Exchange 2010 Hub cannot deliver to Exchange 2007 Hub – “451 5.7.3 Cannot achieve Exchange Server authentication”

Tags: exchange-2007, exchange-2010

We have an existing Exchange 2007 server in Site A (exch07). I've installed an Exchange 2010 server in Site B (exch10). Both servers have the CAS, Mailbox and Hub roles.

Messages sent via SMTP on exch10 which are destined for mailboxes on exch07 are queued with the "Last Error" reported in Queue Viewer as '451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.'

I've found that some people have resolved this by creating new Receive Connectors which are scoped specifically to apply to connections from the remote hub/s, but I have had no luck doing this. Specifically I created new receive connectors on both servers with the following settings:

  • Remote IP = IP/s of remote server
  • Authentication = "Transport Layer Security (TLS)" and "Exchange Server authentication"
  • Permission Groups = "Exchange servers" and "Legacy Exchange Servers"

This made no difference, I see the same error message.

What am I missing?

Update: We noticed that the Application log had this error message from MSExchangeTransportService: Microsoft Exchange could not find a certificate that contains the domain name exch07.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector exch10 with a FQDN parameter of exch07.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

It turns out that the default self-signed certificate was no longer enabled for the SMTP service for some reason. After enabling the self-signed certificate for SMTP, we no longer get the error in the event logs, but delivery is still failing with the same error message.

Update 2: I put a mailbox on exch10 and attempted to deliver a message via SMTP on exch07 and I get the same error.

Best Answer

Finally tracked down the cause. Our Cisco ASA firewall was to blame.

From http://jamesosw.wordpress.com/2009/12/30/exchange-hub-transport-unable-to-communicate-at-different-active-directory-sites/:

If you happen to be deploying Exchange 2007/Exchange 2010 Server in a multi-site environment and using a Cisco ASA Firewall as your VPN tunnel, you’ll likely encounter the issues below:

  1. Users are only able to send emails within the same Active Directory site

  2. When users attempt to send an email over to the next hop/Active Directory Site, under the Exchange Queue, you’ll see a Retry status: 451 4.4.0 Primary target IP address responded with “451 5.7.3 Cannot achieve Exchange Server authentication” SMTPRelay to remote AD Site

  3. When you attempt to telnet to the Exchange Servers at both sites, you’ll get this response from the telnet command: 220*************

The only way to fix this is to use the Commandline Interface (CLI) and type in this command:

telnet YourCiscoManagementIP

device password (default is usually cisco)

en

password (Management password)

no fixup protocol smtp 25

write mem

Remember to run these commands on all firewalls at each site. Once this is done, telnet to the Exchange server on port 25 and you should get a normal response:

 220 ExchangeServerHostName.Domain.com Microsoft ESMTP MAIL Service ready at Day, Date Month Year, Hour:Minute:Seconds +TimeZone

As soon as we did this on the ASA, mail started flowing without hassles.
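As an added diagnostic (not part of the question or the answer above), this Python script checks the symptom the answer describes, a banner of 220**** instead of the normal Microsoft ESMTP banner, and, as an additional check assumed from general Exchange behaviour rather than from this post, whether the EHLO reply still advertises the Exchange-specific extensions (X-ANONYMOUSTLS, X-EXPS) that hub-to-hub Exchange Server authentication relies on. Host names, addresses and sample sessions below are constructed.

```python
import re
import socket

# From the answer: an ASA running "fixup protocol smtp" (ESMTP inspection)
# replaces the server banner with "220" followed by asterisks.
MASKED_BANNER = re.compile(r"^220\*+\s*$")
# Assumption (general Exchange behaviour, not stated in the post): these ESMTP
# extensions are what hub-to-hub Exchange Server authentication negotiates.
EXCHANGE_EXTENSIONS = ("X-ANONYMOUSTLS", "X-EXPS")


def diagnose(banner, ehlo_lines):
    """Classify a banner plus EHLO reply: does it look like ASA inspection?"""
    masked = bool(MASKED_BANNER.match(banner.rstrip("\r\n")))
    advertised = set()
    for line in ehlo_lines:
        # EHLO reply lines look like "250-KEYWORD args" or "250 KEYWORD" (last).
        m = re.match(r"^250[- ](\S+)", line.rstrip("\r\n"))
        if m:
            advertised.add(m.group(1).upper())
    missing = [e for e in EXCHANGE_EXTENSIONS if e not in advertised]
    return {
        "banner_masked": masked,
        "starttls": "STARTTLS" in advertised,
        "missing_exchange_extensions": missing,
        "suspect_asa_inspection": masked or bool(missing),
    }


def probe(host, port=25, helo_name="probe.example", timeout=5):
    """Live check from one hub towards the other: read banner, send EHLO."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rd = s.makefile("rb")
        banner = rd.readline().decode("ascii", "replace")
        s.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        lines = []
        while True:
            line = rd.readline().decode("ascii", "replace")
            lines.append(line)
            if not line or not line.startswith("250-"):
                break
        s.sendall(b"QUIT\r\n")
    return diagnose(banner, lines)


# Constructed sample sessions (not captured from the poster's servers).
HEALTHY_BANNER = "220 exch07.domain.local Microsoft ESMTP MAIL Service ready at Mon, 3 Jan 2011 10:00:00 +0000\r\n"
HEALTHY_EHLO = ["250-exch07.domain.local Hello [10.0.0.5]\r\n", "250-SIZE 10485760\r\n",
                "250-STARTTLS\r\n", "250-X-ANONYMOUSTLS\r\n", "250-AUTH NTLM\r\n",
                "250-X-EXPS GSSAPI NTLM\r\n", "250 XEXCH50\r\n"]
MASKED_BANNER_LINE = "220*************\r\n"
MASKED_EHLO = ["250-exch07.domain.local Hello [10.0.0.5]\r\n", "250-SIZE 10485760\r\n",
               "250 8BITMIME\r\n"]  # constructed: extensions no longer visible
```

Run `probe("exch07.domain.local")` from the other hub to test a live link; the dictionary it returns tells you which symptom is present before you touch the firewall.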