I was having trouble receiving email from Office 365 on my Exchange Server 2003 lately. Any message sent from Office 365 got bounced back to the sender after two days of retries, with diagnostic information like the following attached:
9/11/2015 2:27:25 PM - Remote Server at domain.com returned '550 4.4.7 QUEUE.Expired; message expired'
9/11/2015 2:07:22 PM - Remote Server at domain.com returned '451 4.4.0 SMTPSEND.SuspiciousRemoteServerError; remote server disconnected abruptly; retry will be delayed'
The first message, “550 4.4.7 QUEUE.Expired”, doesn’t help much on its own. It only says that Office 365 kept retrying until the message had sat in its queue longer than the retry limit (the two days) and then gave up; it tells you that your mail server is not receiving, not why.
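The diagnostic block above follows a fixed pattern (timestamp, remote host, SMTP reply code, enhanced status code, Exchange component tag, free-text detail), so it is worth pulling apart mechanically when you have a pile of NDRs to look through. The parser below is an added example, not code from the original post; the sample input is constructed from the two lines quoted above plus the standard NDR header line.

```python
import re
from datetime import datetime

# Constructed sample input: the "Diagnostic information for administrators" part of an
# Office 365 NDR, using the two lines quoted in the post. Newest entry comes first.
SAMPLE_NDR = (
    "Diagnostic information for administrators:\n"
    "9/11/2015 2:27:25 PM - Remote Server at domain.com returned "
    "'550 4.4.7 QUEUE.Expired; message expired'\n"
    "9/11/2015 2:07:22 PM - Remote Server at domain.com returned "
    "'451 4.4.0 SMTPSEND.SuspiciousRemoteServerError; remote server disconnected "
    "abruptly; retry will be delayed'\n"
)

# One entry: <timestamp> - Remote Server at <host> returned '<reply> <esc> <Component.Tag>; <detail>'
LINE_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - "
    r"Remote Server at (?P<host>\S+) returned "
    r"'(?P<reply>\d{3}) (?P<esc>\d\.\d{1,3}\.\d{1,3}) (?P<tag>[A-Za-z]+\.[A-Za-z]+);"
    r"\s*(?P<detail>[^']*)'\s*$"
)


def parse_ndr(text):
    """Parse the diagnostic lines into dicts, oldest first (the NDR lists newest first)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip the human-readable parts of the NDR
        e = m.groupdict()
        e["when"] = datetime.strptime(e["when"], "%m/%d/%Y %I:%M:%S %p")
        e["reply"] = int(e["reply"])
        events.append(e)
    events.sort(key=lambda e: e["when"])
    return events


def diagnose(events):
    """Summarise what the sending side saw when talking to our MX."""
    abrupt = [e for e in events if e["tag"] == "SMTPSEND.SuspiciousRemoteServerError"]
    expired = [e for e in events if e["tag"] == "QUEUE.Expired"]
    summary = {
        "remote_hosts": sorted({e["host"] for e in events}),
        "abrupt_disconnects": len(abrupt),
        "expired": bool(expired),
        "retry_window": (events[-1]["when"] - events[0]["when"]) if events else None,
        "hint": None,
    }
    if abrupt:
        # The receiving server accepted the connection and then dropped it mid-session.
        # The two causes discussed on this page are a STARTTLS handshake the old server
        # cannot complete and an SMTP-inspecting firewall mangling the session.
        summary["hint"] = ("remote server dropped the session; check STARTTLS/TLS version "
                           "support on the MX and any SMTP-inspecting firewall in between")
    elif expired:
        summary["hint"] = "sender retried until its queue timeout with no specific error"
    return summary


if __name__ == "__main__":
    events = parse_ndr(SAMPLE_NDR)
    for e in events:
        print(e["when"], e["reply"], e["esc"], e["tag"], "-", e["detail"])
    print(diagnose(events))
```

Note that the final verdict is a 5xx reply carrying a 4.x.x enhanced status code: the reply class says the delivery is permanently failed, while the 4.4.7 says the underlying condition was a transient one that simply never cleared within the retry window.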
The second one, “451 4.4.0 SMTPSEND.SuspiciousRemoteServerError; remote server disconnected abruptly”, sheds some light on where things go wrong: my server accepted the connection and then dropped it in the middle of the session. A quick Google search turned up two potential causes for this particular error.
The first one, mentioned in this Office 365 forum thread, is the SMTP fixup (ESMTP inspection) feature on Cisco routers and firewalls, which interferes with the session when the two sides try to use TLS encryption. The solution is to disable it. Since I don’t have any Cisco gear on my network, this fix didn’t apply to my case, but if you have a Cisco device in front of a newer Exchange Server, it may help.
The second one made more sense to me. In a thread on the Spiceworks forum, the original poster added an update that explains exactly what happened:
Microsoft has started disabling TLS 1.0 and certain low grade ciphers on its Exchange/Outlook Online Protection. Apparently Windows 2003 IIS SMTP services only supports up to TLS 1.0. The reason it was random was that only 75% of Microsoft’s servers had been updated to remove TLS 1.0.
Exchange Server 2003 runs on Windows Server 2003, and its SMTP service relies on the operating system’s Schannel library for TLS, which tops out at TLS 1.0 (plus the older SSL versions). Once the Office 365 side stops offering TLS 1.0, the STARTTLS handshake cannot agree on a protocol version, the session is torn down (the “disconnected abruptly” in the NDR), and after two days of failed retries the message expires.
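The quickest way to confirm this from the outside is to do what the Office 365 sender does: connect to the MX, EHLO, issue STARTTLS, and attempt the handshake with TLS 1.2 as the floor, then repeat with TLS 1.0 allowed and compare. The probe below is an added example, not code from the post; `mail.example.com` is a placeholder, and the certificate check is deliberately turned off because the question is protocol negotiation, not trust.

```python
import smtplib
import ssl
import sys


def build_context(min_version=ssl.TLSVersion.TLSv1_2, verify=False):
    """Client TLS context with a protocol floor. A floor of TLSv1_2 mimics a sender
    that has stopped offering TLS 1.0, which is what Office 365 / EOP did."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    if min_version < ssl.TLSVersion.TLSv1_2:
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level; relax it so
        # the probe can reproduce what an older sender negotiated. Ignore if unsupported.
        try:
            ctx.set_ciphers("DEFAULT@SECLEVEL=0")
        except ssl.SSLError:
            pass
    if not verify:
        # Senders use opportunistic TLS toward arbitrary MX hosts; this probe is about
        # whether a handshake completes at all, not about certificate trust.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_starttls(host, port=25, min_version=ssl.TLSVersion.TLSv1_2, timeout=10):
    """EHLO the MX, attempt STARTTLS under the given floor, and report the outcome."""
    result = {
        "host": host, "min_version": min_version.name,
        "starttls_advertised": False, "tls_ok": False,
        "protocol": None, "cipher": None, "error": None,
    }
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)  # connects and reads the 220 banner
        smtp.ehlo()
        result["starttls_advertised"] = smtp.has_extn("starttls")
        if result["starttls_advertised"]:
            smtp.starttls(context=build_context(min_version))  # the handshake happens here
            smtp.ehlo()  # RFC 3207: the EHLO must be repeated after TLS is up
            result["tls_ok"] = True
            result["protocol"] = smtp.sock.version()  # e.g. 'TLSv1.2'
            result["cipher"] = smtp.sock.cipher()[0]
            smtp.quit()
    except ssl.SSLError as exc:
        # No protocol or cipher in common: what an old Schannel looks like to a TLS 1.2-only sender.
        result["error"] = "tls handshake failed: %s" % exc
    except (smtplib.SMTPException, OSError) as exc:
        # Refused connections, timeouts, and the peer closing the socket mid-session.
        result["error"] = "smtp/socket error: %s" % exc
    finally:
        if smtp is not None:
            smtp.close()  # close the socket without QUIT; harmless if already closed
    return result


if __name__ == "__main__":
    mx = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder host
    for floor in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1):
        print(probe_starttls(mx, min_version=floor))
```

Run it as `python probe.py your.mx.host` from outside your network. A server in the state described here advertises STARTTLS, fails the handshake with the TLS 1.2 floor, and succeeds (reporting `TLSv1`) only when TLS 1.0 is allowed; if the TLS 1.2 attempt is instead cut off before STARTTLS or returns garbage, look at an SMTP-inspecting firewall on the path.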
Finding the issue was the easy part; making a plan to fix it is much harder. Windows Server 2003 was never given TLS 1.1 or 1.2 support and cannot be patched to get it. It is still worth trying what this Microsoft KB suggests and installing the hotfix, which adds newer (AES) cipher suites to Windows Server 2003; that at least addresses the “low grade ciphers” half of the problem.
After applying the hotfix, download IIS Crypto to check which protocols and cipher suites Schannel (and therefore the IIS SMTP service) will offer, and to switch on the new suites if they are not already enabled; the available protocols are listed as shown below. Do not expect TLS 1.1 or TLS 1.2 to appear in that list on Server 2003: the hotfix only widens the cipher list under TLS 1.0, so whether it is enough depends on what the sending side still accepts.
If it is not enough, it is time to think about an upgrade plan, either a move to a later version of Exchange Server or a migration to the cloud such as Office 365. If you need a temporary solution for the time being, setting up the SMTP service on a Windows Server 2008 R2 or Server 2012 box to act as a mailman that relays all incoming mail to Exchange 2003 works fine, and that is what solved the issue for me. The relay negotiates TLS 1.2 with Office 365 and then hands the message to Exchange 2003 over the internal hop, which stays at TLS 1.0 or plain SMTP. Two things to watch: on Server 2008 R2, TLS 1.1 and 1.2 are present but disabled by default and must be enabled through the Schannel registry keys (Server 2012 has them on out of the box), and the relay must be restricted to accept mail for your own domains only, otherwise you have just put an open relay on the internet. You can follow this guide to set up and configure the SMTP service on Windows Server 2012 to relay your incoming mail.