Search This Blog

Monday 24 June 2013

451 4.4.0 Primary target IP address responded with: "451 5.7.3 Must issue a STARTTLS commnd first" Office 365 Hybrid


If you have an Office 365 hybrid configuration you may experience issues sending emails between on premise and cloud users (in either direction).

The Exchange 2013 (or 2010) on premises queue viewer may show:

'451 4.4.0 Primary target IP address responded with: "451 5.7.3 STARTTLS is required to send mail." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was xxx.xxx.xxx.xxx'

The Office 365 Message Trace Console shows the delivery status of 'None'
 

Office 365 Message Trace
 





The errors suggest the TLS connection cannot be made but a TLS certificate IS present and during the Hybrid Connection Wizard the required connectors are automatically created so should not require an additional configuration.

When an email is sent between on premise & cloud (Office 365) users of your SSO domain it is sent across one of the automatically created send connectors. These connectors are secured using TLS.

So, assuming you have ruled out all the normal stuff its now time to get baffled. We know the on premise server can send and receive external email. We also know that the Office 365 service can send and receive email. It is just the email between the two services that does not work.

I was banging my head against a wall for ages until I used Telnet to connect from my on premise Exchange server to Microsoft cloud gateway.

What I got is shown below:





This is not correct. As you can see the server has not recognised the "ehlo" statement and the banner does not "look right"...

A bit of digging around the firewall I noticed that packets were being dropped when TLS was attempted.

The firewall is a Cisco PIX 515. I disabled ESMTP inspection but that made no difference so I discounted this as the cause.

After a lot more digging around and raging I remembered that the PIX was behind another Cisco firewall - this time an ASA 5510. So I accessed this device and sure enough this edge firewall was also inspecting and dropping TLS over SMTP.

Once both firewall were configured not to inspect ESMTP the default configuration that was set by the Hybrid Configuration Wizard started working straight away.

The commands to disable ESMTP inspection are:

pix(config)#policy-map global_policy
pix(config-pmap)#class inspection_default
pix(config-pmap-c)#no inspect esmtp
pix(config-pmap-c)#exit
pix(config-pmap)#exit

Or you can do this via the ASDM GUI as shown.














Now telnet the cloud server and you should see a correct banner:



3 comments:

  1. Thanks for your help with this article. I had the same issue and I was about to call MS and then I read this and find out that our ISP did some nasty changes without notifying us beforehand.

    ReplyDelete
  2. Thank you for the informative post. This saved me. Thanks again!

    ReplyDelete