Cannot achieve Exchange Server authentication


I was testing outgoing mail flow in my new Exchange 2010 setup, which should go from the CAS servers to the Edge server in the DMZ.

After configuring the Edge subscription I noticed that outgoing mails got stuck in the queue with the following error:

451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

I verified that name resolution worked in both directions and that I could connect on ports 25, 50389 and 50636 (SMTP plus the LDAP and secure LDAP ports EdgeSync uses).

Then I tried to telnet from a CAS server to the Edge server on port 25 and noticed that some kind of SMTP filtering was active in between.

The most common kind is Cisco's, called smtp fixup, (e)smtp inspection or CSC inspection depending on the platform and software version.

You can recognize it in a telnet session because the server name, version and so on in the SMTP banner are masked with asterisk characters:

[screenshot: telnet session to the Edge server on port 25 showing the banner masked by ESMTP inspection]

The problem is that ESMTP inspection breaks the TLS session between CAS and Edge: the inspection engine only understands plain SMTP, so once the connection switches to TLS it drops the packets, and the Exchange Server authentication that runs over that session can never complete.
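The two symptoms from the telnet test can be checked without typing the SMTP dialogue by hand. The function below is an added example, not part of the original post: it connects to the listener, reads the greeting, sends EHLO and reports whether the banner has been replaced by asterisks and whether STARTTLS and X-ANONYMOUSTLS (the extension Exchange Server authentication relies on) are still advertised. The host names in it are assumed placeholders; substitute your own.

```powershell
# Added example (not from the original post). Probe an SMTP listener from a
# CAS server and flag the fingerprints of ESMTP inspection: a banner masked
# with asterisks and an EHLO reply that no longer offers TLS.
function Test-EdgeSmtp {
    param(
        [Parameter(Mandatory)][string]$Server,          # e.g. the Edge server FQDN
        [int]$Port = 25,
        [string]$EhloName = 'cas01.corp.example'         # assumed CAS FQDN (placeholder)
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
    } catch {
        # Port not reachable at all: a routing/ACL problem, not an inspection problem.
        return [pscustomobject]@{ Server = $Server; Reachable = $false; Banner = $null
                                  Masked = $null; StartTls = $null; AnonymousTls = $null; Ehlo = $null }
    }

    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        # Read the 220 greeting. Continuation lines carry "220-", the last one "220 ".
        $banner = @()
        do { $line = $reader.ReadLine(); $banner += $line } while ($line -and $line[3] -eq '-')

        # Ask for the extension list the Edge server advertises to this client.
        $writer.WriteLine("EHLO $EhloName")
        $ehlo = @()
        do { $line = $reader.ReadLine(); $ehlo += $line } while ($line -and $line[3] -eq '-')

        $writer.WriteLine('QUIT')
    } finally {
        $client.Close()
    }

    # Inspection replaces the text after "220 " with asterisks; a genuine Exchange
    # banner names the host and says "Microsoft ESMTP MAIL Service".
    $bannerText = $banner -join ' '
    [pscustomobject]@{
        Server       = $Server
        Reachable    = $true
        Banner       = $bannerText
        Masked       = [bool]($bannerText -match '\*{5,}')
        StartTls     = [bool]($ehlo -match '^250[- ]STARTTLS')
        AnonymousTls = [bool]($ehlo -match '^250[- ]X-ANONYMOUSTLS')
        Ehlo         = $ehlo
    }
}

# Run it from a CAS server against the Edge server (placeholder name):
Test-EdgeSmtp -Server 'edge01.dmz.example' | Format-List
```

Run it twice: once from a host on the same segment as the Edge server and once from a CAS server. If the first run shows the real banner with STARTTLS and X-ANONYMOUSTLS in the EHLO reply while the second shows a masked banner or a shorter extension list, a device on the path between the two is rewriting the session.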

I checked the Cisco firewall in the path (an ASA; policy-map and inspect are ASA/PIX Modular Policy Framework commands) and found an inspect esmtp statement under the inspection_default class of the global_policy policy-map.

After removing that statement the communication went fine:

conf t
policy-map global_policy
class inspection_default
no inspect esmtp

Note that this switches ESMTP inspection off for all traffic matched by inspection_default, not just the CAS to Edge flow; if other mail servers behind the same firewall depend on it, scope the change to the Exchange hosts instead. For more details see PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example

Was once an enthusiastic PepperByte employee but is now working elsewhere. His blogs are still valuable to us and we hope to you too.