MiltonMHarper
Exchange 2013: Cannot send or receive External mail

I have a new Exchange 2013 installation and am now able to send/receive mail internally, but mail sent to external addresses gets stuck in queues. Mail from Gmail and other external agencies does not come in either. I believe I checked over the send and receive connectors but am not finding the magic setting. Any assistance would be greatly appreciated.

Queues give the following error:
451 4.4.0 Error encountered while communicating with the primary target IP address: "421 4.2.1 Unable to connect." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternative hosts.
suriyaehnop

To be able to send email externally, check the Send Connector: on the Address Space tab, specify * for any non-accepted domain name.

For incoming, on Receive Connector | Default Connector, check Anonymous. Also please make sure MX records are pointing to the correct IP address of your Exchange server or mail gateway.
Bruno PACI
Hi,

We are missing a lot of information to help you...

Do you use a smarthost to deliver messages to external recipients, or do you deliver directly to the target domain servers?

Are your Exchange servers able to resolve external DNS names?

Are your Exchange servers allowed to make SMTP dialogs with external servers?

Finally, a summary of your send connectors would be appreciated.


Did you make basic tests such as:
- using NSLOOKUP to confirm your servers are able to resolve MX records?
- using telnet to start an SMTP session with external servers?


Have a good day
MiltonMHarper (ASKER)

The send and receive connectors are set as mentioned above and I can see my MX record when I do an NSLookup with set type=mx ....

The Exchange server can ping www.google.com and others, so resolution is fine. As far as mail delivery, mail should go straight from the Exchange server to the TMG (Threat Management Gateway) server and then out to the internet. Oddly enough, when I set up a monitor on TMG for Destination Port 25, here's what I see:

Mail from external to internal - Absolutely no activity logged
Mail from internal to external - I see "Failed Connection Attempt" and "A connection attempt failed because the connection party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."

One other note is we have a Hosting agency between us and the outside world. I am thinking (hopeful) it may be some firewall rules, so I have them checking, but in the meantime I am scratching around for a fix.
The latter was me sending from internal to my Gmail account.
The send and receive connectors are set as mentioned above

Where?! As far as I can read I see no send connector description from you... Should I suppose that you consider what suriyaehnop said as a sufficient description of your configuration? It is not.

mail should go straight from the Exchange server, to the TMG (Threat Management Gateway) server and then out to the internet
Well, that's the beginning of a description...

So I now have to guess all other points:

So you have a TMG server between you and the rest of the world. As the TMG sees outgoing SMTP traffic, and as I have to suppose that your send connector is configured by default (no smarthost, DNS resolution), I then suppose that the TMG server is configured as an IP gateway in the IP settings of the Exchange server.

I also have to imagine that all outgoing traffic is handled by the TMG server, and as the PING worked for www.google.com I suppose the TMG IP routes are correct.

As the TMG can see the outgoing packet but obviously does not see a response, and if all that I had to guess is true, in my opinion the trouble is behind the TMG.

Is the TMG configured to NAT between the internal network and the external network? Or is it configured to route?
If it's NATed you can make an easy test:
1) Create a temporary access rule that "Allow" "All outgoing protocols" from "Local Host" to "External" for "All Users".
2) Install the TELNET client feature on the TMG server if needed.
3) Using NSLOOKUP as I told you previously, obtain the IP address of any MX server on the web.
4) In a CMD prompt on the TMG server use the command:
TELNET xxx.xxx.xxx.xxx 25
If it fails (blinking cursor under the command) then obviously there's something wrong behind the TMG, probably at your Hosting agency. It may be a routing problem or a firewall misconfiguration somewhere.
If it connects with no banner (blinking cursor at top left of a black window) there's an application-level firewall behind the TMG that is not well configured.
If it connects with an SMTP banner then I am wrong and something is misconfigured in your platform. In this case you'll have to give us a complete description, because it's very tiring to have to guess all these things.

Have a good day.
Sorry about that. The Send connector is set up as:
  Proxy through CAS is not checked
  MX record associated with recipient domain is checked
  No smart host
  Type SMTP
  Domain *
  Server is the exchange server

Correct on the assumptions for TMG between us and the rest of the world (except the caveat that our Hosting agency's firewall is in the middle as well), the TMG server being configured as a gateway, TMG handling all outgoing traffic (incoming as well), etc.

Telnet is installed, so I ran telnet xxx.xxx.xxx.xxx 25 and it connected showing this:

220 EXCHANGESERVER.DOMAIN.DMN Microsoft ESMTP MAIL Service ready at Tue, 29 Jan 2013 18:58:20 -0500

Since TMG is behind the hosting agency firewall and telnet to 25 works, I am thinking it is something misconfigured on their end. Yes?

Thank you.
The hosting agency put in rules for my ports, so now mail comes into my environment, but I still have issues with mail going out. I generate an email via OWA and send it to my Gmail account, but nothing. When I hit TMG and set up a monitor for "Destination Port 25" I see this:

Client IP:  My Exchange Servers IP
Destination IP:  98.175.5.133 (guessing Gmail)
Failed Connection Attempt
Status:  A connection attempt failed because the connection party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

I set up a TMG rule for Allow, All Outgoing Protocols, From Local Host to External for All Users, but it still came up with the same error above.

Exchange Toolbox has the capability to perform tests like you are sending mail in/out of your environment. I did the Remote Connectivity Analyzer test for Outbound SMTP and it comes up green but with a yellow triangle. When you expand everything, all is green until you get down to:
Performing Sender ID Validation:
  Sender ID validation was peformed successfully
    Test Steps
      RED X - Attempting to find the SPF record using DNS TEXT record query.
                   ExRCA wasn't able to find the SPF record.
                      Addtional Details
                      No records were found


I don't have (or believe I don't have) any for my other environment and it works fine. I've used SPF query tools like http://www.kitterman.com/spf/validate.html so any ideas would be greatly appreciated. Since inbound works, I would tend to think this is a Send Connector issue....

I have two:
Default Mail Connector
MyDomainName - Internet Connector

Both have the same settings but only because I unchecked "Use the external DNS lookup settings on servers with transport roles" on the Default Mail Connector.  Should that be checked?

General:
Name:  Default Mail Connector
Connector Status:  Enabled
Not checked "Proxy through client access server"
Protocol logging level:  Verbose
Max send message size:  10

Delivery:
Network settings:   MX record associated with recipient domain
Smart Host:  None are entered
Unchecked box for "Use the external DNS lookup settings on servers with transport roles"

Scoping:
SMTP   *   1
Unchecked box for "Scoped Send Connector"
Source Server:
  Server:  My exchange server
  Site:  domain/Configuration/Sites/Default-First-Site-Name
  Role:  Cafe, Mailbox, ClientAccess, UnifiedMessaging, HubTransport, FrontendTransport

FQDN:
Nothing specified
Hi,

The TMG rule "allow", "all outgoing protocols", from "Local host" to "external" won't help for 2 obvious reasons:
1) The trace in the log mentions a "Failed connection attempt" and not a "refused connection", meaning the traffic passes through TMG but the target server gives no response.
2) As far as I understand your configuration, the traffic comes from the Exchange server, not from the TMG server... so "local host" is not the right source.
Anyway, if the trace you see in the log is linked to the SMTP protocol then it's the proof that SMTP traffic passes through TMG.

I'm not sure that 98.175.5.133 is Gmail, because this IP is not in the result of an NSLOOKUP I made...

Can you confirm that the trace in the TMG log is about the SMTP protocol?!

Also, your problem is not about the SPF record, Sender ID or any other DNS checking, because those will not refuse the connection, they will refuse the message. It's very different, because to refuse a message there must be a successful connection and the beginning of an SMTP dialog!


Ok so, you'll please do exactly this test and give us the result:

1) On the TMG server start the log with a filter to take only the SMTP protocol.
2) Open a session on your Exchange server.
3) Launch a CMD console.
4) Type the command ROUTE PRINT and verify that the default gateway is configured so that any traffic for external IP ranges is routed to the TMG server (if not, please describe your network precisely).
5) Type the command NSLOOKUP.
6) In the nslookup prompt type SET TYPE=MX.
7) In the nslookup prompt type GMAIL.COM.
8) Note the whole results (copy/paste into a text file) and show them to us.
9) Start a PowerShell console.
10) In the PowerShell console type IMPORT-MODULE SERVERMANAGER.
11) In the PS console type ADD-WINDOWSFEATURE TELNET-CLIENT.
12) Type TELNET 195.245.230.131 25.
13) Go on your TMG server and look for an SMTP trace. Do you see the traffic for SMTP to 195.245.230.131?


Don't touch anything on your connectors for the moment. Just make the tests above and show us precise results.

Also, I wonder about what you call "hosting company"... What is this company supposed to do about your IP traffic with the Internet? Should we understand that you cannot reach the Internet directly? In this case, what did they do on their network to allow you to send SMTP to the Internet?
Did they tell you about any smarthost you should be using?


Have a good day.
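A scripted form of the MX-lookup-and-telnet test above, added here as an example and not part of the thread: it resolves a domain's MX hosts and probes TCP/25 on each from the Exchange server, reporting whether the connection times out (the "Failed Connection Attempt" symptom seen in the TMG log), connects but stays silent, or returns an SMTP banner. The function name and the gmail.com target are assumptions, and Resolve-DnsName requires Windows Server 2012 or later.

```powershell
# Added example, not from the thread: resolve a domain's MX hosts and probe TCP/25 on each,
# separating "no connection" (routing/firewall) from "connected but silent" (application-level
# filter) from "SMTP banner received" (path is open). Assumes Windows Server 2012+ (Resolve-DnsName).
function Test-OutboundSmtpPath {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [int]$Port = 25,
        [int]$TimeoutMs = 10000
    )
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
          Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference
    if (-not $mx) { throw "No MX records found for $Domain (DNS resolution problem)" }
    foreach ($record in $mx) {
        $target = $record.NameExchange
        $result = [ordered]@{ Host = $target; Preference = $record.Preference; Stage = ''; Banner = '' }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($target, $Port, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                # SYN sent, nothing comes back: the "Failed Connection Attempt" seen in the TMG log
                $result.Stage = 'NO CONNECTION (timeout): check firewall/routing upstream'
            } else {
                $client.EndConnect($async)        # throws on an active refusal (RST)
                $stream = $client.GetStream()
                $stream.ReadTimeout = $TimeoutMs
                $reader = New-Object System.IO.StreamReader($stream)
                try {
                    $banner = $reader.ReadLine()
                    if ($banner -match '^220') {
                        $result.Stage = 'SMTP BANNER RECEIVED: path is open'
                        $result.Banner = $banner
                    } else {
                        $result.Stage = "UNEXPECTED RESPONSE: $banner"
                    }
                } catch {
                    # TCP handshake completed but the peer never spoke: an application-level filter
                    $result.Stage = 'CONNECTED BUT NO BANNER: application-level filter suspected'
                }
            }
        } catch {
            $result.Stage = "CONNECTION REFUSED/ERROR: $($_.Exception.Message)"
        } finally {
            $client.Close()
        }
        [pscustomobject]$result
    }
}
# Run from the Exchange server; compare with the TMG SMTP log while it runs.
Test-OutboundSmtpPath -Domain 'gmail.com' | Format-Table -AutoSize
```

Running it while the TMG SMTP filter is active lets you match each probe against a log entry, which is what steps 1 and 13 above ask for.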
On the Exchange server I ran the ROUTE PRINT and can see my Gateway Address is configured to point to TMG.  I did the NSLOOKUP commands and see these entries:

Server:  spxtravsdc1ky.spxtra.net
Address:  172.16.72.164

Non-authoritative answer:
gmail.com       MX preference = 30, mail exchanger = alt3.gmail-smtp-in.l.google.com
gmail.com       MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
gmail.com       MX preference = 20, mail exchanger = alt2.gmail-smtp-in.l.google.com
gmail.com       MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google.com
gmail.com       MX preference = 40, mail exchanger = alt4.gmail-smtp-in.l.google.com

gmail-smtp-in.l.google.com      internet address = 74.125.131.27
alt3.gmail-smtp-in.l.google.com internet address = 173.194.69.26

alt2.gmail-smtp-in.l.google.com internet address = 173.194.70.26
alt4.gmail-smtp-in.l.google.com internet address = 173.194.71.26
alt1.gmail-smtp-in.l.google.com internet address = 173.194.65.26

I set up a rule on TMG to query/track for Protocol Equals SMTP and then, back on Exchange, I ran the telnet 195.245.230.131 25 command. It came back with

Connecting To 195.245.230.131...Could not open connection to the host, on port 25: Connect failed

Over on TMG I did see these two failed entries

Failed Connection Attempt MYSERVERNAME 2/5/2013 9:43:27 AM
Log type: Firewall service
Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
Rule: Allow Web Access for All Users
Source: Internal (EXCHANGESERVERIP:30291)
Destination: External (195.245.230.131:25)
Protocol: SMTP
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 21000ms Original Client IP: EXCHANGESERVERIP
One of the many things that puzzles me is up above beside Source: I see Internal, my exchange server name, but the port is 30291. Guessing that doesn't matter because I have two other environments. Both showed different port numbers.

As far as a hosting agency, our servers are at a different location and traffic goes in/out through their firewalls as well. The issues above are on a new environment we are configuring. We have a separate environment which they also host and everything works fine there. I passed them info concerning ports and such. They noted a lot of rules missing, added those so now inbound traffic works, but I still can't send outbound. They say they have checked everything and all should be gtg. I am trying everything I can think of and everything anyone else can think of before I go back to them a 4th time to say they need to check something. The tests earlier in this log helped me identify half the equation. I am still leaning toward there being something on their end but trying to gather as much ammo to say A-Z was tried so there HAS to be something on their firewalls.
I worked with our hosting agency to do a 5 min test of an Any><Any rule. Mail went out successfully, so it appears something needs updating on their firewall. When I learn what that is, I will post it here for future reference, do the Accept Solution(s) and hopefully all will be resolved. My brain pan is starting to feel a little pressure release. :)
ASKER CERTIFIED SOLUTION
Bruno PACI
Hi again,

Sorry I missed your last post as I was typing mine (writing in English takes me some time ;) ).

Ok, that was a very good idea to make this test as it is an obvious way to locate the problem.
So now it's on their side. Something is wrong in their firewall rules and they have to find what.

Forget my last post, as there is no need to test further on your side.

Have a good day.
Haha. Funny thing is I was putting in your tests when they started hitting me up about narrowing the scope. So far it seems to just narrow down to a port 25 rule between the servers to external. Will know more in a few. I hope.
Thanks to the tips for troubleshooting, I could narrow down that the hosting agency was blocking port 25 for outgoing. They were also blocking it for incoming, but that was corrected early on. Not sure why they wouldn't have configured it as allowed both ways, especially after I asked them to early on.