
Cisco Email Security Appliance

ESA SMTP Authorization Errors after Exchange Migration

Document ID: 117836

Updated: Jul 01, 2014

Contributed by Enrico Werner, Cisco TAC Engineer.


Introduction

This document describes a problem encountered on the Cisco Email Security Appliance (ESA) after a migration from Microsoft Exchange Server Version 2003 to Microsoft Exchange Server Version 2010 (SP3): Simple Mail Transfer Protocol (SMTP) authentication from AsyncOS Version 7.5.1-102 towards the Exchange Server fails.

Problem

Note: This document assumes that the ESA is properly configured with an SMTP Authentication Forwarding profile and a Simple Authentication and Security Layer (SASL) login mechanism.

If a remote user connects to the ESA and uses SMTP Authentication, the ESA takes the credentials and forwards them to the internal SMTP server. In this case, the SMTP server does not accept the SMTP authentication credentials, and SMTP Authentication errors appear in the mail log file:

Mon Feb 24 12:42:10 2014 Info: New SMTP ICID 20207685 interface Data 1A
(172.17.1.56) address 30.98.71.119 reverse dns host unknown verified no
Mon Feb 24 12:42:10 2014 Info: ICID 20207685 ACCEPT SG AUTHENTICATED match
10.98.0.0/16 SBRS 5.1
Mon Feb 24 12:42:10 2014 Info: SMTP Auth: (ICID 20207685) could not reach
forwarding server 172.17.1.248
Mon Feb 24 12:42:10 2014 Warning: SMTP Auth: could not reach forwarding server
172.17.1.248 with reason: No ESMTP AUTH keyword was presented
.
Mon Feb 24 12:42:10 2014 Info: ICID 20207685 lost
Mon Feb 24 12:42:10 2014 Info: ICID 20207685 close
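
A way to pull these failures out of a mail log, as an added example that is not Cisco's code: it rejoins the wrapped lines shown above and reports each ICID whose SMTP Auth forwarding failed, with the client address, forwarding server and reason. The function names are hypothetical, and pairing the Warning line (which carries no ICID) with the Info line by timestamp and server address is an assumption.

```python
import re

# Log excerpt copied from this document, wrapped lines included.
SAMPLE_LOG = """\
Mon Feb 24 12:42:10 2014 Info: New SMTP ICID 20207685 interface Data 1A
(172.17.1.56) address 30.98.71.119 reverse dns host unknown verified no
Mon Feb 24 12:42:10 2014 Info: ICID 20207685 ACCEPT SG AUTHENTICATED match
10.98.0.0/16 SBRS 5.1
Mon Feb 24 12:42:10 2014 Info: SMTP Auth: (ICID 20207685) could not reach
forwarding server 172.17.1.248
Mon Feb 24 12:42:10 2014 Warning: SMTP Auth: could not reach forwarding server
172.17.1.248 with reason: No ESMTP AUTH keyword was presented
.
Mon Feb 24 12:42:10 2014 Info: ICID 20207685 lost
Mon Feb 24 12:42:10 2014 Info: ICID 20207685 close
"""

# An entry starts with "Day Mon DD HH:MM:SS YYYY Level:"; any other
# non-empty line is a wrapped continuation of the previous entry.
ENTRY = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (\w+): (.*)$")
NEW_CONN = re.compile(r"New SMTP ICID (\d+) .*? address (\S+)")
AUTH_FAIL = re.compile(r"SMTP Auth: \(ICID (\d+)\) could not reach forwarding server (\S+)")
REASON = re.compile(r"SMTP Auth: could not reach forwarding server (\S+) with reason: (.*)")

def unwrap(text):
    """Join wrapped continuation lines onto the entry they belong to."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(list(m.groups()))
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()
    return entries

def auth_forward_failures(text):
    """One record per ICID whose SMTP Auth forwarding attempt failed."""
    clients, failures, reasons = {}, {}, {}
    for ts, _level, msg in unwrap(text):
        if m := NEW_CONN.search(msg):
            clients[m.group(1)] = m.group(2)
        elif m := AUTH_FAIL.search(msg):
            failures[m.group(1)] = {"time": ts, "server": m.group(2)}
        elif m := REASON.search(msg):
            reasons[(ts, m.group(1))] = m.group(2).rstrip(" .")
    # Assumption: the Warning has no ICID, so pair it by time and server.
    return [{"icid": i, "client": clients.get(i), **f,
             "reason": reasons.get((f["time"], f["server"]))}
            for i, f in failures.items()]
```

Grouping the returned records by `server` and `reason` shows whether every failure after the migration points at the same forwarding server with the same cause.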

Solution

This problem is caused by the receive connector configurations on the Exchange Server. In order to solve this problem, ensure that the authentication and the receive connectors on the Exchange Server are configured as anonymous.

Tip: Refer to the Allow Anonymous Relay on a Receive Connector Microsoft Exchange article for more information.
