ExchangeAdmin-1818 asked

Exchange Issue with Autodiscover and external mail communication

Hello,

I've got a problem with the initial configuration of an Exchange Server 2016. Sending/receiving internal emails works but not to/from the outside. I tested the inbound SMTP mail flow with testconnectivity.microsoft.com which presents the following error message:

"Testing TCP port 25 on host mx0.DOMAIN.TLD to ensure it's listening and open.
The specified port is either blocked, not listening, or not producing the expected response."

According to "netstat -a", a service is listening on port 25 on the mail server. However, this is not the case for the firewall server. Since all the network communication is routed through the firewall server, I guess no SMTP communication is possible between the mail server and outside. Can you confirm the analysis so far? How can I tell a service to listen on port 25 on the firewall, too? The respective firewall port is already opened.

Can this be caused by an Autodiscover issue? When I test the Exchange ActiveSync with testconnectivity.microsoft.com it returns the following four error messages that I am also not able to solve:

"The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://DOMAIN.TLD:443/Autodiscover/Autodiscover.xml for user MAIL@DOMAIN.TLD
The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
Additional Details
A Web exception occurred because an HTTP 404 - 404 response was received from Unknown.
[...]"

Furthermore, it returns again similar port problems as described before:

"Testing TCP port 443 on host autodiscover.DOMAIN.TLD to ensure it's listening and open.
The specified port is either blocked, not listening, or not producing the expected response.
Additional Details
A network error occurred while communicating with the remote host."

and

"Testing TCP port 80 on host autodiscover.DOMAIN.TLD to ensure it's listening and open.
The specified port is either blocked, not listening, or not producing the expected response.
Additional Details
A network error occurred while communicating with the remote host."

Besides that, it presents a certificate warning:

Analyzing the certificate chains for compatibility problems with versions of Windows.
The test passed with some warnings encountered. Please expand the additional details.
Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update.
Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.

Thanks a lot for any hint to solve the problem!


KaelYao-MSFT answered

Hi,
Have you configured port forwarding to Exchange server on your firewall server?
To receive external mails and have the autodiscover and OWA to work, you need to forward incoming traffic to port 25, 80 and 443 on your firewall server to your Exchange server.
For more information, please refer to:
Network ports for clients and mail flow in Exchange
The document lists the inbound and outbound ports needed.

To send mails to external recipients, you need to set up a send connector to send to the internet.
Here is also a Microsoft document on this topic:
Create a Send connector in Exchange Server to send mail to the internet


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


ExchangeAdmin-1818 answered

Thanks for your answer.

The port forwarding is now configured for the respective ports (from the firewall server to the Exchange server). Now, I can see that services are listening on these ports on the firewall server and not only on the Exchange server as before.

When testing the Exchange ActiveSync two errors still occur:
- 1. error message: "Attempting to send an Autodiscover POST request to potential Autodiscover URLs. Autodiscover settings weren't obtained when the Autodiscover POST request was sent. Test Steps: The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://DOMAIN.TLD:443/Autodiscover/Autodiscover.xml for user MAIL@DOMAIN.TLD The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response. Additional Details: A Web exception occurred because an HTTP 404 - 404 response was received from Unknown."
- 2. error message: "Testing TCP port 443 on host autodiscover.DOMAIN.TLD to ensure it's listening and open. The specified port is either blocked, not listening, or not producing the expected response."


Hi,

Have you configured the external DNS records?
You may need the following records in public DNS:
[attached image listing the required public DNS records]

The ip address should be the internet-facing server.
In your case it should be the firewall server.



I have configured all the DNS entries in the admin web interface of our domain hosting provider so that it refers to the firewall server (which routes the packets to the mail server using port forwarding). I guess this is what you meant, isn’t it? So it seems like that's not the problem.

Could it be a problem that the FQDN we use in our internal DNS has a different TLD than our email domain?


Could it be a problem that the FQDN we use in our internal DNS has a different TLD than our email domain?

It may be the cause of the problem.
Please also add the DNS records in your internal DNS server.
You may need to configure an A record for mail.Emaildomain.com and a CNAME record for autodiscover.Emaildomain.com pointing to the internal IP address of your Exchange server.

In addition, have you installed the certificate on your Exchange server? At least it should contain mail.Emaildomain.com and autodiscover.Emaildomain.com.
You can change the Url of the virtual directories from ADdomain.com to Emaildomain.com so that you don't need to have another certificate which contains ADdomain.com on your server.

For your reference, please refer to Byron Wright's reply in this thread: https://social.technet.microsoft.com/Forums/Lync/en-US/f092a0c8-5a9e-4ab9-9d49-bcbfc6559e94/new-exchange-2016-on-a-local-domain-which-ssl-certificate-should-i-buy?forum=Exch2016SD

ExchangeAdmin-1818 answered

Thank you for proactively coming back to me! Unfortunately, the problem is not solved yet. Let me structure the status quo by the potential issues that might be responsible for the problem:

DNS entries:
I already had added similar entries to the forward lookup zone of the internal DNS as you suggested:

  • A CNAME record for autodiscover.DOMAIN.TLD referring to mailserver.DOMAIN.TLD;

  • But the A record for mailserver.DOMAIN.TLD does refer to the mail server’s IP address and not to the IP address of the firewall server (as the internet-facing server). How could the mail server be contacted by using a domain name otherwise? Maybe, I got the idea wrong.

Would an SRV record for autodiscover.DOMAIN.TLD referring to mailserver.DOMAIN.TLD also make sense?

Exchange certificate:
A certificate is installed on the Exchange server containing entries for autodiscover.DOMAIN.TLD and mailserver.DOMAIN.TLD. Please note that TLD refers to the internal domain name (the same as in the previous section); the TLD of the mail domain is different. As described before, the DNS entries for the mail domain are in a public DNS (configured in the admin web interface of our domain-hosting provider).

Mismatch between internal FQDN and the TLD of the mail domain:
In the meanwhile, I also found sources saying that it is not necessarily a problem to have two mismatching domains. However, I’m still not entirely sure yet if special configurations are needed in this case.

Issue with ports:
Besides that, I could still imagine that the root cause lies at the port level since even open ports are shown as blocked from the outside. I already performed a port scan on the firewall server. The result is that all ports are presented as closed although 1) the respective e-mail ports are explicitly opened in the firewall and 2) services are listening on these ports (due to the port forwarding to the email server). Although all ports are shown as closed to the outside, I can connect to the firewall server via VPN and then connect to all servers via Remote Desktop. I also tried to temporarily deactivate the firewall - without success.


Hi,

But the A record for mailserver.DOMAIN.TLD does refer to the mail server’s IP address and not to the IP address of the firewall server (as the internet-facing server).
Yes. I agree that it should be pointed to the internal IP address of the Exchange server instead of the firewall server.

Would an SRV record for autodiscover.DOMAIN.TLD referring to mailserver.DOMAIN.TLD also makes sense?
An SRV record should not be necessary since there is already a CNAME record.


In the meanwhile, I also found sources saying that it is not necessarily a problem to have two mismatching domains. However, I’m still not entirely sure yet if special configurations are needed in this case.

In your case I think you may need to setup split-dns (add records to the external DNS and your internal DNS server) to deal with the domain names mismatching.
Please refer to Jon Alfred Smith's replies in this link: split dns , how do i configure exchange and dns for the internal users



Thank you for the link! I followed his advice and also had a look at [1] but I still get the same error messages.

  • I created a new forward lookup zone named mail.DOMAIN.TLD (which is the external address) with an A record pointing to the internal IP of the Exchange server.

  • Then I changed all the internal server addresses in the Exchange Admin Centre (under server > virtual directories). For example, the internal and external address of OWA are now: mail.DOMAIN.TLD/owa.
    For Autodiscover and the Exchange web services I used ClientAccessService and WebServicesVirtualDirectory respectively, as described.

  • I also double-checked the Exchange certificate. It contains "DOMAIN.TLD" (external address) in the Subject Alternative Name section but not explicitly the relevant subdomains mail.DOMAIN.TLD or autodiscover.DOMAIN.TLD - but this should not be the problem

[1] https://www.petenetlive.com/KB/Article/0000830

Hi,
Thanks for your update.

Sorry, I forgot to mention: have you added DOMAIN.TLD (mail domain) as an accepted domain on your Exchange server?
And you may also need to configure an email address policy for your mail domain.
Here is the Microsoft document on this topic: Configure Exchange to accept mail for multiple authoritative domains
And also a thread for your reference: Changing Public Domain Name


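The virtual-directory, certificate and accepted-domain checks raised in the comments above can be audited in one read-only pass from the Exchange Management Shell. This is an added example, not code from the thread or from Microsoft; EXCH01 is an assumed server name and the host names are the thread's placeholders.

```powershell
# Added example, not from the thread: audit the Exchange 2016 namespace settings
# discussed above from the Exchange Management Shell. Read-only; nothing is changed.
$Server   = 'EXCH01'                 # assumed server name (placeholder)
$MailHost = 'mail.DOMAIN.TLD'        # client namespace from the thread
$AutoHost = 'autodiscover.DOMAIN.TLD'
$MailDom  = 'DOMAIN.TLD'             # the external mail domain

# 1. Every virtual directory URL must use the mail-domain namespace, not the AD FQDN,
#    otherwise clients are redirected to a name that is neither resolvable externally
#    nor covered by the certificate.
$vdirs = @(Get-OwaVirtualDirectory         -Server $Server) +
         @(Get-EcpVirtualDirectory         -Server $Server) +
         @(Get-ActiveSyncVirtualDirectory  -Server $Server) +
         @(Get-WebServicesVirtualDirectory -Server $Server) +
         @(Get-OabVirtualDirectory         -Server $Server) +
         @(Get-MapiVirtualDirectory        -Server $Server)
foreach ($v in $vdirs) {
    foreach ($url in @($v.InternalUrl, $v.ExternalUrl)) {
        if ($url -and $url.Host -ne $MailHost) {
            Write-Warning "$($v.Name): $url does not use $MailHost"
        }
    }
}

# 2. The Autodiscover SCP that domain-joined Outlook finds in AD must use the namespace too.
$scp = (Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri
if (-not $scp -or $scp.Host -ne $AutoHost) {
    Write-Warning "AutoDiscoverServiceInternalUri is '$scp', expected host $AutoHost"
}

# 3. The certificate bound to IIS needs both names as SANs; a SAN for DOMAIN.TLD alone
#    does not match mail.DOMAIN.TLD or autodiscover.DOMAIN.TLD.
$iisCerts = Get-ExchangeCertificate -Server $Server | Where-Object { "$($_.Services)" -match 'IIS' }
foreach ($cert in @($iisCerts)) {
    $sans = @($cert.CertificateDomains | ForEach-Object { "$_" })
    foreach ($name in @($MailHost, $AutoHost)) {
        if ($sans -notcontains $name) {
            Write-Warning "Certificate $($cert.Thumbprint) lacks SAN $name"
        }
    }
}

# 4. Exchange only accepts mail for accepted domains; without this, inbound SMTP connects
#    but the recipient is rejected, which also looks like "can send but not receive".
$accepted = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" })
if ($accepted -notcontains $MailDom) {
    Write-Warning "$MailDom is not an accepted domain"
}
```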

I already performed a port scan on the firewall server. The result is that all ports are presented as closed
Sorry I am not very familiar with firewall servers but to my knowledge it is normal behavior.


Hi,
I am writing here to confirm with you how things are going now.

ExchangeAdmin-1818 answered

Thanks for your feedback. However, I already had added DOMAIN.TLD as an accepted domain, and I already had configured the email address policy.

But I noted another issue that might be of interest. The tool testconnectivity.microsoft.com tested two different URLs with regard to Autodiscover. Do I really have to provide both of them (which seems not to be the case at the moment)?
• http://DOMAIN.TLD/Autodiscover/Autodiscover.xml
• http://Autodiscover.DOMAIN.TLD/Autodiscover/Autodiscover.xml


Besides that, coming back to the port issue: for testing purposes, I have set up a Thunderbird mail client on the server with an external email account. The result: I could send/receive emails using SMTP. Therefore, port 25 is not blocked as indicated by the error message I have shown you in the beginning:

"Testing TCP port 25 on host mx0.DOMAIN.TLD to ensure it's listening and open. The specified port is either blocked, not listening, or not producing the expected response."

I also double-checked again that a service is listening on port 25 (and on the other e-mail ports) on the firewall server.

From my perspective, this looks like a DNS issue (and not like a firewall conflict with the Global/Local Group Policy Management, the Network Policy Manager, or with another internal Windows component). Do you agree?


Hi, thanks for the update.
Do I really have to provide both of them (which seems not to be the case at the moment)?
You don't need to.
Outlook will check http://DOMAIN.TLD/Autodiscover/Autodiscover.xml first.
If it fails, then it will check http://Autodiscover.DOMAIN.TLD/Autodiscover/Autodiscover.xml.

Besides that, coming back to the port issue: for testing purposes, I have set up a thunderbird mail client on the server with an external email account.
Well, I think you are testing from the client side, but port 25 should be opened on the server side (in your case, it should be opened on the mail server which serves your external email account).

Since your internal mail flow works fine, the exchange server should be listening on port 25.
Just to confirm, please telnet port 25 on your Exchange server from the internal network.
I suppose that the problem should be with port forwarding or the firewall server.


Thank you for your suggestions! I successfully "telneted" port 25 of the Exchange server from the firewall server. However, it does not work when I try it from outside the network - as expected. (I am still wondering why it worked with an external mail client and the external e-mail address.)

"port forwarding" is a very good keyword. I also thought about it before. Currently, the following seven port forwardings are configured on the firewall server. "A" represents the external IP address of the firewall server, whereas "B" represents the internal IP address (there is no external one) of the Exchange server. "C" is another test system that I initially used for testing the port forwarding.

A:25 --> B:25
A:80 --> B:80
A:443 --> B:443
A:143 --> B:143
A:993 --> B:993
A:587 --> B:587
A:2222 --> C:22

Are they correct? Are any important forwardings missing?


Hi,
Are they correct? Are any important forwardings missing?
Yes. These are the necessary ports.
I think you may also need port 110 and 995 if you have enabled POP3 for clients.

Sorry, I may have missed the point here: many ISPs block port 25 by default because of spam.
It may also be the cause of your problem.
Please contact them and confirm it.


ExchangeAdmin-1818 answered

I have also tested with https://mxtoolbox.com whether the issue is related to the configuration of the DNS records. The result: the domain name correctly refers to the firewall server, the domain is not blacklisted, but the tool "failed to connect to SMTP host". This seems to be strongly related to the problem that I cannot receive (but can send) emails. Could this be caused by a configuration issue of Autodiscover, or which service/function/component would you suggest having a closer look at?


Hi,

Well, as far as I am concerned, the problem should still be with network traffic to the firewall server or between the firewall server and the Exchange server.

In your former replies, telnet port 25 on exchange server from internal works fine.
But according to the test result, you are not able to connect to port 25 on firewall server from external network.
If you telnet port 25 on your firewall server from external, would it fail with "Connection refused"?

Since sending emails is working fine, would it be possible that the ISP only opened outbound port 25 for you, while they didn't open inbound port 25?

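A way to reproduce the Connectivity Analyzer's port test from a machine outside the network and tell a filtered port (ISP or firewall server dropping packets, or no forwarding rule) from a refused one (host reached, nothing answered), covering the forwarding table listed above and the public DNS records that inbound mail and Autodiscover depend on. This is an added example in plain Windows PowerShell, not code from the thread; the host names are the thread's placeholders.

```powershell
# Added example, not from the thread: run from a machine OUTSIDE the network.
# Host names are the thread's placeholders; the ports are the forwarding table above.
$Domain   = 'DOMAIN.TLD'
$External = 'mx0.DOMAIN.TLD'             # must resolve to the firewall's public address "A"
$Ports    = 25, 80, 443, 143, 993, 587    # add 110 and 995 if POP3 is enabled

# Public DNS that inbound mail and Autodiscover depend on (a missing SRV record is
# fine as long as the autodiscover A/CNAME record exists).
Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
    Where-Object { $_.QueryType -eq 'MX' } | Select-Object NameExchange, Preference
Resolve-DnsName -Name "autodiscover.$Domain" -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, QueryType, NameHost, IPAddress
Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Select-Object NameTarget, Port

function Test-ForwardedPort {
    # Returns one of: "filtered ...", "refused/no banner ...", "open <SMTP banner>".
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # No SYN/ACK and no RST within the timeout: packets are dropped by the ISP,
            # by the firewall server, or there is no forwarding rule for this port.
            return 'filtered (timeout)'
        }
        $client.EndConnect($async)    # throws on RST, i.e. "connection refused"
        $banner = ''
        if ($Port -in @(25, 587)) {
            # Exchange's Receive connector greets with "220 <fqdn> Microsoft ESMTP MAIL Service ..."
            $stream = $client.GetStream(); $stream.ReadTimeout = $TimeoutMs
            $buf = New-Object byte[] 512
            $n = $stream.Read($buf, 0, $buf.Length)
            $banner = [Text.Encoding]::ASCII.GetString($buf, 0, $n).Trim()
        }
        return "open $banner"
    } catch {
        # The host answered but the forward led nowhere, or no banner arrived in time.
        $msg = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        return "refused/no banner ($msg)"
    } finally {
        $client.Close()
    }
}

foreach ($p in $Ports) {
    '{0}:{1,-4} {2}' -f $External, $p, (Test-ForwardedPort -TargetHost $External -Port $p)
}
```

Run the same script a second time from the firewall server against the Exchange server's internal address "B"; if port 25 is "open" internally but "filtered" externally, the forward or an upstream block (ISP) is the remaining suspect rather than Exchange itself.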
ExchangeAdmin-1818 answered

For testing purposes, I have replaced the internet connection of the firewall server with the one of a mobile internet device (using a SIM card), which also has an internal firewall that is disabled (not to be mixed up with the firewall server). However, the problem still remains: sending emails works but receiving emails doesn't.

As you correctly said, I can telnet the Exchange server on port 25 from the firewall server but not from outside. However, I'm not sure if this necessarily implies that all Exchange configurations are correctly configured (like the receive connectors or the Autodiscover). At which configurations would it make the most sense to have a closer look again?

It looks to me like external requests (with regard to email services) do not reach the Exchange server because they get stuck on the firewall server. Could this be caused by wrong Autodiscover configurations? Apart from that, the only information saying that the Exchange server is responsible for emails is our port forwardings (from the firewall server to the Exchange server), which is probably not sufficient.

Also, testconnectivity.microsoft.com returns the following error message:

The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://DOMAIN.TLD:443/Autodiscover/Autodiscover.xml for user USERNAME@DOMAIN.TLD
The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
