Solved

Exchange 2013:  Cannot send or receive External mail

Posted on 2013-01-28
4,982 Views
Last Modified: 2013-02-05
I have a new Exchange 2013 installation and am now able to send/receive mail internally but  mail sent to external addresses gets stuck in queues.  Mail from gmail and other external agencies do not come in either.  I believe i checked over the send and receive connectors but am not finding the magic setting.  Any assistance would be greatly appreciated.

Queues give the following error:
451 4.4.0 Error encountered while communicating with the primary target IP address: "421 4.2.1 Unable to connect." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternative hosts.
Question by: MiltonMHarper

13 Comments
Expert Comment by: suriyaehnop (LVL 18)
To be able to send email externally, check the Send Connector: on the Address Space tab, specify * for any non-accepted domain name.

For incoming, on Receive Connector | Default Connector, check Anonymous. Also please make sure the MX records are pointing to the correct IP address of your Exchange server or mail gateway.
0
 
Expert Comment by: PaciB (LVL 16)
Hi,

We are missing a lot of information to help you...

Do you use a smarthost to deliver messages to external recipients, or do you deliver directly to the target domain servers?

Are your Exchange servers able to resolve external DNS names?

Are your Exchange servers allowed to make SMTP dialogs with external servers?

Finally, a summary of your send connectors would be appreciated.


Did you make basic tests such as:
- using NSLOOKUP to confirm your servers are able to resolve MX records?
- using telnet to start an SMTP session with external servers?


Have a good day
0
 

Author Comment by: MiltonMHarper
The send and receive connectors are set as mentioned above and I can see my MX record when I do an NSLookup - set type=mx ....

The Exchange server can ping www.google.com and others so resolution is fine. As far as mail delivery, mail should go straight from the Exchange server, to the TMG (Threat Management Gateway) server and then out to the internet. Oddly enough, when I set up a monitor on TMG for Destination Port 25 here's what I see:

Mail from external to internal - Absolutely no activity logged
Mail from internal to external - I see "Failed Connection Attempt" and "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."

One other note is we have a Hosting agency between us and the outside world. I am thinking (hopeful) it may be some firewall rules so I have them checking, but in the meantime I am scratching around for a fix.
The latter was me sending from internal to my gmail account.
0
 
Expert Comment by: PaciB (LVL 16)
"The send and receive connectors are set as mentioned above"

Where!??? As far as I can read I see no send connector description from you... Should I suppose that you consider what suriyaehnop said as a sufficient description of your configuration??? It is not.

"mail should go straight from the Exchange server, to the TMG (Threat Management Gateway) server and then out to the internet"
Well, that's the beginning of a description...

So I now have to guess all the other points:

So you have a TMG server between you and the rest of the world. As the TMG sees outgoing SMTP traffic, and as I have to suppose that your send connector is configured by default (no smarthost, DNS resolution), I then suppose that the TMG server is configured as the IP gateway in the IP settings of the Exchange server.

I also have to imagine that all outgoing traffic is handled by the TMG server, and as the PING worked for www.google.com I suppose the TMG IP routes are correct.

As the TMG can see the outgoing packet but obviously does not see a response, and if all that I had to guess is true, in my opinion the trouble is behind the TMG.

Is the TMG configured to NAT between the internal network and the external network? Or is it configured to route?
If it's NATed you can make an easy test:
1) Create a temporary access rule that "Allow"s "All outgoing protocols" from "Local Host" to "External" for "All Users".
2) Install the TELNET client feature on the TMG server if needed.
3) Using NSLOOKUP as I told you previously, obtain the IP address of any MX server on the web.
4) In a CMD prompt on the TMG server use the command:
TELNET xxx.xxx.xxx.xxx 25
If it fails (blinking cursor under the command) then obviously there's something wrong behind the TMG, probably at your Hosting agency. It may be a routing problem or a firewall misconfiguration somewhere.
If it connects with no banner (blinking cursor at top left of a black window) there's an application level firewall behind the TMG that is not well configured.
If it connects with an SMTP banner then I am wrong and something is misconfigured in your platform. In this case you'll have to give us a complete description because it's very tiring to have to guess all these things.

Have a good day.
0
 

Author Comment by: MiltonMHarper
Sorry about that. The Send connector is set up as:
  Proxy through CAS is not checked
  MX record associated with recipient domain is checked
  No smart host
  Type SMTP
  Domain *
  Server is the exchange server

Correct on the assumptions for TMG between us and the rest of the world (except the caveat that our Hosting agency's Firewall is in the middle as well), the TMG server being configured as a gateway, TMG handles all outgoing traffic (incoming as well), etc.

Telnet is installed so I ran telnet xxx.xxx.xxx.xxx 25 and it connected showing this:

220 EXCHANGESERVER.DOMAIN.DMN Microsoft ESMTP MAIL Service ready at Tue, 29 Jan
2013 18:58:20 -0500

Since TMG is behind the hosting agency firewall and telnet to 25 works, I am thinking it is something misconfigured on their end. Yes?

Thank you.
0
 

Author Comment by: MiltonMHarper
The hosting agency put in rules for my ports so now mail comes into my environment, but I still have issues with mail going out. I generate an email via OWA and send it to my gmail account but nothing. When I hit TMG and set up a monitor for "Destination Port 25" I see this:

Client IP:  My Exchange Server's IP
Destination IP:  98.175.5.133 (guessing Gmail)
Failed Connection Attempt
Status:  A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

I set up a TMG rule for Allow, All Outgoing Protocols, From Local Host to External for All Users but it still came up with the same error above.

Exchange Toolbox has the capability to perform tests as if you were sending mail in/out of your environment. I did the Remote Connectivity Analyzer test for Outbound SMTP and it comes up green but with a yellow triangle. When you expand everything all is green until you get down to:
Performing Sender ID Validation:
  Sender ID validation was performed successfully
    Test Steps
      RED X - Attempting to find the SPF record using DNS TEXT record query.
                   ExRCA wasn't able to find the SPF record.
                      Additional Details
                      No records were found


I don't have (or believe I don't have) any for my other environment and it works fine. I've used SPF query tools like http://www.kitterman.com/spf/validate.html so any ideas would be greatly appreciated. Since inbound works, I would tend to think this is a Send Connector issue....

I have two:
Default Mail Connector
MyDomainName - Internet Connector

Both have the same settings, but only because I unchecked "Use the external DNS lookup settings on servers with transport roles" on the Default Mail Connector. Should that be checked?

General:
Name:  Default Mail Connector
Connector Status:  Enabled
Not checked "Proxy through client access server"
Protocol logging level:  Verbose
Max send message size:  10

Delivery:
Network settings:   MX record associated with recipient domain
Smart Host:  None are entered
Unchecked box for "Use the external DNS lookup settings on servers with transport roles"

Scoping:
SMTP   *   1
Unchecked box for "Scoped Send Connector"
Source Server:
  Server:  My exchange server
  Site:  domain/Configuration/Sites/Default-First-Site-Name
  Role:  Cafe, Mailbox, ClientAccess, UnifiedMessaging, HubTransport, FrontendTransport

FQDN:
Nothing specified
0
 
Expert Comment by: PaciB (LVL 16)
Hi,

The TMG rule "allow", "all outgoing protocols", from "Local host" to "external" won't help for 2 obvious reasons:
1) The trace in the log mentions a "Failed connection attempt" and not a "refused connection", meaning the traffic passes through TMG but the target server gives no response.
2) As far as I understand your configuration, the traffic comes from the Exchange server, not from the TMG server... so "local host" is not the right source.
Anyway, if the trace you see in the log is linked to the SMTP protocol then it's the proof that SMTP traffic passes through TMG.

I'm not sure that 98.175.5.133 is Gmail, because this IP is not in the result of an NSLOOKUP I made...

Can you confirm that the trace in the TMG log is about the SMTP protocol!??

Also, your problem is not about SPF records, sender id or any other DNS checking, because those will not refuse the connection, they will refuse the message. It's very different, because to refuse a message there must be a successful connection and a beginning of an SMTP dialog!


Ok so, you'll please do exactly this test and give us the result:

1) On the TMG server start the log with a filter to take only the SMTP protocol.
2) Open a session on your Exchange server.
3) Launch a CMD console.
4) Type the command ROUTE PRINT and verify that the default gateway is configured so that any traffic for external IP ranges is routed to the TMG server (if not, please describe your network precisely).
5) Type the command NSLOOKUP
6) In the nslookup prompt type SET TYPE=MX
7) In the nslookup prompt type GMAIL.COM
8) Note the whole results (copy paste in a text file) and show them to us.
9) Start a powershell console.
10) In the powershell console type IMPORT-MODULE SERVERMANAGER
11) In the PS console type ADD-WINDOWSFEATURE TELNET-CLIENT
12) Type TELNET 195.245.230.131 25
13) Go on your TMG server and look for an SMTP trace. Do you see the traffic for SMTP to 195.245.230.131??


Don't touch anything on your connectors for the moment. Just make the tests above and show us precise results.

Also, I wonder about what you call "hosting company"... What is this company supposed to do about your IP traffic with the Internet? Should we understand that you cannot reach the Internet directly? In this case, what did they do on their network to allow you to send SMTP to the Internet?
Did they tell you about any smarthost you should be using?


Have a good day.
0
 

Author Comment by: MiltonMHarper
On the Exchange server I ran the ROUTE PRINT and can see my Gateway Address is configured to point to TMG.  I did the NSLOOKUP commands and see these entries:

Server:  spxtravsdc1ky.spxtra.net
Address:  172.16.72.164

Non-authoritative answer:
gmail.com       MX preference = 30, mail exchanger = alt3.gmail-smtp-in.l.google.com
gmail.com       MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
gmail.com       MX preference = 20, mail exchanger = alt2.gmail-smtp-in.l.google.com
gmail.com       MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google.com
gmail.com       MX preference = 40, mail exchanger = alt4.gmail-smtp-in.l.google.com

gmail-smtp-in.l.google.com      internet address = 74.125.131.27
alt3.gmail-smtp-in.l.google.com internet address = 173.194.69.26

alt2.gmail-smtp-in.l.google.com internet address = 173.194.70.26
alt4.gmail-smtp-in.l.google.com internet address = 173.194.71.26
alt1.gmail-smtp-in.l.google.com internet address = 173.194.65.26

I set up a rule on TMG to query/track for the Protocol Equals SMTP and then back on Exchange I ran the telnet 195.245.230.131 25 command. It came back with

Connecting To 195.245.230.131...Could not open connection to the host, on port 25: Connect failed

Over on TMG I did see these two failed entries

Failed Connection Attempt MYSERVERNAME 2/5/2013 9:43:27 AM
Log type: Firewall service
Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
Rule: Allow Web Access for All Users
Source: Internal (EXCHANGESERVERIP:30291)
Destination: External (195.245.230.131:25)
Protocol: SMTP
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 21000ms Original Client IP: EXCHANGESERVERIP
 
One of the many things that puzzles me is up above beside Source: I see Internal, my exchange server name, but the port is 30291. Guessing that doesn't matter because I have two other environments. Both showed different port numbers.

As far as a hosting agency, our servers are at a different location and traffic goes in/out through their firewalls as well. The issues above are on a new environment we are configuring. We have a separate environment which they also host and everything works fine there. I passed them info concerning ports and such. They noted a lot of rules missing, added those so now inbound traffic works but I still can't send outbound. They say they have checked everything and all should be gtg. I am trying everything I can think of and everything anyone else can think of before I go back to them a 4th time to say they need to check something. The tests earlier in this log helped me identify half the equation. I am still leaning toward there being something on their end but trying to gather as much ammo to say A-Z was tried so there HAS to be something on their firewalls.
0
 

Author Comment by: MiltonMHarper
I worked with our hosting agency to do a 5 min test of an Any><Any rule. Mail went out successfully so it appears something needs updating on their firewall. When I learn what that is, I will post it here for future reference, do the Accept Solution(s) and hopefully all will be resolved. My brain pan is starting to feel a little pressure release. :)
0
 
Accepted Solution by: PaciB (LVL 16, earned 500 total points)
Hi,

Thanks for these results.

Ok so, this proves that SMTP traffic is correctly sent through TMG, as TMG can see it. The problem is that TMG never receives the answer.

The problem is "after" TMG. So if you're OK we will try some new tests and results a step further, from TMG to external...

About the Source Port of your Exchange server, it is absolutely normal. When your Exchange server tries to send an SMTP message, at this time it acts as an SMTP client and the SMTP server is the target server. An SMTP client will always try to reach the well-known SMTP TCP port of the target server, which is TCP port 25. But the SMTP client can choose any local TCP port above 1024 as its local port. So an SMTP connection is a link between a source port with any number and a target port TCP 25 on the server.
That's not a problem, because on firewalls you have to declare target ports, not source ports.



Ok... let's start with new checks and tests if you want.

First of all, on the TMG server console, in the left pane click on "Networking". In the center pane click on "Network Rules". You may see a Network Rule that is named "Internet Access" that should apply to "Internal" as source network and "External" as destination network.
There's a column named "Relation" that tells you whether both networks are "Routed" or "NATed".
How is it configured on your side? "NAT" or "Route"?


I will suppose it is NATed as it's the typical architecture; if not, you tell me and I'll post specific tests.
Ok so I suppose it's NATed.

That means that to receive SMTP mails you have created an SMTP publishing rule that listens on the external NIC on port (SMTP server) and asked the hosting company to forward incoming SMTP traffic to the TMG IP address on its external NIC.
If that works it means they have allowed SMTP traffic from their network to your TMG for TCP port 25. It also means that IP routing between TMG and the hosting company is OK.

So now, in the TMG console, in the "Firewall Policy" section you'll create a temporary access rule that "Allow"s "SMTP Protocol" from "Local Host" to "External" for "All Users" and put this rule at the top of the list.

If you did not do that before, on the TMG server open a Powershell and type:
Import-Module ServerManager
Add-WindowsFeature Telnet-Client

Now the TELNET tool is installed. Open a CMD prompt on the TMG server and type:
TELNET 74.125.131.27 25

What is the result of the TELNET between these possibilities:
A) The cursor is blinking below the last typed command in the CMD prompt for a while before failing to connect.
B) An immediate connect failure occurs.
C) The cursor is blinking on the top left of a black window but nothing appears on the screen.
D) An SMTP HELO banner appears at the top line of the CMD prompt.
E) Anything else: please give details.


Depending on these tests we will decide on a new action for the next step.

Have a good day.
0
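The telnet outcomes PaciB lists in the accepted answer and in his earlier reply (timeout, immediate failure, connection with no banner, banner) can be reproduced and recorded in one pass over the MX hosts returned by nslookup. The following is an added example, not code from the thread; the nslookup sample is constructed in the shape of the gmail.com output posted above, the probe uses only the standard library, and the `connect` parameter is an injection point so the classifier can be exercised without network access.

```python
import re
import socket

# Constructed sample in the shape of the Windows nslookup MX output posted above.
NSLOOKUP_MX_OUTPUT = """
gmail.com       MX preference = 30, mail exchanger = alt3.gmail-smtp-in.l.google.com
gmail.com       MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
gmail.com       MX preference = 20, mail exchanger = alt2.gmail-smtp-in.l.google.com
"""

MX_LINE = re.compile(r"MX preference = (\d+), mail exchanger = (\S+)")


def parse_mx(nslookup_text):
    """Return (preference, host) pairs, lowest preference first (the MTA's order)."""
    return sorted((int(p), h) for p, h in MX_LINE.findall(nslookup_text))


def classify_smtp_probe(host, port=25, timeout=10,
                        connect=socket.create_connection):
    """Open TCP to host:port and read the greeting; map the result to the
    outcomes of the telnet test in the accepted answer:
      A  connect times out: SYN sent, nothing back (dropped in transit)
      B  immediate failure: RST or no route (refused or routing problem)
      C  connected but no banner: TCP answers, nothing speaks SMTP
      D  SMTP banner received: the network path is clear
    `connect` is injectable so the classifier can be exercised offline."""
    try:
        sock = connect((host, port), timeout=timeout)
    except (socket.timeout, TimeoutError):
        return "A", None
    except OSError as exc:
        return "B", str(exc)
    try:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(512)
        except (socket.timeout, TimeoutError):
            banner = b""
        if not banner:
            return "C", None
        return "D", banner.decode("ascii", "replace").strip()
    finally:
        sock.close()


def probe_in_mx_order(nslookup_text, **probe_kwargs):
    """Probe each MX in preference order; stop at the first SMTP banner."""
    results = []
    for _pref, mx in parse_mx(nslookup_text):
        code, detail = classify_smtp_probe(mx, **probe_kwargs)
        results.append((mx, code, detail))
        if code == "D":
            break
    return results


if __name__ == "__main__":
    for mx, code, detail in probe_in_mx_order(NSLOOKUP_MX_OUTPUT):
        print(f"{mx}: {code} {detail or ''}")
```

Run from the Exchange server and then from the TMG server, a result of A on one side and D on the other places the drop between the two hops, which is the localisation argument the thread works through by hand.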
 
Expert Comment by: PaciB (LVL 16)
Hi again,

Sorry, I missed your last post as I was typing mine (writing in English takes me some time ;) ).

Ok, that was a very good idea to make this test as it is an obvious way to locate the problem.
So now it's on their side. Something is wrong in their firewall rules and they have to find what.

Forget my last post as there's no need to test further on your side.

Have a good day.
0
 

Author Comment by: MiltonMHarper
Haha. Funny thing is I was putting in your tests when they started hitting me up about narrowing the scope. So far it seems to just narrow down to a port 25 rule between the servers to external. Will know more in a few. I hope.
0
 

Author Closing Comment by: MiltonMHarper
Thanks to the tips for troubleshooting, I could narrow down that the hosting agency was blocking port 25 for outgoing. They were also blocking it for incoming but that was corrected early on. Not sure why they wouldn't have configured it as allowed both ways, especially after I asked them to early on.
0
