Thanks for the response, Andreas.

"No Changes Pending" is the status on the C160.  After bringing the replacement C160 up to date on all system upgrades (it's running 7.1.3-010), I loaded the saved configuration that had been working.  Both our email servers are in the RELAYLIST, by both specific IP address and a subnet/CIDR range entry. 

No errors on the Exchange server.  Message just accumulate in the queues, both for outbound and internal mail between servers. 

To test relay on the C160, I've TELNETed from the Exchange serves to the C160 and get the correct responses to an EHLO - the FQDN, 8BITMIME, SIZE 5242800, STARTTLS.  I then manually send a message Rcpt: to myself, and it is delivered correctly.  This is what indicates to me that the issue is at the Exchange servers.  I've set the Smart Host on the virtual SMTP servers on the Exchange systems to the C160's address - [x.x.x.x].

My ability to test is severely restricted during production hours, as users will rightfully start complaining about non-deliveries in very short order.

I'm wondering if I have to setup an Incoming Relay, but I'm sure we didn't have to do this when we had the evaluation unit up last summer.  One of my frustrations is with the documentation, as it seems primarily to be directed at processing incoming email, for which we won't be using the C160. 

Hi

The incoming relay option is used when you have an additional system or appliance that traffic it routed through on the inbound side. This would not be used for relaying traffic outbound.  The purpose of the incoming relay is to allow you to accurately score SBRS for then inbound host by specifying the number of inbound hops so I don't think that is your issue here.

One question here is did you restart the SMTP service on Exchange?  I know after creating the smart host connector this typically has to be done. If your able to telnet to the appliance from the exchange server, using port 25 and you can manually send a message outbound then you likely have everything set up correctly.  If the IronPort appliance was rejecting the messages you would see an indication of this in the mail logs on the IronPort. You would also likely see errors on the Exchange side.   If the Messages are backing up on the Exchange side, then they may not be making it out of the Queue process on exchange itself which is what leads me to believe you need to restart the service.

Christopher C Smith

CSE

Cisco IronPort Customer Support

Thanks for the clarification on the relay.   Hadn't realized the setting is for inbound traffic.

After each attempt, I've been restarting both the Exchange Routing service and the SMTP server service.  I'm thinking it is probably an issue with the smart host settings for the default and TLS-enabled virtual servers, but I've tried every combination of setting the appliance as the smart host on the virtual servers and their associated connectors, separately and simultaneously both.  No luck.

I've partially solved the problem.  It turns out a setting I found in the IP knowledgebase was incorrect.  I needed to set the C160 as the smart host on the SMTP connectors, not on the virtual servers.

Now the issue is that although most mail is being delivered, 100's of messages are backing up on the Exchange servers in the "Messages queued for deferred delivery" queue.  The users will get one of a couple of errors back:.

From a remote email server:

The message could not be delivered because the remote server returned the following error:

                                     554 5.4.6 Hop count exceeded - possible mail loop

From our own email server:

           A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients.  Contact your administrator.

Somehow I've got messages looping between the Exchange server and the C160.

Any ideas?  I hope everyone hasn't yet gone home on a Friday afternoon. 

Turned out the loop was caused by the "All Other Domains" in the SMTP Routes List.  Case closed.