At Terrace.COM,
Set-transportConfig
set-transportconfig -TLSReceiveDomainSecureList van.com
set-transportconfig -TLSSendDomainSecureList terrace.com
Because I haven't configured TLS authentication yet and VAN.COM send connector uses the DNS MX record for delivery, VAN.COM organization cannot send mail to Terrace.com.
The error message shows in the queue viewer at VAN.COM exchange 2007:
Last Error: 451 4.7.3 The admin has temporarily disallowed this secure domain.
At terrace.com,
set-transportconfig -TLSReceiveDomainSecureList a.a
set-transportconfig -TLSSendDomainSecureList a.a
then, mail delivery to terrace.com is restored.
Actually, from Event Viewer at Terrace.com domain controller, you could find the application error record:
Source: MSExchangeTransport
The connection to domain 'van.com' on connector 'Internet' could not be established for the exchange of domain-secured e-mail because the DomainSecureEnabled parameter on the connector was not set to true. Set the value of the DomainSecureEnabled parameter to true, or remove domain 'van.com' from the list of domains for which domain secured e-mail is enabled.