I was testing outgoing mail flow in my new Exchange 2010 setup, which should go from the CAS Servers to the Edge server in the DMZ.
After configuring the Edge subscription I noticed that outgoing mail got stuck in the queue with the following error:
“451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.”
I verified that name resolution in both directions was OK and that I could communicate on ports 25, 50389 and 50636.
Then I tried to telnet from a CAS server to the Edge server on port 25 and noticed that some kind of SMTP filtering was active.
You can recognize it in a telnet session because the server name, version, etc. in the banner are masked with asterisk characters.
The problem is that ESMTP inspection drops the packets of the TLS negotiation, and TLS is exactly what is used between the CAS and the Edge server (the Exchange Server authentication in the error above runs on top of it).
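The telnet check above can be scripted so that the same two symptoms (a banner consisting of asterisks, and an EHLO reply that no longer advertises STARTTLS or X-ANONYMOUSTLS, the extensions Exchange needs for TLS and Exchange Server authentication) are recognised automatically. The following is an added example, not code from the original post; the host names, addresses and SMTP transcripts in it are constructed samples, and the probe() function performs the same banner/EHLO exchange as a manual telnet session against whatever host you pass it. Once the inspection is changed (the post disables it; on ASA releases that support it, the ESMTP inspection policy-map can alternatively be given an allow-tls parameter so that only TLS is passed through), running the probe again should report no findings.

```python
import re
import socket

# Constructed sample transcripts (not captured from the post's servers).
# A plain Exchange Edge greeting, and the same greeting as it appears through
# a firewall whose ESMTP inspection replaces the banner text with asterisks.
SAMPLE_CLEAN_BANNER = (
    "220 edge01.contoso.example Microsoft ESMTP MAIL Service ready at "
    "Tue, 1 Jun 2010 10:00:00 +0200"
)
SAMPLE_MASKED_BANNER = "220 " + "*" * 70

# EHLO replies: the clean one advertises the extensions the CAS/Hub side needs
# for TLS and Exchange Server authentication; the filtered one does not.
SAMPLE_CLEAN_EHLO = [
    "250-edge01.contoso.example Hello [10.0.0.5]",
    "250-SIZE 10485760",
    "250-STARTTLS",
    "250-X-ANONYMOUSTLS",
    "250-AUTH",
    "250-X-EXPS GSSAPI NTLM",
    "250 XEXCH50",
]
SAMPLE_FILTERED_EHLO = [
    "250-edge01.contoso.example Hello [10.0.0.5]",
    "250-SIZE 10485760",
    "250 8BITMIME",
]

# Extensions that must survive the path for CAS-to-Edge delivery to work.
TLS_EXTENSIONS = {"STARTTLS", "X-ANONYMOUSTLS"}


def banner_is_masked(banner):
    """True when the greeting text after the 220 code is nothing but asterisks."""
    text = banner.strip()
    if not text.startswith("220"):
        return False
    body = text[3:].strip()
    return bool(body) and set(body) == {"*"}


def ehlo_extensions(ehlo_lines):
    """Return the set of extension keywords advertised in an EHLO reply."""
    keywords = set()
    for line in ehlo_lines[1:]:  # first line is the server's hello, not an extension
        m = re.match(r"^250[- ](\S+)", line.strip())
        if m:
            keywords.add(m.group(1).upper())
    return keywords


def missing_tls_extensions(ehlo_lines):
    """Which of the required TLS-related extensions are absent from the reply."""
    return TLS_EXTENSIONS - ehlo_extensions(ehlo_lines)


def diagnose(banner, ehlo_lines):
    """Turn a banner and an EHLO reply into a list of human-readable findings."""
    findings = []
    if banner_is_masked(banner):
        findings.append("banner masked with asterisks: ESMTP inspection is active on the path")
    missing = missing_tls_extensions(ehlo_lines)
    if missing:
        findings.append("TLS extensions not advertised: " + ", ".join(sorted(missing)))
    return findings


def _read_reply(reader):
    """Read one SMTP reply (single- or multi-line) and return its lines."""
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            break
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if re.match(r"^\d{3}( |$)", line):  # "250 " (space) ends a multi-line reply
            break
    return lines


def probe(host, port=25, helo_name="probe.contoso.example", timeout=10):
    """Connect to an SMTP server, read the banner, send EHLO and diagnose the result."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        banner = _read_reply(reader)[0]
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        ehlo = _read_reply(reader)
        sock.sendall(b"QUIT\r\n")
    return {"banner": banner, "ehlo": ehlo, "findings": diagnose(banner, ehlo)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = probe(sys.argv[1])  # e.g. the Edge server's name, run from a CAS
        print(result["banner"])
        print("\n".join(result["ehlo"]))
        print(result["findings"] or "no ESMTP inspection symptoms found")
    else:
        # Offline demonstration on the constructed transcripts.
        print("clean path:   ", diagnose(SAMPLE_CLEAN_BANNER, SAMPLE_CLEAN_EHLO))
        print("filtered path:", diagnose(SAMPLE_MASKED_BANNER, SAMPLE_FILTERED_EHLO))
```

Run it with no arguments to see the two constructed cases, or with the Edge server's name as the argument from a CAS server to test the real path; an empty findings list means the banner and the TLS-related extensions reached you unmodified.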
I checked the Cisco switch and in the config there was an inspect esmtp statement in the global_policy policy-map.
After modifying the configuration the communication went fine:

conf t
policy-map global_policy
 class inspection_default
  no inspect esmtp

For more details see the Cisco document “PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example”.