Scenario:
Exchange 2007 (no Edge, one server with mailbox role, one server with hub+cas roles) behind a FortiGate appliance
Problem:
As soon as the UTM part of the FortiGate appliance was enabled, I had a lot of 451 4.4.0 and 400 4.4.7 errors shown in the message queue (outgoing).
Solution:
First, I had to check the ConnectionInactivityTimeOut value for the send connector. Fortinet support pointed out that enabling ANY UTM check will add a delay that Exchange could not accept (it is something regarding incoming and outgoing mail, by the way). So, from the Exchange Management Shell I used:
Get-SendConnector | fl
The value was 10 minutes, so no problem here:
ConnectionInactivityTimeOut : 00:10:00
With a little bit of searching, I noticed that the problem was limited to a list of specific domains, and it looked like something related to the use of HELO.
This post http://www.networkadminsecrets.com/2010/04/421-and-451-exchange-2007-errors.html was really useful, and I tried the suggested cmdlet:
New-SendConnector -Name ForceHelo -AddressSpaces problemdomain.com -ForceHELO $true
It worked. Probably one of the UTM filters expected to open the connection with the external domain using HELO. I will investigate this one with people inside Fortinet, to get confirmation.
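
Added example, not part of the original post: one way to list the remote domains whose queues show the two errors above, and to review which send connectors force HELO. It assumes the Exchange Management Shell on the hub transport server and DNS-routed delivery, so that NextHopDomain is the remote domain.

```powershell
# Added example (not from the original post).
# Patterns are the two status codes quoted in the post.
$pattern = '451 4\.4\.0|400 4\.4\.7'

# Queues whose last delivery attempt failed with one of those codes.
$affected = Get-Queue | Where-Object { $_.LastError -match $pattern }

# One row per queue: remote domain, state, stuck message count, last error text.
$affected |
    Sort-Object NextHopDomain |
    Format-Table NextHopDomain, Status, MessageCount, LastError -AutoSize -Wrap

# Unique domain list: candidates for a connector scoped with -AddressSpaces,
# so that ForceHELO applies only where it is needed.
$domains = $affected | ForEach-Object { $_.NextHopDomain } | Sort-Object -Unique
$domains

# Review existing connectors. A connector with ForceHELO = True never sends EHLO,
# so it cannot see ESMTP extensions such as STARTTLS from the remote server;
# keep its AddressSpaces as narrow as possible.
Get-SendConnector |
    Format-Table Name, AddressSpaces, ForceHELO, Enabled -AutoSize
```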