Incoming Messages to Edge Server Fail with 550 5.7.1 NDR
Applies to: Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-09-11
This topic explains how to resolve issues related to inbound messages not being delivered from external domains to a server that is running Microsoft Exchange Server 2007 with the Edge Transport server role installed. Inbound e-mail messages are rejected with a non-delivery report (NDR) similar to the following being returned to the sender:
ftr-van-exfe.domain.com #550 5.7.1 External client does not have permissions to submit to this server ##
This issue commonly occurs when the Edge Transport server role is deployed in a perimeter network configuration and the Internet Protocol (IP) address of the internal firewall is blocked by the Edge Transport server. This issue can also occur in a non-perimeter network scenario if one or more Hub Transport server IP addresses are blocked by the Edge Transport server.
You can confirm that this situation is occurring by running the Get-IPBlockListEntry cmdlet on the Edge Transport server and then examining the output for the IP address of the internal SMTP server or the internal firewall's IP address. Then, you can resolve this issue by modifying the internal SMTP servers list and then removing the blocked IP from the IP block entry list.
To perform this procedure, the account you use must be delegated the following:
Membership in the local Administrators group
Exchange Organization Administrator role
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.
Start the Exchange Management Shell.
Run the Get-IPBlockListEntry cmdlet and then locate the IP address of the internal SMTP server or internal firewall's IP address that is being blocked. Note the line number of the blocked IP.
Run the Set-TransportConfig cmdlet as follows:
set-TransportConfig -InternalSMTPServers <IP address of Hub Transport server to be added>
Run the Start-EdgeSynchronization cmdlet to force replication.
Confirm that the Hub Transport server IP address you added has been replicated by running the Get-TransportConfig cmdlet.
Inspect the Get-TransportConfig output and confirm that the IP address you added in step 3 is shown.
Run the Remove-IPBlockListEntry cmdlet as follows:
Remove-IPblockListEntry -Identity <line #>
Note: Replace <line #> with the line number that you noted in step 2 identifying the blocked IP address when Get-IPBlockListEntry was run.
Send a test message to confirm that message traffic is flowing correctly.