Exchange Mailflow

Hi,

I have a mailflow-issue that is giving me trouble.
We have an SBS2008 which we are trying to migrate to Exchange 2010 running on Windows 2008 R2.  The new machine is set up, I migrated one test-user over.

Mail flows from 2010 to 2007, but not the other way.

I've had this often with 2003 <-> 2010, but never in this constellation.

All receive connectors have Exchange Server authentication active.  Additional send connectors have been removed.  All looks well.

Mail is stuck in the queue of 2007 with the error message "451 4.4.0 DNS query failed.  The error was: SMTPSEND.DNS.NonExistentDomain; nonexistent domain"
Both receiving and sending user are in the same mail domain.  Their addresses are correct.  It works the other way.

The "next hop domain" in the queue says "hub version 14" - something I have never seen.

What is wrong?

Thanks,
Ralph
Ralph Scharping (Digital Therapist) Asked:

Frank McCourry (V.P. Holland Computers, Inc.) Commented:
Check the DNS settings on the 2010 server.  Make sure it can ping the 2007 server by name.  Then check your forward lookup zone and verify that there is an entry for both servers.
0
Ralph Scharping (Digital Therapist) Author Commented:
Thanks for your answer.  I verified that.  Ping, telnet on port 25 and DNS resolving works both ways.
0
Mohd_Shaikh Commented:
Hi,

First of all you need to verify from both ends.

As you said, port 25 is open and DNS is working fine.

Make sure that port 25 is open on both servers, Exchange 2007 and 2010.
Please check whether you are able to send email using telnet from Exchange 2007 to 2010.

Thank You!
0

Ralph Scharping (Digital Therapist) Author Commented:
Thanks for your suggestion.  I just verified:  The behaviour is identical when using Telnet.  Both hosts can reach each other.  Mail is accepted in all cases.  It is correctly delivered locally, and it is also relayed correctly from the new Server (2010) to the old server (2007).
Mail that is to be relayed from 2007 to 2010 ends up in the queue.

Any other ideas?  This looks like it is something really stupid, but DNS looks ultra-clean.
0
Frank McCourry (V.P. Holland Computers, Inc.) Commented:
Is your 2007 Server trying to do reverse lookups?  If so is there a proper PTR record for the domain?
0
Ralph Scharping (Digital Therapist) Author Commented:
It should not need to do reverse lookups.  But the hostname of the new 2010-server resolves fine forward and backwards.

But I am just seeing something new:  A transport certificate seems to be expired.  There are five certificates active in Exchange 2007.  None of them are "real" as in bought.  They are all self-made.  Can that be the issue?
I am seeing Event-ID 12015
0
Ralph Scharping (Digital Therapist) Author Commented:
Certificate does not seem to be the issue.  Made a new one - same thing.

What were you saying about a PTR for the domain?  There are of course PTRs for both mail servers.  But do I need one for the domain?
0
Frank McCourry (V.P. Holland Computers, Inc.) Commented:
I mention this because you can set email to be rejected if reverse DNS test does not pass.  

Now that I think of it, if your messages are sitting in the inbound queue, then it is not a DNS problem at all, rather a problem with your connector on the 2007 server.  Can the 2007 server send email to itself? Can it receive from sources other than your 2010 server?

I don't believe certificates would be the issue, because these are exchanged and validated between the servers before any mail is passed. The fact that the email makes it to the incoming Queue is evidence that certificates are not the problem.

Your problem lies on the 2007 Server getting messages from the inbound queue to the mailbox.  It is not a transport problem between servers.  Again, evidenced by the fact that messages are in the inbound queue.
0
Ralph Scharping (Digital Therapist) Author Commented:
My messages are stuck in the OUTbound queue.
The Server 2007 can mail to itself, it can mail out and it receives mail from outside.  It is in full operation serving about 110 mailboxes.

The new 2010 server is housing only one test mailbox.  This test mailbox can send out just fine.  It can send to all users of the old server.  My ONLY issue is that I cannot send from 2007 to 2010.  It gets stuck in the outbound queue of the old server.
0
Ralph Scharping (Digital Therapist) Author Commented:
One more thing:
Turned the send connectors log level to verbose.
Mail to the other server does not appear in the log at all.  Also no DNS lookup errors, no attempt.  Is that by design?  Does the send connector only log mail that goes out to the smarthost?  Or is that my issue?
0
Ralph Scharping (Digital Therapist) Author Commented:
I now created an additional internal send connector for "myexternalmaildomain.com" with Exchange Server Authentication active and a smarthost pointing to the new 2010 Server.

Still:  all mail within the users of the old server is fine, mail to the new server ends up in the same queue, the send connector is not logging anything.
This must be something BEFORE the mail even hits the send connector.
0
Frank McCourry (V.P. Holland Computers, Inc.) Commented:
Try this on your 2010 receive connector.

Set-ReceiveConnector -Identity "Default <ServerName>" -PermissionGroups AnonymousUsers
0
Frank McCourry (V.P. Holland Computers, Inc.) Commented:
Sorry about the confusion,  I had assumed that the problem was reverse, as this is usually the case.
0
Ralph Scharping (Digital Therapist) Author Commented:
Anonymous already is permitted on the 2010 receive connector.

I really do begin to believe it has something to do with AD or DNS.  AD does not have an MX record.  I double checked with other clients, and they do not either.  Could this be an issue here?  nslookup -q=mx internaldomain.local only returns this:

Server:  oldserver.localdomain.local
Address:  192.168.242.11

localdomain.local
        primary name server = oldserver.localdomain.local
        responsible mail addr = hostmaster.localdomain.local
        serial  = 763
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
0
Ralph Scharping (Digital Therapist) Author Commented:
Okay - this is awkward to explain, but I think I might be one step further.
The customer is using - badly advised - the name mail.externalmaildomain.com for his OWA and his external MX.  SMTP terminates on a UTM firewall device and is scanned and forwarded to the inside.
In order to be able to sync their smartphones, they are using mail.externalmaildomain.com in a split-brain DNS configuration to point to the old mail server.  There is a DNS zone in AD that is called mail.externalmaildomain.com and contains only a blank A record pointing to the internal LAN address of the 2007 server.

If you ask DNS for an MX, you get the answer from the external provider that hosts the domain.  He has MX pointing to mail.externalmaildomain.com.  This is internally resolved to be the 2007 Exchange server.

This is my question:
If I send mail to a user within my own Exchange organisation but outside my own mailbox server, does that trigger a DNS-lookup for the MX of the recipient's mail domain (which is identical to my own)?  If that was the case, this could cause trouble...

The other way it works of course - the entry would truly point to the destination.

Thanks,
Ralph
0
Ralph Scharping (Digital Therapist) Author Commented:
Does not seem to be the issue.  If I turn the configuration around, it still works for one and still does not work for the other.
0
Ralph Scharping (Digital Therapist) Author Commented:
If I do a

test-mailflow -targetmailboxserver newmailserver

in Exchange Power Shell on the Exchange Server 2007, I get

Test-Mailflow : There were no mailbox databases found on NEWMAILSERVER to proceed with the test. Verify that the user has sufficient privileges to read Exchange configuration infromation from Active Direcotry.
Line:1 Character:14
+ Test-Mailflow <<<<  -targetmailboxserver newmailserver
    + CategoryInfo          : PermissionDenied: (:) [Test-Mailflow], NoMdbForOperationException
    + FullyQualifiedErrorId : F5E41355,Microsoft.Exchange.Monitoring.TestMailFlow

That can't be good news...

If I do it the other way around (from 2010 to 2007), it goes:

[PS] C:\Windows\system32>test-mailflow -targetmailboxserver oldmailserver

RunspaceId         : 5578b1e1-7801-43dc-a818-03525286bb3d
TestMailflowResult : *ERROR*
MessageLatencyTime : 00:00:00
IsRemoteTest       : True
Identity           :
IsValid            : True


That goes to show... what exactly?
0
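The checks this thread walks through (queue state and next-hop, receive connector permissions, extra send connectors, the expired transport certificate behind Event ID 12015, name resolution and Test-Mailflow) gathered into one Exchange Management Shell script. This is an added example and not code from any post above; OLDMAILSERVER and NEWMAILSERVER are placeholder names, and it assumes it is run in the Exchange Management Shell on the 2007 server.

```powershell
# Added diagnostic script (not from the thread). Placeholder server names:
# OLDMAILSERVER = Exchange 2007 hub/mailbox, NEWMAILSERVER = Exchange 2010.
# Run from the Exchange Management Shell on the 2007 server.
$Old = 'OLDMAILSERVER'
$New = 'NEWMAILSERVER'

# 1. Queue state on the 2007 side. NextHopDomain and LastError are where
#    "hub version 14" and "451 4.4.0 DNS query failed" show up.
Get-Queue -Server $Old | Where-Object { $_.MessageCount -gt 0 } |
    Format-List Identity, DeliveryType, Status, NextHopDomain, MessageCount, LastError

# 2. Receive connectors on the 2010 side. Intra-org delivery needs a connector
#    bound to port 25 with ExchangeServers in PermissionGroups and
#    ExchangeServer in AuthMechanism; AnonymousUsers alone is not enough.
Get-ReceiveConnector -Server $New |
    Format-Table Identity, Bindings, AuthMechanism, PermissionGroups -AutoSize

# 3. Send connectors are org-wide. A connector whose address space covers the
#    org's own accepted domain can pull intra-org mail away from the
#    intra-org routing path; compare AddressSpaces against the mail domain.
Get-SendConnector |
    Format-Table Identity, AddressSpaces, SmartHosts, DNSRoutingEnabled, Enabled -AutoSize

# 4. Transport certificates on this (2007) server. Event ID 12015 is logged
#    when a certificate still assigned to the SMTP service has expired.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, Subject, NotAfter,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } } -AutoSize

# 5. Forward and reverse resolution of the peer from this server, using the
#    .NET resolver (Resolve-DnsName is not available on Windows 2008 R2).
$Entry = [System.Net.Dns]::GetHostEntry($New)
$Entry | Format-List HostName, AddressList
foreach ($Addr in $Entry.AddressList) {
    [System.Net.Dns]::GetHostEntry($Addr) | Format-List HostName
}

# 6. End-to-end test in the failing direction (2007 -> 2010). A
#    NoMdbForOperationException here means the 2007 shell cannot see a
#    mailbox database on the target, which points at AD configuration
#    rather than SMTP transport.
Test-Mailflow -TargetMailboxServer $New |
    Format-List TestMailflowResult, MessageLatencyTime, IsRemoteTest
```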
Ralph Scharping (Digital Therapist) Author Commented:
Ended up exporting all mailboxes and starting from scratch.  Thanks for the help, though.
0
Ralph Scharping (Digital Therapist) Author Commented:
No solution found.  Abandoned the task.
0