stevebootes asked:
Exchange 2016 migration - TLS issue preventing mail flow from old to new server

Hi Experts,

I'm in the process of migrating from Exchange 2010 on SBS 2011 to standalone Exchange Server 2016 on Windows Server 2016.
I'm having problems with mail flow from the old Exchange 2010 Server to the new Exchange 2016 Server.  This is what I've got so far:
  • Exchange 2010 users send and receive to the Internet ok
  • Exchange 2010 users send to internal recipients within Exchange 2010 ok
  • Exchange 2016 users send to recipients within Exchange 2010 ok
  • Exchange 2016 users send to recipients on the Internet ok
  • Exchange 2010 users cannot send to Exchange 2016 users (mail sits in queue)
  • Exchange 2016 users cannot receive from Internet

Any mail sent from a mailbox on Ex2010 to Ex2016 sits in a queue named "hub version 15" with a status of Active. If you suspend the queue you may see an error message, but I can't make it do it now... it normally just sits on Active.

I've attached the logs from the SMTP Receive connector on Exchange 2016 which report "TLS negotiation failed with error TimedOut" so I can at least see it's something related to SSL, but I'm a little stumped where to go from here.

As an aid to debugging the attached logfile:
Exchange 2010 Server = SBS2000.somedomain.local, 192.168.16.2
Exchange 2016 Server = SRV-MAIL1.somedomain.local, 192.168.16.9

Thanks
Attachment: Ex2016_FrontEnd_Protocol_Log.txt
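The attached log is an Exchange SMTP Receive protocol log, which is CSV with a fixed column set. As an added example (not from the thread or from Exchange itself), here is a small parser that summarises, per remote IP, how many sessions failed in the TLS handshake and how many messages were accepted; it runs over constructed sample lines that mirror the thread's hosts (SBS2000 = 192.168.16.2, SRV-MAIL1 = 192.168.16.9) with made-up session ids and timestamps.

```python
"""Summarise TLS failures in an Exchange 2016 SMTP Receive protocol log (CSV).
Columns: date-time,connector-id,session-id,sequence-number,local-endpoint,
remote-endpoint,event,data,context. Events: + connect, - disconnect,
> sent by server, < received from peer, * informational."""
import csv
import io

FIELDS = ["date_time", "connector_id", "session_id", "sequence_number",
          "local_endpoint", "remote_endpoint", "event", "data", "context"]

# Constructed sample modelled on the thread's setup; session ids, ports and
# timestamps are invented. Two Exchange-to-Exchange sessions time out in the
# handshake; the third is the plain telnet test, which is accepted.
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2017-10-18T05:57:10.101Z,SRV-MAIL1\Default Frontend SRV-MAIL1,08D516A1,0,192.168.16.9:25,192.168.16.2:50112,+,,
2017-10-18T05:57:10.102Z,SRV-MAIL1\Default Frontend SRV-MAIL1,08D516A1,1,192.168.16.9:25,192.168.16.2:50112,<,EHLO SBS2000.somedomain.local,
2017-10-18T05:57:10.103Z,SRV-MAIL1\Default Frontend SRV-MAIL1,08D516A1,2,192.168.16.9:25,192.168.16.2:50112,<,X-ANONYMOUSTLS,
2017-10-18T05:57:40.105Z,SRV-MAIL1\Default Frontend SRV-MAIL1,08D516A1,3,192.168.16.9:25,192.168.16.2:50112,*,,TLS negotiation failed with error TimedOut
2017-10-18T06:01:02.200Z,SRV-MAIL1\Default Frontend SRV-MAIL1,08D516B7,0,192.168.16.9:25,192.168.16.2:50140,+,,
2017-10-18T06:01:32.210Z,SRV-MAIL1\Default Frontend SRV-MAIL1,08D516B7,3,192.168.16.9:25,192.168.16.2:50140,*,,TLS negotiation failed with error TimedOut
2017-10-18T06:57:56.000Z,SRV-MAIL1\Default Frontend SRV-MAIL1,08D516C9,0,192.168.16.9:25,192.168.16.2:50233,+,,
2017-10-18T06:58:30.000Z,SRV-MAIL1\Default Frontend SRV-MAIL1,08D516C9,9,192.168.16.9:25,192.168.16.2:50233,>,250 2.6.0 <msgid@SRV-MAIL1.somedomain.local> Queued mail for delivery,
"""

def parse_protocol_log(text):
    """Return one dict per event line; '#' header lines and blanks are skipped."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        row = (row + [""] * len(FIELDS))[:len(FIELDS)]  # tolerate short/long lines
        rows.append(dict(zip(FIELDS, row)))
    return rows

def summarize_by_peer(rows):
    """Per remote IP: session ids seen, sessions whose TLS handshake failed (with
    the logged error text) and messages the server accepted (a '250 2.6.0' reply).
    Failures with no accepted mail from the same peer point at the handshake
    rather than at the connector's permission groups."""
    stats = {}
    for r in rows:
        ip = r["remote_endpoint"].rsplit(":", 1)[0]
        s = stats.setdefault(ip, {"sessions": set(), "tls_failures": {}, "accepted": 0})
        s["sessions"].add(r["session_id"])
        note = r["context"] or r["data"]
        if r["event"] == "*" and note.startswith("TLS negotiation failed"):
            s["tls_failures"][r["session_id"]] = note
        elif r["event"] == ">" and r["data"].startswith("250 2.6.0"):
            s["accepted"] += 1
    return stats
```

On a real log, read the file with `open(path, encoding="utf-8")` and pass its contents to `parse_protocol_log`; the summary for 192.168.16.2 then shows whether every Exchange-to-Exchange session dies in the handshake while the unencrypted telnet test is accepted.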
Amit:
Looks like certificate permission issue. Are you using .local domain?
Hi Steve,

Which error do you have in the toolbox?

Or when you run the following command get-queue... which error do you have?

Regards
Valentina
stevebootes (asker):
@Amit: Yes, it's a .local domain.

@Valentina Perez:
Ah, it's reporting the error now.
451 4.4.0 Primary target IP address responded with: "421 4.4.2 Connection dropped due to SocketError." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.
Hi Steve,

Do you have antispam in both exchange?

Try to disable it for a moment to test if it works without antispam.

Regards
Valentina
@Valentina Perez:
Disabled on Exchange 2010, default settings (so I guess Enabled) on Exchange 2016.
Would it make any difference though, since the point of failure seems to be TLS negotiation BEFORE the message is sent, so there isn't any content to filter at that point?
But I'll try turning it off anyway.
Hi Steve,

It should not affect it... but to be sure, normally it is easy to disable and run the test.

When you run: Get-TransportAgent

What result do you have?

Regards
Valentina
Ex2016 Content Filter disabled = No Effect

Get-TransportAgent:
Identity                                           Enabled         Priority
--------                                           -------         --------
Transport Rule Agent                               True            1
DLP Policy Agent                                   True            2
Retention Policy Agent                             True            3
Supervisory Review Agent                           True            4
Malware Agent                                      True            5
Text Messaging Routing Agent                       True            6
Text Messaging Delivery Agent                      True            7
System Probe Drop Smtp Agent                       True            8
System Probe Drop Routing Agent                    True            9
Hi Steve,

Exchange 2016 users cannot receive from Internet

When users send to a user in Exchange 2016, which NDR do they receive?

Regards
Valentina
Delivery has failed to these recipients or groups:
Exchange 2016 (Exchange2016@somedomain.com)
The server has tried to deliver this message, without success, and has stopped trying. Please try sending this message again. If the problem continues, contact your helpdesk.

(eventually, after the message times out in the "hub version 15" delivery queue)
Try this:
Telnet to the 2016 server from the SBS server; once telnet connects, send mail using telnet... share the result.
Telnet results:

220 SRV-MAIL1.somedomain.local Microsoft ESMTP MAIL Service ready at Wed, 18 Oct 2017 06:57:56 +0100
EHLO sbs2000.somedomain.local
250-SRV-MAIL1.somedomain.local Hello [192.168.16.2]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250 XRDST
MAIL FROM: <administrator@somedomain.com>
250 2.1.0 Sender OK
RCPT TO: <exchange2016@somedomain.com>
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
Subject: test
testing email delivery
.
250 2.6.0 <f6727c50-6a12-44d4-aacc-aebb7ea72614@SRV-MAIL1.somedomain.local> [InternalId=2203318222849, Hostname=SRV-MAIL1.somedomain.local] 1787 bytes in 0.479, 3.638 KB/sec Queued mail for delivery
quit
221 2.0.0 Service closing transmission channel

Message received in Exchange 2016 mailbox ok (checked using OWA) (but this wasn't using TLS of course).
How did you purchase the .local cert?
Self-signed .local certificates (created by Exchange installation itself) on both servers.  Each server also has a GlobalSign SSL certificate installed for the external domain (the same certificate on each server, since 2016 is replacing 2010).
Drew Morrigan:
Aside from our E2010 server running 2008 R2 instead of SBS2011, this is the exact same problem we are seeing.

Have you been able to figure it out?
ASKER CERTIFIED SOLUTION (stevebootes)
This solution is only available to members.