Solved

Users migrated from Exchange 2007 datastore to 2010 datastore do not receive external email

Posted on 2014-11-06
Last Modified: 2014-11-10
We have a single Exchange 2007 server that runs our company email. I have deployed a new Exchange 2010 server, and the plan is to migrate all of the users to the 2010 server. I migrated one user from 2007 to 2010 for testing purposes. This 2010 test user:
- can receive internal email from people on the Exchange 2007 server - OK
- can send email to people on the Exchange 2007 server - OK
- can send email to people outside of our organization - OK
- BUT they do not receive any outside email

Additional info:
We have a Barracuda spam filter that receives all messages first. It blocks some and lets the others through. For this test user, the Barracuda filter IS receiving the messages and stating that they HAVE been delivered. However they never show up in the test user's inbox. I have no idea where they are going.

We also have Choicemail installed on both Exchange servers. The configuration from the 2007 server was duplicated on the 2010 server. Choicemail is configured to filter messages for only one specific user though, which is NOT the test user.

Thank you for your help!
0
Question by:aaronshaffer
23 Comments
 

Author Comment

by:aaronshaffer
ID: 40427133
Additional info: I can see in the Exchange 2007 Message Tracking tool that the message to the test user was received by the Exchange 2007 server. But then what? Where is it going and how do I fix it? The message is not found on the Exchange 2010 server Message Tracking tool.
0
 
LVL 1

Expert Comment

by:David_Blumberg
ID: 40427150
Usually the Barracuda spam filter sends all email to a specified server address that can be seen in the Barracuda web browser under Basic - IP Configuration. I am not sure how you would set up the Barracuda to deliver inbound out-of-network emails to multiple servers.
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40427170
the barracuda delivery destination shouldn't matter (yet)
the fact that mail would be delivered to the 2007 server means the 2007 server should automatically pass it on to the 2010 server
before the 2007 server goes away you will need to change that to 2010 but the way it is now it should work
if barracuda says the message was delivered, i would start looking at message tracking logs on the 2007 server - it should be there and show it was passed on to the 2010 server
0
 

Author Comment

by:aaronshaffer
ID: 40427171
Right. It is not passing it from the 2007 server to the 2010 server. How do I fix that?
0
 
LVL 1

Expert Comment

by:David_Blumberg
ID: 40427237
Do you see the messages in the queue viewer on 2007? If so, does it give any error message?
0
 

Author Comment

by:aaronshaffer
ID: 40427258
The messages to the test user are all sitting in a Queue on the 2007 server named "hub version 14". The error message listed is:

"451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed."
0
 
LVL 1

Expert Comment

by:David_Blumberg
ID: 40427262
0
 

Author Comment

by:aaronshaffer
ID: 40427274
Thank you for the link. I had come across that setting earlier though. "Exchange Server Authentication" is already checked on all Receive Connectors on both the 2007 server and the 2010 server.
0
 
LVL 1

Expert Comment

by:David_Blumberg
ID: 40427305
Can you let me know the IP range of the send/receive connectors on the exchange machines and make sure of no overlap.
0
 

Author Comment

by:aaronshaffer
ID: 40427312
Receive Connectors on Exchange 2007:
Client EX2007: 0.0.0.0-255.255.255.255
Default EX2007: 0.0.0.0-255.255.255.255

Receive Connectors on Exchange 2010:
Client EX2007: 0.0.0.0-255.255.255.255
Default EX2007: 0.0.0.0-255.255.255.255

Send Connectors: there is no IP range option

These are all default settings (I have not modified the ranges in any way)
0
 
LVL 1

Expert Comment

by:David_Blumberg
ID: 40427333
You cannot have overlap and as above there is definitely overlap of IPs for the receive connectors.

Exchange 2010 Box
For the receive connector for the local ip addresses to receive email use the exchange 2010 server ip
For the remote servers have the ip address point to the 2007 server ip address

Exchange 2007 Box
For the receive connector for the local ip addresses to receive email use the exchange 2007 server ip
For the remote servers have the ip address use the internal subnet and make sure to exclude the 2010 exchange server ip
0
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40427651
What I normally do is create an Exchange server Receive connector during the migration so I know what I can blast away afterwards (also helps when troubleshooting).

Try running this on Exchange 2010:

New-ReceiveConnector -Name "Exchange 2007 Receive Connector" -Internal -RemoteIPRanges "insert Exchange 2007 IP here"

Restart the Exchange Transport service and see if it works. You should see email flow through since the "internal" switch will allow Exchange server authentication by default, and only to your Exchange 2007 servers you listed in the RemoteIPRanges attribute.

You can do the reverse for Exchange 2007 to get 2010 > 2007 email working (which you should) if you notice this issue shows there also.
0
 

Author Comment

by:aaronshaffer
ID: 40428307
David can you provide some clarification? Two questions on what you stated:

1) You call the receive connectors "local" or "remote" but in Exchange they are labeled "Client" and "Default". Which one is local and which one is remote? I have a guess but I want to confirm before changing things.

2) Will I need to change this IP range configuration on the 2010 server again after I move all of the users to 2010 and decommission the 2007 server? If so, can I just go back to the default ranges at that point?
0
 
LVL 1

Expert Comment

by:David_Blumberg
ID: 40428955
On the 2010 machine I would have the receive connector receive email from ip address of the 2007 machine and have enabled exchange server authentication

On the 2007 machine I would have the receive connector receive mail from the local subnet minus the ip address of the 2010 machine and have enabled exchange server authentication in addition to the other authentication

Once changed restart the Exchange Transport service as Adam indicates.
0
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40428961
The command above that I provided would perform this task. I actually ran into the *same exact issue* about six months ago on a 2007>2013 migration (and the Admin blew away all the default connectors to prevent "an open relay") and the most critical part of this would be the "Internal" permissions. This allows the header firewall to actually allow connections from Exchange but also broadcast the X-Verbs (such as shadow copy) to the connecting machine.
0
 
LVL 1

Expert Comment

by:David_Blumberg
ID: 40428968
I concur with Adam but make sure you don't have the 2010 server ip address in the 2007 server receive range.
0
 

Author Comment

by:aaronshaffer
ID: 40429202
I understand what you guys are saying about the IP now, but I still have the same two questions:

1) There are two receive connectors on both 2007 and 2010. They are labeled "Client" and "Default". Which one are you calling "local" and which one is "remote"?

2) Will I need to change this IP range configuration on the 2010 server again after I move all of the users to 2010 and decommission the 2007 server? If so, can I just go back to the default ranges at that point?
0
 
LVL 1

Expert Comment

by:David_Blumberg
ID: 40429300
I just have one receive connector on each; if you have more than one it might be due to relay or some other receive connector you had set up.

Once testing is done you just need to change the settings on the Barracuda to point to the Exchange 2010 box and move the range you have set up on the 2007 box to the 2010 box.
0
 

Author Comment

by:aaronshaffer
ID: 40429313
One of the receive connectors is set up for port 27, and one is for port 587. I don't know why there are two, maybe it is as a result of the Choicemail installation. What port would you normally see here, just 25?
0
 
LVL 1

Expert Comment

by:David_Blumberg
ID: 40429329
Usually just port 25
0
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40430901
Whoa. Hold the horses here.

Let's do a quick review.

First off. The scope in those receive connectors is perfectly fine. "Client" and "Default" are the default out-of-the-box Receive Connectors Exchange creates. You do not have to worry about any overlap from these because they operate on different TCP ports.

So what you have defined here.

 Client EX2007: 0.0.0.0-255.255.255.255
 Default EX2007: 0.0.0.0-255.255.255.255

 Client EX2010: 0.0.0.0-255.255.255.255
 Default EX2010: 0.0.0.0-255.255.255.255

Is perfectly fine.

When overlap becomes an issue is when you have created additional receive connectors for specialty relay that use a common TCP port (e.g. 25). For example, you want a network copier to perform scan-to-email.

I am assuming you have not gotten that far yet? And the only two Receive Connectors you have are still "Client" and "Default"? Please confirm.

I am a little concerned that this Choicemail has taken over port 25. That could be a problem. I am sure the software is designed to work that way. But for testing purposes can you remove Choicemail from Exchange 2010? And possibly even Exchange 2007.

I assume the future plan is for mail to flow directly to 2010. If that is the case make sure you check the "Anonymous" checkbox under the "Default" Receive Connector on Permissions.

Also, how are the Send Connectors configured on Exchange 2007? Any smart hosts in play?

You mentioned this message. Does it state what host it tried? Is it the IP of the 2010 box?
"451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed."
0
 

Author Closing Comment

by:aaronshaffer
ID: 40432976
Choicemail was definitely the problem. The way that it takes over port 25 and relays to port 27 seemed to be preventing the two Exchange Servers from communicating properly. After removing Choicemail from both servers and setting them back to port 25, everything started working immediately. You are correct on the IP ranges too, the default settings are just fine.
0
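
Added example (not part of the thread and not code from any participant): a PowerShell probe, run from the Exchange 2007 server, that connects to a receive port on the 2010 server and reports whether the EHLO reply advertises the X-ANONYMOUSTLS and X-EXPS verbs that Exchange servers use to authenticate to each other. When a filter answering on port 25 sits in front of Exchange transport, those verbs are typically absent, which is consistent with the "451 5.7.3 Cannot achieve Exchange Server authentication" error quoted above. The host name is a placeholder, and the verb names are an assumption about a default Exchange hub transport configuration.

```powershell
# Added example; $TargetHost is a placeholder for the Exchange 2010 server.
param(
    [string]$TargetHost = 'ex2010.example.local',
    [int]$Port = 25
)

# Read one SMTP reply; "NNN-" lines continue, "NNN " ends it.
function Read-SmtpReply($Reader) {
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($line -eq $null) { break }
        $lines += $line
    } while ($line -match '^\d{3}-')
    return ,$lines
}

function Get-SmtpEhlo([string]$Server, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000              # ms; fail instead of hanging
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true
        $banner = Read-SmtpReply $reader         # 220 greeting
        $writer.WriteLine("EHLO $env:COMPUTERNAME")
        $ehlo = Read-SmtpReply $reader
        $writer.WriteLine('QUIT')
        New-Object PSObject -Property @{ Banner = $banner; Ehlo = $ehlo }
    } finally {
        $client.Close()
    }
}

$reply = Get-SmtpEhlo $TargetHost $Port
# Keep only the keyword of each "250-KEYWORD args" line.
$verbs = @($reply.Ehlo | ForEach-Object { ($_ -replace '^250[- ]', '').Split(' ')[0].ToUpper() })
$missing = @('X-ANONYMOUSTLS', 'X-EXPS' | Where-Object { $verbs -notcontains $_ })

"Banner : $($reply.Banner -join ' | ')"
"Verbs  : $($verbs -join ', ')"
if ($missing.Count -eq 0) {
    "OK: ${TargetHost}:$Port advertises the Exchange server-authentication verbs."
} else {
    "WARNING: missing $($missing -join ', '). Something other than Exchange transport may be answering on port $Port."
}
```

Running it once against port 25 and once against the relocated port shows which listener is actually Exchange transport; the banner line also tends to identify the product that answered.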
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40434065
Awesome!
0
