SMTP relay through Office 365 from on-prem to internet problem with internal users

I'm having challenges understanding why e-mails won't relay between internal user mailboxes (set up on Exchange Online) using the xxx.mail.protection.outlook.com endpoint from an on-premises IIS SMTP server to O365. We have a connector set up to allow mail from the external IP; the smart host points to xxx.mail.protection.outlook.com on port 25 and is set to anonymous authentication and TLS encryption. I can submit e-mails through the relay from mailboxes on the domain to external recipients, and I can even submit e-mails through the relay on the domain from users without mailboxes to other users with mailboxes on the same domain. But what I cannot do is submit e-mails from a user with a mailbox to another user with a mailbox on the same domain. So for example, *** Email address is removed for privacy *** to *** Email address is removed for privacy ***, assuming both users have mailboxes. This always goes to badmail with the following response: smtp;554 5.2.0 STOREDRV.Submission.Exception:SendAsDeniedException.MapiExceptionSendAsDenied; Failed to process message due to a permanent exception with message Cannot submit message. We need to allow messages to be routed between users, DLs, etc. on the same domain through the relay. Hopefully I'm just missing a piece of the puzzle here.

The main reason for this configuration is that there are internal applications configured to send through this SMTP server that cannot be changed. Formerly it was relaying through an internal Exchange 2010 server. However, a migration from Exchange 2010 to Office 365 just occurred, which prompted the update of the smart host on the internal server. But now most of the applications that send mail don't work, because either they are sending mail to/from the same e-mail address, or they are sending mail to/from users on our domain, and those are always being denied with the exception above.

Thanks in advance.

Question Info

Last updated December 8, 2019

Hello JP,

Thanks for posting here.

Please check whether you set up the accepted domain xxx.mail.protection.outlook.com with the Internal Relay feature. To check it: in the Office 365 Exchange Admin Center (EAC) > mail flow > accepted domains > edit xxx.mail.onmicrosoft.com > choose Internal Relay.

Meanwhile, to better help you, we'd like to know whether both user1@domain.com and user2@domain.com are hosted on the Office 365 online tenant. If so, you should confirm that the MX record is pointing to EOP: <domain>.mail.protection.outlook.com.

Also, please see Option 3 here to check whether the configuration is correct on your side.

Regards,

Rudy

-------------------------------------------------
If you feel a reply works for you, please kindly vote or mark it as it will be beneficial to other community members reading this thread.

Hello Rudy,

So the MX record for the domain is the same record as we are using for the SMTP relay smart host - <domain>.mail.protection.outlook.com. This domain is NOT listed in the accepted domains. However, there is a xxx.mail.onmicrosoft.com in accepted domains that is currently set to authoritative. Are you suggesting we need to update that entry or add the mail.protection.outlook.com domain? The portal says it has to be done with the Office 365 admin. Or are we pointing to the wrong SMTP server on the O365 side?

Both boxes do reside on O365. The MX record is set up properly as well and, as I mentioned above, points to <domain>.mail.protection.outlook.com.

Per your suggestion on Option 3 - this is how we are set up, with the exception of setting an authentication method. We're currently using anonymous because we've configured the connector to allow mail from the external IP of the internal SMTP server.

Thank you for your help!


Hello JP,

Thanks for your reply.

From your information, the MX record is correct. Please just check the domain.com you mentioned above (user1@domain.com) in the EAC instead; it's my fault for making this mistake.

Meanwhile, the configured connector will do the authentication work. But I have a question: those two internal users (user1 and user2) are Office 365 online licensed users; are they associated with that "on-premises IIS SMTP server"? Generally, the mail from user1 is sent to user2 directly.

Regards,

Rudy

Again I appreciate the help! So in this particular case what we have is a domain.com and user1 and *** Email address is removed for privacy *** would be considered the usernames for the O365 mail accounts. The internal SMTP server has no accounts - it's just a dummy virtual server that does nothing more than relay mail to O365 through the mx record host.

There's one catch. Even though all the accounts are based on domain.com, all the accounts have a domain.gov alias. So there also exists *** Email address is removed for privacy *** and *** Email address is removed for privacy ***. And typically users use this domain as their primary e-mail address. So when e-mails are being relayed, typically it's *** Email address is removed for privacy *** to *** Email address is removed for privacy ***. But these are configured as valid aliases on each user.

Both domain.com and domain.gov exist as domains in the EAC accepted domains, and both are set to authoritative.

One more thing I'm testing behind the scenes is I've been sending e-mails directly to the O365 SMTP server over a telnet session between these two users in an attempt to understand if it's really a relay issue or if there is something else going on. I just did a test a few moments ago between those two users and at least on the surface the mail appeared to be accepted. I'm waiting to hear back from the user to see if they actually received the e-mail or if it bounced.

I'll update once I have that result.
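Added here as a diagnostic aid, not code from the thread: a Python script that parses the badmail status quoted in the question (SMTP reply code, RFC 3463 enhanced code, Exchange exception names) and repeats the telnet test described above as a scripted anonymous STARTTLS submission to the MX host, so the step at which EOP rejects the message (MAIL FROM, RCPT TO or DATA) is recorded rather than eyeballed. Host, sender and recipient are parameters you supply; the only embedded data is the badmail string from the question.

```python
import re
import smtplib
from email.message import EmailMessage

# Constructed sample: the status the IIS SMTP badmail folder recorded in the question.
BADMAIL_STATUS = ("smtp;554 5.2.0 STOREDRV.Submission.Exception:SendAsDeniedException."
                  "MapiExceptionSendAsDenied; Failed to process message due to a "
                  "permanent exception with message Cannot submit message.")

# RFC 3463 enhanced status codes are class.subject.detail; this maps the subject digit.
ENHANCED_SUBJECT = {"0": "other", "1": "addressing", "2": "mailbox status",
                    "3": "mail system", "4": "network/routing", "5": "protocol",
                    "6": "content", "7": "security/policy"}
STATUS_RE = re.compile(r"^(?:smtp;)?(\d{3})\s+(?:(\d\.\d{1,3}\.\d{1,3})\s*)?(.*)$", re.S)

def parse_smtp_status(line):
    """Split an SMTP reply or DSN 'smtp;...' status into reply code, enhanced code
    and text, and flag Exchange's SendAsDenied. Returns None for non-status input."""
    m = STATUS_RE.match(line.strip())
    if not m:
        return None
    code, enhanced, text = m.groups()
    subject = enhanced.split(".")[1] if enhanced else "0"
    return {"code": int(code), "enhanced": enhanced,
            "permanent": code.startswith("5"),
            "class": ENHANCED_SUBJECT.get(subject, "other"),
            "exceptions": re.findall(r"[A-Za-z]*Exception[A-Za-z]*", text),
            "send_as_denied": "SendAsDenied" in text}

def probe_relay(host, sender, recipient, port=25, timeout=20):
    """Same test as the manual telnet session: one anonymous STARTTLS submission
    from sender to recipient, returning (SMTP step, parsed reply) for the first
    rejection, or for the final DATA reply if every step was accepted."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "relay probe"
    msg.set_content("relay probe - safe to delete")
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls()  # match the on-prem smart host's TLS setting
        smtp.ehlo()      # STARTTLS resets the session; re-announce before MAIL FROM
        steps = (("MAIL FROM", lambda: smtp.mail(sender)),
                 ("RCPT TO", lambda: smtp.rcpt(recipient)),
                 ("DATA", lambda: smtp.data(msg.as_bytes())))
        for step, send in steps:
            try:
                code, reply = send()
            except smtplib.SMTPDataError as exc:  # server refused the DATA command itself
                code, reply = exc.smtp_code, exc.smtp_error
            if code >= 400 or step == "DATA":
                return step, parse_smtp_status(f"{code} {reply.decode(errors='replace')}")
```

Run `probe_relay("<domain>.mail.protection.outlook.com", "user1@domain.gov", "user2@domain.gov")` from the on-prem relay's IP and compare the returned step and enhanced code with the badmail record; a 5.2.0 SendAsDenied at DATA versus a 5.7.x at RCPT TO points at different parts of the tenant configuration.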


Hello JP,

Thanks for your reply.

From all of your description, I think the SMTP relay is configured correctly. But we are looking forward to your update.

Meanwhile, the accepted domain domain.gov should be set to Internal Relay as it is the primary one. Please test it and let us know the result.

We appreciate your time.

Regards,

Rudy

Hello JP,

Do you need further help? Thanks for your time.

Regards,

Rudy
