
We are running an on-premise Exchange 2019 and have some users on Office 365. It is configured as a hybrid deployment, and we created a send connector to use Office 365 as a smart host for our on-premise Exchange.

The smart host domain is configured with the address {MSGUID}.mail.protection.outlook.com, as the documentation outlines. No authentication is used, but the O365 connector validates the (static) IP address of our on-premise Exchange.

Now, this is working perfectly fine for any mail that users are sending. Office 365 gladly accepts all outbound mail and delivers it.

However, when the Exchange server itself generates SYSTEM MAILS (out of office, auto replies, bounce mails), it uses the very same connector (obviously), but every such mail is THEN rejected with LED=451 4.4.62 Mail sent to the wrong Office 365 region. ATTR35.

Microsoft is not very helpful on this; they just refer to their documentation, repeating that a "wrong Office 365 region" is used. Their support does not understand that it's working for ANY mail as it should, except system mails from the Exchange server.

When looking at the stuck mails, the only difference I can note is that system mails don't set a Return-Path. But I also couldn't find a way to configure the ExternalPostmasterAddress with a return path.


Has anyone ever had this issue? It makes no difference whether postmaster@ has a local user mailbox, is an alias of a local mailbox, or doesn't even exist.

Manually sending an email through telnet (from postmaster) to the very same {MSGUID}.mail.protection.outlook.com works as well.

Only if the mail is generated by Exchange itself is it rejected by O365.

dognose

1 Answer


I've figured out the reason, and the error message generated by Office 365 was kind of misleading.

By default, the send connector is created with the source IP 0.0.0.0, and the Exchange server properly adjusts this when emails are sent through the server from external clients.

The O365 connector, authenticating based on IP, then accepts this mail.

When, however, the Exchange server itself is the mail origin, Exchange doesn't insert its external IP address but its internal one, and then the mail is rejected by O365 with the error mentioned above.

Fixing this is quite easy; just make sure the send connector always uses its external IP address:

[PS] C:\Windows\system32>Get-SendConnector -Identity "O365 Relay" | fl

...
Name            : O365 Relay
...
SourceIPAddress : 0.0.0.0
...

Assign with:

Get-SendConnector -Identity "O365 Relay" | Set-SendConnector -SourceIPAddress xxx.xxx.xxx.xxx

As so often, the Microsoft UI for configuring the send connector lacks the option to set the source IP; otherwise it would have been more obvious to set something up there.

PS: No, you cannot easily fake other IPs. O365 validates the actual physical IP the mail is coming from AS WELL AS the source IP outlined in the headers. They need to match.

dognose