In the Queue Viewer on the Exchange 2013 server I could see the following message:
451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.This message indicates that Exchange Server authentication is failing before the message is sent. This can happen because of the following reasons:
- A firewall between the servers strips out extended SMTP verbs that are required for Exchange Server authentication. Specifically the following SMTP verbs must be allowed: X-ANONYMOUSTLS, X-EXPS, and GSSAPI. In most cases, this is not an issue on internal networks.
- Exchange Authentication is not enabled on the receive connector being used. This is most likely.
- Default ServerName
- Anonymous Relay for internal devices
This made me suspect that the Anonymous Relay connector was being used instead of the Default connector. To confirm this I looked in the SMTP Receive protocol log in C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive. Searching the most recent log for the IP address of the Exchange 2013 server showed that the Anonymous Relay connector was being used.
I then looked in the configuration of the Anonymous Relay connector on the Network tab. There were a large number of remote IP addresses listed as allowed to use the Anonymous Relay connector (probably more than there should be, but that's an issue for another day). The entire subnet that the Exchange 2013 was located on was listed.
Exchange Server chooses a receive connector to use based on how specific the remote IP addresses listed in the connector are. The subnet listed in the Anonymous Relay connector was more specific that the 0.0.0.0-255.255.255.255 listed in the Default connector. Therefore the Anonymous Relay connector was being used.
To fix this problem, I added the individual IP addresses of the Exchange 2013 servers to the Default connector on the Exchange 2007 server. This was then more specific than the subnet in the Anonymous Relay connector. After this was complete, the Default connector was used.