Tuesday, June 18, 2013

Exchange Authentication Error

I'm just performing a migration from Exchange 2007 to Exchange 2013. After installing Exchange 2013 and configuring the certificates, my next step was to verify mail flow between the two systems. Mail flow from Exchange 2007 to Exchange 2013 was fine. However, mail flow from Exchange 2013 to Exchange 2007 was failing.

In the Queue Viewer on the Exchange 2013 server I could see the following message:
451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.
This message indicates that Exchange Server authentication is failing before the message is sent. This can happen because of the following reasons:
  1. A firewall between the servers strips out extended SMTP verbs that are required for Exchange Server authentication. Specifically the following SMTP verbs must be allowed: X-ANONYMOUSTLS, X-EXPS, and GSSAPI. In most cases, this is not an issue on internal networks.
  2. Exchange Authentication is not enabled on the receive connector being used. This is most likely.
In my case, the receiving server had two receive connectors listening on port 25:
  • Default ServerName
  • Anonymous Relay for internal devices
When I reviewed the configuration of these connectors, the Default connector had Exchange Server authentication enabled. The Anonymous Relay connector did not have Exchange Server authentication enabled.

This made me suspect that the Anonymous Relay connector was being used instead of the Default connector. To confirm this I looked in the SMTP Receive protocol log in C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive. Searching the most recent log for the IP address of the Exchange 2013 server showed that the Anonymous Relay connector was being used.

I then looked in the configuration of the Anonymous Relay connector on the Network tab. There were a large number of remote IP addresses listed as allowed to use the Anonymous Relay connector (probably more than there should be, but that's an issue for another day). The entire subnet that the Exchange 2013 was located on was listed.

Exchange Server chooses a receive connector to use based on how specific the remote IP addresses listed in the connector are. The subnet listed in the Anonymous Relay connector was more specific that the listed in the Default connector. Therefore the Anonymous Relay connector was being used.

To fix this problem, I added the individual IP addresses of the Exchange 2013 servers to the Default connector on the Exchange 2007 server. This was then more specific than the subnet in the Anonymous Relay connector. After this was complete, the Default connector was used.

No comments:

Post a Comment