
MyDomainName - Internet Connector

Both have the same settings but only because I unchecked "Use the external DNS lookup settings on servers with transport roles" on the Default Mail Connector.  Should that be checked?

Name:  Default Mail Connector
Connector Status:  Enabled
Not checked "Proxy through client access server"
Protocol logging level:  Verbose
Max send message size:  10

Network settings:   MX record associated with recipient domain
Smart Host:  None are entered
Unchecked box for "Use the external DNS lookup settings on servers with transport roles"

Address space:  SMTP   *   1
Unchecked box for "Scoped Send Connector"
Source Server:
  Server:  My exchange server
  Site:  domain/Configuration/Sites/Default-First-Site-Name
  Role:  Cafe, Mailbox, ClientAccess, UnifiedMessaging, HubTransport, FrontendTransport

Nothing specified
Bruno PACI (IT Consultant) commented:

The TMG rule "allow", "all outgoing protocols", from "Local host" to "external" won't help, for 2 obvious reasons:
1) The trace in the log mentions a "Failed connection attempt" and not a "refused connection", meaning the traffic passes through TMG but the target server gives no response.
2) As far as I understand your configuration, the traffic comes from the Exchange server, not from the TMG server... so "local host" is not the right source.
Anyway, if the trace you see in the log is linked to the SMTP protocol then it's the proof that SMTP traffic passes through TMG.

I'm not sure that is Gmail, because this IP is not in the result of an NSLOOKUP I made...

Can you confirm that the trace in the TMG log is about the SMTP protocol?

Also, your problem is not about the SPF record, Sender ID or any other DNS checking, because that will not refuse the connection, it will refuse the message. It's very different, because to refuse a message there must be a successful connection and the beginning of an SMTP dialog!

Ok so, you'll please do exactly this test and give us the result:

1) On the TMG server start the log with a filter to take only the SMTP protocol.
2) Open a session on your Exchange server.
3) Launch a CMD console.
4) Type the command ROUTE PRINT and verify that the default gateway is configured so that any traffic for external IP ranges is routed to the TMG server (if not, please describe your network precisely).
5) Type the command NSLOOKUP.
6) In the nslookup prompt type SET TYPE=MX.
7) In the nslookup prompt type GMAIL.COM.
8) Note the whole results (copy/paste into a text file) and show them to us.
9) Start a PowerShell console.
10) In the PowerShell console type IMPORT-MODULE SERVERMANAGER.
11) Type TELNET 25.
12) Go on your TMG server and look for an SMTP trace. Do you see the traffic for SMTP to ?

Don't touch anything on your connectors for the moment. Just make the tests above and show us precise results.

Also, I wonder about what you call "hosting company"... What is this company supposed to do about your IP traffic with the Internet? Should we understand that you cannot reach the Internet directly? In this case, what did they do on their network to allow you to send SMTP to the Internet?
Did they tell you about any smarthost you should be using?

Have a good day.
MiltonMHarper (Author) commented:
On the Exchange server I ran the ROUTE PRINT and can see my Gateway Address is configured to point to TMG.  I did the NSLOOKUP commands and see these entries:

Non-authoritative answer:
      MX preference = 30, mail exchanger =
      MX preference = 5, mail exchanger =
      MX preference = 20, mail exchanger =
      MX preference = 10, mail exchanger =
      MX preference = 40, mail exchanger =
      internet address =
      internet address =
      internet address =
      internet address =
      internet address =

I set up a rule on TMG to query/track for Protocol Equals SMTP and then back on Exchange I ran the telnet 25 command. It came back with

Connecting To not open connection to the host, on port 25: Connect failed

Over on TMG I did see these two failed entries

Failed Connection Attempt MYSERVERNAME 2/5/2013 9:43:27 AM
Log type: Firewall service
Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
Rule: Allow Web Access for All Users
Source: Internal (EXCHANGESERVERIP:30291)
Destination: External (
Protocol: SMTP
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 21000ms Original Client IP: EXCHANGESERVERIP
One of the many things that puzzles me is up above beside Source: I see Internal, my Exchange server name, but the port is 30291. Guessing that doesn't matter because I have two other environments. Both showed different port numbers.

As far as a hosting agency, our servers are at a different location and traffic goes in/out through their firewalls as well. The issues above are on a new environment we are configuring. We have a separate environment which they also host and everything works fine there. I passed them info concerning ports and such. They noted a lot of rules missing, added those, so now inbound traffic works but I still can't send outbound. They say they have checked everything and all should be gtg. I am trying everything I can think of and everything anyone else can think of before I go back to them a 4th time to say they need to check something. The tests earlier in this log helped me identify half the equation. I am still leaning toward there being something on their end but trying to gather as much ammo to say A-Z was tried so there HAS to be something on their firewalls.
MiltonMHarper (Author) commented:
I worked with our hosting agency to do a 5 min test of an Any><Any rule. Mail went out successfully, so it appears something needs updating on their firewall. When I learn what that is, I will post it here for future reference, do the Accept Solution(s) and hopefully all will be resolved. My brain pan is starting to feel a little pressure release. :)
Bruno PACI (IT Consultant) commented:

Thanks for these results.

Ok so, this proves that SMTP traffic is correctly sent through TMG as TMG can see it. The problem is that TMG never receives the answer.

The problem is "after" TMG. So if you're OK we will try some new tests and results a step further, from TMG to external...

About the Source Port of your Exchange server, it is absolutely normal. When your Exchange server tries to send an SMTP message, at this time it acts as an SMTP client and the SMTP server is the target server. An SMTP client will always try to reach the well-known SMTP TCP port of the target server, which is TCP port 25. But the SMTP client can choose any local TCP port above 1024 as its local port. So an SMTP connection is a link between a source port with any number and target port TCP 25 on the server.
That's not a problem, because on firewalls you have to declare target ports, not source ports.

Ok... let's start with new checking and tests if you want.

First of all, on the TMG server console, on the left pane click on "Networking". In the center pane click on "Network Rules". You may see a Network Rule that is named "Internet Access" that should apply to "Internal" as source network and "External" as destination network.
There's a column named "Relation" that tells you if both networks are "Routed" or "NATed".
How is it configured on your side? "NAT" or "Route"?

I will suppose it is NATed as it's the typical architecture; if not, tell me and I'll post specific tests.
Ok so I suppose it's NATed.

That means that to receive SMTP mails you have created an SMTP publishing rule that listens on the external NIC on port (SMTP server) and asked the hosting company to forward incoming SMTP traffic to the TMG IP address on its external NIC.
If that works it means they have allowed SMTP traffic from their network to your TMG for TCP port 25. It also means that IP routing between TMG and the hosting company is OK.

So now, in the TMG console, in the "Firewall Policy" section you'll create a temporary access rule that "Allow"s "SMTP Protocol" from "Local Host" to "External" for "All Users" and put this rule at the top of the list.

If you did not do that before, on the TMG server open a Powershell and type:
Import-Module ServerManager
Add-WindowsFeature Telnet-Client

Now the TELNET tool is installed. Open a CMD prompt on the TMG server and type:

What is the result of the TELNET among these possibilities:
A) The cursor is blinking below the last typed command in the CMD prompt for a while before failing to connect.
B) An immediate connect failure occurs.
C) The cursor is blinking at the top left of a black window but nothing appears on the screen.
D) An SMTP HELO banner appears at the top line of the CMD prompt.
E) Anything else: please give details.

Depending on these tests we will decide on a new action for the next step.

Have a good day.
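The two procedures above (telnet to an MX host on port 25 from the Exchange server, then from the TMG server, and reading the outcome as case A to D) can be run as one PowerShell check. This is an added example, not code from the thread or from Microsoft; it assumes you pass in the mail exchangers you already got from NSLOOKUP (the hosts below are placeholders) and that the Windows firewall on the box lets outbound TCP 25 through.

```powershell
# Added example (not from the thread): reproduce "telnet <mxhost> 25" from PowerShell and
# classify the result the way the A-D list above does. Run it on the Exchange server first,
# then on the TMG server, to see on which hop the answer stops coming back.
param(
    [string[]]$MailHosts = @('mx1.example.invalid', 'mx2.example.invalid'),  # placeholders
    [int]$ConnectTimeoutMs = 21000,  # TMG logged 21000 ms before "Failed Connection Attempt"
    [int]$BannerTimeoutMs = 10000
)

function Test-OutboundSmtp {
    param([string]$MailHost, [int]$Port = 25, [int]$ConnectTimeoutMs = 21000, [int]$BannerTimeoutMs = 10000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        try {
            $pending = $client.BeginConnect($MailHost, $Port, $null, $null)
            if (-not $pending.AsyncWaitHandle.WaitOne($ConnectTimeoutMs)) {
                # Case A: SYN sent, nothing ever came back; typical of a firewall silently dropping TCP 25
                return 'A: timed out, no answer from the far end (look behind this hop)'
            }
            $client.EndConnect($pending)   # throws SocketException on an immediate refusal
        } catch [System.Net.Sockets.SocketException] {
            # Case B: the far end, or a device in the path, actively rejected the connection
            return "B: connection refused immediately ($($_.Exception.Message))"
        }
        $stream = $client.GetStream()
        $stream.ReadTimeout = $BannerTimeoutMs
        $buffer = New-Object byte[] 512
        try {
            $read = $stream.Read($buffer, 0, $buffer.Length)
        } catch [System.IO.IOException] {
            $read = 0   # read timed out: the socket is open but the server stays silent
        }
        if ($read -le 0) {
            # Case C: TCP handshake completed but no 220 banner; an application-layer filter in the path
            return 'C: connected but no SMTP banner (application-level filter?)'
        }
        $banner = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read).Trim()
        # Case D: a real SMTP server answered, so the path out to port 25 is open from this host
        return "D: banner received: $banner"
    } finally {
        $client.Close()
    }
}

foreach ($mailHost in $MailHosts) {
    '{0,-35} {1}' -f $mailHost, (Test-OutboundSmtp -MailHost $mailHost -ConnectTimeoutMs $ConnectTimeoutMs -BannerTimeoutMs $BannerTimeoutMs)
}
```

Because it uses only .NET sockets, it runs on the older Windows Server builds that ship without Resolve-DnsName, which is why the MX names are taken as input rather than resolved in the script.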
Bruno PACI (IT Consultant) commented:
Hi again,

Sorry, I missed your last post as I was typing mine (writing in English takes me some time ;) ).

Ok, that was a very good idea to make this test, as it is an obvious way to locate the problem.
So now it's on their side. Something is wrong in their firewall rules and they have to find what.

Forget my last post, as there's no need to test further on your side.

Have a good day.
MiltonMHarper (Author) commented:
Haha. Funny thing is I was putting in your tests when they started hitting me up about narrowing the scope. So far it seems to just narrow down to a port 25 rule between the servers to external. Will know more in a few. I hope.
MiltonMHarper (Author) commented:
Thanks to the tips for troubleshooting, I could narrow down that the hosting agency was blocking port 25 for outgoing. They were also blocking it for incoming, but that was corrected early on. Not sure why they wouldn't have configured it as allowed both ways, especially after I asked them to early on.
Question has a verified solution.