Mail flow stop from Office 365 to On-premise exchange server

  • Question

  • Hello All,

    I successfully set up the Hybrid configuration in Exchange 2013 with Office 365. Two users migrated successfully. The connectors looked fine yesterday. But today these two users complained that their mails are not reaching the on-premise mailboxes. I checked and found the below error on Outbound to On-premise server.

    450 4.4.317 Cannot connect the remote server [Message=451 5.7.3 STARTTLS is required to send mail]

    All mails are pending. Please help where to check. I opened a case with Office 365 support, and they said it is a problem with our on-premise Exchange 2013 server settings, and they cannot help much as they are only Office 365 support.

    Please help urgently

    Thanks in advance.

    Prabodha

    Tuesday, June 6, 2017 11:17 AM

Answers

  • Disable any SMTP scanning of any sort between Office 365 and Exchange.  As you have found, it will break things.

    What I have done to fix the mailbox move error you're seeing is to remove and recreate the move request.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    • Marked as answer by PK Sarangi Tuesday, June 13, 2017 6:40 AM
    Monday, June 12, 2017 4:54 PM
    Moderator
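The symptom in the question (Exchange Online Protection reporting "451 5.7.3 STARTTLS is required to send mail") is what a sender that insists on TLS does when the EHLO reply it gets back no longer offers STARTTLS. Before touching the hybrid configuration, it helps to see the receive connector the way EOP sees it, from the Internet side of the firewall. The probe below is an added example written for this thread, not code from the original posts or from Microsoft: it connects to port 25, reads the EHLO capabilities, classifies the reply, and, if STARTTLS is offered, completes the TLS upgrade and reports the negotiated version. The hostname `mail.contoso.example` and the EHLO replies in the constants are constructed placeholders; the "masked" class (a keyword overwritten with X characters by an ESMTP inspection engine) is general knowledge about inspecting firewalls, not something stated in the thread.

```python
"""Probe a public SMTP endpoint for STARTTLS and classify the EHLO reply.

Added example for this thread, not code from the original posts or from
Microsoft. The EHLO replies below are constructed; hostnames and addresses
in them are placeholders.
"""
import smtplib
import ssl
import sys


def ehlo_keywords(reply: bytes) -> set[str]:
    """Return the ESMTP keywords from a multi-line 250 reply to EHLO.

    The first 250 line carries the server greeting (its name and the client
    address) rather than a capability, so it is skipped.
    """
    keywords: set[str] = set()
    lines = reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:
        # Continuation lines read "250-KEYWORD [params]", the last one "250 KEYWORD".
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        fields = line[4:].split()
        if fields:
            keywords.add(fields[0].upper())
    return keywords


def classify(keywords: set[str]) -> str:
    """Classify what an external probe saw.

    "advertised": STARTTLS is offered; nothing in the path is removing it.
    "masked":     a keyword was overwritten with X characters, the signature of
                  an ESMTP inspection engine hiding verbs it does not permit.
    "missing":    no STARTTLS at all, so a sender that requires TLS (as EOP does
                  for hybrid mail) fails with "STARTTLS is required".
    """
    if "STARTTLS" in keywords:
        return "advertised"
    if any(k and set(k) == {"X"} for k in keywords):
        return "masked"
    return "missing"


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect from outside, EHLO, and attempt the STARTTLS upgrade.

    Certificate verification is disabled on purpose: the question here is
    whether the handshake completes through the firewall at all. The
    certificate name is checked separately against the connector settings.
    """
    result = {"host": host, "port": port}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo("probe.example.invalid")  # placeholder client name
        result["ehlo_code"] = code
        keywords = {k.upper() for k in smtp.esmtp_features}
        result["keywords"] = sorted(keywords)
        result["verdict"] = classify(keywords)
        if result["verdict"] == "advertised":
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            smtp.starttls(context=ctx)
            result["tls_version"] = smtp.sock.version()
            result["cipher"] = smtp.sock.cipher()[0]
    return result


# Constructed EHLO replies, as an unfiltered Exchange 2013 server, a server behind a
# device that drops the STARTTLS line, and one behind a device that masks it would send.
EHLO_CLEAN = (b"250-mail.contoso.example Hello [203.0.113.10]\n250-SIZE 37748736\n"
              b"250-PIPELINING\n250-DSN\n250-ENHANCEDSTATUSCODES\n250-STARTTLS\n"
              b"250-8BITMIME\n250 CHUNKING")
EHLO_STRIPPED = EHLO_CLEAN.replace(b"250-STARTTLS\n", b"")
EHLO_MASKED = EHLO_CLEAN.replace(b"250-STARTTLS\n", b"250-XXXXXXXX\n")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.contoso.example"
    print(probe(target))
```

Run it from a host outside the firewall (`python probe.py mail.contoso.example`) and compare with the same probe run from the LAN; if the LAN run says "advertised" and the Internet run says "missing" or "masked", the device in between is the cause, exactly as the thread concludes.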

All replies

  • Hi Prabodha,

    Welcome to the Office 2013 and Office 365 ProPlus IT Pro General Discussions forum.

    Since this forum is for questions and feedback related to Office desktop applications and your question is more related to Exchange server side, I'll move it to a more appropriate forum:

    https://social.technet.microsoft.com/Forums/exchange/en-US/home?forum=onlineservicesexchange

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.

    Regards,

    Steve Fan


    Please remember to mark the replies as answers if they helped.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 7, 2017 6:50 AM
    Moderator
  • Thanks Steve, I will follow up there. Actually, sometimes I am not able to find the appropriate forum by search.
    Thursday, June 8, 2017 7:56 AM
  • Hi PK Sarangi1,

    Have you recently installed a new certificate in your environment? Check the KB:

    https://support.microsoft.com/en-us/help/2989382/can-t-receive-mail-in-a-hybrid-environment-after-you-install-a-new-certificate-on-the-server

    And is there anything between on-premise and Exchange Online, something like the following firewalls:

    Cisco ASA
    Dell SonicWall
    Barracuda


    Best Regards,

    Lynn-Li
    TechNet Community Support



    Friday, June 9, 2017 5:07 AM
  • Hi Lynn,

    No, there is no new certificate installed in the environment.

    Yes, there is a Cyberoam (Sophos) firewall. And yes, after I disabled SMTP scanning in the firewall, everything works fine.

    But after disabling SMTP scanning, there is a lot of SPAM coming to users' mailboxes, because the MX record is pointing directly to the local server. I will change the MX record to EOP once the migration is complete. Also, there is no option for SMTPS scanning in the firewall for ESMTP.

    Is there any guideline to enable SMTP scanning on the firewall and bypass the O365 mail flow? I can make rules in the firewall, but I need to enter the HOST entries for Exchange Online or EOP. I need the details to make the HOST entry and create rules to bypass SMTP scanning.

    Thanks a lot

    Prabodha


    • Edited by PK Sarangi Friday, June 9, 2017 6:40 AM
    Friday, June 9, 2017 6:37 AM
  • Hybrid SMTP mail between on-premises and Exchange Online Protection should never go through any third-party message hygiene or relay server, appliance or cloud service.

    Open a different IP address for connections between Exchange Online Protection and on-premises Exchange, assign a DNS hostname to it like hybrid.company.com, and run the Hybrid Configuration Wizard to change the on-premises SMTP endpoint so that it bypasses the antispam server. You can continue to have your inbound Internet mail delivered to it. You may lock down the firewall on hybrid.company.com to the EOP IP addresses so that spammers can't send through that port. You don't have to change any MX records.

    https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx

    Why are you using a third-party antispam service instead of just routing your inbound mail from the Internet through Exchange Online Protection?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!



    Sunday, June 11, 2017 12:24 AM
    Moderator
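Ed's suggestion has two parts that the asker later says he could not get to work: build the firewall's address group from the Exchange Online Protection ranges, and verify that the bypass rule actually matches the connections EOP makes to the dedicated hybrid endpoint. The script below is an added example for this thread, not code from the original posts or from Microsoft. It reads the Exchange service-area records from the Office 365 IP Address and URL web service (the published source for those ranges), keeps only the ranges whose TCP ports include 25, and audits a list of observed source addresses against them, so that a stale address group or a mis-ordered rule shows up as an EOP address landing in the "other" bucket. The records and source addresses in the self-test are constructed from documentation prefixes, not Microsoft's real ranges; the hostname `hybrid.company.com` is Ed's placeholder from the post above.

```python
"""Derive the EOP allow-list for a dedicated hybrid SMTP endpoint and audit
connection sources against it.

Added example for this thread, not code from the original posts or from
Microsoft. The records and addresses in SAMPLE_* are constructed from
RFC 5737 / RFC 3849 documentation prefixes; the live list is what
fetch_endpoints() returns.
"""
import ipaddress
import json
import urllib.request
import uuid

# Worldwide instance of the Office 365 IP Address and URL web service. A fresh
# clientrequestid GUID is required on each call.
ENDPOINTS_URL = "https://endpoints.office.com/endpoints/worldwide?clientrequestid={}"


def fetch_endpoints() -> list[dict]:
    """Download the current endpoint records (network access; not used by the self-test)."""
    with urllib.request.urlopen(ENDPOINTS_URL.format(uuid.uuid4()), timeout=20) as resp:
        return json.load(resp)


def smtp_source_ranges(endpoints: list[dict]) -> list:
    """Return Exchange service-area IP ranges whose TCP ports include 25.

    Records that list only 443 (Outlook, EWS, Autodiscover) are skipped: they
    never connect to the hybrid receive connector, and admitting them unscanned
    would widen the bypass for no reason. Records without an "ips" key (URL-only
    entries) contribute nothing.
    """
    nets = []
    for rec in endpoints:
        if rec.get("serviceArea") != "Exchange":
            continue
        ports = {p.strip() for p in rec.get("tcpPorts", "").split(",")}
        if "25" not in ports:
            continue
        for cidr in rec.get("ips", []):
            nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def is_eop_source(addr: str, nets) -> bool:
    """True if addr falls inside one of the EOP SMTP ranges (same address family)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets if n.version == ip.version)


def audit(sources, nets) -> dict:
    """Split observed SMTP sources into EOP and everything else.

    "other" is Internet mail (or an attacker) and must keep going through the
    scanner; an address in "eop" that the firewall log still shows as scanned
    means the address group is stale or the bypass rule sits below the scan rule.
    """
    report = {"eop": [], "other": []}
    for src in sources:
        report["eop" if is_eop_source(src, nets) else "other"].append(src)
    return report


# Constructed records shaped like the web service's output, with documentation prefixes.
SAMPLE_ENDPOINTS = [
    {"id": 1, "serviceArea": "Exchange", "tcpPorts": "443",
     "ips": ["192.0.2.128/25"], "category": "Optimize", "required": True},
    {"id": 2, "serviceArea": "Exchange", "tcpPorts": "25,443",
     "ips": ["192.0.2.0/25", "2001:db8:25::/48"], "category": "Allow", "required": True},
    {"id": 3, "serviceArea": "SharePoint", "tcpPorts": "80,443",
     "ips": ["198.51.100.0/24"], "category": "Optimize", "required": True},
    {"id": 4, "serviceArea": "Exchange", "tcpPorts": "25",
     "urls": ["*.mail.protection.outlook.example"], "category": "Allow", "required": True},
]
# Constructed source addresses as a firewall connection log for port 25 might show them.
SAMPLE_SOURCES = ["192.0.2.7", "192.0.2.200", "198.51.100.9", "2001:db8:25::a", "203.0.113.44"]


if __name__ == "__main__":
    live = smtp_source_ranges(fetch_endpoints())
    for net in live:
        print(f"allow tcp {net} -> hybrid.company.com:25   (SMTP scanning off)")
    print("deny  tcp any -> hybrid.company.com:25")
```

The printed lines are vendor-neutral; translate them into the firewall's own address-group and rule syntax, keep the bypass rule above the general port 25 rule that still carries scanning for the MX host, and re-run the script on a schedule, since Microsoft changes the ranges and a stale group reproduces the original failure.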
  • Hi Ed,

    No third-party spam engine; instead the MX record points to the public IP of the Exchange server. There is no Edge Transport server. Only one Cyberoam Next Generation firewall, where the rule applied from WAN to LAN allows port 25 with 'SMTP scanning' enabled.

    This firewall causes the problem and blocks ESMTP traffic from O365 to the Exchange server when SMTP scanning is enabled. Once I disabled SMTP scanning, there is no problem. But more SPAM to users.

    I am in the process of mailbox migration; once that is complete, the MX record will be changed to point to Exchange Online.

    Right now I am facing another issue with mailbox migration. The migration is failing constantly with the error "Transient error SourceMailboxAlreadyBeingMovedTransientException has occurred. The system will retry..."

    I will configure the firewall once this migration problem is resolved.

    Thanks a lot

    Prabodha

    Sunday, June 11, 2017 9:45 AM
  • Hi Ed,

    The firewall rule is: incoming ANY to the Exchange server, with SMTP scanning applied. The MX record points to the Exchange server's public IP. If I disable SMTP scanning, SPAM mails immediately come to users.

    Is it OK to change the MX record to Office 365 even before migrating the users?

    I was not able to find any article on bypassing mail from Office 365 to on-premise. I already entered the Exchange Online Protection IP ranges in a group and applied it, but that is not working.

    Thanks

    Prabodha

    Tuesday, June 13, 2017 1:23 PM
  • The MX record setting has nothing to do with mailbox moves.

    SMTP between Exchange Online Protection and your on-premises server should be direct, without any message hygiene appliance, server or cloud service, or any non-Exchange relay host in between.  That's what I mean.  You can specify the host that outbound mail from Exchange Online Protection goes to in the Hybrid Configuration Wizard.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, June 13, 2017 6:56 PM
    Moderator