Issues between 2007 Edge Server and Hub Transport
Hello all, I have a 2-server Exchange 2007 implementation: an Edge server sitting in my DMZ and my main server in my local network. I have successfully gotten the EdgeSync to work, and it has been verified. That part was easy! Mail can be sent out from my domain to the internet, but outside mail is not making it past my Edge server. All messages just sit in the queue with the Last Error of: "451 4.4.0 DNS query failed". However, I am able to telnet into the main machine from the Edge server, and the same in reverse. I can also telnet by name and IP both, so I'm not really sure where to continue troubleshooting this issue. If anyone could give me some advice I would REALLY appreciate it!! Thank you in advance for any input!
December 18th, 2007 8:38pm

Have you got 53 TCP AND UDP open from the DMZ to your AD DNS server?
December 18th, 2007 9:02pm

Thank you for the reply ... I think I am one step closer now! I only had port 53 TCP allowed past the DMZ. I just changed it to allow for TCP/UDP, and the messages now aren't sitting in the same place in the queue. Instead, they now sit in the Submission folder in the queue, and when looking at the messages in that folder, they have a last error of: "a local loop was detected". How about that one? Thanks again for your help!
December 18th, 2007 9:33pm

Hmmm... when you set up EdgeSync did you define the internal IPs of your HT servers? Also, maybe try the mail flow troubleshooter in the Toolbox.
December 18th, 2007 9:36pm

Hmmm indeed! After the messages sat in the Submission folder for a while it moved them to a new folder with a new Last Error entry. Now it says: "451 4.4.0 primary target IP address responded with "421 4.4.1 unable to connect." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts." And when running the mail flow troubleshooter the only error I get is one that says: "Mail submission failed: error message: server does not support secure connections." That seems like it would go together with the 4.4.1 error that I'm seeing in the Queue Viewer.
December 18th, 2007 10:00pm

Did you follow all the details here: http://technet.microsoft.com/en-us/library/bb123883.aspx
December 18th, 2007 10:03pm

Yes, I have followed those instructions ... and the majority of those connectors are created by default, and cannot be changed on the Edge server. After reading through that article, and checking my configs, they all seem to match up perfectly.
December 18th, 2007 10:27pm

Can you see in the firewall logs if the Edge server is getting through to the Hub Transport server? Also, anything in either application log? Remember, if you are running EdgeSync, any changes you made on the Edge server prior to EdgeSync are lost, and all changes should be made from the Hub Transport server.
December 18th, 2007 10:35pm

Hmmm, this is the first time I've looked at the firewall logs ... and it seems, for some reason, that my Edge server is hitting my DNS server and my AD server on port 25 ... and not once have I seen it try to hit the HT server on port 25? What settings do I have messed up to make the Edge server try and hit those two servers, instead of the HT?
December 18th, 2007 10:40pm

OK ... after getting the "Mail submission failed: error message: server does not support secure connections." I thought maybe this was an auth. issue ... so just for testing I removed ALL authentication settings from the HT server. Now when mail comes into the Edge server it goes directly into the Submission folder, sits there for about 3 minutes, then disappears. The mail is not delivered to the mailbox, and there is no NDR sent to the sender? Where are these messages disappearing to?
December 19th, 2007 12:56am

What does message tracking say?
December 19th, 2007 1:02am

I tested this by sending a message from an outside sender just now ... this time it sat in the Submission folder again and then DID send out an NDR to the sender. This is what the message said:

edge-serv-01.domain.com #554 5.4.6 Hop count exceeded - possible mail loop ##

Original message headers:
Received: from edge-serv-01.domain.com (192.168.10.1) by edge-serv-01.domain.com (192.168.10.200) with Microsoft SMTP Server id 8.0.685.24; Tue, 18 Dec 2007 15:13:58 -0700
Received: from edge-serv-01.domain.com (192.168.10.1) by edge-serv-01.domain.com (192.168.10.200) with Microsoft SMTP Server id 8.0.685.24; Tue, 18 Dec 2007 15:08:56 -0700
Received: from edge-serv-01.domain.com (192.168.10.1) by edge-serv-01.domain.com (192.168.10.200) with Microsoft SMTP Server id 8.0.685.24; Tue, 18 Dec 2007 15:08:55 -0700

And I get no results for the message tracking on my HT server. Obviously something is VERY wrong here! What is this looping all about?
December 19th, 2007 1:23am
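The Received: chain quoted in the post above is the evidence for the "5.4.6 Hop count exceeded" NDR: every hop is the Edge server handing the message to itself, and the "from" address is the router's DMZ interface rather than a mail host. The following script is an added example, not something from the thread or from Exchange; it parses those headers (the poster's own hostnames and 192.168.10.x addresses are reused as sample input) and reports the loop indicators an admin would look for. The gateway address is passed in as an assumption.

```python
import re
from collections import Counter

# Received: headers copied from the NDR quoted in the thread (sample input).
NDR_HEADERS = """\
Received: from edge-serv-01.domain.com (192.168.10.1) by edge-serv-01.domain.com (192.168.10.200) with Microsoft SMTP Server id 8.0.685.24; Tue, 18 Dec 2007 15:13:58 -0700
Received: from edge-serv-01.domain.com (192.168.10.1) by edge-serv-01.domain.com (192.168.10.200) with Microsoft SMTP Server id 8.0.685.24; Tue, 18 Dec 2007 15:08:56 -0700
Received: from edge-serv-01.domain.com (192.168.10.1) by edge-serv-01.domain.com (192.168.10.200) with Microsoft SMTP Server id 8.0.685.24; Tue, 18 Dec 2007 15:08:55 -0700
"""

# Matches the "from <host> (<ip>) by <host> (<ip>)" part of an Exchange Received: header.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<from_host>\S+)\s+\((?P<from_ip>[^)]+)\)"
    r"\s+by\s+(?P<by_host>\S+)\s+\((?P<by_ip>[^)]+)\)",
    re.MULTILINE,
)


def parse_received(headers):
    """Return one dict per Received: header, in header order (newest hop first)."""
    return [m.groupdict() for m in RECEIVED_RE.finditer(headers)]


def loop_summary(hops, gateway_ip=None):
    """Summarise the symptoms behind 'Hop count exceeded - possible mail loop'.

    self_relay_hosts: hosts that accepted a message from themselves.
    repeated_paths:   (from_ip, by_ip) pairs that occur more than once.
    gateway_hops:     hops whose source IP is the default gateway (assumed
                      value passed by the caller); a router should never
                      appear as the sending SMTP host.
    """
    self_relay = sorted({h["by_host"] for h in hops if h["from_host"] == h["by_host"]})
    path_counts = Counter((h["from_ip"], h["by_ip"]) for h in hops)
    repeated = sorted(p for p, n in path_counts.items() if n > 1)
    gateway_hops = sum(1 for h in hops if gateway_ip and h["from_ip"] == gateway_ip)
    return {
        "hops": len(hops),
        "self_relay_hosts": self_relay,
        "repeated_paths": repeated,
        "gateway_hops": gateway_hops,
        "looping": bool(self_relay or repeated),
    }


if __name__ == "__main__":
    for key, value in loop_summary(parse_received(NDR_HEADERS), "192.168.10.1").items():
        print(f"{key}: {value}")
```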

Does your Edge server have 2 NICs/IPs on the same subnet? That would be a problem. Also problematic if the subnets are different and you've got multiple default gateways.
December 19th, 2007 2:22am

Actually, and maybe this is where the issue stems from ... I only have one NIC on this machine. It is configured with the IP address and gateway of the DMZ interface of my router (GW - 192.168.10.1, IP - 192.168.10.200). And then I have DMZ pinholes set up to allow access into the local network (192.168.0.0) on the ports that I need for mail flow.
December 19th, 2007 2:29am

Yup; something is wrong with your firewall/network config, as the default gateway should never be showing up with the hostname in a message header/routing as in your previous post.
December 19th, 2007 6:36pm

So, any ideas where I may have gone wrong? Or ideas on where I may look to check configs? It seemed really simple to me: I have one NIC that has a default gateway of the router's DMZ interface, and allows access from the DMZ to the internal network on ports 50636, 50389, 53, and 25. In the properties of the Edge server the external DNS is using the NIC (my ISP's DNS servers) and for the internal I have specified my internal DNS server address. I don't know why the headers in the bounced message would be showing the default GW.
December 19th, 2007 8:46pm

Anyone have any other advice to give me about where to start troubleshooting this routing issue? I have exhausted every other option I can think of.
December 26th, 2007 6:06pm
