Sent mail from Exchange Online via On-Premises to another Exchange Online environment

  • Question

  • Hello,

    I am currently migrating a customer of ours to Exchange Online from Exchange 2013. We have created a new Exchange 2016 cluster and configured the DAG cluster to be the hybrid servers. The mailboxes still remain on Exchange 2013. We have migrated a couple of users to Exchange Online for testing purposes.

    The customer has on-premises e-mail filtering via an Appliance. We have routed all traffic to be sent via these appliances. The customer uses forced TLS and needs the mailflow to keep going via On-Prem. The problem is that when an Exchange Online mailbox sends an e-mail to an Exchange Online mailbox from another tenant that the e-mail is not routed via the on-prem appliances but it is routed via Internet:

    When an e-mail is sent to a mailbox which is not in Exchange Online the mail is routed via On-Premises. So you would say the configuration is correct of the Hybrid Connection.

    How can I get all traffic, including mail to other Exchange Online tenants to be routed via On-Premises? Centralized E-mail Transport is configured in the Hybrid Configuration Wizard and the send connector for the hybrid connection shows that all (*) domains need to be routed via On-Premises.

    Is this even possible? Does the Exchange Online Backend handle this as "internal" e-mail?

    Thanks in advance!

    Niels


    • Edited by NKO_IT Tuesday, May 19, 2020 11:53 AM
    Tuesday, May 19, 2020 11:39 AM

All replies

  • The problem is that when an Exchange Online mailbox sends an e-mail to an Exchange Online mailbox from another tenant that the e-mail is not routed via the on-prem appliances but it is routed via Internet:

    Then it's working as it should, right?

    Where does the mx record point to?

    Tuesday, May 19, 2020 12:20 PM
  • Hello,

    Thanks, the E-mail sent from Exchange Online to another Exchange Online tenant should be routed via On-Premises and not via Internet. We want to route all traffic via On-Premises for external mail.

    The MX record points to the on-prem SPAM Appliances.

    Thanks,

    Niels

    Tuesday, May 19, 2020 12:25 PM
  • https://techcommunity.microsoft.com/t5/exchange-team-blog/office-365-message-attribution/ba-p/749143

    FAQ #3 – Does mail between Office 365 tenants always use MX records?

    Yes - except when we’re not expected to. Going back to our example, if a message is truly attributed to contoso.com initially, then when we’re ready to send the message to tailspintoys.com, we will absolutely look up the MX record.  However, there are some exceptions you should be aware of:

    1. Contoso.com can override the routing logic by creating an outbound connector for tailspintoys.com.  This case is the most obvious and is no different than Exchange’s (or any other SMTP server’s) routing logic.
    2. If the mail appears to already be incoming to tailspintoys.com, then we wouldn’t want to route it back out to the tailspintoys.com MX record.  This can happen if contoso.com doesn’t have a properly configured inbound connector. Without a proper connector, we see the message as incoming to tailspintoys.com.
    3. We also give each tenant an onmicrosoft.com address.  These addresses can always be used to route directly to Office 365, no matter where the MX record points (this is how cross premise mail flow works between on-premises and the cloud).


    Tuesday, May 19, 2020 2:08 PM
  • Thank you Andy, but this does not answer my question. 

    The e-mail destined for tailspintoys.com needs to go via the On-Prem mail appliance but it is routed via the internet. I want to route all traffic for contoso.com via On-Prem. I have enabled:

    Centralized E-mail Transport.

    Made sure RouteAllMessagesViaOnPremises equals True

    Did I forget to configure something?

    Thanks,

    Niels

    Tuesday, May 19, 2020 2:18 PM
  • But when another Exchange Online tenant looks up that org to send mail to it, it looks for the MX record which currently points on-prem right? That should then go through that on-prem appliance. Not sure I understand what the difference or issue is? Maybe I am reading this incorrectly.
    Tuesday, May 19, 2020 2:28 PM
  • Hi Andy,

    I will elaborate:

    I want all traffic in my Exchange Online environment to be sent and received by my Hybrid Exchange Server.

    So when an Exchange Online user sends an e-mail to someone externally I want it to be routed via on-premises and not directly via the internet. This is because of compliance reasons.

    In this image, everything should be green for on-premises:

    Tuesday, May 19, 2020 2:36 PM
  • Ok, you are referring then to the outbound mail your ExO tenant sends then, I was reading that the other way.

    So what you are seeing if I have it right now:

    1. User in your ExO tenant sends message to another ExO tenant.

    2. Message goes to other ExO tenant "directly" instead of routing through on-prem.

    3. If the recipient is not in Office 365, how does the mail route?

    Can you post the OutboundConnector settings from PowerShell?

    And the Get-HybridConfiguration from on-prem PS showing that Centralized Mail Flow is enabled as a feature.

    Tuesday, May 19, 2020 3:25 PM
  • Hi Andy,

    Thanks, that is correct:



        Get-OutboundConnector
    RunspaceId                    : e*-c*-4*-9*-a*
    Enabled                       : True
    UseMXRecord                   : False
    Comment                       :
    ConnectorType                 : OnPremises
    ConnectorSource               : AdminUI
    RecipientDomains              : {*}
    SmartHosts                    : {*.*****.*}
    TlsDomain                     : *.*****.*
    TlsSettings                   : DomainValidation
    IsTransportRuleScoped         : False
    RouteAllMessagesViaOnPremises : True
    CloudServicesMailEnabled      : True
    AllAcceptedDomains            : False
    TestMode                      : False
    LinkForModifiedConnector      : 00000000-0000-0000-0000-000000000000
    ValidationRecipients          : {*@*****.*}
    IsValidated                   : False
    LastValidationTimestamp       : 5/19/2020 4:33:17 PM
    AdminDisplayName              :
    ExchangeVersion               : 0.1 (8.0.535.0)
    Name                          : Outbound to 1*-6*-4*-8*-3*
    DistinguishedName             : CN=Outbound to 1*-6*-4*-8*-3*,CN=Transport Settings,CN=Configurat
                                    ion,CN=*.onmicrosoft.com,CN=ConfigurationUnits,DC=EURPR06A007,DC=PROD,DC=OUTLOO
                                    K,DC=COM
    Identity                      : Outbound to 1*-6*-4*-*-3*
    ObjectCategory                : EURPR06A007.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-SMTP-Outbound-Connector
    ObjectClass                   : {top, msExchSMTPOutboundConnector}
    WhenChanged                   : 5/19/2020 4:33:29 PM
    WhenCreated                   : 4/21/2020 3:07:47 PM
    WhenChangedUTC                : 5/19/2020 2:33:29 PM
    WhenCreatedUTC                : 4/21/2020 1:07:47 PM
    ExchangeObjectId              : 2*-4*-4*-8*-6*
    OrganizationId                : EURPR06A007.PROD.OUTLOOK.COM/Microsoft Exchange Hosted
                                    Organizations/*.onmicrosoft.com -
                                    EURPR06A007.PROD.OUTLOOK.COM/ConfigurationUnits/*.onmicrosoft.com/Configuration
    Id                            : Outbound to 1*-6*-4*-8*-3*
    Guid                          : 2*-4*-4*-8*-6*
    OriginatingServer             : AM4PR06A007DC02.EURPR06A007.PROD.OUTLOOK.COM
    IsValid                       : True
    ObjectState                   : Unchanged

        

    get-hybridConfiguration


    RunspaceId                : 5*-6*-4*-8*-7*
    ClientAccessServers       : {}
    EdgeTransportServers      : {}
    ReceivingTransportServers : {*-*, *-*}
    SendingTransportServers   : {*-*, *-*}
    OnPremisesSmartHost       : **.*********.***
    Domains                   : {*********.***}
    Features                  : {FreeBusy, MoveMailbox, Mailtips, MessageTracking, OwaRedirection, OnlineArchive, SecureMail, CentralizedTransport, Photos}
    ExternalIPAddresses       : {}
    TlsCertificateName        : <I>CN=*, OU=w*, O=*, C=US<S>CN=*.*********.***, OU=*, O=*., L=*, S=*, C=*
    ServiceInstance           : 0
    AdminDisplayName          :
    ExchangeVersion           : 0.20 (15.0.0.0)
    Name                      : Hybrid Configuration
    DistinguishedName         : CN=Hybrid Configuration,CN=Hybrid Configuration,CN=*,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=*,DC=*,DC=*
    Identity                  : Hybrid Configuration
    Guid                      : 2*-8*-4*-b*-e*
    ObjectCategory            : *.*.*/Configuration/Schema/ms-Exch-Coexistence-Relationship
    ObjectClass               : {top, msExchCoexistenceRelationship}
    WhenChanged               : 22-4-2020 15:45:49
    WhenCreated               : 21-4-2020 15:06:40
    WhenChangedUTC            : 22-4-2020 13:45:49
    WhenCreatedUTC            : 21-4-2020 13:06:40
    OrganizationId            :
    Id                        : Hybrid Configuration
    OriginatingServer         : *-*.*.*.*
    IsValid                   : True
    ObjectState               : Unchanged

    Thanks

    Wednesday, May 20, 2020 7:41 AM
  • Hi NKO_IT,

    Does this issue only occur between tenants?

    When you send from an on-premises user, will it route via on-prem Exchange?

    Please try to track the message in on-prem Server and Online Server and post the results here.

    Regards,

    Eric Yin


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Wednesday, May 20, 2020 9:36 AM
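
Added example, not part of any post in this thread: one way to confirm from a delivered test message whether it crossed the on-premises appliance, as the tracking request above asks, by reading its Received headers. The suffix mail.contoso.example, the host names and both sample messages are constructed placeholders.

```python
import re
from email import message_from_string

ONPREM_SUFFIX = "mail.contoso.example"  # assumed placeholder for the appliance domain
_HOP = re.compile(r"from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)", re.I | re.S)

def hops(raw_message):
    """Return (from_host, by_host) per Received header, oldest hop first."""
    msg = message_from_string(raw_message)
    found = []
    for value in reversed(msg.get_all("Received", [])):  # newest header is on top
        m = _HOP.search(value)
        if m:
            found.append((m["frm"].lower(), m["by"].lower().rstrip(";")))
    return found

def traversed_onprem(raw_message, suffix=ONPREM_SUFFIX):
    """True if any hop was handed over or accepted by a host under `suffix`."""
    def under(host):
        # Require a label boundary so "evilmail.contoso.example" does not match.
        return host == suffix or host.endswith("." + suffix)
    return any(under(f) or under(b) for f, b in hops(raw_message))

# Constructed samples (host names and addresses are made up for illustration).
_ORIGIN = (
    "Received: from AM0PR06MB0001.eurprd06.prod.outlook.com (2603:10a6::1)\n"
    " by AM0PR06MB0002.eurprd06.prod.outlook.com with HTTPS;\n"
    " Tue, 19 May 2020 11:30:02 +0000\n"
    "Subject: routing test\n\nbody\n"
)
DIRECT = (
    "Received: from EUR06-AM5-obe.outbound.protection.outlook.com (203.0.113.10)\n"
    " by DB5EUR01FT001.mail.protection.outlook.com with Microsoft SMTP Server;\n"
    " Tue, 19 May 2020 11:30:05 +0000\n" + _ORIGIN
)
VIA_ONPREM = (
    "Received: from gw1.mail.contoso.example (198.51.100.7)\n"
    " by DB5EUR01FT001.mail.protection.outlook.com with Microsoft SMTP Server;\n"
    " Tue, 19 May 2020 11:30:09 +0000\n"
    "Received: from EUR06-AM5-obe.outbound.protection.outlook.com (203.0.113.10)\n"
    " by gw1.mail.contoso.example with ESMTPS;\n"
    " Tue, 19 May 2020 11:30:06 +0000\n" + _ORIGIN
)

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("via on-prem", VIA_ONPREM)):
        print(name, traversed_onprem(raw), hops(raw))
```

Run it against a test message delivered to a mailbox in the other tenant; only Received lines added by servers you trust count as evidence of the path.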
  • Consider re-running the Hybrid Wizard again.
    Saturday, May 23, 2020 4:35 PM
  • Will do, will let you know!
    Monday, May 25, 2020 6:33 AM
  • Hi,

    I'm here to confirm with you if your issue has been resolved. If the problem is successfully solved, you can share your solution and mark them or the helpful reply as answer, this will make answer searching in the forum easier and be beneficial to other community members as well.

    Regards,

    Eric Yin


    Friday, May 29, 2020 6:51 AM
  • Hi Eric Yin,

    Thanks, but we ended up creating a ticket with Microsoft Support.

    I will post the solution when we figure it out.

    Thanks,

    Niels

    Friday, May 29, 2020 6:59 AM
  • Hi NKO_IT,

    Hope they can solve it for you.

    Waiting for your response.

    Regards,

    Eric Yin


    Friday, June 5, 2020 9:13 AM