Applies to: Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-09-11

This topic explains how to resolve issues related to inbound messages not being delivered from external domains to a server that is running Microsoft Exchange Server 2007 with the Edge Transport server role installed. Inbound e-mail messages are rejected with a non-delivery report (NDR) similar to the following being returned to the sender:

This issue commonly occurs when the Edge Transport server role is deployed in a perimeter network configuration and the Internet Protocol (IP) address of the internal firewall is blocked by the Edge Transport server. This issue can also occur in a non-perimeter network scenario if one or more Hub Transport server IP addresses are blocked by the Edge Transport server.

You can confirm that this situation is occurring by running the Get-IPBlockListEntry cmdlet on the Edge Transport server and then examining the output for the IP address of the internal SMTP server or the internal firewall's IP address. Then, you can resolve this issue by modifying the internal SMTP servers list and then removing the blocked IP from the IP block entry list.

Before You Begin

To perform this procedure, the account you use must be delegated the following:

  • Membership in the local Administrators group

  • Exchange Organization Administrator role

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.


To use the Exchange Management Shell to identify blocked IP addresses and modify the internal SMTP servers list on an Edge server

  1. Start the Exchange Management Shell.

  2. Run the Get-IPBlockListEntry cmdlet and then locate the IP address of the internal SMTP server or internal firewall's IP address that is being blocked. Note the line number of the blocked IP.

  3. Run the Set-TransportConfig cmdlet as follows:

    Copy Code
    set-TransportConfig -InternalSMTPServers <IP address of Hub Transport server to be added>
  4. Run the Start-EdgeSynchronization cmdlet to force replication.

  5. Confirm that the Hub Transport server IP address you added has been replicated by running the Get-TransportConfig cmdlet.

  6. Inspect the Get-TransportConfig output and confirm that the IP address you added in step 3 is shown.

  7. Run the Remove-IPBlockListEntry cmdlet as follows:

    Copy Code
    Remove-IPblockListEntry -Identity <line #>
    Replace <line #> with the line number that you noted in step 2 identifying the blocked IP address when Get-IPBlockListEntry was run.
  8. Send a test message to confirm that message traffic is flowing correctly.

For More Information

For more information about the Get-IPBlockListEntry cmdlet, see Get-IPBlockListEntry. For more information about the Set-TransportConfig cmdlet, see Set-TransportConfig. For more information about the Start-EdgeSynchronization cmdlet, see Start-EdgeSynchronization.