Solved

Two 2010 Exchange servers -- error message

Posted on 2015-01-05
Last Modified: 2015-01-07
Hi,
In my Queue Viewer, I see the following error next to  a queue called "hub version 14":

451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

My two servers are
Mail 1 and Mail2

If I am on Mail 1 and I do "Telnet localhost 25" then ehlo, I get a set of SMTP verbs.
If I am on Mail 1 and I do a "Telnet Mail 2 25"  then ehlo, I get a set of SMTP verbs but not all of the ones I got when I tried the localhost telnet.
Please see screen shots for two different lists.
Is this normal or does this show that my firewall is blocking some traffic and causing my initial error above?
telnetLocalHost.jpg
telnetMail2.jpg
0
Question by:nachtmsk
14 Comments
 
LVL 14

Expert Comment

by:Ben Hart
ID: 40531561
Have you verified service status on both servers?  Have there been any changes made to receive connectors?  If so was the transport service bounced afterwards?

Have a look here:
http://www.petenetlive.com/KB/Article/0000791.htm
0
 
LVL 14

Expert Comment

by:Ben Hart
ID: 40531562
Actually that link above.. the section on ESMTP Inspection on Cisco ASA's sounds like your issue.
0
 

Author Comment

by:nachtmsk
ID: 40531573
Hi Ben,
No changes made to Connectors.
Yeah, I saw that petenetlive.com article. I asked Rackspace about it but they said it wasn't the cause.

Not sure what you mean by 'verified service status'.
Thanks
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40531580
This issue usually happens when authentication has been modified in the receive connectors on your Exchange servers. Check to ensure that authentication is correct. Also, what SP version and RU are you on?

You can also reference this technet which outlines some steps you can take to correct your issue.
Email Messages stuck in Queue

Will.
0
 

Author Comment

by:nachtmsk
ID: 40531607
Will,
I'm on SP3. Not sure how to tell what RU it is.
I'll look at the link you sent.
When you say "check that authentication is correct", not sure how to go about that or what you mean exactly.

Thanks
0
 

Author Comment

by:nachtmsk
ID: 40531611
Will,
OK, I looked at that article and it suggested something I have been suspecting:

"Note If there is a firewall located between the two servers, the Extended SMTP verbs X-ANONYMOUSTLS, X-EXPS, and GSSAPI must be able to pass."

But is it talking about two exchange servers on the same domain or is it talking about two totally different exchange servers (run by different organizations) -- or both?

Thanks,
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40531618
The RU version is visible in Programs and Features under Updates. Also for authentication/permissions you can find this on the properties of each receive connector (authentication tab and permission groups tab).

Will.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40531643
If you look at your second screenshot, X-EXPS and GSSAPI are not present, which is the issue. They are, however, present on the first screenshot.

"But is it talking about two exchange servers on the same domain or is it talking about two totally different exchange servers (run by different organizations) -- or both"

This is to allow internal routing to other Exchange servers.

Will.
0
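Added example, not part of the thread: a Python sketch that automates the comparison made above by eye, diffing two EHLO replies and reporting which of the verbs named in the quoted TechNet note are absent. The replies are constructed samples rather than the poster's screenshots, and the masked case assumes an inspecting device that overwrites verbs it does not allow with X characters.

```python
import re

# Verbs the TechNet note quoted in this thread says must pass between the servers.
REQUIRED = ("X-ANONYMOUSTLS", "X-EXPS", "GSSAPI")

# Constructed EHLO replies (not the thread's screenshots), trimmed to a few verbs.
LOCAL = """250-mail1.example.local Hello [127.0.0.1]
250-SIZE
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250 8BITMIME"""
# Case 1: the connector on the far side does not offer Exchange Server authentication.
REMOTE_NO_AUTH = """250-mail2.example.local Hello [10.0.0.10]
250-SIZE
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250 8BITMIME"""
# Case 2 (assumed behaviour): an inspecting device overwrote verbs with X's.
REMOTE_MASKED = """250-mail2.example.local Hello [10.0.0.10]
250-SIZE
250-STARTTLS
250-XXXXXXXXXXXXXX
250-AUTH NTLM
250-XXXXXXXXXXXXXXXXXX
250 8BITMIME"""

def parse_ehlo(reply):
    """Map each advertised keyword to its parameters, skipping the greeting line."""
    hits = (re.match(r"250[- ](\S+)(.*)$", ln.strip()) for ln in reply.splitlines())
    found = [m for m in hits if m]
    return {m.group(1).upper(): m.group(2).upper().split() for m in found[1:]}

def advertised(verbs):
    """Keywords plus parameters, so 'X-EXPS GSSAPI NTLM' also yields GSSAPI."""
    return set(verbs).union(*verbs.values())

def compare(local_reply, remote_reply):
    local, remote = parse_ehlo(local_reply), parse_ehlo(remote_reply)
    seen = advertised(remote)
    return {
        "missing_required": [v for v in REQUIRED if v not in seen],
        "only_local": sorted(advertised(local) - seen),
        # Keywords made only of X's point at rewriting in transit, not the connector.
        "masked": sorted(k for k in remote if re.fullmatch(r"X{4,}", k)),
    }
```

An empty `masked` list with verbs missing points at the receive connector's authentication settings; a non-empty one points at something between the two servers.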
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40531646
Did you recently do an Exchange 2003 migration to 2010?
0
 

Author Comment

by:nachtmsk
ID: 40531696
Will,

I upgraded from Exchange 2003 but that was a few years ago. The servers have been running fine ever since with the occasional issue.
This issue just came up and I had changed nothing on the servers. That's why I've been looking at other possibilities that might be causing the problem.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40531712
Have you checked both Exchange servers to ensure that authentication methods are the same? Based on the screenshot they are not. Please check this.

In the Exchange console under server configuration:
   select hub transport.
   Right click  the client server and select properties.
   Select the authentication tab

Ensure that both servers are set correctly.

Will.
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40531831
On the server that is not showing X-EXPS and GSSAPI, make sure that the Default Receive Connector has Exchange Server Authentication checked off. Then restart the Exchange Services.

Will.
0
 
LVL 14

Expert Comment

by:Ben Hart
ID: 40532120
I do not know if the extended SMTP verbs with the Cisco ASA platforms are solely on inter-domain exchange servers or not.  But we ran into that exact issue here when we migrated to 2010 from 2003.

It's an easy and relevant thing to inquire about.
0
 

Author Comment

by:nachtmsk
ID: 40533910
Ok, I think this is solved.
I created two new Receive connectors, one on each box. I configured them to only listen to each other.
I have a few other receive connectors on each box, but I was afraid to touch them; I didn't want to break anything. Someone told me that Exchange will use the most restrictive connector first, so I created these two new connectors with strong restrictions.
It's a production environment so I don't want to muck around too much. Some of my receive connectors have "Exchange Server Auth" turned on and some of them have it turned off. These two new connectors both have it turned on.
Thanks for all of the help and suggestions.
0
