Solved

Users migrated from Exchange 2007 datastore to 2010 datastore do not receive external email

Posted on 2014-11-06
Last Modified: 2014-11-10
We have a single Exchange 2007 server that runs our company email. I have deployed a new Exchange 2010 server, and the plan is to migrate all of the users to the 2010 server. I migrated one user from 2007 to 2010 for testing purposes. This 2010 test user:
- can receive internal email from people on the Exchange 2007 server - OK
- can send email to people on the Exchange 2007 server - OK
- can send email to people outside of our organization - OK
- BUT they do not receive any outside email

Additional info:
We have a Barracuda spam filter that receives all messages first. It blocks some and lets the others through. For this test user, the Barracuda filter IS receiving the messages and stating that they HAVE been delivered. However, they never show up in the test user's inbox. I have no idea where they are going.

We also have Choicemail installed on both Exchange servers. The configuration from the 2007 server was duplicated on the 2010 server. Choicemail is configured to filter messages for only one specific user though, which is NOT the test user.

Thank you for your help!
Question by:aaronshaffer
 

Author Comment

by:aaronshaffer
Additional info: I can see in the Exchange 2007 Message Tracking tool that the message to the test user was received by the Exchange 2007 server. But then what? Where is it going and how do I fix it? The message is not found on the Exchange 2010 server Message Tracking tool.
0
 
LVL 1

Expert Comment

by:David_Blumberg
Usually the Barracuda spam filter sends all email to a specified server address that can be seen in the Barracuda web browser under Basic - IP Configuration. I am not sure how you would set up the Barracuda to deliver inbound out-of-network emails to multiple servers.
0
 
LVL 34

Expert Comment

by:Seth Simmons
the Barracuda delivery destination shouldn't matter (yet)
the fact that mail would be delivered to the 2007 server means the 2007 server should automatically pass it on to the 2010 server
before the 2007 server goes away you will need to change that to 2010 but the way it is now it should work
if Barracuda says the message was delivered, I would start looking at message tracking logs on the 2007 server - it should be there and show it was passed on to the 2010 server
0
 

Author Comment

by:aaronshaffer
Right. It is not passing it from the 2007 server to the 2010 server. How do I fix that?
0
 
LVL 1

Expert Comment

by:David_Blumberg
Do you see the messages in the queue viewer on 2007? If so, does it give any error message?
0
 

Author Comment

by:aaronshaffer
The messages to the test user are all sitting in a Queue on the 2007 server named "hub version 14". The error message listed is:

"451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed."
0
 
LVL 1

Expert Comment

by:David_Blumberg
0
 

Author Comment

by:aaronshaffer
Thank you for the link. I had come across that setting earlier though. "Exchange Server Authentication" is already checked on all Receive Connectors on both the 2007 server and the 2010 server.
0
 
LVL 1

Expert Comment

by:David_Blumberg
Can you let me know the IP range of the send/receive connectors on the Exchange machines and make sure there is no overlap?
0
 

Author Comment

by:aaronshaffer
Receive Connectors on Exchange 2007:
Client EX2007: 0.0.0.0-255.255.255.255
Default EX2007: 0.0.0.0-255.255.255.255

Receive Connectors on Exchange 2010:
Client EX2007: 0.0.0.0-255.255.255.255
Default EX2007: 0.0.0.0-255.255.255.255

Send Connectors: there is no IP range option

These are all default settings (I have not modified the ranges in any way)
0
 
LVL 1

Expert Comment

by:David_Blumberg
You cannot have overlap, and as above there is definitely overlap of IPs for the receive connectors.

Exchange 2010 Box
For the receive connector, for the local IP addresses to receive email, use the Exchange 2010 server IP
For the remote servers, have the IP address point to the 2007 server IP address

Exchange 2007 Box
For the receive connector, for the local IP addresses to receive email, use the Exchange 2007 server IP
For the remote servers, have the IP address use the internal subnet and make sure to exclude the 2010 Exchange server IP
0
 
LVL 19

Expert Comment

by:Adam Farage
What I normally do is create an Exchange server Receive connector during the migration so I know what I can blast away afterwards (also helps when troubleshooting).

Try running this on Exchange 2010:

# -Internal already selects the Internal usage type, so -Usage Internal is not repeated.
New-ReceiveConnector -Name "Exchange 2007 Receive Connector" -Internal -RemoteIPRanges "insert Exchange 2007 IP here"

Restart the Exchange Transport service and see if it works. You should see email flow through since the "internal" switch will allow Exchange server authentication by default, and only to your Exchange 2007 servers you listed in the RemoteIPRanges attribute.

You can do the reverse for Exchange 2007 to get 2010 > 2007 email working (which you should) if you notice this issue shows there also.
0
 

Author Comment

by:aaronshaffer
David can you provide some clarification? Two questions on what you stated:

1) You call the receive connectors "local" or "remote" but in Exchange they are labeled "Client" and "Default". Which one is local and which one is remote? I have a guess but I want to confirm before changing things.

2) Will I need to change this IP range configuration on the 2010 server again after I move all of the users to 2010 and decommission the 2007 server? If so, can I just go back to the default ranges at that point?
0
 
LVL 1

Expert Comment

by:David_Blumberg
On the 2010 machine I would have the receive connector receive email from the IP address of the 2007 machine and have Exchange Server authentication enabled.

On the 2007 machine I would have the receive connector receive mail from the local subnet minus the IP address of the 2010 machine and have Exchange Server authentication enabled in addition to the other authentication.

Once changed, restart the Exchange Transport service as Adam indicates.
0
 
LVL 19

Expert Comment

by:Adam Farage
The command above that I provided would perform this task. I actually ran into the *same exact issue* about six months ago on a 2007>2013 migration (and the Admin blew away all the default connectors to prevent "an open relay") and the most critical part of this would be the "Internal" permissions. This allows the header firewall to actually allow connections from Exchange but also broadcast the X-Verbs (such as shadow copy) to the connecting machine.
0
 
LVL 1

Expert Comment

by:David_Blumberg
I concur with Adam, but make sure you don't have the 2010 server IP address in the 2007 server receive range.
0
 

Author Comment

by:aaronshaffer
I understand what you guys are saying about the IP now, but I still have the same two questions:

1) There are two receive connectors on both 2007 and 2010. They are labeled "Client" and "Default". Which one are you calling "local" and which one is "remote"?

2) Will I need to change this IP range configuration on the 2010 server again after I move all of the users to 2010 and decommission the 2007 server? If so, can I just go back to the default ranges at that point?
0
 
LVL 1

Expert Comment

by:David_Blumberg
I just have one receive connector on each. If you have more than one, it might be due to relay or some other receive connector you had set up.

Once testing is done you just need to change the settings on the Barracuda to point to the Exchange 2010 box and move the range you have set up on the 2007 box to the 2010 box.
0
 

Author Comment

by:aaronshaffer
One of the receive connectors is set up for port 27, and one is for port 587. I don't know why there are two, maybe it is as a result of the Choicemail installation. What port would you normally see here, just 25?
0
 
LVL 1

Expert Comment

by:David_Blumberg
Usually just port 25
0
 
LVL 30

Accepted Solution

by:
Gareth Gudger earned 500 total points
Whoa. Hold the horses here.

Let's do a quick review.

First off. The scope in those receive connectors is perfectly fine. "Client" and "Default" are the default out-of-the-box Receive Connectors Exchange creates. You do not have to worry about any overlap from these because they operate on different TCP ports.

So what you have defined here.

 Client EX2007: 0.0.0.0-255.255.255.255
 Default EX2007: 0.0.0.0-255.255.255.255

 Client EX2010: 0.0.0.0-255.255.255.255
 Default EX2010: 0.0.0.0-255.255.255.255

Is perfectly fine.

When overlap becomes an issue is when you have created additional receive connectors for specialty relay that use a common TCP port (e.g. 25). For example, you want a network copier to perform scan-to-email.

I am assuming you have not gotten that far yet? And the only two Receive Connectors you have are still "Client" and "Default"? Please confirm.

I am a little concerned that this Choicemail has taken over port 25. That could be a problem. I am sure the software is designed to work that way. But for testing purposes can you remove Choicemail from Exchange 2010? And possibly even Exchange 2007.

I assume the future plan is for mail to flow directly to 2010. If that is the case make sure you check the "Anonymous" checkbox under the "Default" Receive Connector on Permissions.

Also, how are the Send Connectors configured on Exchange 2007? Any smart hosts in play?

You mentioned this message. Does it state what host it tried? Is it the IP of the 2010 box?
"451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed."
0
 

Author Closing Comment

by:aaronshaffer
Choicemail was definitely the problem. The way that it takes over port 25 and relays to port 27 seemed to be preventing the two Exchange Servers from communicating properly. After removing Choicemail from both servers and setting them back to port 25, everything started working immediately. You are correct on the IP ranges too, the default settings are just fine.
0
 
LVL 30

Expert Comment

by:Gareth Gudger
Awesome!
0
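
One way to check what is actually answering on port 25 of the receiving server, given the closing comment's finding that a third-party filter had taken over that port. This is an added example, not code from the thread; the host names and sample EHLO replies are constructed, and the two verbs checked (X-ANONYMOUSTLS, X-EXPS) are assumed to be the ones an Exchange 2007/2010 hub advertises when Exchange Server authentication is available.

```powershell
# Added example, not from the thread. Host names and sample replies are constructed.
# Assumption: an Exchange 2007/2010 hub offering Exchange Server authentication
# advertises these two verbs in its EHLO reply.
$RequiredVerbs = 'X-ANONYMOUSTLS', 'X-EXPS'

function Test-EhloReply {
    param([string[]]$Lines)
    # Capability lines look like "250-VERB args" (more follow) or "250 VERB" (last).
    $verbs = @(foreach ($l in $Lines) {
        if ($l -match '^250[- ](\S+)') { $matches[1].ToUpper() }
    })
    $missing = @($RequiredVerbs | Where-Object { $verbs -notcontains $_ })
    New-Object PSObject -Property @{
        Verbs             = $verbs
        Missing           = $missing
        ExchangeAuthReady = ($missing.Count -eq 0)
    }
}

function Get-EhloReply {
    param([string]$Server, [int]$Port = 25)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000   # fail instead of hanging on a silent listener
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        do { $line = $reader.ReadLine() } while ($line -match '^220-')   # banner
        $writer.WriteLine("EHLO $env:COMPUTERNAME")
        $reply = @()
        do { $line = $reader.ReadLine(); $reply += $line } while ($line -match '^250-')
        $writer.WriteLine('QUIT')
        $reply
    } finally { $client.Close() }
}

# Constructed sample: reply shaped like an Exchange hub's.
$hubReply = '250-EX2010.example.local Hello [10.0.0.5]', '250-SIZE', '250-STARTTLS',
    '250-X-ANONYMOUSTLS', '250-AUTH NTLM', '250-X-EXPS GSSAPI NTLM', '250 XRDST'
# Constructed sample: reply shaped like a filtering proxy's.
$proxyReply = '250-filter.example.local', '250-SIZE 10485760', '250 8BITMIME'

Test-EhloReply $hubReply   | Format-List ExchangeAuthReady, Missing
Test-EhloReply $proxyReply | Format-List ExchangeAuthReady, Missing

# Live check from the Exchange 2007 server (hypothetical host name):
# Test-EhloReply (Get-EhloReply -Server 'EX2010.example.local')
```

If the live check reports missing verbs while the receive connector has Exchange Server authentication enabled, the listener on that port is probably not the Exchange transport service.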
