Mail to certain domains does not work – Additional information

It's a known issue that mail flow to certain domains does not work if your Exchange Server 2007 deployment satisfies the following conditions:

* OS: Windows Server 2008
* Exchange: Exchange 2007

I tried the following steps and ended up finding a few things:

1. Mail flow works to all domains except a few.
2. When you smart-host the send connector to that particular domain, the mail goes through.
3. When you telnet to the remote domain's server and drop a mail manually, the mail goes through.

This can be resolved by applying the hotfix described in the Microsoft article "Mail flow to certain domains does not work when you run Exchange Server 2007 on a Windows Server 2008-based computer".

When a mail is generated to a remote domain (a problematic one), the server queries for the AAAA record, which is odd.

You can confirm this by running a Netmon trace.

So it is obvious why the mail does not go through: the remote server does not respond to the AAAA record query.

At times running the hotfix won't fix the problem. In that case, just create a new send connector and add the remote server's IP as a smart host for the time being.

Additional information:
This also happened to me with Exchange Server 2010.

Unable to send TLS mail to external domains – E2K7

Topology: Exchange 2007 > WatchGuard firewall > Microsoft ForeFront > Internet

The send connector is smart-hosted to Microsoft ForeFront.

Exchange 2007 supports a feature known as 'Opportunistic TLS': if the remote server advertises TLS, Exchange sends over TLS; otherwise it falls back to plain (non-TLS) SMTP.

In spite of this, the customer's Exchange server was sending non-TLS mail to remote domains that accept TLS.

– From the Exchange server, we ran a telnet to ForeFront on port 25, and no STARTTLS verb was advertised.

– So, from Exchange's point of view, sending in non-TLS format is the expected behaviour.

– However, when we ran the same telnet to ForeFront (port 25) from elsewhere, we did see the STARTTLS verb.

– Thus, although ForeFront advertises STARTTLS, the verb is not seen when the telnet is run from the Exchange server.

We suspected the WatchGuard to be running an ESMTP proxy, which strips verbs from the EHLO response before it reaches the Exchange server.

Though the customer (Cx) confirmed that the firewall did not proxy any SMTP, we logged in to the console and found ESMTP outbound settings.

ESMTP was enabled, and 8-BITMIME was the only extension with a check mark (and 8-BITMIME was the only verb displayed when Cx ran a telnet to ForeFront).

We checked BINARYMIME (from that list), saved the firewall config, and ran the telnet to ForeFront again: now the BINARYMIME verb was displayed as well (along with 8-BITMIME).

This confirmed that it was indeed the firewall stripping the verbs. The following link discusses issues with TLS and encryption caused by the WatchGuard Firebox firewall:

Resolution: The WatchGuard firewall has two options for SMTP mail: SMTP Proxy and SMTP Packet Filter. The default choice, when a user first sets up mail, is the SMTP Proxy. Change it to SMTP Packet Filter, and that should resolve the issue.
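The EHLO comparison the post does by hand with telnet, as an added example that is not part of the original post: it parses two captured EHLO replies (one taken directly, one taken from behind the firewall) and lists the extensions the path strips, which is exactly how the missing STARTTLS shows up. The host name, address and extension lists in the two transcripts are constructed samples, not captures from the case.

```python
"""Compare the ESMTP extensions advertised on two paths to the same smart host."""
import re

# Constructed sample: EHLO reply seen when connecting to the smart host directly.
DIRECT_EHLO = """250-forefront.example.local Hello [192.0.2.10]
250-SIZE 31457280
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250 CHUNKING
"""

# Constructed sample: the same EHLO as seen from the Exchange server behind an ESMTP proxy.
PROXIED_EHLO = """250-forefront.example.local Hello [192.0.2.10]
250-SIZE 31457280
250 8BITMIME
"""

_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply: str) -> set[str]:
    """Return the extension keywords from a multi-line 250 EHLO reply.

    Lines are '250-<ext>' (more follow) or '250 <ext>' (last line); the first
    line is the server greeting and carries no extension.
    """
    exts: set[str] = set()
    lines = [l.rstrip("\r") for l in reply.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError(f"not a 250 EHLO line: {line!r}")
        # only the final line may use a space separator, and it must use one
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise ValueError(f"malformed multi-line reply at: {line!r}")
        if i == 0:
            continue  # greeting line, e.g. '250-host Hello [addr]'
        # keyword is the first token; parameters (e.g. SIZE 31457280) are dropped
        exts.add(m.group(3).split()[0].upper())
    return exts


def stripped_extensions(direct: str, proxied: str) -> set[str]:
    """Extensions present on the direct path but missing on the proxied one."""
    return parse_ehlo(direct) - parse_ehlo(proxied)


def tls_is_available(reply: str) -> bool:
    """Opportunistic TLS can only happen if STARTTLS is actually advertised."""
    return "STARTTLS" in parse_ehlo(reply)
```

Running `stripped_extensions(DIRECT_EHLO, PROXIED_EHLO)` on the samples returns the six verbs the proxy removed, STARTTLS among them; feeding it real transcripts from both sides of the firewall gives the same answer as the telnet test in the post.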

Mail flow between servers is not working – E2K7


Recently I encountered a problem where I was not able to send and receive emails between two sites where E2K7 is installed.

  • You would get the following error:
Event Type: Error
Event Source: MSExchangeTransport
Event Category: SmtpReceive
Event ID: 1035
Inbound authentication failed with error LogonDenied for Receive connector Default XXXXXXXXX. The authentication mechanism is Gssapi. The source IP address of the client who tried to authenticate to Microsoft Exchange is
  • Enable verbose logging for the receive connector on the receiving site and send a test email from the other site.

If the SMTP Receive log shows "235 Authentication failed", the cause is one of the following:
  • A time difference between the DC and the Exchange server
  • Authenticated Users is not listed in the local security policy on the Exchange server

Resolution:
  • Synchronize the time between the DC and the Exchange server
  • Add Authenticated Users to "Access this computer from the network" under the local security policy

What you find in pipeline tracing for troubleshooting – E2K7

1. There will be 11 copies of each message.
2. Message header
The message header is useful when emails are not in the proper format when sent from or received by the server. Since you have 11 copies of the message, you can compare the message header of each copy with the others to see whether the header changed at any stage.
3. Which transport agent fired at each stage
This is very useful if a message is not reaching the mailbox. If the message is not reaching the mailbox, one of the transport agents must have rejected it, and this information tells you which agent did so.
4. You can enable pipeline tracing for one user or for all users; it cannot be enabled on a per-domain basis.