Distribution Group - Mail Flow Issue

    Question

  • Dear Folks,

    We are running Exchange 2010 with Hybrid Setup. We are currently facing an issue with Exchange Online users. There is an on-premises mailbox, let's say abc-user@domain.com > any email that is received by this on-premises mailbox abc-user@domain.com is forwarded to a distribution group, let's say xyz-group@domain.com. When an Exchange Online user sends email to abc-user@domain.com > the Exchange Online user gets the following error message.

    "Your message can't be delivered because delivery to this address is restricted.

    #550 5.7.1 RESOLVER.RST.AuthRequired; authentication required ##rfc822;"

    Note: Distribution Group has this check enabled and we can't remove that "Require that all senders are authenticated", while there are only a few users who are getting the NDR/error message, while other Exchange Online users are able to send email to the on-premises mailbox abc-user@domain.com and the email is getting forwarded to distribution group xyz-group@domain.com.

    Please assist on this.


    Thanks, Sheeraz

    Wednesday, March 30, 2016 6:31 AM

Answers

  • This issue was not resolved. However, what we have learned is that your environment has to be on the latest update.

    What we did - we upgraded our on-premises environment and then we also upgraded our DirSync tool to the latest Azure AD Connect (AAD Connect) update - so it eventually resolved our issue.


    Thanks, Sheeraz

    Thursday, September 15, 2016 6:53 AM

All replies

  • It would appear that your hybrid SMTP connectors aren't set up properly to trust mail from the other side.  That's where I would look.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, March 31, 2016 6:24 AM
    Moderator
  • Hi,

    According to your description, I understand that sending a message from an Online user to an on-premises mailbox failed with the error "Your message can't be delivered because delivery to this address is restricted".
    If I misunderstand your concern, please feel free to let me know.

    If you configure the auto-forward setting on a mailbox (for example Allen) to a DL and "Require that all senders are authenticated" is enabled in the DL settings, an outside sender will get a "550 5.7.1" NDR when sending a message to Allen.

    Therefore, it's by design. Moreover, here's a link about 5.7.1:
    https://support.office.com/en-us/article/Fix-email-delivery-issues-for-error-code-5-7-1-in-Office-365-da1ff375-f88f-4a3e-b81f-06cdb6ecae3c

    For your question, we need to disable "Require that all senders are authenticated" for this forwarding DL.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Thursday, March 31, 2016 6:44 AM
    Moderator
  • Thanks Allen,

    Well, I am suspecting that it is happening because Exchange Online users are being considered as External Users by on-premises Exchange, while that should not be the case. Any thoughts on this, please?


    Thanks, Sheeraz

    Friday, April 1, 2016 1:42 PM
  • Look at the connectors.  Report back with settings if you don't understand them.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Saturday, April 2, 2016 12:11 AM
    Moderator
  • Well, by further troubleshooting we got to know that Exchange Online users can successfully send email to the distribution group xyz-group@domain.com, but when any Exchange Online user sends email to the on-premises mailbox abc-user@domain.com it does not get forwarded to the distribution group xyz-group@domain.com.

    It is noted that it is happening with every Exchange Online user, while an on-premises user can send email to the on-premises mailbox abc-user@domain.com and it gets forwarded to the distribution group xyz-group@domain.com as per our requirement.

    Well, it looks like some connector misconfiguration - can anyone please assist with how we can change "X-MS-Exchange-Organization-AuthAs" from Anonymous to Internal for Exchange Online users, as it is appearing in the email header?

    Thanks, Sheeraz

    Tuesday, April 5, 2016 4:03 PM
  • How is the mailbox configured to forward the mail?  Please be specific, complete and detailed, and don't leave anything out.

    Instead of using forwarding rules on mailboxes, why not have people send directly to a group of which the mailbox is a member?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, April 5, 2016 4:34 PM
    Moderator

  • Our Environment is: We are running Exchange 2010 with Hybrid Setup.

    Issue: There is an on-premises mailbox, let's say abc-user@domain.com > for any email that is received by this on-premises mailbox abc-user@domain.com, it keeps a copy and forwards the email to a distribution group, let's say xyz-group@domain.com.

    This scenario is functional as required with on-premises users, but when an Exchange Online user sends email to abc-user@domain.com > the Exchange Online user gets the following error message.

    "xyz-group@domain.com

    Your message can't be delivered because delivery to this address is restricted.

    #550 5.7.1 RESOLVER.RST.AuthRequired; authentication required ##rfc822; abc-user@domain.com"

     

    Our Objective: We require the same behavior as is currently happening with on-premises Exchange users, i.e. when Exchange Online users send email to the on-premises mailbox abc-user@domain.com > it should be delivered to mailbox abc-user@domain.com (which is OK) and it should also get forwarded to the distribution group xyz-group@domain.com, and Exchange Online users should not get any NDR.

    Our Observations so far: While analyzing the NDR header, we observed that for Exchange Online users, there is an attribute appearing as "X-MS-Exchange-Organization-AuthAs: Anonymous"

    We suspect that we need to find a way to change "X-MS-Exchange-Organization-AuthAs" from Anonymous to Internal for all email messages for Exchange Online users. Is this the correct understanding? Or do we need to move in any other direction?

    Note: Distribution Group xyz-group@domain.com has this check enabled and we can't remove that "Require that all senders are authenticated"

    Please assist.




    Thanks, Sheeraz

    Tuesday, April 5, 2016 5:27 PM
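
The header check described in the post above, as an added example that is not part of the original thread: a Python sketch that reads the X-MS-Exchange-Organization-AuthAs stamp from saved message headers and groups senders by it, so it is visible which senders arrive stamped Anonymous. The sample header blocks, the address ext@example.org and the host name mail01.domain.com are constructed for illustration; a missing or repeated stamp is reported separately rather than guessed.

```python
from collections import defaultdict
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

AUTH_AS = "X-MS-Exchange-Organization-AuthAs"
AUTH_SOURCE = "X-MS-Exchange-Organization-AuthSource"

# Constructed header blocks (not taken from the thread's environment).
SAMPLES = [
    "From: Cloud User <cloud1@domain.com>\nTo: abc-user@domain.com\n"
    "X-MS-Exchange-Organization-AuthAs: Anonymous\n\n",
    "From: onprem1@domain.com\nTo: abc-user@domain.com\n"
    "X-MS-Exchange-Organization-AuthAs: Internal\n"
    "X-MS-Exchange-Organization-AuthSource: mail01.domain.com\n\n",
    # Header names are case-insensitive; the value is normalised too.
    "From: cloud2@domain.com\nTo: abc-user@domain.com\n"
    "x-ms-exchange-organization-authas: ANONYMOUS\n\n",
    "From: ext@example.org\nTo: abc-user@domain.com\n\n",
]

def auth_stamp(raw_headers):
    """Return (sender, auth_as, auth_source) for one message's header block."""
    msg = message_from_string(raw_headers, policy=default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    stamps = {str(v).strip().lower() for v in (msg.get_all(AUTH_AS) or [])}
    if not stamps:
        auth_as = "missing"        # no stamp in this header block
    elif len(stamps) > 1:
        auth_as = "conflicting"    # more than one distinct value present
    else:
        auth_as = stamps.pop()
    source = str(msg.get(AUTH_SOURCE, "")).strip() or None
    return sender, auth_as, source

def senders_by_stamp(raw_messages):
    """Group sender addresses by the AuthAs value their messages carry."""
    groups = defaultdict(set)
    for raw in raw_messages:
        sender, auth_as, _ = auth_stamp(raw)
        groups[auth_as].add(sender)
    return {stamp: sorted(addrs) for stamp, addrs in groups.items()}

if __name__ == "__main__":
    for stamp, addrs in sorted(senders_by_stamp(SAMPLES).items()):
        print(f"{stamp:12} {', '.join(addrs)}")
```
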
  • It appears as if you've found a corner case where authentication fails.  I recommend you open a ticket with Microsoft Support and report it and they can rule whether it's by design or a bug.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, April 5, 2016 8:43 PM
    Moderator
  • Thanks Ed,

    Well, can anyone suggest how we can modify "X-MS-Exchange-Organization-AuthAs" from Anonymous to Internal for Exchange Online users, as it is appearing in the email header?


    Thanks, Sheeraz

    Wednesday, April 6, 2016 7:25 AM
  • We have the exact same issue in our hybrid environment (Exch 2010 - off 365).

    Did you find any solution or workaround to this issue?

    regards,

    Yv

    Wednesday, September 14, 2016 12:59 PM