We have an existing Exchange 2007 server in Site A (exch07). I've installed an Exchange 2010 server in Site B (exch10). Both servers have the CAS, Mailbox and Hub roles.
Messages sent via SMTP on exch10 which are destined for mailboxes on exch07 are queued with the "Last Error" reported in Queue Viewer as '451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.'
I've found that some people have resolved this by creating new Receive Connectors which are scoped specifically to apply to connections from the remote hub/s, but I have had no luck doing this. Specifically I created new receive connectors on both servers with the following settings:
- Remote IP = IP/s of remote server
- Authentication = "Transport Layer Security (TLS)" and "Exchange Server authentication"
- Permission Groups = "Exchange servers" and "Legacy Exchange Servers"
This made no difference; I see the same error message.
What am I missing?
Update: We noticed that the Application log had this error message from MSExchangeTransportService: Microsoft Exchange could not find a certificate that contains the domain name exch07.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector exch10 with a FQDN parameter of exch07.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
It turns out that the default self-signed certificate was no longer enabled for the SMTP service for some reason. After enabling the self-signed certificate for SMTP, we no longer get the error in the event logs, but delivery is still failing with the same error message.
Update 2: I put a mailbox on exch10 and attempted to deliver a message via SMTP on exch07 and I get the same error.
Finally tracked down the cause. Our Cisco ASA firewall was to blame.
From http://jamesosw.wordpress.com/2009/12/30/exchange-hub-transport-unable-to-communicate-at-different-active-directory-sites/:
As soon as we did this on the ASA, mail started flowing without hassles.
you need to include `conf t` before the `no fixup protocol smtp 25` command; as `fixup` is a configuration command.
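The answer above pins the failure on SMTP fixup (ESMTP inspection) on the ASA. As an added example, not from this thread or from Microsoft or Cisco, here is a small Python check that parses a hub transport's banner plus EHLO reply and reports the symptoms such inspection typically leaves behind: a banner masked with filler characters and Exchange's own extension verbs (X-ANONYMOUSTLS and X-EXPS, which Exchange advertises for Exchange Server authentication) either missing or replaced by filler. The filler characters it looks for ('*' and 'X') and the two sample replies are assumptions and constructed data, not captures from exch07 or exch10.

```python
import socket

# Extensions Exchange hub transport uses for Exchange Server authentication.
REQUIRED_VERBS = ("X-ANONYMOUSTLS", "X-EXPS")

def parse_ehlo(response: str) -> dict:
    """Split an SMTP banner + EHLO reply into the banner and advertised keywords."""
    lines = [l.strip() for l in response.splitlines() if l.strip()]
    banner = next((l[4:] for l in lines if l.startswith("220")), "")
    keywords = [l[4:].split()[0].upper() for l in lines if l[:3] == "250" and len(l) > 4]
    return {"banner": banner, "keywords": keywords}

def _masked(text: str) -> bool:
    """True when text is only the filler an inspecting firewall substitutes (assumed '*' or 'X')."""
    chars = set(text.replace(" ", ""))
    return bool(chars) and chars <= {"*", "X", "x"}

def inspection_findings(response: str) -> list:
    """Return the symptoms that point at SMTP inspection sitting in the path."""
    parsed = parse_ehlo(response)
    findings = []
    if _masked(parsed["banner"]):
        findings.append("banner masked")
    masked = [k for k in parsed["keywords"] if _masked(k)]
    if masked:
        findings.append(f"{len(masked)} EHLO keyword(s) masked")
    findings += [f"{v} not advertised" for v in REQUIRED_VERBS if v not in parsed["keywords"]]
    return findings

def fetch_ehlo(host: str, helo_name: str, port: int = 25, timeout: float = 10) -> str:
    """Live check: connect to a hub transport and return its banner + EHLO reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = sock.recv(4096)
        sock.sendall(f"EHLO {helo_name}\r\n".encode())
        data += sock.recv(8192)
        sock.sendall(b"QUIT\r\n")
    return data.decode(errors="replace")

# Constructed sample replies (not captured from the servers in the thread).
CLEAN_REPLY = ("220 exch07.domain.local Microsoft ESMTP MAIL Service ready\r\n"
               "250-exch07.domain.local Hello [10.0.0.5]\r\n250-SIZE\r\n250-STARTTLS\r\n"
               "250-X-ANONYMOUSTLS\r\n250-AUTH NTLM\r\n250-X-EXPS GSSAPI NTLM\r\n250 XEXCH50\r\n")
INSPECTED_REPLY = ("220 **********************************************\r\n"
                   "250-exch07.domain.local Hello [10.0.0.5]\r\n250-SIZE\r\n250-XXXXXXXX\r\n"
                   "250-XXXXXXXXXXXXXX\r\n250-AUTH NTLM\r\n250-XXXXXXXXXXXXXXXXXX\r\n250 XXXXXXX\r\n")
```

Run `inspection_findings(fetch_ehlo("exch07.domain.local", "exch10.domain.local"))` from the other site's hub to see what the path between the two servers actually delivers; an empty list after the ASA change means the Exchange verbs are getting through.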