I’ve seen this problem a few times on the Exchange forums where the error below is reported as the last error on the Exchange queue for outbound email to the internet or a specified domain:
451 4.4.0 Primary target IP address responded with: “421 4.2.1 Unable to connect
If you get presented with this error when sending email out from your Exchange server, go through the steps below to find the issue.
1) Identify the next hop and port
The first step in troubleshooting requires working out the next hop associated with the queue. This is the next server that is involved in the delivery of the message.
If you have a single hub transport server, use the below command:
Get-Queue | FL Identity,LastError,MessageCount,NextHopDomain
If you have other hub transport servers, use the -Server parameter to specify each server in turn:
Get-Queue -Server Svr02 | FL Identity,LastError,MessageCount,NextHopDomain
The NextHopDomain is the hostname of the next hop in the message delivery. In our case it is smtp.123-reg.co.uk.
You then need to work out if this is a smart host and if so, whether it is using the default port. To do this, run the below command:
Get-SendConnector | FL Identity,SmartHosts,Port
In our case, smtp.123-reg.co.uk is a smart host and configured for port 25. It’s worth checking that this is the correct configuration at this point – especially checking that the port number is right.
2) Attempt to connect to the next hop
The second step is to confirm that you cannot connect to the next hop. To do this, use either telnet or Send-MailMessage. The telnet command we need to use is:
telnet smtp.123-reg.co.uk 25
Here we can see that we are unable to telnet onto port 25.
To test with PowerShell, we need to use the below:
$anonUser = “anonymous”
$anonPass = ConvertTo-SecureString “anonymous” -AsPlainText -Force
$anonCred = New-Object System.Management.Automation.PSCredential($anonUser, $anonPass)
$sendmessage = Send-MailMessage -From mark@gossa.co.uk -To test@test.com -SmtpServer smtp.123-reg.co.uk -Subject “Test email” -Credential $anonCred
Here we can see that we are unable to connect on port 25 using PowerShell.
3) Check your firewalls
The firewall can be blocking outbound SMTP traffic from your Exchange server. This can be either the network firewall or the Windows firewall on the Exchange server. For the network firewall, check your documentation and troubleshoot it. For the Windows firewall, open up the firewall from the control panel and check which profile is active. In our case, the domain profile is active (as a side note, if the domain profile is not active then that means Exchange cannot contact a domain controller in the domain and this will need troubleshooting):
Click on Advanced Settings on the left to open up the Windows Firewall with Advanced Security. On the right hand side, click filter by profile and select the domain profile. Also, filter the state to select enabled to provide just a list of enabled rules. Once done, sort by port and hopefully you’ll find something like below.
Above, you can see the rule I’ve added to demonstrate this issue. Disable or delete any rules that block port 25.
4) Check your ISP
If you don’t find any issues with the above steps and you have this problem for all domains you’re trying to send to, contact your ISP. They may be blocking outbound port 25 from your network.
5) Check your Exchange server or smart host IP is not blacklisted
Recipient mail filters respond differently to blacklisted IPs. It’s possible that the recipient mail server may not allow a connection if your IP is found on a blacklist. To check for this, go to https://testconnectivity.microsoft.com/ and select the “Outbound SMTP Email” test as in the screenshot below. Enter your sending IP address and an email address. Your sending IP address is the public IP that will connect to the recipient mail server. If you are using a smart host, this is the public IP of the smart host and if you’re not using a smart host then this is the public IP of your Exchange server.
If you find your IP or domain on any blacklists, you will need to unlist your IP. Each blacklist provider is different so read through the information on their website to work out how.
6) Check applications on the server
An application on the server may be blocking
the connection. This is commonly misconfigured antivirus software. An example of this is McAfee Access Protection where, if misconfigured, doesn’t allow outbound SMTP traffic. Troubleshoot any application which has the ability to block network traffic. You need to add an exception to allow SMTP traffic to your smart host. If you’re not using a smart host then you need to add an exception to allow SMTP traffic to the internet.
7) Check your smart host configuration
Most smart hosts only allow certain IPs to relay email. Check that the IP of your Exchange server is allowed to relay email through your smart host.