
I was testing outgoing mail flow in my new Exchange 2010 setup, which should go from the internal CAS/Hub Transport servers to the Edge Transport server in the DMZ.

After configuring the Edge Subscription I noticed that outgoing mail got stuck in the queue with the following error:

451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

I verified that name resolution worked in both directions and that I could communicate on ports 25 (SMTP), 50389 (EdgeSync LDAP) and 50636 (EdgeSync secure LDAP).

Then I tried to telnet from a CAS server to the Edge server on port 25 and noticed that some kind of SMTP inspection was active in the path between them.

The most common kind is Cisco's, where it is called SMTP fixup (PIX 6.x), (E)SMTP inspection (PIX/ASA 7.x and later) or is performed by the CSC module.

You can recognize it in a telnet session because the server name, version and similar details in the SMTP banner are masked with asterisk characters:

(Screenshot: SMTP banner masked by Cisco ESMTP inspection)

The problem is that ESMTP inspection interferes with the TLS negotiation (STARTTLS) that the CAS/Hub Transport and Edge servers use for Exchange Server authentication, and the packets carrying that encrypted session are dropped, so the connection never authenticates.
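The telnet check above can be scripted. The following is an added example (not from the original post) that connects to an SMTP listener, reads the banner, sends EHLO and reports whether the banner is masked with asterisks and whether STARTTLS and the Exchange-specific X-ANONYMOUSTLS / X-EXPS extensions are advertised. If the banner is masked or STARTTLS is missing from the EHLO reply, an inspection engine in the path is the likely cause. The sample banners and EHLO replies embedded in the block are constructed for illustration; the host name probe.example.test is an assumption.

```python
"""Probe an SMTP listener for signs of ESMTP inspection (added example)."""
import re
import socket
import sys

# Constructed sample responses (not captured from a real server).
BANNER_NORMAL = "220 edge.contoso.local Microsoft ESMTP MAIL Service ready at Tue, 1 Jun 2010 10:00:00 +0200\r\n"
BANNER_MASKED = "220 **************************************************\r\n"
EHLO_NORMAL = (
    "250-edge.contoso.local Hello [10.0.0.11]\r\n"
    "250-SIZE\r\n250-PIPELINING\r\n250-DSN\r\n250-ENHANCEDSTATUSCODES\r\n"
    "250-STARTTLS\r\n250-X-ANONYMOUSTLS\r\n250-AUTH NTLM\r\n250-X-EXPS GSSAPI NTLM\r\n"
    "250-8BITMIME\r\n250-BINARYMIME\r\n250-CHUNKING\r\n250-XEXCH50\r\n250 XRDST\r\n"
)
# Same server seen through an inspection engine that strips TLS-related verbs.
EHLO_STRIPPED = (
    "250-edge.contoso.local Hello [10.0.0.11]\r\n"
    "250-SIZE\r\n250-PIPELINING\r\n250-DSN\r\n250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n250-BINARYMIME\r\n250 CHUNKING\r\n"
)

MASK_RE = re.compile(r"\*{4,}")  # a run of asterisks where the host/version should be


def parse_ehlo(response: str) -> list:
    """Return the EHLO keywords advertised in a multi-line 250 reply.

    The first 250 line is the server greeting ("host Hello [ip]"), not an
    extension, so it is skipped.
    """
    keywords = []
    for line in response.splitlines():
        if line.startswith("250") and len(line) > 4:
            body = line[4:].strip()
            if body:
                keywords.append(body.split()[0].upper())
    return keywords[1:]


def assess(banner: str, ehlo_response: str) -> dict:
    """Classify a banner + EHLO pair as clean or probably inspected."""
    keywords = parse_ehlo(ehlo_response)
    masked = bool(MASK_RE.search(banner))
    starttls = "STARTTLS" in keywords
    return {
        "banner_masked": masked,
        "starttls": starttls,
        "x_anonymoustls": "X-ANONYMOUSTLS" in keywords,
        "x_exps": "X-EXPS" in keywords,
        # Either symptom alone is enough to suspect an inspection engine.
        "likely_inspected": masked or not starttls,
    }


def probe(host: str, port: int = 25, helo_name: str = "probe.example.test", timeout: float = 10.0) -> dict:
    """Connect, read the banner, send EHLO, read the reply and assess it."""
    with socket.create_connection((host, port), timeout) as sock:
        f = sock.makefile("rwb")
        banner = f.readline().decode("ascii", errors="replace")
        f.write(f"EHLO {helo_name}\r\n".encode("ascii"))
        f.flush()
        lines = []
        while True:
            line = f.readline().decode("ascii", errors="replace")
            lines.append(line)
            # The last line of a multi-line reply has a space after the code.
            if len(line) < 4 or line[3] != "-":
                break
        f.write(b"QUIT\r\n")
        f.flush()
    return assess(banner, "".join(lines))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        print(probe(target))
    else:
        print("clean:", assess(BANNER_NORMAL, EHLO_NORMAL))
        print("inspected:", assess(BANNER_MASKED, EHLO_STRIPPED))
```

Run it with the Edge server's name as the first argument from a Hub Transport/CAS server; without an argument it evaluates the two constructed samples. Note that a masked banner is only the visible symptom: the authentication failure comes from the inspection engine interfering with the STARTTLS session, so the EHLO keywords are the more useful indicator.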

I checked the Cisco firewall and found an inspect esmtp statement under the global_policy policy-map.

After modifying the configuration so that ESMTP inspection no longer applied to this traffic, the communication worked fine.
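For reference, this is what the relevant part of a PIX/ASA configuration looks like, as an added example rather than the configuration from the original post (which does not show the exact change). The default global_policy applies ESMTP inspection on every interface, which is the setting that breaks the Hub/CAS to Edge session. Two ways of resolving it are shown below; the map name edge-esmtp is an assumption, and the allow-tls option requires ASA 8.0(3) or later.

```text
! Default ASA configuration: esmtp inspection applied globally,
! so the Hub/CAS <-> Edge SMTP session on port 25 is inspected
! and its STARTTLS negotiation is disrupted.
policy-map global_policy
 class inspection_default
  inspect esmtp

! Option 1: stop inspecting ESMTP altogether (simplest fix)
policy-map global_policy
 class inspection_default
  no inspect esmtp

! Option 2: keep inspection for other SMTP traffic but let the TLS
! session through and stop masking the banner (ASA 8.0(3) and later;
! edge-esmtp is an assumed map name)
policy-map type inspect esmtp edge-esmtp
 parameters
  allow-tls action log
  no mask-banner
policy-map global_policy
 class inspection_default
  inspect esmtp edge-esmtp
```

Option 1 also removes ESMTP inspection from Internet-facing SMTP on the same firewall, so on a device that fronts the Edge server for inbound mail, option 2 (or a separate class that exempts only the internal Edge flow) is preferable. Once allow-tls is set the firewall cannot inspect the encrypted part of the session anyway, which is exactly why inspection and mutual TLS between Exchange servers do not mix.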

For more details see the Cisco document PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example.