Asked by Ralph Scharping (Germany)

Exchange Mailflow

Hi,

I have a mailflow issue that is giving me trouble.
We have an SBS2008 which we are trying to migrate to Exchange 2010 running on Windows 2008 R2.  The new machine is set up, I migrated one test-user over.

Mail flows from 2010 to 2007, but not the other way.

I've had this often with 2003 <-> 2010, but never in this constellation.

All receive connectors have Exchange Server authentication active.  Additional send connectors have been removed.  All looks well.

Mail is stuck in the queue of 2007 with the error message "451 4.4.0 DNS query failed.  The error was: SMTPSEND.DNS.NonExistentDomain; nonexistent domain"
Both receiving and sending user are in the same mail domain.  Their addresses are correct.  It works the other way.

The "next hop domain" in queue sais "hub version 14" - something I have never seen.

What is wrong?

Thanks,
Ralph
Frank McCourry (United States):

Check the DNS settings on the 2010 server.  Make sure it can ping the 2007 server by name.  Then check your forward lookup zone and verify that there is an entry for both servers.
Ralph Scharping (asker):

Thanks for your answer.  I verified that.  Ping, telnet on port 25 and DNS resolving works both ways.
Mohd_Shaikh:

Hi,

First of all you need to verify from both ends.

As you said, port 25 is open and DNS is working fine.

Make sure that port 25 is open on both servers, Exchange 2007 and 2010.
Please check whether you are able to send email by using telnet from Exchange 2007 to 2010.

Thank You!
Thanks for your suggestion.  I just verified:  The behaviour is identical when using Telnet.  Both hosts can reach each other.  Mail is accepted in all cases.  It is correctly delivered locally, and it is also relayed correctly from the new Server (2010) to the old server (2007).
Mail that is to be relayed from 2007 to 2010 ends up in the queue.

Any other ideas?  This looks like it is something really stupid, but DNS looks ultra-clean.
Is your 2007 Server trying to do reverse lookups?  If so, is there a proper PTR record for the domain?
It should not need to do reverse lookups.  But the hostname of the new 2010-server resolves fine forward and backwards.

But I am just seeing something new:  A Transport certificate seems to be expired.  There are five certificates active in Exchange 2007.  None of them are "real" as in bought.  They are all self-made.  Can that be the issue?
I am seeing Event-ID 12015
Certificate does not seem to be the issue.  Made a new one - same thing.

What were you saying about a PTR for the domain?  There are of course PTRs for both mail servers.  But do I need one for the domain?
I mention this because you can set email to be rejected if reverse DNS test does not pass.  

Now that I think of it, if your messages are sitting in the inbound queue, then it is not a DNS problem at all, rather a problem with your connector on the 2007 Server.  Can the 2007 server send email to itself? Can it receive from sources other than your 2010 server?

I don't believe certificates would be the issue, because these are exchanged and validated between the servers before any mail is passed. The fact that the email makes it to the incoming Queue is evidence that certificates are not the problem.

Your problem lies on the 2007 Server getting messages from the inbound queue to the mailbox.  It is not a transport problem between servers.  Again, evidenced by the fact that messages are in the inbound queue.
My messages are stuck in the OUTbound queue.
The Server 2007 can mail to itself, it can mail out and it receives mail from outside.  It is in full operation serving about 110 mailboxes.

The new 2010 Server is housing only one test-mailbox.  This testbox can send out just fine.  It can send to all users of the old Server.  My ONLY issue is that I cannot send from 2007 to 2010.  It gets stuck in the outbound queue of the old server.
One more thing:
Turned the send connectors log level to verbose.
Mail to the other server does not appear in the log at all.  Also no DNS lookup errors, no attempt.  Is that by design?  Does the send connector only log mail that goes out to the smarthost?  Or is that my issue?
I now created an additional internal send connector for "myexternalmaildomain.com" with Exchange Server Authentication active and a smarthost pointing to the new 2010 Server.

Still:  all mail within the users of the old server is fine, mail to the new server ends up in the same queue, the send connector is not logging anything.
This must be something BEFORE the mail even hits the send connector.
Try this on your 2010 receive connector.

Set-ReceiveConnector -Identity "Default <ServerName>" -PermissionGroups AnonymousUsers
Sorry about the confusion,  I had assumed that the problem was reverse, as this is usually the case.
Anonymous already is permitted on the 2010 receive connector.

I really do begin to believe it has something to do with AD or DNS.  AD does not have an MX record.  I double checked with other clients, and they do not either.  Could this be an issue here?  nslookup -q=mx internaldomain.local only submits this:

Server:  oldserver.localdomain.local
Address:  192.168.242.11

localdomain.local
        primary name server = oldserver.localdomain.local
        responsible mail addr = hostmaster.localdomain.local
        serial  = 763
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
Okay - this is awkward to explain, but I think I might be one step further.
The customer is using - badly advised - the name mail.externalmaildomain.com for his OWA and his external MX.  SMTP terminates on a UTM firewall device and is scanned and forwarded to the inside.
In order to be able to sync their smartphones, they are using mail.externalmaildomain.com in a two-faced DNS configuration to point to the old mailserver.  There is a DNS zone in AD that is called mail.externalmaildomain.com and contains only a blank A record pointing to the internal LAN address of the 2007 server.

If you ask DNS for an MX, you get the answer from the external provider that hosts the domain.  He has MX pointing to mail.externalmaildomain.com.  This is internally resolved to be the 2007 Exchange server.

This is my question:
If I send mail to a user within my own Exchange organisation but outside my own mailbox server, does that trigger a DNS-lookup for the MX of the recipient's mail domain (which is identical to my own)?  If that was the case, this could cause trouble...

The other way it works of course - the entry would truly point to the destination.

Thanks,
Ralph
Does not seem to be the issue.  If I turn the configuration around, it still works for one and still does not work for the other.
If I do a

test-mailflow -targetmailboxserver newmailserver

in Exchange Power Shell on the Exchange Server 2007, I get

Test-Mailflow : There were no mailbox databases found on NEWMAILSERVER to proceed with the test. Verify that the user has sufficient privileges to read Exchange configuration information from Active Directory.
Line:1 Character:14
+ Test-Mailflow <<<<  -targetmailboxserver newmailserver
    + CategoryInfo          : PermissionDenied: (:) [Test-Mailflow], NoMdbForOperationException
    + FullyQualifiedErrorId : F5E41355,Microsoft.Exchange.Monitoring.TestMailFlow

That can't be good news...

If I do it the other way around (from 2010 to 2007), it goes:

[PS] C:\Windows\system32>test-mailflow -targetmailboxserver oldmailserver

RunspaceId         : 5578b1e1-7801-43dc-a818-03525286bb3d
TestMailflowResult : *ERROR*
MessageLatencyTime : 00:00:00
IsRemoteTest       : True
Identity           :
IsValid            : True


That goes to show... what exactly?
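As an added diagnostic (not posted in the thread, and not a claimed fix), the following Exchange Management Shell script collects the settings behind the symptoms discussed above in one pass; OLDSERVER and NEWSERVER are placeholders for the 2007 and 2010 hub transport servers.

```powershell
# Added diagnostic, not from the thread. Run in the Exchange Management Shell on
# the 2007 server. OLDSERVER / NEWSERVER are placeholder names.
param(
    [string]$OldServer = 'OLDSERVER',   # Exchange 2007 hub (SBS 2008)
    [string]$NewServer = 'NEWSERVER'    # Exchange 2010 hub
)

# 1. Queues on the 2007 side that are not draining, with the next hop Exchange
#    chose for them (the thread saw "hub version 14", i.e. a 2010 hub server)
#    and the last error, e.g. "451 4.4.0 DNS query failed".
Get-Queue -Server $OldServer |
    Where-Object { $_.Status -ne 'Ready' -or $_.MessageCount -gt 0 } |
    Format-Table Identity, DeliveryType, NextHopDomain, Status, MessageCount, LastError -AutoSize

# 2. The FQDN Exchange itself has stored for the 2010 hub, and whether this
#    host resolves exactly that name (intra-org delivery uses it, not an MX).
$fqdn = (Get-ExchangeServer -Identity $NewServer).Fqdn
try {
    $ips = [System.Net.Dns]::GetHostEntry($fqdn).AddressList |
        ForEach-Object { $_.IPAddressToString }
    "$fqdn -> $($ips -join ', ')"
} catch {
    "$fqdn does NOT resolve from this host: $($_.Exception.Message)"
}

# 3. The transport service has its own DNS settings, separate from the ones
#    ping and nslookup use. A stale InternalDNSServers list or adapter GUID
#    here yields "DNS query failed" even when nslookup looks clean.
#    Intra-org hub-to-hub traffic is logged by the implicit intra-organization
#    connector (IntraOrgConnectorProtocolLoggingLevel), not by custom send
#    connectors, which is why a verbose send connector can stay silent.
Get-TransportServer -Identity $OldServer |
    Format-List InternalDNSAdapterEnabled, InternalDNSAdapterGuid, InternalDNSServers,
                InternalDNSProtocolOption, IntraOrgConnectorProtocolLoggingLevel, SendProtocolLogPath

# 4. Receive connectors on the 2010 side. Hub-to-hub delivery needs the
#    ExchangeServers permission group with ExchangeServer authentication.
#    Caveat: Set-ReceiveConnector -PermissionGroups replaces the whole list,
#    so "-PermissionGroups AnonymousUsers" alone would drop ExchangeServers.
Get-ReceiveConnector -Server $NewServer |
    Format-List Identity, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism
```

Compare the FQDN from step 2 with the NextHopDomain from step 1 and the DNS servers in step 3; the transport service must resolve that exact name through the servers listed there.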
ASKER CERTIFIED SOLUTION
Ralph Scharping (Germany):

No solution found.  Abandoned the task.