I think this might be a quirk of Exchange 2016 or maybe a combination of Exchange 2016 running on Windows Server 2016.
I have had a Windows 2012R2 server running Exchange 2013 for a couple of years. It's a standalone Exchange server that's a member server in an AD domain. I have native IPv6 via HE with my own /48 prefix and my egress IPv4 traffic is NAT'd to a single dynamic IPv4 address.
It has been working flawlessly for a couple of years. It took me a bit of time to get the various DNS records correct initially; however, it's been flawless since.
I recently decided to retire the Exchange 2013 VM and replace it with Exchange 2016. I built a Windows 2016 server (Version 1607 OS Build 14393), got it patched to the latest versions of everything, added the prerequisites, prepared AD and then installed Exchange 2016 CU18. I then migrated everything over and finally updated the various DNS records and the external firewall NAT/rules. Everything was working, or so I thought. Then I sent an email to a Gmail recipient and got an undeliverable message from Google:
mx.google.com gave this error:
[x.x.x.x] The IP you're using to send mail is not authorized to send email directly to our servers. Please use the SMTP relay at your service provider instead. Learn more at https://support.google.com/mail/?p=NotAuthorizedError n13si8706925wrj.468 - gsmtp
After digging through various logs I can see that the Exchange 2016 server is using the IPv4 address of the server with the highest ranking MX record, even though it has both A & AAAA records.
2020-11-13T11:48:31.794Z,08D887BD691B7D56,SMTP,gmail.com,+,DnsConnectorDelivery 8fb227fc-ba17-49d2-947e-d54dbfcdc25e;QueueLength=TQ=1;RN=1;.
2020-11-13T11:48:32.041Z,08D887BD691B7D56,SMTP,gmail.com,>,"gmail-smtp-in.l.google.com[74.125.133.26, 2a00:1450:400c:c07::1a], alt1.gmail-smtp-in.l.google.com[209.85.233.27, 2a00:1450:4010:c03::1b], alt2.gmail-smtp-in.l.google.com[172.253.118.27, 2404:6800:4003:c05::1b], alt3.gmail-smtp-in.l.google.com[108.177.9..."
2020-11-13T11:48:32.059Z,08D887BD691B7D56,SMTP,gmail.com,>,Established connection to 74.125.133.26
If I block connections to the IPv4 address of the Google SMTP server (74.125.133.26) then it fails the initial connection but retries the IPv6 address, which works:
2020-11-13T11:52:13.905Z,08D887BD691B7D59,SMTP,gmail.com,+,DnsConnectorDelivery 8fb227fc-ba17-49d2-947e-d54dbfcdc25e;QueueLength=TQ=1;RN=1;.
2020-11-13T11:52:13.905Z,08D887BD691B7D59,SMTP,gmail.com,>,"gmail-smtp-in.l.google.com[74.125.133.26, 2a00:1450:400c:c07::1a], alt1.gmail-smtp-in.l.google.com[209.85.233.27, 2a00:1450:4010:c03::1b], alt2.gmail-smtp-in.l.google.com[172.253.118.27, 2404:6800:4003:c05::1b], alt3.gmail-smtp-in.l.google.com[108.177.9..."
2020-11-13T11:52:16.752Z,08D887BD691B7D59,SMTP,gmail.com,>,Failed connection to 74.125.133.26:25 (TimedOut:0000274C)[TargetIPAddress:74.125.133.26:25|MarkedUnhealthy|FailureCount:1|NextRetryTime:2020-11-13T11:53:16.751Z]
2020-11-13T11:52:16.753Z,08D887BD691B7D59,SMTP,gmail.com,-,Messages: 0 Bytes: 0 (Attempting next target)
2020-11-13T11:52:16.753Z,08D887BD691B7D5A,SMTP,gmail.com,*,Session Failover; previous session id = 08D887BD691B7D59; reason = SocketError
2020-11-13T11:52:16.753Z,08D887BD691B7D5A,SMTP,gmail.com,+,DnsConnectorDelivery 8fb227fc-ba17-49d2-947e-d54dbfcdc25e;QueueLength=TQ=0;RN=1;.
2020-11-13T11:52:16.775Z,08D887BD691B7D5A,SMTP,gmail.com,>,Established connection to 2a00:1450:400c:c07::1a
2020-11-13T11:52:17.344Z,08D887BD691B7D5A,SMTP,gmail.com,-,Messages: 1 Bytes: 3736 ()
If I open a command prompt on the Exchange 2016 server and attempt to telnet to gmail-smtp-in.l.google.com on port 25, it connects using IPv6, which is what I would expect with Windows 2016 as it prefers IPv6 over IPv4 by default.
What appears to be happening is the Exchange MTA is preferring IPv4 for outbound SMTP connections. I don't think this was the case with Exchange 2013 (or a combination of Server 2012R2 and Exchange 2013).
I am going to bring the original Windows 2012R2 server back online and install Exchange 2016 on it and then add a specific send connector for *.gmail.com via this and see what happens.
Andy
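The post reads the address-family preference by eye from the connectivity log. As an added example (not part of Andy's post, nor an Exchange or Microsoft tool), the Python below parses lines in the connectivity-log layout quoted above (date-time,session,source,destination,direction,description), stitches failover sessions back onto the session they replaced, and reports, for each delivery, which families the MX targets offered and which family each connection attempt actually used. The sample lines are constructed from the ones in the post; the column names and the chaining via "previous session id" are assumptions drawn from those lines.

```python
import csv
import io
import ipaddress
import re

# Constructed sample in the connectivity-log layout quoted in the post.
# Session ...56 is the original delivery that went out over IPv4; ...59 and
# ...5A are the IPv4 timeout and the IPv6 failover from the second test.
SAMPLE_LOG = '''\
2020-11-13T11:48:31.794Z,08D887BD691B7D56,SMTP,gmail.com,+,DnsConnectorDelivery 8fb227fc-ba17-49d2-947e-d54dbfcdc25e;QueueLength=TQ=1;RN=1;.
2020-11-13T11:48:32.041Z,08D887BD691B7D56,SMTP,gmail.com,>,"gmail-smtp-in.l.google.com[74.125.133.26, 2a00:1450:400c:c07::1a], alt1.gmail-smtp-in.l.google.com[209.85.233.27, 2a00:1450:4010:c03::1b], alt2.gmail-smtp-in.l.google.com[172.253.118.27, 2404:6800:4003:c05::1b], alt3.gmail-smtp-in.l.google.com[108.177.9..."
2020-11-13T11:48:32.059Z,08D887BD691B7D56,SMTP,gmail.com,>,Established connection to 74.125.133.26
2020-11-13T11:52:13.905Z,08D887BD691B7D59,SMTP,gmail.com,+,DnsConnectorDelivery 8fb227fc-ba17-49d2-947e-d54dbfcdc25e;QueueLength=TQ=1;RN=1;.
2020-11-13T11:52:13.905Z,08D887BD691B7D59,SMTP,gmail.com,>,"gmail-smtp-in.l.google.com[74.125.133.26, 2a00:1450:400c:c07::1a], alt1.gmail-smtp-in.l.google.com[209.85.233.27, 2a00:1450:4010:c03::1b], alt2.gmail-smtp-in.l.google.com[172.253.118.27, 2404:6800:4003:c05::1b], alt3.gmail-smtp-in.l.google.com[108.177.9..."
2020-11-13T11:52:16.752Z,08D887BD691B7D59,SMTP,gmail.com,>,Failed connection to 74.125.133.26:25 (TimedOut:0000274C)[TargetIPAddress:74.125.133.26:25|MarkedUnhealthy|FailureCount:1|NextRetryTime:2020-11-13T11:53:16.751Z]
2020-11-13T11:52:16.753Z,08D887BD691B7D59,SMTP,gmail.com,-,Messages: 0 Bytes: 0 (Attempting next target)
2020-11-13T11:52:16.753Z,08D887BD691B7D5A,SMTP,gmail.com,*,Session Failover; previous session id = 08D887BD691B7D59; reason = SocketError
2020-11-13T11:52:16.753Z,08D887BD691B7D5A,SMTP,gmail.com,+,DnsConnectorDelivery 8fb227fc-ba17-49d2-947e-d54dbfcdc25e;QueueLength=TQ=0;RN=1;.
2020-11-13T11:52:16.775Z,08D887BD691B7D5A,SMTP,gmail.com,>,Established connection to 2a00:1450:400c:c07::1a
2020-11-13T11:52:17.344Z,08D887BD691B7D5A,SMTP,gmail.com,-,Messages: 1 Bytes: 3736 ()
'''

CONNECT_RE = re.compile(r"^(Established|Failed) connection to (\S+)")
FAILOVER_RE = re.compile(r"previous session id = (\w+)")
TARGET_RE = re.compile(r"([\w.-]+)\[([^\]]*)\]")   # host[addr, addr] entries


def address_family(endpoint):
    """Map '1.2.3.4', '1.2.3.4:25', '[2001:db8::1]:25' or '2001:db8::1' to 'IPv4'/'IPv6'."""
    if endpoint.startswith("["):
        endpoint = endpoint[1:endpoint.index("]")]
    elif endpoint.count(":") == 1:          # IPv4 with a port suffix
        endpoint = endpoint.split(":")[0]
    return f"IPv{ipaddress.ip_address(endpoint).version}"


def parse_connectivity_log(text):
    """Split log lines into dicts; the csv module handles the quoted target list."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 6:
            continue                        # blank or header line
        records.append({"time": row[0], "session": row[1], "source": row[2],
                        "destination": row[3], "direction": row[4], "description": row[5]})
    return records


def summarize_deliveries(text):
    """One entry per delivery: its session chain, families offered by the targets,
    and the ordered (family, outcome) of every connection attempt."""
    attempts, offered, failover_of, order = {}, {}, {}, []
    for rec in parse_connectivity_log(text):
        sid, desc = rec["session"], rec["description"]
        if sid not in attempts:
            attempts[sid] = []
            order.append(sid)
        m = CONNECT_RE.match(desc)
        if m:
            attempts[sid].append((address_family(m.group(2)), m.group(1).lower()))
            continue
        m = FAILOVER_RE.search(desc)
        if m:
            failover_of[sid] = m.group(1)   # this session replaces the one that failed
            continue
        targets = TARGET_RE.findall(desc)
        if targets:
            families = set()
            for _host, addrs in targets:
                for addr in addrs.split(","):
                    try:
                        families.add(f"IPv{ipaddress.ip_address(addr.strip()).version}")
                    except ValueError:
                        pass                # truncated entry such as '108.177.9...'
            offered[sid] = sorted(families)
    next_session = {prev: sid for sid, prev in failover_of.items()}
    deliveries = []
    for sid in order:
        if sid in failover_of:
            continue                        # not the start of a delivery
        chain = [sid]
        while chain[-1] in next_session:
            chain.append(next_session[chain[-1]])
        deliveries.append({"sessions": chain, "offered": offered.get(sid, []),
                           "attempts": [a for s in chain for a in attempts[s]]})
    return deliveries


def ipv4_preferred(deliveries):
    """Deliveries where both families were offered but the first attempt went to IPv4."""
    return [d for d in deliveries
            if d["offered"] == ["IPv4", "IPv6"] and d["attempts"] and d["attempts"][0][0] == "IPv4"]


if __name__ == "__main__":
    for d in summarize_deliveries(SAMPLE_LOG):
        print(d["sessions"], "offered", d["offered"], "attempts", d["attempts"])
```

Run against a real connectivity log, every delivery returned by ipv4_preferred is one where the MX advertised an AAAA record and the transport still dialled the A record first; on the sample both deliveries show up, and the second one additionally shows the IPv6 attempt succeeding only after the IPv4 timeout.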