"Mail sent to the wrong Office 365 region" when relaying to other O365 tenants

  • Question

  • I have an on-prem Exchange 2016 server that is set up to relay on premise SMTP generated from a variety of sources. It is not configured as an official hybrid for a variety of reasons that aren't really pertinent here. The outbound connector is configured with the following command:

    New-SendConnector -Name "Out to O365" -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn smtp.contoso.com -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts contoso-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation

    And the inbound connector in O365 is set to authenticate based on the TLS cert with the host name of smtp.contoso.com.

    Good News:

    1. If I send mail to any of my accepted domains in O365 they get delivered perfectly and are even considered as internal mail which is great.

    2. If I send to a domain that isn't hosted within O365 such as gmail.com the mail gets relayed perfectly, even using the DKIM and SPF that is configured for our tenant.

    BAD NEWS:

    Mail that I send to another O365 tenant fails in the premise outbound queue with the error:

    Identity: AMAZRUSEPSMTP01\58\2220498092035
    Subject: test2
    Internet Message ID: <9a819456-9348-4ab3-a019-0dcca923847d@XXXXXX.yy.zzz.com>
    From Address: test2@contoso.com
    Status: Retry
    Size (KB): 3
    Message Source Name: SMTP:Default XXXXXXX
    Source IP: 10.109.10.115
    SCL: 0
    Date Received: 2/19/2019 2:13:21 PM
    Expiration Time: 2/21/2019 2:13:21 PM
    Last Error: 451 4.4.62 Mail sent to the wrong Office 365 region. ATTR35. For more information please go to https://go.microsoft.com/fwlink/?linkid=865268 [CO1NAM04FT018.eop-NAM04.prod.protection.outlook.com]
    Queue ID: AMAZRUSEPSMTP01\58
    Recipients:  rob@someothertenant.com;3;2;[{LED=451 4.4.62 Mail sent to the wrong Office 365 region. ATTR35. For more information please go to https://go.microsoft.com/fwlink/?linkid=865268 [CO1NAM04FT018.eop-NAM04.prod.protection.outlook.com]};{MSG=};{FQDN=};{IP=};{LRT=}];0;CN=Out to O365,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=cpb,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=cpb,DC=com;0

    Any help would be greatly appreciated!

    Rob


    • Edited by RobAxe Tuesday, February 19, 2019 8:43 PM
    Tuesday, February 19, 2019 7:56 PM

All replies

  • Hi Rob,

    To start with, I would like to ask the following questions:

    1. Did you get any NDR message from the sender side?
    2. Are all of the other tenants unable to receive the message from yours?
    3. How did you set up the send connector for outbound emails to the other tenant? 

    I have heard that this issue could occur if the recipients' MX record is configured incorrectly. If that is not the issue, please follow the steps below for further troubleshooting:

    1. Check the send connector in your on-premises Exchange. Please tell us which connector you are using for outbound messages to other O365 tenants. Generally, we could set up the same connector for non-365 domains and other tenants using the recipients' MX record. Run the following command to check it:

    Get-SendConnector | fl >c:\connector.txt


    2. Check the message tracking log via the following command:

    Get-MessageTrackingLog -Recipients "<smtp_address>" -MessageSubject "<subject>" | fl >c:\msgtrace.txt


    Note: please send the txt files to the following address: ibsexc@microsoft.com. 

    Regards,

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    • Edited by Manu Meng Tuesday, February 26, 2019 2:25 AM
    Wednesday, February 20, 2019 8:59 AM
  • Now I have wider issues on the server. It appears as if O365 isn't recognizing the TLS certificate and connecting the server outbound messages to the O365 inbound connector. It is seeing my server as just another server on the Internet and causing some very odd behavior. If I put in connectors directly to domains or tell it to use MX records rather than using O365 as the smarthost, everything works fine other than the fact that these internal servers' IPs aren't in the SPF record. I need it to route through O365 though, essentially the way a hybrid server would. I will email the details of the certificates, send and receive connectors.

    Thanks!!

    Rob

    Wednesday, February 20, 2019 10:10 PM
  • Switching to a receive connector in the cloud that uses IP address rather than certificate seems to do the trick. However that is obviously not optimal. Any tips on troubleshooting the certificate? I have an Entrust cert that is enabled for SMTP. I have the Helo set to the host name that is on the certificate and have the send connector set up to use TLS. Here is the send connector from onprem (edited to remove company info):


    AddressSpaces                : {smtp:*;1}
    AuthenticationCredential     : 
    CloudServicesMailEnabled     : True
    Comment                      : 
    ConnectedDomains             : {}
    ConnectionInactivityTimeOut  : 00:10:00
    ConnectorType                : Default
    DNSRoutingEnabled            : False
    DomainSecureEnabled          : False
    Enabled                      : True
    ErrorPolicies                : Default
    ForceHELO                    : False
    Fqdn                         : smtp.contoso.com
    FrontendProxyEnabled         : False
    HomeMTA                      : Microsoft MTA
    HomeMtaServerId              : AMAZRUSEPSMTP01
    Identity                     : All Outbound
    IgnoreSTARTTLS               : False
    IsScopedConnector            : False
    IsSmtpConnector              : True
    MaxMessageSize               : 35 MB (36,700,160 bytes)
    Name                         : All Outbound
    Port                         : 25
    ProtocolLoggingLevel         : None
    Region                       : NotSpecified
    RequireOorg                  : False
    RequireTLS                   : True
    SmartHostAuthMechanism       : None
    SmartHosts                   : {contoso-com.mail.protection.outlook.com}
    SmartHostsString             : contoso-com.mail.protection.outlook.com
    SmtpMaxMessagesPerConnection : 20
    SourceIPAddress              : 0.0.0.0
    SourceRoutingGroup           : Exchange Routing Group (DWBGZMFD01QNBJR)
    SourceTransportServers       : {AMAZRUSEPSMTP02, AMAZRUSEPSMTP01}
    TlsAuthLevel                 : CertificateValidation
    TlsCertificateName           : <I>CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for 
                                   authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", 
                                   C=US<S>CN=smtp.contoso.com, O=Contoso Company, L=Anytown, S=New Jersey, C=US
    TlsDomain                    : 
    UseExternalDNSServersEnabled : False

    Thursday, February 21, 2019 7:06 PM
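
A quick offline consistency check for a connector dump like the one in the post above (an added example, not part of the original thread or any Microsoft tooling). It parses `Get-SendConnector | fl` text, re-joins the wrapped `TlsCertificateName` value, and compares the connector `Fqdn` (the HELO/EHLO name) with the certificate subject CN. The function names are hypothetical, the sample is constructed from the post, and subject alternative names are not visible in this output, so only the CN is compared.

```python
import re
import textwrap

# Constructed sample, trimmed from the `Get-SendConnector | fl` dump in the post above.
SAMPLE = """\
Fqdn                         : smtp.contoso.com
RequireTLS                   : True
TlsAuthLevel                 : CertificateValidation
TlsCertificateName           : <I>CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for
                               authorized use only", O="Entrust, Inc.",
                               C=US<S>CN=smtp.contoso.com, O=Contoso Company, L=Anytown, S=New Jersey, C=US
"""

def parse_fl(text):
    """Parse Format-List text into a dict, re-joining values wrapped onto indented lines."""
    props, key = {}, None
    for line in textwrap.dedent(text).splitlines():
        m = re.match(r"(\w+)\s*:\s?(.*)$", line)  # property names start at column 0
        if m:
            key, props[m.group(1)] = m.group(1), m.group(2).strip()
        elif key and line.strip():
            props[key] += " " + line.strip()  # wrapped continuation of the previous value
    return props

def subject_cn(subject):
    """Extract the CN from a certificate subject string, lower-cased."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", subject)
    return m.group(1).strip().lower() if m else None

def cn_matches(cn, fqdn):
    """Exact match, or a wildcard CN covering exactly one left-most label."""
    if cn.startswith("*."):
        return fqdn.count(".") == cn.count(".") and fqdn.endswith(cn[1:])
    return cn == fqdn

def audit(props):
    """Return findings for the TLS fields the thread relies on; empty list means consistent."""
    findings = []
    for name, want in (("RequireTLS", "True"), ("TlsAuthLevel", "CertificateValidation")):
        if props.get(name) != want:
            findings.append(f"{name}={props.get(name)!r}, the connector in the question used {want}")
    fqdn = props.get("Fqdn", "").lower()
    m = re.fullmatch(r"<I>(.*)<S>(.*)", props.get("TlsCertificateName", ""))
    cn = subject_cn(m.group(2)) if m else None
    if cn is None:
        findings.append("TlsCertificateName has no <I>issuer<S>subject value with a CN")
    elif not cn_matches(cn, fqdn):
        findings.append(f"HELO/EHLO name {fqdn!r} does not match certificate subject CN {cn!r}")
    return findings
```

Running `audit(parse_fl(open(r"c:\connector.txt", encoding="utf-16").read()))` against the file produced by the redirect in the earlier reply is the intended use; the `utf-16` encoding is an assumption about how Windows PowerShell writes `>` output.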
  • Sorry for the delay.

    As you mentioned, you didn't set up a hybrid environment so it should be reasonable that O365 didn't recognize your Exchange server as its on-premises server. 

    I just read your email and I find that there is only one send connector in your Exchange server and it is configured to send outbound messages to EOP, is that true?

    If that is true, how did the message flow to the third-party email system, like Gmail? Through O365 or send connector? How did you configure O365 to relay the message from Gmail? We need you to send an email's message header from the Gmail inbox to check the mail routing of the outbound message.

    Regards,

    Manu Meng



    Tuesday, February 26, 2019 2:41 AM
  • I have the same problem.

    Sending from a webserver from a known IP to O365 smtp relay.
    Inbound connector on O365 restricted to known IP.

    Mail gets delivered to own O365 tenant and all other NON O365 recipients.

    Recipients in OTHER O365 tenants are not delivered, "Mail sent to the wrong Office 365 region. ATTR35."

    I checked and double-checked all DNS/Domain/Connector settings, all is exactly configured as mentioned in the MS articles.

    Thursday, October 3, 2019 12:52 PM
  • Hello

    Just in case you haven't read this:

    https://docs.microsoft.com/en-us/exchange/troubleshoot/email-delivery/wrong-office-365-region-exo

    The main error is that the MX value is not the one given in the tenant (DNS configuration).

    Olivier.

    Thursday, October 3, 2019 1:40 PM
  • Hello,

    Did you find some relevant information in this thread?

    If that's the case, could you mark them as useful and mark the answer?

    Thanks,

    Olivier

    Saturday, October 19, 2019 2:37 PM