Routing mail between 2 AD Sites not working
We've been running Exch2007 for our organization from a single server. I'm now trying to add a second CAS/Hub/Mailbox server in our other AD Site. I'm currently to the point where I'm getting a "451 5.7.3 Cannot achieve Exchange Server authentication" error when trying to send mail to a mailbox on the new server and vice versa. I've been able to find all kinds of posts with this error, but I've already allowed Exchange Server Authentication on all of the send/receive connectors on both servers. I've really been completely unable to find any documentation about the proper steps to add this kind of server to an existing organization. I'm able to telnet on port 25 in both directions, but I'm really at a loss. I don't know if it's a certificate issue, or something completely unrelated and I'm grasping at straws at this point. We're using the default self-signed cert on the new server and a 3rd party wildcard cert on the existing server. I've read a ton of articles on technet about theory and concepts of this kind of setup, but nothing about how to actually implement it. I'd appreciate any help or pointers to proper documentation. Thank you
May 18th, 2010 12:09am

Quote: “I'm able to telnet on port 25 in both directions”

Will the “Cannot achieve Exchange Server authentication” error occur if you try to send the test message via telnet? Do you get the right banner when you telnet to the server?

Has “Integrated Windows authentication” been enabled on the default receive connectors? If not, enable it and then restart the transport service.

Please temporarily disable the firewall and the third-party anti-virus software on the servers, and see if the issue still appears.

Please check the protocol log on the receive connector after reproducing the issue.

Resources: How to Modify the Default SMTP Banner

James Luo
TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
If you have any feedback on our support, please contact tngfb@microsoft.com
May 18th, 2010 6:36am

Well, I thought I could telnet properly in both directions before, but now I'm just getting a 220 ****... response when I connect and everything is returning Unrecognized command. No AV or firewall getting in the way.

Edit: Yes, all the receive connectors have Integrated Auth enabled.

Protocol log from the functional server <cropped for readability>:

*,SMTPSubmit SMTPAcceptAnyRecipient SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
>,"220 zogg.stratag.com Microsoft ESMTP MAIL Service ready at Tue, 18 May 2010 09:26:05 -0500",
<,EHLO ENOLA.stratag.com,
>,250-zogg.stratag.com Hello [192.168.1.204],
>,250-SIZE 10485760,
>,250-PIPELINING,
>,250-DSN,
>,250-ENHANCEDSTATUSCODES,
>,250-STARTTLS,
>,250-X-ANONYMOUSTLS,
>,250-AUTH NTLM,
>,250-X-EXPS GSSAPI NTLM,
>,250-8BITMIME,
>,250-BINARYMIME,
>,250-CHUNKING,
>,250-XEXCH50,
>,250 XRDST,
<,QUIT,
>,221 2.0.0 Service closing transmission channel,
-,,Local
May 18th, 2010 4:59pm

Hello,

Can you check the permissions for the Default Receive connector on both of the Exchange servers? Try to send an email locally and check the message tracking.

Thanks
Mhussain
May 18th, 2010 6:44pm

All email at the original site is working fine. If I send email from the new site to a mailbox on the new site, it too, works fine. If I telnet from the new site to the server on the new site, it works fine, so it appears my issue is with the connection across the IPSEC tunnel. If this is moving outside the purview of this forum, just say so. These two sites are connected with a site-to-site VPN between a Sonicwall firewall and a Cisco ASA 5510. From what I've seen of this "220 *********" response to a telnet session, it's a PIX issue with inspecting smtp traffic. Our ASA is currently not inspecting smtp traffic, but is inspecting esmtp traffic. I will be checking the Sonicwall now.
May 18th, 2010 7:03pm

Well, it turns out the ASA 5510 really does still use fixup, as well as inspect, even though the CLI will tell you to use inspect. Running 'no fixup protocol smtp 25' on the ASA solved the problem and mail is now routing properly. Thanks to everyone who helped.
May 18th, 2010 8:20pm
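The two symptoms in this thread (a banner of asterisks with every command returning "Unrecognized command", and the 451 5.7.3 error on a connector that requires Exchange Server authentication) can both be read straight off a receive connector protocol log or a telnet transcript. The following Python script is an added diagnostic example, not code from the thread or from Microsoft: it parses records in the direction-marker form shown in the protocol log above (`>` server to client, `<` client to server), checks whether the 220 banner has been masked, whether EHLO was accepted, and whether the EHLO reply advertises the X-EXPS and X-ANONYMOUSTLS extensions that Exchange-to-Exchange authentication relies on (that required set is my assumption based on the thread's log). The healthy sample is taken from the log above; the mangled sample is constructed to mirror what the poster reported seeing through the firewall, and its 500 reply text is a constructed placeholder.

```python
import re
from typing import Dict, List, Tuple

# Assumption: Exchange 2007 hub-to-hub authentication needs both of these in the
# EHLO reply (X-ANONYMOUSTLS for the TLS hop, X-EXPS GSSAPI/NTLM for Exchange auth).
REQUIRED_EXTENSIONS = ("X-EXPS", "X-ANONYMOUSTLS")

# Sample 1: the functional server's log from the thread (trimmed).
HEALTHY_LOG = """\
>,"220 zogg.stratag.com Microsoft ESMTP MAIL Service ready at Tue, 18 May 2010 09:26:05 -0500",
<,EHLO ENOLA.stratag.com,
>,250-zogg.stratag.com Hello [192.168.1.204],
>,250-SIZE 10485760,
>,250-PIPELINING,
>,250-STARTTLS,
>,250-X-ANONYMOUSTLS,
>,250-AUTH NTLM,
>,250-X-EXPS GSSAPI NTLM,
>,250 XRDST,
<,QUIT,
>,221 2.0.0 Service closing transmission channel,
"""

# Sample 2: constructed transcript of a session passing through a device that
# masks the banner and rejects extended commands (the 500 line is a placeholder).
MANGLED_LOG = """\
>,"220 **************************************************",
<,EHLO ENOLA.stratag.com,
>,500 Unrecognized command,
<,QUIT,
>,221 2.0.0 Service closing transmission channel,
"""


def parse_protocol_log(text: str) -> List[Tuple[str, str]]:
    """Turn 'direction,data,' records into (direction, data) pairs.

    Lines that do not start with '<' or '>' (session-permission and
    disconnect records) are skipped; quoting around data that contains
    commas and the trailing field separator are stripped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] not in "<>":
            continue
        data = line[1:].lstrip(",").rstrip(",").strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1]
        records.append((line[0], data))
    return records


def banner_is_masked(banner: str) -> bool:
    """True when the text after the 220 code carries no letters or digits."""
    body = banner[3:].strip()
    return bool(body) and not re.search(r"[A-Za-z0-9]", body)


def ehlo_extensions(records: List[Tuple[str, str]]) -> List[str]:
    """Keywords from the multi-line 250 reply to EHLO (empty if EHLO was rejected)."""
    exts: List[str] = []
    in_reply = False
    for direction, data in records:
        if direction == "<" and data.upper().startswith("EHLO"):
            in_reply, exts = True, []
            continue
        if not in_reply or direction != ">":
            continue
        m = re.match(r"250([ -])(\S+)", data)
        if not m:
            break  # a non-250 reply means the server never saw a valid EHLO
        exts.append(m.group(2).upper())
        if m.group(1) == " ":
            break  # '250 ' (space) marks the final line of the reply
    return exts[1:]  # first line is the greeting 'hostname Hello [ip]', not an extension


def diagnose(text: str) -> Dict[str, object]:
    """Classify a session: middlebox interference, missing auth extensions, or clean."""
    records = parse_protocol_log(text)
    banner = next((d for dr, d in records if dr == ">" and d.startswith("220")), "")
    ehlo_reply = ""
    for i, (dr, d) in enumerate(records):
        if dr == "<" and d.upper().startswith("EHLO"):
            ehlo_reply = next((d2 for dr2, d2 in records[i + 1:] if dr2 == ">"), "")
            break
    exts = ehlo_extensions(records)
    missing = [e for e in REQUIRED_EXTENSIONS if e not in exts]
    result: Dict[str, object] = {
        "banner_masked": banner_is_masked(banner),
        "ehlo_accepted": ehlo_reply.startswith("250"),
        "missing_extensions": missing,
    }
    if result["banner_masked"] or not result["ehlo_accepted"]:
        result["verdict"] = "inline SMTP inspection is altering the session; check firewall fixup/inspect"
    elif missing:
        result["verdict"] = "server reachable but not advertising " + ", ".join(missing)
    else:
        result["verdict"] = "ESMTP negotiation intact; look at certificates and connector permissions"
    return result


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY_LOG), ("mangled", MANGLED_LOG)):
        print(name, diagnose(sample))
```

Run it against a real protocol log by replacing the constructed samples with the file's contents; the "inline SMTP inspection" verdict is the one that points at the ASA fixup the thread ended up disabling, while the "not advertising" verdict points back at the receive connector's authentication settings.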
