Jude's Blog


Field Report: Cisco and Exchange woes. 451 5.7.3 Cannot achieve Exchange Server authentication. Telnet fails with 200*****


So this was a strange case that I came across. Here’s my setup.

[Image: environment diagram]

In this scenario, strangely, mail was getting queued in our Exchange 2013 environment, which is bound to Exchange 2010 mailboxes. From the error notification, we identified the error below.

451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

Additionally, when we telnetted from the Server B range to the Server A range on port 25, we noticed that we were not getting the expected banner.

Also, the EHLO command fails with 500 5.3.3 Unrecognized command.

If I telnet to the relevant server from the same subnet, I get the correct HELO banner and the EHLO reply.

If you are getting the above error, it could be due to one of two reasons.

  1. The sending Exchange Server does not have authentication permission on the receiving Exchange Server(s).
    If this is the case, the Exchange server we cannot send email to doesn’t have Exchange Server authentication enabled. Because of this, when the sending Exchange server tries to authenticate against the receiving server, it fails. To resolve this, we need to enable Exchange Server authentication on the receiving server’s receive connector.

    1. Log in to the Exchange Hub Transport Server that you can’t send mail to.
    2. In the Exchange Management Console, expand Server Configuration in the console tree, and select Hub Transport.
    3. In the work pane, select the Receive Connectors tab.
    4. Double-click the Default Receive connector.
    5. Ensure that the Exchange Server authentication option is selected.
    6. Click OK to save.
    7. Restart the Microsoft Exchange Transport Service.
  2. There could be a Cisco firewall sitting between the Exchange Servers.
    This could be a tricky situation. If you have placed a firewall between the servers for whatever reason, and your firewall is a Cisco FWSM, Cisco PIX or Cisco ASA, then the Mailguard feature might be the cause. (In my case, this was the culprit.)
    If this is your issue, you need to disable ESMTP inspection. Microsoft has a KB article that you can check out so the network team can set it up accordingly.

    https://support.microsoft.com/en-us/kb/320027
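
The telnet checks above can be turned into a small classifier that maps a captured port 25 session to one of the two causes. This is an added example, not part of the original post. It assumes that a receive connector with Exchange Server authentication enabled advertises X-EXPS or X-ANONYMOUSTLS in its EHLO reply; the host names, addresses and sample sessions are constructed.

```python
import re

# EHLO keywords assumed to be advertised by a receive connector that has
# Exchange Server authentication enabled (assumption, not from the post).
EXCHANGE_AUTH_KEYWORDS = ("X-EXPS", "X-ANONYMOUSTLS")

def banner_is_masked(banner: str) -> bool:
    """True when the text after the reply code is mostly '*' characters."""
    m = re.match(r"^\d{3}[ -]?(.*)$", banner.strip())
    text = m.group(1) if m else banner.strip()
    return len(text) >= 4 and text.count("*") / len(text) > 0.5

def ehlo_keywords(ehlo_reply: str) -> set:
    """Extract extension keywords from a multi-line 250 EHLO reply."""
    keywords = set()
    for line in ehlo_reply.splitlines()[1:]:   # first line is the greeting
        m = re.match(r"^250[ -](\S+)", line.strip())
        if m:
            keywords.add(m.group(1).upper())
    return keywords

def classify(banner: str, ehlo_reply: str) -> str:
    """Map a captured port-25 session to one of the two causes in the post."""
    if banner_is_masked(banner) or ehlo_reply.lstrip().startswith("500"):
        return "smtp-inspection-in-path"        # cause 2: firewall rewriting SMTP
    if not any(k in ehlo_keywords(ehlo_reply) for k in EXCHANGE_AUTH_KEYWORDS):
        return "exchange-auth-not-advertised"   # cause 1: receive connector setting
    return "ok"

# Constructed sample sessions (not captures from the post's environment).
THROUGH_FIREWALL = ("220 ****************************************",
                    "500 5.3.3 Unrecognized command")
NO_EXCHANGE_AUTH = ("220 mail01.example.test Microsoft ESMTP MAIL Service ready",
                    "250-mail01.example.test Hello [192.0.2.10]\n250-SIZE 10485760\n"
                    "250-STARTTLS\n250-AUTH NTLM\n250 8BITMIME")
HEALTHY = ("220 mail01.example.test Microsoft ESMTP MAIL Service ready",
           "250-mail01.example.test Hello [192.0.2.10]\n250-SIZE 10485760\n"
           "250-STARTTLS\n250-X-ANONYMOUSTLS\n250-AUTH NTLM\n"
           "250-X-EXPS GSSAPI NTLM\n250 8BITMIME")

if __name__ == "__main__":
    for name, (banner, ehlo) in [("through firewall", THROUGH_FIREWALL),
                                 ("no Exchange auth", NO_EXCHANGE_AUTH),
                                 ("healthy", HEALTHY)]:
        print(f"{name}: {classify(banner, ehlo)}")
```

Paste the banner and EHLO reply from a telnet session run from each subnet; a different result for the same server across subnets points at the network path rather than the connector.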

Did it work? Anything else you want to add? Let us know.