Re: Problem with Exchange 2007 SP1 Receive Connector and SMTP
- From: "Michael Dragone" <no.e-mail=less_spam>
- Date: Tue, 29 Jan 2008 19:48:56 -0500
The PIX/ASA is surely notorious for this. I recall setting up the IOS Firewall for ESMTP inspection to a test Exchange 2003 box about two years ago and it worked fine - things might be different now with newer versions of IOS though.
"MarkC" <MarkC@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:E805CCBF-6BB7-43B3-99A6-778984B7AC43@xxxxxxxxxxxxxxxx
We think we have solved this issue.
Having had a chat with our networks guys it would appear that there were
inspection policies set up for SMTP/ESMTP. These have now been removed and the
connector has started working over port 25.
The following links may also help:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455aca.html
http://support.microsoft.com/kb/295725
We have a few more tests to do but things are looking better than they were.
Regards
--
Thanks for helping
"DJ" wrote:
Mark,
Just a quick note/question, do you have OE set to send Authentication on the
sending server? and possibly turning on SSL in the Advanced settings if
you're using it?
Just looking at the logs, for the 587 port there is no auth going on there,
just the ehlo and everything is great.
Also the 0x800CCC78 error is typical of the incorrect "sending" email
address, you said these were in a different domain did you try the other
domain's FQDN?
However examining the output of the ehlo on 25 versus 587, they show
different responses... below. I've had to turn on anonymous for the many and
various systems that send status emails to and fro.... so that could be the
difference for me. I'll have to do some testing.
Just some thoughts.
Don
PORT 25
220 hub01p.local Microsoft ESMTP MAIL Service ready at Tue, 29 Jan 2008
00:32:01 -0600
ehlo
250-hub01p.local Hello [10.1.1.1]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST
quit
221 2.0.0 Service closing transmission channel
PORT 587
220 hub01p.pm.local Microsoft ESMTP MAIL Service ready at Tue, 29 Jan 2008
00:32:58 -0600
ehlo
250-hub01p.local Hello [10.1.1.1]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
220 hub01p.local Microsoft ESMTP MAIL Service ready at Tue, 29 Jan 2008
00:32:01 -0600
"MarkC" <MarkC@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6062E98D-2CFF-4A92-9021-7E9EFDD4A31E@xxxxxxxxxxxxxxxx
> I am hoping that somebody can help me with this problem which I am facing.
>
> Firstly a bit of information about the problem.
> I am trying to get Outlook Express v6 (or any email client for that matter)
> to send email on port 25 (My Server Requires Authentication option ticked) to
> a Hub Transport server. The error which I get is:
> The message could not be sent because the server rejected the sender's
> e-mail address.
> The sender's e-mail address was 'test@xxxxxxxxxxxxxx'.
> Subject 'Subject information, Account: 'Test Hub', Server: 'x.x.x.x',
> Protocol: SMTP, Server Response: '530 5.7.1 Client was not authenticated',
> Port: 25, Secure(SSL): No, Server Error: 530, Error Number: 0x800CCC78
>
> Here's a bit of info about the environment and its settings:
> I'm using Exchange 2007 SP1.
> The Hub Transport Server sits in a different domain, but in the same forest
> as the user accounts.
> The Hub Transport Server has had the default receive connector modified so
> that only a specific range of IP addresses can send to it (let's say 10.1.1.1
> to 10.1.1.255).
> I have then created another Receive Connector called TestClient which is
> listening on port 25 for the IP address ranges which are not part of the
> above range (i.e. 0.0.0.0 to 10.0.0.255 and 10.1.2.1 to 255.255.255.255).
> In the authentications tab I have TLS, Basic, Exchange Server Authentication
> and Integrated Windows Authentication all ticked.
> Finally in the Permissions group I have Exchange Users ticked.
>
> Things I have tried.
> This works perfectly on port 587 - using the same receive connector.
> However I have several thousand Outlook Express clients to reconfigure if I
> can't get this working and the users are not technically savvy!
> I have also tried adding the get-receiveconnector TestClient |
> add-adpermission -user AU extendedrights
> ms-Exch-SMTP-Accept-Authoritative-Domain-Sender command to grant
> Authoritative domain senders the rights to send. But this doesn't work - same
> error code.
> I have tried an account which is in the same domain as to which the Hub
> Transport server is in (in case of a domain permissions problem).
> When I tick the Anonymous Users option in the Permissions tab everything
> works fine! But I'm not going to allow that so that's not an option - I would
> rather manually reconfigure all of the clients!
>
> Some Logging Info
> Here is a failed attempt extract from the SMTP Log files on the Hub
> Transport server (all information about the domain/server name etc has been
> replaced), no authentication attempt is being made (I also checked the DCs
> and there is nothing there either) and the EHLO command is replaced with
> XXXX:
> 2008-01-24T11:44:44.505Z,HUBSERVER\TestClient,08CA2C957CC45A3F,0,SERVERIP:25,CLIENTIP:1921,+,,
> 2008-01-24T11:44:44.505Z,HUBSERVER\TestClient,08CA2C957CC45A3F,1,SERVERIP:25,CLIENTIP:1921,*,None,Set
> Session Permissions
> 2008-01-24T11:44:44.505Z,HUBSERVER\TestClient,08CA2C957CC45A3F,2,SERVERIP:25,CLIENTIP:1921,>,"220
> HUBSERVER.domain.local Microsoft ESMTP MAIL Service ready at Thu, 24 Jan 2008 11:44:44 +0000",
> 2008-01-24T11:44:44.520Z,HUBSERVER\TestClient,08CA2C957CC45A3F,3,SERVERIP:25,CLIENTIP:1921,<,XXXX
> clientname,
> 2008-01-24T11:44:49.536Z,HUBSERVER\TestClient,08CA2C957CC45A3F,4,SERVERIP:25,CLIENTIP:1921,>,500
> 5.3.3 Unrecognized command,
> 2008-01-24T11:44:49.552Z,HUBSERVER\TestClient,08CA2C957CC45A3F,5,SERVERIP:25,CLIENTIP:1921,<,HELO
> clientname,
> 2008-01-24T11:44:49.552Z,HUBSERVER\TestClient,08CA2C957CC45A3F,6,SERVERIP:25,CLIENTIP:1921,>,250
> HUBSERVER.domain.local Hello [CLIENTIP],
> 2008-01-24T11:44:49.567Z,HUBSERVER\TestClient,08CA2C957CC45A3F,7,SERVERIP:25,CLIENTIP:1921,<,MAIL
> FROM: <test@xxxxxxxxxxxxxx>,
> 2008-01-24T11:44:54.583Z,HUBSERVER\TestClient,08CA2C957CC45A3F,8,SERVERIP:25,CLIENTIP:1921,>,530
> 5.7.1 Client was not authenticated,
> 2008-01-24T11:44:54.583Z,HUBSERVER\TestClient,08CA2C957CC45A3F,9,SERVERIP:25,CLIENTIP:1921,-,,Local
>
> Here is a successful attempt extract from the SMTP Log files on the Hub
> Transport server though using 587 as the port, you can see that EHLO is
> being
> made and the account being authenticated:
> 2008-01-24T11:58:01.260Z,HUBSERVER\TestClient,08CA2C977295CA87,0,SERVERIP:587,CLIENTIP:1938,+,,
> 2008-01-24T11:58:01.338Z,HUBSERVER\TestClient,08CA2C977295CA87,1,SERVERIP:587,CLIENTIP:1938,*,None,Set
> Session Permissions
> 2008-01-24T11:58:01.338Z,HUBSERVER\TestClient,08CA2C977295CA87,2,SERVERIP:587,CLIENTIP:1938,>,"220
> HUBSERVER.domain.local Microsoft ESMTP MAIL Service ready at Thu, 24 Jan 2008 11:58:00 +0000",
> 2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,3,SERVERIP:587,CLIENTIP:1938,<,EHLO
> clientname,
> 2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,4,SERVERIP:587,CLIENTIP:1938,>,250-HUBSERVER.domain.local
> Hello [CLIENTIP],
> 2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,5,SERVERIP:587,CLIENTIP:1938,>,250-SIZE
> 10485760,
> 2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,6,SERVERIP:587,CLIENTIP:1938,>,250-PIPELINING,
> 2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,7,SERVERIP:587,CLIENTIP:1938,>,250-DSN,
> 2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,8,SERVERIP:587,CLIENTIP:1938,>,250-ENHANCEDSTATUSCODES,
> 2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,9,SERVERIP:587,CLIENTIP:1938,>,250-STARTTLS,
> 2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,10,SERVERIP:587,CLIENTIP:1938,>,250-X-ANONYMOUSTLS,
> 2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,11,SERVERIP:587,CLIENTIP:1938,>,250-AUTH
> NTLM LOGIN,
> 2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,12,SERVERIP:587,CLIENTIP:1938,>,250-X-EXPS
> GSSAPI NTLM,
> 2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,13,SERVERIP:587,CLIENTIP:1938,>,250-8BITMIME,
> 2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,14,SERVERIP:587,CLIENTIP:1938,>,250-BINARYMIME,
> 2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,15,SERVERIP:587,CLIENTIP:1938,>,250-CHUNKING,
> 2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,16,SERVERIP:587,CLIENTIP:1938,>,250-XEXCH50,
> 2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,17,SERVERIP:587,CLIENTIP:1938,>,250
> XRDST,
> 2008-01-24T11:58:01.370Z,HUBSERVER\TestClient,08CA2C977295CA87,18,SERVERIP:587,CLIENTIP:1938,<,AUTH
> LOGIN,
> 2008-01-24T11:58:01.370Z,HUBSERVER\TestClient,08CA2C977295CA87,19,SERVERIP:587,CLIENTIP:1938,>,334
> <authentication response>,
> 2008-01-24T11:58:01.385Z,HUBSERVER\TestClient,08CA2C977295CA87,20,SERVERIP:587,CLIENTIP:1938,>,334
> <authentication response>,
> 2008-01-24T11:58:01.448Z,HUBSERVER\TestClient,08CA2C977295CA87,21,SERVERIP:587,CLIENTIP:1938,*,SMTPSubmit
> SMTPAcceptAnyRecipient SMTPAcceptAuthoritativeDomainSender BypassAntiSpam
> AcceptRoutingHeaders,Set Session Permissions
> 2008-01-24T11:58:01.448Z,HUBSERVER\TestClient,08CA2C977295CA87,22,SERVERIP:587,CLIENTIP:1938,*,domain\test,authenticated
> 2008-01-24T11:58:01.448Z,HUBSERVER\TestClient,08CA2C977295CA87,23,SERVERIP:587,CLIENTIP:1938,>,235
> 2.7.0 Authentication successful,
> 2008-01-24T11:58:01.463Z,HUBSERVER\TestClient,08CA2C977295CA87,24,SERVERIP:587,CLIENTIP:1938,<,MAIL
> FROM: <test@xxxxxxxxxxxxxx>,
> 2008-01-24T11:58:01.479Z,HUBSERVER\TestClient,08CA2C977295CA87,25,SERVERIP:587,CLIENTIP:1938,*,08CA2C977295CA87;2008-01-24T11:58:01.260Z;1,receiving
> message
> 2008-01-24T11:58:01.479Z,HUBSERVER\TestClient,08CA2C977295CA87,26,SERVERIP:587,CLIENTIP:1938,>,250
> 2.1.0 Sender OK,
> 2008-01-24T11:58:01.495Z,HUBSERVER\TestClient,08CA2C977295CA87,27,SERVERIP:587,CLIENTIP:1938,<,RCPT
> TO: <test2@xxxxxxxxxxxx>,
> 2008-01-24T11:58:01.495Z,HUBSERVER\TestClient,08CA2C977295CA87,28,SERVERIP:587,CLIENTIP:1938,>,250
> 2.1.5 Recipient OK,
> 2008-01-24T11:58:01.510Z,HUBSERVER\TestClient,08CA2C977295CA87,29,SERVERIP:587,CLIENTIP:1938,<,DATA,
> 2008-01-24T11:58:01.666Z,HUBSERVER\TestClient,08CA2C977295CA87,30,SERVERIP:587,CLIENTIP:1938,>,354
> Start mail input; end with <CRLF>.<CRLF>,
> 2008-01-24T11:58:02.073Z,HUBSERVER\TestClient,08CA2C977295CA87,31,SERVERIP:587,CLIENTIP:1938,>,250
> 2.6.0 <randomnumber@xxxxxxxxx> Queued mail for delivery,
> 2008-01-24T11:58:02.088Z,HUBSERVER\TestClient,08CA2C977295CA87,32,SERVERIP:587,CLIENTIP:1938,<,QUIT,
> 2008-01-24T11:58:02.088Z,HUBSERVER\TestClient,08CA2C977295CA87,33,SERVERIP:587,CLIENTIP:1938,>,221
> 2.0.0 Service closing transmission channel,
> 2008-01-24T11:58:02.088Z,HUBSERVER\TestClient,08CA2C977295CA87,34,SERVERIP:587,CLIENTIP:1938,-,,Local
>
> Is what I am trying to do not allowed on a Hub Transport Server for reasons of
> security (i.e. supported only on an Edge Server), or is Port 25 not allowed to
> be used by authenticated clients "by design"? Or have I got a permissions
> problem somewhere along the line?
> Thanks for taking the time to read this long post! Any help or explanations
> gratefully received.
> Many thanks
> Mark
>
>
> Also posted in exchange.setup
> --
> Thanks for helping
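
The failed port 25 session in the thread has a recognizable shape: the client's greeting arrives as XXXX, the server answers 500, the client falls back to HELO and therefore never sees an AUTH offer before MAIL FROM is refused with 530. The following is an added example (not code from any poster in this thread) that parses receive protocol log lines and flags sessions with that shape; the function names and verdict strings are this example's own, and the sample lines are rejoined from the wrapped excerpts quoted above.

```python
import csv
import io
from collections import defaultdict

# Sample lines rejoined from the wrapped log excerpts quoted in the thread,
# trimmed to the events the check needs (one port 25 and one port 587 session).
SAMPLE_LOG = r"""
2008-01-24T11:44:44.520Z,HUBSERVER\TestClient,08CA2C957CC45A3F,3,SERVERIP:25,CLIENTIP:1921,<,XXXX clientname,
2008-01-24T11:44:49.536Z,HUBSERVER\TestClient,08CA2C957CC45A3F,4,SERVERIP:25,CLIENTIP:1921,>,500 5.3.3 Unrecognized command,
2008-01-24T11:44:49.552Z,HUBSERVER\TestClient,08CA2C957CC45A3F,5,SERVERIP:25,CLIENTIP:1921,<,HELO clientname,
2008-01-24T11:44:49.552Z,HUBSERVER\TestClient,08CA2C957CC45A3F,6,SERVERIP:25,CLIENTIP:1921,>,250 HUBSERVER.domain.local Hello [CLIENTIP],
2008-01-24T11:44:49.567Z,HUBSERVER\TestClient,08CA2C957CC45A3F,7,SERVERIP:25,CLIENTIP:1921,<,MAIL FROM: <test@xxxxxxxxxxxxxx>,
2008-01-24T11:44:54.583Z,HUBSERVER\TestClient,08CA2C957CC45A3F,8,SERVERIP:25,CLIENTIP:1921,>,530 5.7.1 Client was not authenticated,
2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,3,SERVERIP:587,CLIENTIP:1938,<,EHLO clientname,
2008-01-24T11:58:01.354Z,HUBSERVER\TestClient,08CA2C977295CA87,11,SERVERIP:587,CLIENTIP:1938,>,250-AUTH NTLM LOGIN,
2008-01-24T11:58:01.370Z,HUBSERVER\TestClient,08CA2C977295CA87,18,SERVERIP:587,CLIENTIP:1938,<,AUTH LOGIN,
2008-01-24T11:58:01.448Z,HUBSERVER\TestClient,08CA2C977295CA87,23,SERVERIP:587,CLIENTIP:1938,>,235 2.7.0 Authentication successful,
"""


def parse_sessions(text):
    """Group (sequence, event, data) tuples by session id, in sequence order."""
    sessions = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 8 or row[0].startswith("#"):  # blank or header line
            continue
        sessions[row[2]].append((int(row[3]), row[6], row[7].strip()))
    return {sid: sorted(events) for sid, events in sessions.items()}


def diagnose(events):
    """Classify one session by whether the client ever saw the AUTH offer."""
    sent = [d.split()[0].upper() for _, ev, d in events if ev == "<" and d]
    got = [d for _, ev, d in events if ev == ">"]
    codes = {r[:3] for r in got}
    bad_greeting = bool(sent) and sent[0] not in ("EHLO", "HELO") and "500" in codes
    auth_offered = any(r[:3] == "250" and r[4:8].upper() == "AUTH" for r in got)
    if "235" in codes:
        return "authenticated"
    if bad_greeting and not auth_offered and "530" in codes:
        return "greeting-rewritten"
    return "no-finding"


def report(text=SAMPLE_LOG):
    return {sid: diagnose(ev) for sid, ev in parse_sessions(text).items()}

if __name__ == "__main__":
    for sid, verdict in report().items():
        print(sid, "->", verdict)
```

A "greeting-rewritten" verdict points at something between client and server altering the SMTP dialogue, which is where the inspection policies mentioned at the top of the thread sit, rather than at connector permissions.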