Re: Added dig cert to our E2010 CAS server, all mailflow stopped
We did look at logs and sniff the network. What we saw was that the Edge would connect to the HT, exchange syn, syn-ack, ack, ehlo, blah, quit. Prior to now, ET was delivering to HT via a connector that we had created, the same connector that the Ironports had used. Logs confirm this.

I surmise that when the E2k10 server came into play, it forced the Edge Subscription to use Exchange Authentication, which was evident on looking at the edge-internal recv connector. I *know* that that connector previously had no auth; Ironports wouldn't have handled it. So, I think that when the 2k10 server talked to the edge, it forced Exchange Auth, which we were not configured for on the more specific, manually created connector. Supposition here; would love to have validation.

Thoughts? Reasonable theory?

On Wed, Apr 14, 2010 at 5:48 PM, Michael B. Smith wrote:
> Did you look at the connection logs anytime during this process?
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
> From: Russ Patterson [mailto:rus...@gmail.com]
> Sent: Wednesday, April 14, 2010 5:34 PM
> To: MS-Exchange Admin Issues
> Subject: Re: Added dig cert to our E2010 CAS server, all mailflow stopped
>
> I misspoke - we didn't telnet back & forth between two servers, we telnetted from the Edge to the Hub, and then on the hub we telnetted to localhost, and saw different SMTP verbs after ehlo. That was the clue that we had a non-Exchange-authentication-friendly connection happening. (We saw the Exchange auth verbs on telnet localhost, but not from Edge to hub.)
>
> Sorry for the confusion - it's been one of those days.
>
> On Wed, Apr 14, 2010 at 2:47 PM, Russ Patterson wrote:
> > This was a strange one - called MS support; it turned out to be an old connector (which had been functioning for over a year.)
> >
> > At first, it had been to allow traffic from our Ironport appliances into the org, then we retired the Ironports & added an Edge server. For a while, we had both the Ironport IPs and the IP of the Edge in the Network tab of a Receive connector in the "Receive mail from remote servers that have these IP addresses" box.
> >
> > We deleted the connector, since those were the only 3 IPs in there, and restarted Transport all around. The queue from the Edge server to all our Hub servers emptied. The MS tech could see this was needed by doing telnet in both directions - after issuing an ehlo, a different list of verbs was listed in the SMTP session going one way as compared to the other.
> >
> > The thing we really don't have an answer for is - why did it work for weeks (after we turned off the Ironports) until this morning when I added the digital cert on the 2010 CAS server? The mail stopped within seconds of assigning the SMTP service to the new cert.
> >
> > All's well that ends well, I guess. Thanks everyone for their assistance!
> >
> > On Wed, Apr 14, 2010 at 11:41 AM, Russ Patterson wrote:
> > John - working on the root cert, Tom - we have rebuilt the Edge Subscription.
> >
> > Thanks much you guys!
> >
> > On Wed, Apr 14, 2010 at 11:05 AM, Ellis, John P. wrote:
> > Do you need to apply a root CA cert as well? Just a guess
> > digcert or Digicert?
> >
> > John
> >
> > From: Russ Patterson [mailto:rus...@gmail.com]
> > Sent: 14 April 2010 16:04
> > To: MS-Exchange Admin Issues
> > Subject: Added dig cert to our E2010 CAS server, all mailflow stopped
> >
> > I was following the MS Deployment Checklist, and just added a DigCert to our new 2010 CAS server. All we have in place (for 2010) is that machine, which has CAS & HUB roles.
> >
> > ALL inbound mail is now queueing on our 2007 Edge server. Any suggestions?
> >
> > Thanks!
> >
> > **
> > This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.
> > This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.
> > www.clearswift.com
> > **
RE: Added dig cert to our E2010 CAS server, all mailflow stopped
Did you look at the connection logs anytime during this process?

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Russ Patterson [mailto:rus...@gmail.com]
Sent: Wednesday, April 14, 2010 5:34 PM
To: MS-Exchange Admin Issues
Subject: Re: Added dig cert to our E2010 CAS server, all mailflow stopped

I misspoke - we didn't telnet back & forth between two servers, we telnetted from the Edge to the Hub, and then on the hub we telnetted to localhost, and saw different SMTP verbs after ehlo. That was the clue that we had a non-Exchange-authentication-friendly connection happening. (We saw the Exchange auth verbs on telnet localhost, but not from Edge to hub.)

Sorry for the confusion - it's been one of those days.

On Wed, Apr 14, 2010 at 2:47 PM, Russ Patterson <mailto:rus...@gmail.com> wrote:

This was a strange one - called MS support; it turned out to be an old connector (which had been functioning for over a year.)

At first, it had been to allow traffic from our Ironport appliances into the org, then we retired the Ironports & added an Edge server. For a while, we had both the Ironport IPs and the IP of the Edge in the Network tab of a Receive connector in the "Receive mail from remote servers that have these IP addresses" box.

We deleted the connector, since those were the only 3 IPs in there, and restarted Transport all around. The queue from the Edge server to all our Hub servers emptied. The MS tech could see this was needed by doing telnet in both directions - after issuing an ehlo, a different list of verbs was listed in the SMTP session going one way as compared to the other.

The thing we really don't have an answer for is - why did it work for weeks (after we turned off the Ironports) until this morning when I added the digital cert on the 2010 CAS server? The mail stopped within seconds of assigning the SMTP service to the new cert.

All's well that ends well, I guess. Thanks everyone for their assistance!

On Wed, Apr 14, 2010 at 11:41 AM, Russ Patterson <mailto:rus...@gmail.com> wrote:

John - working on the root cert, Tom - we have rebuilt the Edge Subscription.

Thanks much you guys!

On Wed, Apr 14, 2010 at 11:05 AM, Ellis, John P. <mailto:johnel...@wirral.gov.uk> wrote:

Do you need to apply a root CA cert as well? Just a guess
digcert or Digicert?

John

From: Russ Patterson [mailto:rus...@gmail.com]
Sent: 14 April 2010 16:04
To: MS-Exchange Admin Issues
Subject: Added dig cert to our E2010 CAS server, all mailflow stopped

I was following the MS Deployment Checklist, and just added a DigCert to our new 2010 CAS server. All we have in place (for 2010) is that machine, which has CAS & HUB roles.

ALL inbound mail is now queueing on our 2007 Edge server. Any suggestions?

Thanks!
Re: Added dig cert to our E2010 CAS server, all mailflow stopped
I misspoke - we didn't telnet back & forth between two servers, we telnetted from the Edge to the Hub, and then on the hub we telnetted to localhost, and saw different SMTP verbs after ehlo. That was the clue that we had a non-Exchange-authentication-friendly connection happening. (We saw the Exchange auth verbs on telnet localhost, but not from Edge to hub.)

Sorry for the confusion - it's been one of those days.

On Wed, Apr 14, 2010 at 2:47 PM, Russ Patterson wrote:
> This was a strange one - called MS support; it turned out to be an old connector (which had been functioning for over a year.)
>
> At first, it had been to allow traffic from our Ironport appliances into the org, then we retired the Ironports & added an Edge server. For a while, we had both the Ironport IPs and the IP of the Edge in the Network tab of a Receive connector in the "Receive mail from remote servers that have these IP addresses" box.
>
> We deleted the connector, since those were the only 3 IPs in there, and restarted Transport all around. The queue from the Edge server to all our Hub servers emptied. The MS tech could see this was needed by doing telnet in both directions - after issuing an ehlo, a different list of verbs was listed in the SMTP session going one way as compared to the other.
>
> The thing we really don't have an answer for is - why did it work for weeks (after we turned off the Ironports) until this morning when I added the digital cert on the 2010 CAS server? The mail stopped within seconds of assigning the SMTP service to the new cert.
>
> All's well that ends well, I guess. Thanks everyone for their assistance!
>
> On Wed, Apr 14, 2010 at 11:41 AM, Russ Patterson wrote:
>
>> John - working on the root cert, Tom - we have rebuilt the Edge Subscription.
>>
>> Thanks much you guys!
>>
>> On Wed, Apr 14, 2010 at 11:05 AM, Ellis, John P. <johnel...@wirral.gov.uk> wrote:
>>
>>> Do you need to apply a root CA cert as well? Just a guess
>>> digcert or Digicert?
>>>
>>> John
>>>
>>> From: Russ Patterson [mailto:rus...@gmail.com]
>>> Sent: 14 April 2010 16:04
>>> To: MS-Exchange Admin Issues
>>> Subject: Added dig cert to our E2010 CAS server, all mailflow stopped
>>>
>>> I was following the MS Deployment Checklist, and just added a DigCert to our new 2010 CAS server. All we have in place (for 2010) is that machine, which has CAS & HUB roles.
>>>
>>> ALL inbound mail is now queueing on our 2007 Edge server. Any suggestions?
>>>
>>> Thanks!
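The "different verbs after ehlo" check Russ describes, as an added example that is not part of the thread: a small parser for the multi-line 250 EHLO reply you see in a telnet session, a live variant built on smtplib, and a comparison of what two sessions advertise. The two sample replies are constructed to resemble an Edge-to-Hub session that hit a connector without Exchange Server authentication and a localhost session that hit one offering it; the extension names treated as Exchange authentication markers (X-ANONYMOUSTLS, X-EXPS, X-EXCHANGEAUTH) are an assumption, not something the thread states.

```python
"""Compare the ESMTP extensions two SMTP sessions advertise after EHLO.

Added example, not code from the thread. The sample replies are
constructed; the extension names in EXCHANGE_AUTH_EXTENSIONS are an
assumption about what an Exchange Server auth connector advertises.
"""
import smtplib

# Assumed marker extensions for Exchange Server authentication.
EXCHANGE_AUTH_EXTENSIONS = {"X-ANONYMOUSTLS", "X-EXPS", "X-EXCHANGEAUTH"}


def parse_ehlo(reply: str) -> dict:
    """Turn a raw multi-line 250 EHLO reply into {EXTENSION: parameters}."""
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln.strip()]
    features = {}
    for line in lines[1:]:  # line 0 is the greeting "250-host Hello [ip]"
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        body = line[4:].strip()  # drop "250-" or "250 "
        if body:
            name, _, params = body.partition(" ")
            features[name.upper()] = params.strip()
    return features


def exchange_auth_offered(features: dict) -> bool:
    """True if any Exchange Server authentication extension was advertised."""
    return bool(EXCHANGE_AUTH_EXTENSIONS & set(features))


def missing_on_first(first: dict, second: dict) -> list:
    """Extensions the second session advertised that the first did not."""
    return sorted(set(second) - set(first))


def probe_ehlo(host: str, port: int = 25, helo_name: str = "probe.example") -> dict:
    """Live EHLO against a real server (needs network); same shape as parse_ehlo()."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        code, _ = smtp.ehlo(helo_name)
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        return {k.upper(): v for k, v in smtp.esmtp_features.items()}


# Constructed sample replies, not captures from the thread's servers.
EDGE_TO_HUB = ("250-hub.example.local Hello [10.0.0.5]\r\n250-SIZE 10485760\r\n"
               "250-PIPELINING\r\n250-DSN\r\n250-ENHANCEDSTATUSCODES\r\n"
               "250-STARTTLS\r\n250-8BITMIME\r\n250-BINARYMIME\r\n250 CHUNKING\r\n")
LOCALHOST = ("250-hub.example.local Hello [127.0.0.1]\r\n250-SIZE 10485760\r\n"
             "250-PIPELINING\r\n250-DSN\r\n250-ENHANCEDSTATUSCODES\r\n"
             "250-STARTTLS\r\n250-X-ANONYMOUSTLS\r\n250-AUTH NTLM\r\n"
             "250-X-EXPS GSSAPI NTLM\r\n250-8BITMIME\r\n250-BINARYMIME\r\n"
             "250-CHUNKING\r\n250 XEXCH50\r\n")

if __name__ == "__main__":
    edge, local = parse_ehlo(EDGE_TO_HUB), parse_ehlo(LOCALHOST)
    print("Exchange auth offered to the Edge session:", exchange_auth_offered(edge))
    print("Advertised to localhost but not to the Edge:", missing_on_first(edge, local))
```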
Re: Added dig cert to our E2010 CAS server, all mailflow stopped
This was a strange one - called MS support; it turned out to be an old connector (which had been functioning for over a year.)

At first, it had been to allow traffic from our Ironport appliances into the org, then we retired the Ironports & added an Edge server. For a while, we had both the Ironport IPs and the IP of the Edge in the Network tab of a Receive connector in the "Receive mail from remote servers that have these IP addresses" box.

We deleted the connector, since those were the only 3 IPs in there, and restarted Transport all around. The queue from the Edge server to all our Hub servers emptied. The MS tech could see this was needed by doing telnet in both directions - after issuing an ehlo, a different list of verbs was listed in the SMTP session going one way as compared to the other.

The thing we really don't have an answer for is - why did it work for weeks (after we turned off the Ironports) until this morning when I added the digital cert on the 2010 CAS server? The mail stopped within seconds of assigning the SMTP service to the new cert.

All's well that ends well, I guess. Thanks everyone for their assistance!

On Wed, Apr 14, 2010 at 11:41 AM, Russ Patterson wrote:
> John - working on the root cert, Tom - we have rebuilt the Edge Subscription.
>
> Thanks much you guys!
>
> On Wed, Apr 14, 2010 at 11:05 AM, Ellis, John P. wrote:
>
>> Do you need to apply a root CA cert as well? Just a guess
>> digcert or Digicert?
>>
>> John
>>
>> From: Russ Patterson [mailto:rus...@gmail.com]
>> Sent: 14 April 2010 16:04
>> To: MS-Exchange Admin Issues
>> Subject: Added dig cert to our E2010 CAS server, all mailflow stopped
>>
>> I was following the MS Deployment Checklist, and just added a DigCert to our new 2010 CAS server. All we have in place (for 2010) is that machine, which has CAS & HUB roles.
>>
>> ALL inbound mail is now queueing on our 2007 Edge server. Any suggestions?
>>
>> Thanks!
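The leftover connector Russ describes, as an added example that is not part of the thread: a small model of how a Hub Transport server picks the Receive connector for an inbound session (the connector whose RemoteIPRanges entry most specifically matches the sending IP wins), showing why an old connector that still lists the Edge's IP but was never given Exchange Server authentication captures the Edge session ahead of the default connector, and why deleting it restores mail flow. The connector names, IPs and auth settings are constructed, not taken from anyone's server.

```python
"""Model of Receive connector selection on a Hub Transport server.

Added example, not code from the thread or from Exchange. Exchange
chooses the connector whose RemoteIPRanges entry most specifically
matches the sending IP (the smallest matching range wins). The
connectors, IPs and auth settings below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ReceiveConnector:
    name: str
    remote_ip_ranges: list  # entries like "10.0.0.5", "10.0.0.0/24" or "a.b.c.d-e.f.g.h"
    auth_mechanism: set = field(default_factory=set)  # e.g. {"Tls", "ExchangeServer"}


def _matcher(spec: str):
    """Return (covers(ip), number of addresses) for one RemoteIPRanges entry."""
    if "-" in spec:
        lo, hi = (int(ipaddress.ip_address(p.strip())) for p in spec.split("-", 1))
        return (lambda ip: lo <= int(ip) <= hi), hi - lo + 1
    net = ipaddress.ip_network(spec.strip(), strict=False)  # a bare address is a /32
    return (lambda ip: ip in net), net.num_addresses


def select_connector(connectors, remote_ip: str):
    """Most specific RemoteIPRanges match wins; None if no connector matches."""
    ip = ipaddress.ip_address(remote_ip)
    best, best_size = None, None
    for conn in connectors:
        for spec in conn.remote_ip_ranges:
            covers, size = _matcher(spec)
            if covers(ip) and (best_size is None or size < best_size):
                best, best_size = conn, size
    return best


def exchange_auth_ok(connectors, edge_ip: str) -> bool:
    """True when the connector the Edge session lands on offers Exchange Server auth."""
    chosen = select_connector(connectors, edge_ip)
    return chosen is not None and "ExchangeServer" in chosen.auth_mechanism


# Constructed scenario: the default connector plus the Ironport-era connector
# that still lists the Edge IP but was created without Exchange Server auth.
EDGE_IP = "10.0.0.5"
DEFAULT = ReceiveConnector("Default HUB1", ["0.0.0.0-255.255.255.255"],
                           {"Tls", "Integrated", "BasicAuth", "ExchangeServer"})
STALE = ReceiveConnector("Ironport inbound", ["10.0.0.20", "10.0.0.21", EDGE_IP], {"Tls"})

if __name__ == "__main__":
    print(select_connector([DEFAULT, STALE], EDGE_IP).name)  # the stale connector wins
    print(exchange_auth_ok([DEFAULT, STALE], EDGE_IP))  # False: the 451 5.7.3 situation
    print(exchange_auth_ok([DEFAULT], EDGE_IP))  # True once the stale connector is gone
```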
Re: Added dig cert to our E2010 CAS server, all mailflow stopped
John - working on the root cert, Tom - we have rebuilt the Edge Subscription.

Thanks much you guys!

On Wed, Apr 14, 2010 at 11:05 AM, Ellis, John P. wrote:
> Do you need to apply a root CA cert as well? Just a guess
> digcert or Digicert?
>
> John
>
> From: Russ Patterson [mailto:rus...@gmail.com]
> Sent: 14 April 2010 16:04
> To: MS-Exchange Admin Issues
> Subject: Added dig cert to our E2010 CAS server, all mailflow stopped
>
> I was following the MS Deployment Checklist, and just added a DigCert to our new 2010 CAS server. All we have in place (for 2010) is that machine, which has CAS & HUB roles.
>
> ALL inbound mail is now queueing on our 2007 Edge server. Any suggestions?
>
> Thanks!
Re: Added dig cert to our E2010 CAS server, all mailflow stopped
You shouldn't have to do this if you just upgrade the HT cert, but you may need to redo your edge subscription. In Ex2k7 sp1 you only needed to do that if you updated the cert on the edge, but it may not be the same for e14. I'd have to test in my lab, but it may be quicker for you to just redo the sub.

Thanks

On Wed, Apr 14, 2010 at 11:27 AM, Russ Patterson wrote:
> Yes - that's when mailflow stopped - when I added SMTP as a service.
>
> Also - seeing this error on the queue:
>
> 451 4.4.0 Primary target IP address responded with "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts or delivery failed to all alternate hosts.
>
> On Wed, Apr 14, 2010 at 11:22 AM, Tom Kern wrote:
>
>> Is smtp enabled as a service on the cert?
>>
>> On Wed, Apr 14, 2010 at 11:03 AM, Russ Patterson wrote:
>>
>>> I was following the MS Deployment Checklist, and just added a DigCert to our new 2010 CAS server. All we have in place (for 2010) is that machine, which has CAS & HUB roles.
>>>
>>> ALL inbound mail is now queueing on our 2007 Edge server. Any suggestions?
>>>
>>> Thanks!
Re: Added dig cert to our E2010 CAS server, all mailflow stopped
Yes - that's when mailflow stopped - when I added SMTP as a service.

Also - seeing this error on the queue:

451 4.4.0 Primary target IP address responded with "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts or delivery failed to all alternate hosts.

On Wed, Apr 14, 2010 at 11:22 AM, Tom Kern wrote:
> Is smtp enabled as a service on the cert?
>
> On Wed, Apr 14, 2010 at 11:03 AM, Russ Patterson wrote:
>
>> I was following the MS Deployment Checklist, and just added a DigCert to our new 2010 CAS server. All we have in place (for 2010) is that machine, which has CAS & HUB roles.
>>
>> ALL inbound mail is now queueing on our 2007 Edge server. Any suggestions?
>>
>> Thanks!
Re: Added dig cert to our E2010 CAS server, all mailflow stopped
Is smtp enabled as a service on the cert?

On Wed, Apr 14, 2010 at 11:03 AM, Russ Patterson wrote:
> I was following the MS Deployment Checklist, and just added a DigCert to our new 2010 CAS server. All we have in place (for 2010) is that machine, which has CAS & HUB roles.
>
> ALL inbound mail is now queueing on our 2007 Edge server. Any suggestions?
>
> Thanks!
RE: Added dig cert to our E2010 CAS server, all mailflow stopped
Do you need to apply a root CA cert as well? Just a guess
digcert or Digicert?

John

From: Russ Patterson [mailto:rus...@gmail.com]
Sent: 14 April 2010 16:04
To: MS-Exchange Admin Issues
Subject: Added dig cert to our E2010 CAS server, all mailflow stopped

I was following the MS Deployment Checklist, and just added a DigCert to our new 2010 CAS server. All we have in place (for 2010) is that machine, which has CAS & HUB roles.

ALL inbound mail is now queueing on our 2007 Edge server. Any suggestions?

Thanks!