I'm having challenges understanding why e-mails won't relay between internal user mailboxes (set up on Exchange Online) using the xxx.mail.protection.outlook.com endpoint from an on-premises IIS SMTP server to O365. We have a connector set up to allow mail from the external IP; the smart host points to xxx.mail.protection.outlook.com on port 25 and is set to anonymous authentication and TLS encryption. I can submit e-mails through the relay from mailboxes on the domain to external recipients, and I can even submit e-mails through the relay on the domain from users without mailboxes to other users with mailboxes on the same domain. But what I cannot do is submit e-mails from a user with a mailbox to another user with a mailbox on the same domain. So, for example, *** Email address is removed for privacy *** to *** Email address is removed for privacy ***, assuming both users have mailboxes. This always goes to badmail with the following response: smtp;554 5.2.0 STOREDRV.Submission.Exception:SendAsDeniedException.MapiExceptionSendAsDenied; Failed to process message due to a permanent exception with message Cannot submit message. We need to allow messages to be routed between users, DLs, etc. on the same domain through the relay. Hopefully I'm just missing a piece of the puzzle here.
The main reason for this configuration is that there are internal applications configured to send through this SMTP server that cannot be changed. Formerly it was relaying through an internal Exchange 2010 server. However, a migration from Exchange 2010 to Office 365 just occurred, which prompted the update of the smart host on the internal server. But now most of the applications that send mail don't work, because either they are sending mail to/from the same e-mail address, or they are sending mail to/from users on our domain, and those are always being denied with the exception above.
Thanks in advance.
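Added example, not part of the post above: a small Python smoke test that reproduces the three submission paths the post compares (mailbox to external, non-mailbox sender to mailbox, mailbox to mailbox) against a smart host over anonymous STARTTLS, and classifies each SMTP reply by its RFC 3463 enhanced status code so the SendAsDenied case is reported separately from ordinary transient or permanent failures. The host name and the addresses in the usage block are placeholders, and the submit function is injectable so the reply parsing can be exercised offline with the reply text quoted in the post.

```python
import re
import smtplib
import ssl
from email.message import EmailMessage

# Matches the DSN-style reply quoted in the post: "smtp;554 5.2.0 <detail>".
# Three-digit reply code, RFC 3463 enhanced status code, then free text.
REPLY_RE = re.compile(r"^(?:smtp;)?\s*(\d{3})[ -]+(\d\.\d{1,3}\.\d{1,3})\s*(.*)$", re.S)


def parse_reply(reply):
    """Return (code, enhanced_status, detail), or None if no enhanced code is present."""
    m = REPLY_RE.match(reply.strip())
    if not m:
        return None
    code, enhanced, detail = m.groups()
    return int(code), enhanced, detail.strip()


def classify_reply(reply):
    """Bucket a reply so the smoke test can report each path in one word."""
    parsed = parse_reply(reply)
    if parsed is None:
        return "unparsed"
    code, _enhanced, detail = parsed
    if code < 400:
        return "accepted"
    if code < 500:
        return "transient"          # 4xx: retry later, not a configuration verdict
    if "SendAsDenied" in detail:
        return "send-as-denied"     # the permanent failure described in the post
    return "permanent"


def scenarios(mailbox_user, second_mailbox_user, no_mailbox_user, external):
    """The three submission paths the post compares, as (label, sender, recipient)."""
    return [
        ("mailbox -> external", mailbox_user, external),
        ("no-mailbox -> mailbox", no_mailbox_user, mailbox_user),
        ("mailbox -> mailbox", mailbox_user, second_mailbox_user),
    ]


def submit(smart_host, sender, recipient, port=25, timeout=30):
    """Submit one message anonymously over STARTTLS; return the server's reply as text."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "relay smoke test"
    msg.set_content("relay smoke test")
    try:
        with smtplib.SMTP(smart_host, port, timeout=timeout) as smtp:
            # Validate the smart host's certificate rather than accepting any TLS peer.
            smtp.starttls(context=ssl.create_default_context())
            smtp.send_message(msg)
            return "250 2.0.0 accepted"
    except smtplib.SMTPRecipientsRefused as e:
        code, err = next(iter(e.recipients.values()))
        return f"{code} {err.decode(errors='replace')}"
    except smtplib.SMTPResponseException as e:
        # Covers the DATA-stage 554 reported in the post (SMTPDataError) and sender refusals.
        return f"{e.smtp_code} {e.smtp_error.decode(errors='replace')}"


def run_smoke_test(smart_host, cases, submit_fn=submit):
    """Run each scenario and return {label: classification}."""
    return {label: classify_reply(submit_fn(smart_host, s, r)) for label, s, r in cases}


if __name__ == "__main__":
    # Placeholder host and addresses (assumptions); replace with your own tenant's values.
    cases = scenarios("user1@example.com", "user2@example.com",
                      "app-no-mailbox@example.com", "someone@example.net")
    for label, verdict in run_smoke_test("xxx.mail.protection.outlook.com", cases).items():
        print(f"{label}: {verdict}")
```

Run it from the same on-premises host whose public IP the connector allows, since the verdicts depend on which source address Exchange Online sees; a "send-as-denied" result only on the mailbox-to-mailbox row is exactly the pattern the post describes.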