Cannot Establish Exchange Connection

››

Cannot Establish Exchange Connection

What Are Exchange Connections Used For? Exchange Connections in MailArchiva are used for folder sync and direct import features. A separate SMTP connection is still required for day-to-day journaling purposes. If you are experiencing problems with regular archiving, refer to Archiving Stopped and the Exchange mail server integration instructions.

Note: Please ensure that you have specified the fully qualified domain name of the Exchange server in the ExchangeConnection server field (not an IP address and not simply a made up DNS name - it must be the actual fully qualified domain name of the server!)

Typical Connection Settings

Setting	Typical Value
Server Address	Fully Qualified Domain Name (FQDN) of Microsoft Exchange Client Access Server (CAS)
Autodiscover	Unchecked
Impersonate Account	journal@mailarchiva.com
Password	[password to impersonate account above]
Connection Mode	Secure
Sync Interval	1000 (lower this value for faster sync)
Sync Wait	250 (lower this value for faster sync)

Test Connection Resolutions

In order to diagnose Exchange connectivity problems, first check whether an Exchange Connection can be established. To do this, click the Test Connection button in Configuration->Connections->Exchange Client Connection. Thereafter, using a web browser verify that the url https://[exchange_ip_address]/ews/Exchange.asmx can be accessed on the machine running MailArchiva.

Refer to the below solutions for errors outputted by Exchange Connection Test:

active directory authentication must be defined in Logins!

A connection to Exchange requires that MailArchiva is configured to authenticate with Active Directory or Azure in Configuration->Logins. It is also a requirement that impersonation rights are assigned to an impersonation account. Refer to Folder Sync for more information.

failed to connect to mailbox journal@stimulussoft.local: failed to establish connection to server. Debug Log: The request failed. The remote server returned an error: (401)Unauthorized

In most cases, it is necessary to enter a user principal name (UPN) or email address in the Exchange Connection Impersonate Account field. However, depending on how Exchange is configured, it may be necessary to enter just the mailbox name (without the domain suffix). For example, contrary to the field hint, just enter journal (the mailbox name) and not journal@stimulussoft.local.

Furthermore, in Active Directory Users and Computers, make sure the flag to reset password on next login for the impersonation account is not checked. If the reset password flag is checked, a 401 error will result. Failing the above, ensure Windows Authentication is enabled in IIS->Default Web Site->EWS->Authentication Method on the Exchange Server.

Note: This issue has been observed in some versions of MS Exchange. See: http://stackoverflow.com/questions/13517323/exchange-web-service-api-and-401-unauthorized-exception for further information.

exchange test failed 192.168.210.215 failed:The request failed. The Url property on the ExchangeService object must be set.

It seems the Auto Discover service is not setup or working on your Exchange service. Uncheck the Auto Discovery checkbox.

failed to connect to mailbox journal@stimulussoft.local: Debug log: The account does not have permission to impersonate the requested user.

Impersonation rights for journaling is not setup correctly. Refer to Impersonation for further instructions.

Failed to connect to mailbox daisy@stimulussoft.local:Unable to access mailbox daisy@stimulussoft.local:Unexpected EOF in prolog at [row,col {unknown-source}]: [1,0]

Disable ASP.Net Impersonation in IIS->Default Web Site->EWS->Authentication Method on Exchange Server

Test exchange connection using mailbox daisy@stimulussoft.local.. failed to connect to mailbox daisy@stimulussoft.local:Unable to access mailbox daisy@stimulussoft.local:Forbidden

Change SSL settings to match IIS->Default Web Site->EWS->SSL Settings the Connection Mode specified in Exchange Connection. Also, set EWS SSL Settings to Ignore Client Certificates.

Could not retrieve list of users from server 192.168.0.250:failed to locate users in the directory:Failed to locate authority for name: mailarchiva.stimulussoft.local

For security reasons, the authentication engine will always verify that the AD/LDAP server is actually who it says it is. Thus, the actual FQDN reported by AD must match the AD server address in Configuration-Logins. Normally, this error indicates that the actual name of the AD/LDAP server does not correlate with the AD/LDAP server name specified in Configuration->Logins. The resolution is to specify the real fully qualified domain name of the server (not merely a DNS name).

Name or service not known: Caused by: java.net.UnknownHostException: mailarchiva.stimulussoft.local: Name or service not known

This error is normally caused by the Java statement InetAddress.getLocalHost() throwing an exception. There are a few reasons why this may occur, the most prevalent of which is if local hostname / DNS is not setup correctly. It normally means that the hostname and fully qualified name of the server is not setup correctly. Furthermore, it may be necessary to create dns entry for the server on the local DNS. Other possible reasons are outlined at http://stackoverflow.com/questions/7348711/recommended-way-to-get-hostname-in-java

Failed to connect to mailbox extest_1ea06f331e634@stimulussoft.local:Unable to access mailbox extest_1ea06f331e634@stimulussoft.local:The account does not have permission to impersonate the requested user.

Impersonation rights were not assigned to the user specified in the Exchange Connection. Please refer to Exchange Impersonation to assign impersonation rights to the user.

The primary SMTP address must be specified when referencing a mailbox.

Upgrade to latest version. This issue was fixed by introducing primary mailbox attribute name and field in Configuration->Logins.

Note: It typically takes ten minutes or so for an impersonation command to take effect. Thus, after assigning Exchange Impersonation rights, it is prudent to wait a few minutes before running Test Exchange Connection again.

Internal Server Error.

Note: This error is returned from Microsoft Exchange directly, not the MailArchiva server itself.

To resolve the Internet Server Error:

Rename C:\Inetpub\wwwroot\web.config to C:\Inetpub\wwwroot\web.config.bak on the Windows server hosting IIS.
Run the command iisreset from the commandline.

Failing the above, Internal Error is often caused by a communication error between Microsoft Exchange and IIS. Common causes include:

Incorrect/missing permissions in MS Exchange
Problematic Exchange upgrades from earlier version and/or corrupted Exchange objects.

To resolve, please follow the Further Troubleshooting steps above. Failing that, it is helpful to examine both IIS and Exchange server event viewer logs. See: http://msexchangeguru.com/2013/09/24/e2013remote-server500internalservererror/. IIS logs normally located at C:\Windows\System32\LogFiles\W3SVC1. More detailed logging of HTTP 500 errors can be found under http://learn.iis.net/page.aspx/772/troubleshoot-with-failed-request-tracing/.

Resolution Walk Through

Ensure that Windows Authentication is enabled on EWS Site in IIS

a) Open the Microsoft IIS on the Exchange server
b) Expand Sites->EWS in the tree view on the left.
c) Double-click Authentication
d) Ensure that ASP.NET Impersonation is disabled and Windows Authentication is enabled
Ensure that EWS SSL Settings are set to not require a certificate

a) Open the Microsoft IIS on the Exchange server
b) Expand Sites->EWS in the tree view on the left
c) Double click SSL Settings
d) Check Require SSL and set client certificates to Ignore
Configure the Exchange Connector on the MailArchiva server.

a) Make sure the correct version of Microsoft Exchange is selected
b) The impersonation account must be in the form journal@stimulussoft.com (enter user principal name of impersonation account, not email address)
c) Connection Mode should be set to match the EWS Site SSL settings set earlier
Click the Test Connection button. If successful, the output will be displayed as follows:

Further Troubleshooting

Run the Test-WebServicesConnectivity Cmdlet From the Exchange Shell

The Test-WebServicesConnectivity command may require a preparation script called C:\Program Files\Microsoft\Exchange Server\V15\Scripts\new-TestCasConnectivityUser.ps1 to be executed prior.

The command will output the following:

    [PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>Test-WebServicesConnectivity
Source                              ServiceEndpoint                     Scenario                       Result Latency (MS)
------                              ---------------                     --------                       ------ -------
mailarchiva.stimulussoft.local      mailarchiva.stimulussoft.local      Autodiscover: SOAP Provider   Success 35
mailarchiva.stimulussoft.local      mailarchiva.stimulussoft.local      EWS: GetFolder   Success      53

On the MailArchivaArchiva server, open a web browser
Enter url https://[exchange_ip_address]/ews/Exchange.asmx.
Authenticate with the same user and password entered into the Exchange Connection.
You should be able to get a valid response (i.e. not 500 or 404 errors). On Exchange 2013, it outputs "You have created a service...". On Exchange 2010, it displayed the WSDL definition for the Exchange web service interface.

Service unavailable

If you get "service unavailable", you may have IIS connection limits defined which are preventing MailArchiva from completing the import. To remove these limits, follow the steps following:

Open IIS7 and navigate to SERVERNAME\Sites\SBS Web Applications
Under Actions/Configure click Limits.
Untick “Limit Number of connections”.

Found this information useful? Visit mailarchiva.com to learn more about MailArchiva.