AaronSSH

asked on

Users migrated from Exchange 2007 datastore to 2010 datastore do not receive external email

We have a single Exchange 2007 server that runs our company email. I have deployed a new Exchange 2010 server, and the plan is to migrate all of the users to the 2010 server. I migrated one user from 2007 to 2010 for testing purposes. This 2010 test user:
- can receive internal email from people on the Exchange 2007 server - OK
- can send email to people on the Exchange 2007 server - OK
- can send email to people outside of our organization - OK
- BUT they do not receive any outside email

Additional info:
We have a Barracuda spam filter that receives all messages first. It blocks some and lets the others through. For this test user, the Barracuda filter IS receiving the messages and stating that they HAVE been delivered. However, they never show up in the test user's inbox. I have no idea where they are going.

We also have Choicemail installed on both Exchange servers. The configuration from the 2007 server was duplicated on the 2010 server. Choicemail is configured to filter messages for only one specific user though, which is NOT the test user.

Thank you for your help!
AaronSSH

ASKER

Additional info: I can see in the Exchange 2007 Message Tracking tool that the message to the test user was received by the Exchange 2007 server. But then what? Where is it going and how do I fix it? The message is not found on the Exchange 2010 server Message Tracking tool.
David_Blumberg

Usually the Barracuda spam filter sends all email to a specified server address that can be seen in the Barracuda web browser under Basic - IP Configuration. I am not sure how you would set up the Barracuda to deliver inbound out-of-network emails to multiple servers.
Seth Simmons
The Barracuda delivery destination shouldn't matter (yet).
The fact that mail would be delivered to the 2007 server means the 2007 server should automatically pass it on to the 2010 server.
Before the 2007 server goes away you will need to change that to 2010, but the way it is now it should work.
If Barracuda says the message was delivered, I would start looking at message tracking logs on the 2007 server - it should be there and show it was passed on to the 2010 server.
Right. It is not passing it from the 2007 server to the 2010 server. How do I fix that?
Do you see the messages in the queue viewer on 2007? If so, does it give any error message?
The messages to the test user are all sitting in a Queue on the 2007 server named "hub version 14". The error message listed is:

"451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed."
Thank you for the link. I had come across that setting earlier though. "Exchange Server Authentication" is already checked on all Receive Connectors on both the 2007 server and the 2010 server.
Can you let me know the IP range of the send/receive connectors on the Exchange machines and make sure of no overlap?
Receive Connectors on Exchange 2007:
Client EX2007: 0.0.0.0-255.255.255.255
Default EX2007: 0.0.0.0-255.255.255.255

Receive Connectors on Exchange 2010:
Client EX2007: 0.0.0.0-255.255.255.255
Default EX2007: 0.0.0.0-255.255.255.255

Send Connectors: there is no IP range option

These are all default settings (I have not modified the ranges in any way)
You cannot have overlap, and as above there is definitely overlap of IPs for the receive connectors.

Exchange 2010 Box
For the receive connector, for the local IP addresses to receive email, use the Exchange 2010 server IP.
For the remote servers, have the IP address point to the 2007 server IP address.

Exchange 2007 Box
For the receive connector, for the local IP addresses to receive email, use the Exchange 2007 server IP.
For the remote servers, have the IP address use the internal subnet and make sure to exclude the 2010 Exchange server IP.
What I normally do is create an Exchange server Receive connector during the migration so I know what I can blast away afterwards (also helps when troubleshooting).

Try running this on Exchange 2010:

New-ReceiveConnector -Name "Exchange 2007 Receive Connector" -Internal -RemoteIPRanges "insert Exchange 2007 IP here" -Usage Internal


Restart the Exchange Transport service and see if it works. You should see email flow through since the "internal" switch will allow Exchange server authentication by default, and only to your Exchange 2007 servers you listed in the RemoteIPRanges attribute.

You can do the reverse for Exchange 2007 to get 2010 > 2007 email working (which you should) if you notice this issue shows there also.
David can you provide some clarification? Two questions on what you stated:

1) You call the receive connectors "local" or "remote" but in Exchange they are labeled "Client" and "Default". Which one is local and which one is remote? I have a guess but I want to confirm before changing things.

2) Will I need to change this IP range configuration on the 2010 server again after I move all of the users to 2010 and decommission the 2007 server? If so, can I just go back to the default ranges at that point?
On the 2010 machine I would have the receive connector receive email from the IP address of the 2007 machine and have Exchange Server authentication enabled.

On the 2007 machine I would have the receive connector receive mail from the local subnet minus the IP address of the 2010 machine and have Exchange Server authentication enabled in addition to the other authentication.

Once changed restart the Exchange Transport service as Adam indicates.
The command above that I provided would perform this task. I actually ran into the *same exact issue* about six months ago on a 2007>2013 migration (and the Admin blew away all the default connectors to prevent "an open relay") and the most critical part of this would be the "Internal" permissions. This allows the header firewall to actually allow connections from Exchange but also broadcast the X-Verbs (such as shadow copy) to the connecting machine.
I concur with Adam, but make sure you don't have the 2010 server IP address in the 2007 server receive range.
I understand what you guys are saying about the IP now, but I still have the same two questions:

1) There are two receive connectors on both 2007 and 2010. They are labeled "Client" and "Default". Which one are you calling "local" and which one is "remote"?

2) Will I need to change this IP range configuration on the 2010 server again after I move all of the users to 2010 and decommission the 2007 server? If so, can I just go back to the default ranges at that point?
I just have one receive connector on each; if you have more than one it might be due to relay or some other receive connector you had set up.

Once testing is done you just need to change the settings on the Barracuda to point to the Exchange 2010 box and move the range you have set up on the 2007 box to the 2010 box.
One of the receive connectors is set up for port 27, and one is for port 587. I don't know why there are two, maybe it is as a result of the Choicemail installation. What port would you normally see here, just 25?
Usually just port 25
ASKER CERTIFIED SOLUTION
Gareth Gudger

This solution is only available to members.
Choicemail was definitely the problem. The way that it takes over port 25 and relays to port 27 seemed to be preventing the two Exchange Servers from communicating properly. After removing Choicemail from both servers and setting them back to port 25, everything started working immediately. You are correct on the IP ranges too, the default settings are just fine.
Awesome!
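
The checks this thread worked through, collected as an added example that is not part of any poster's reply: it lists each Receive connector's bound ports and whether Exchange Server authentication is offered, shows which process owns the TCP 25 listener, and prints queues that hold mail with an error. It assumes the Exchange Management Shell with PowerShell 2.0 or later on the Hub Transport server, and that the transport service runs as EdgeTransport.exe.

```powershell
# Added example. Run in the Exchange Management Shell on each Hub Transport server.

# 1. Receive connectors: bound ports, accepted remote ranges, and whether
#    Exchange Server authentication is offered. Hub-to-hub SMTP expects port 25;
#    in this thread the connectors had ended up on ports 27 and 587.
Get-ReceiveConnector | Select-Object Identity,
    @{Name = 'Ports'; Expression = {
        [string]::Join(',', @($_.Bindings | ForEach-Object { $_.ToString().Split(':')[-1] }))
    }},
    @{Name = 'RemoteIPRanges'; Expression = {
        [string]::Join(', ', @($_.RemoteIPRanges | ForEach-Object { $_.ToString() }))
    }},
    @{Name = 'ExchangeServerAuth'; Expression = {
        $_.AuthMechanism.ToString() -match 'ExchangeServer'
    }} | Format-Table -AutoSize

# 2. Which process owns the TCP 25 listener? If the PID is not the transport
#    service, another product (a mail filter, for example) sits in front of Exchange.
$transportPids = @(Get-Process -Name EdgeTransport -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Id })

netstat -ano | Select-String -Pattern ':25\s+\S+\s+LISTENING\s+(\d+)' | ForEach-Object {
    $listenerPid = [int]$_.Matches[0].Groups[1].Value
    New-Object PSObject -Property @{
        ListenerPid         = $listenerPid
        Process             = (Get-Process -Id $listenerPid).ProcessName
        IsExchangeTransport = ($transportPids -contains $listenerPid)
    }
} | Sort-Object ListenerPid -Unique | Format-Table -AutoSize

# 3. Queues holding mail with an error, such as the "hub version 14" queue and
#    its "451 5.7.3 Cannot achieve Exchange Server authentication" message.
Get-Queue | Where-Object { $_.MessageCount -gt 0 -and $_.LastError } |
    Format-List Identity, NextHopDomain, Status, MessageCount, LastError
```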