I was testing outgoing mail flow in my new Exchange 2010 setup, which should go from the CAS Servers to the Edge server in the DMZ.
After configuring the Edge subscription I noticed that outgoing mail got stuck in the queue with the following error:
"451 4.4.0 Primary target IP address responded with: '451 5.7.3 Cannot achieve Exchange Server authentication.' Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts."
I verified that name resolution worked in both directions and that I could communicate on ports 25, 50389 and 50636.
Then I tried to telnet from a CAS server to the Edge server on port 25 and noticed that some kind of SMTP filtering was active.
You can recognize it in a telnet session because the server name, version and so on in the banner are masked with asterisk characters.
The problem is that ESMTP inspection drops the packets of the TLS handshake (STARTTLS is used between CAS and Edge), so the Exchange Server authentication that relies on that TLS session can never complete.
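The symptoms described above (a banner reduced to asterisks, and TLS that never gets going) can be checked without guesswork. The following Python script is an added example, not code from the original post or from Exchange: it reads the 220 banner and the EHLO reply of an SMTP listener, flags a masked banner, and reports when STARTTLS is not advertised. The transcripts embedded below are constructed samples, and the host names and IP addresses in them are placeholders.

```python
import re
import socket
import sys

# Constructed sample transcripts (not captured from the author's environment).
# A banner rewritten by an inline ESMTP inspector looks like the first one.
MASKED_BANNER = "220 **********************************************\r\n"
CLEAN_BANNER = ("220 edge01.contoso.example Microsoft ESMTP MAIL Service ready at "
                "Mon, 1 Jan 2024 10:00:00 +0100\r\n")

# Constructed EHLO reply of a healthy Edge server (extension list is illustrative).
CLEAN_EHLO = (
    "250-edge01.contoso.example Hello [10.0.0.5]\r\n"
    "250-SIZE 37748736\r\n"
    "250-PIPELINING\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-STARTTLS\r\n"
    "250-X-ANONYMOUSTLS\r\n"
    "250-AUTH NTLM\r\n"
    "250-8BITMIME\r\n"
    "250 CHUNKING\r\n"
)

# Constructed EHLO reply as seen through an inspector that removed STARTTLS.
MASKED_EHLO = (
    "250-**************** Hello [10.0.0.5]\r\n"
    "250-SIZE 37748736\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)


def banner_is_masked(banner: str) -> bool:
    """True when the 220 greeting hides host and version behind asterisks,
    which is the tell-tale sign of an inline ESMTP inspector on the path."""
    text = banner.strip()
    if not text.startswith("220"):
        return False
    body = text[3:].strip()
    # Treat a body that is at least half asterisks as masked.
    return bool(body) and body.count("*") * 2 >= len(body)


def parse_ehlo(reply: str) -> set[str]:
    """Return the ESMTP extension keywords from a multi-line 250 EHLO reply.
    The first line carries the greeting, not an extension, so it is skipped."""
    lines = [line for line in reply.splitlines() if line.strip()]
    keywords = set()
    for line in lines[1:]:
        match = re.match(r"250[ -](\S+)", line.strip())
        if match:
            keywords.add(match.group(1).upper())
    return keywords


def diagnose(banner: str, ehlo_reply: str) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if banner_is_masked(banner):
        findings.append("banner masked: an inline ESMTP inspector is rewriting the session")
    if "STARTTLS" not in parse_ehlo(ehlo_reply):
        findings.append("STARTTLS not advertised: CAS-to-Edge TLS cannot be negotiated")
    return findings


def _read_reply(stream) -> str:
    """Read one (possibly multi-line) SMTP reply; continuation lines have '-' in column 4."""
    lines = []
    while True:
        line = stream.readline().decode("utf-8", "replace")
        lines.append(line)
        if not line or len(line) < 4 or line[3] != "-":
            return "".join(lines)


def probe(host: str, port: int = 25, timeout: float = 10.0) -> tuple[str, str]:
    """Connect to a live SMTP listener and return (banner, EHLO reply) verbatim.
    'host' is whatever Edge server you want to check; nothing here is Exchange-specific."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rwb")
        banner = _read_reply(stream)
        stream.write(b"EHLO probe.example\r\n")  # placeholder client name
        stream.flush()
        ehlo = _read_reply(stream)
        stream.write(b"QUIT\r\n")
        stream.flush()
    return banner, ehlo


if __name__ == "__main__":
    if len(sys.argv) > 1:
        banner, ehlo = probe(sys.argv[1])       # live check against the given host
    else:
        banner, ehlo = MASKED_BANNER, MASKED_EHLO  # offline demo on constructed data
    for finding in diagnose(banner, ehlo) or ["no inspection symptoms found"]:
        print(finding)
```

Run it with the Edge server's name as the only argument to check a real path; without an argument it runs against the constructed masked transcript and reports both findings. The STARTTLS check is the one that matters for the error in this post: if the keyword is present in the EHLO reply but the TLS handshake still fails, the inspector is interfering after the handshake begins rather than stripping the extension.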
I checked the Cisco switch and found an "inspect esmtp" statement in the global_policy policy-map.
After removing it from the configuration, communication between CAS and Edge worked:

conf t
policy-map global_policy
class inspection_default
no inspect esmtp
end
write memory

For more details see "PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example".
Was once an enthusiastic PepperByte employee but is now working elsewhere. His blogs are still valuable to us and we hope to you too.