none
Incomming mail fails with 550

    Question

  • When a specific message is sent to our Edge Transport server, the message fails with RecipientStatus "{[{LRT=};{LED=550 authentication required};{FQDN=};{IP=}]}" according to Get-MessageTrackingLog

    Signature?

    Thursday, February 16, 2017 10:50 AM

Answers

  • So no mail flow restrictions on user mailboxes.

    Hence, it is the default receive connector on Edge server that is not allowing the connection to your domain.

    The above articles should help you point in right direction

      If it is only one specific domain, then you can check if the domain is not blacklisted in your org> else whitelist the domain

    Get-receiveconnector | select PermissionGroups

    • Edited by Akabe Thursday, February 16, 2017 1:27 PM
    • Marked as answer by Nieck Thursday, February 16, 2017 2:03 PM
    Thursday, February 16, 2017 1:13 PM

All replies

  • Hi Nieck,

    Please check the Output of below commands

    Get-SendConnector | Format-List Name,Usage,AddressSpaces,SourceTransportServers,DSNRoutingEnabled,SmartHosts,SmartHostAuthMechanism
    Get-ReceiveConnector | Format-List Name,Usage,AuthMechanism,Bindings,RemoteIPRanges

    Thursday, February 16, 2017 11:19 AM
  • This is happening while sending to external or receiving from external mails?

    check the mailboxes are enabled for below parameter yes disable the same.

    -RequireSenderAuthenticationEnabled 


    Jayakumar K

    Thursday, February 16, 2017 12:00 PM
  • This happends while receiving mail from external mailaddresses

    Signature?

    Thursday, February 16, 2017 12:01 PM
  • Get-SendConnector | Format-List Name,Usage,AddressSpaces,SourceTransportServers,DSNRoutingEnabled,SmartHosts,SmartHostAuthMechanism
    
    Name                   : EdgeSync - Default-First-Site-Name to Internet
    AddressSpaces          : {smtp:*;100}
    SourceTransportServers : {}
    SmartHosts             : {}
    SmartHostAuthMechanism : None
    
    Name                   : EdgeSync - Inbound to Default-First-Site-Name
    AddressSpaces          : {smtp:--;100}
    SourceTransportServers : {}
    SmartHosts             : {--}
    SmartHostAuthMechanism : ExchangeServer
    
    Name                   : Outbound to Office 365
    AddressSpaces          : {smtp:tenantid.mail.onmicrosoft.com;1}
    SourceTransportServers : {}
    SmartHosts             : {}
    SmartHostAuthMechanism : None
    
    
    Get-ReceiveConnector | Format-List Name,Usage,AuthMechanism,Bindings,RemoteIPRanges
    
    Name           : Default internal receive connector EDGESERVER
    AuthMechanism  : Tls, ExchangeServer
    Bindings       : {0.0.0.0:25}
    RemoteIPRanges : {0.0.0.0-255.255.255.255}


    Signature?


    • Edited by Nieck Thursday, February 16, 2017 12:05 PM
    Thursday, February 16, 2017 12:05 PM
  • get-mailbox mailbox@contoso.com | select *requi*
                                                                                         RequireSenderAuthenticationEnabled
                                                                                         ----------------------------------
                                                                                                                      False


    Signature?

    Thursday, February 16, 2017 12:08 PM
  • The external sender > Is that sender sending an email to a distribution group or a user mailbox?

    I assume you have an edge subscription set up?



    • Edited by Akabe Thursday, February 16, 2017 12:20 PM
    Thursday, February 16, 2017 12:19 PM
  • The external sender > Is that sender sending an email to a distribution group or a user mailbox?

    The external sender is sending to a user mailbox

    I assume you have an edge subscription set up?

    That is correct

    Get-sendconnector
    
    Identity                                       AddressSpaces                         Enabled
    --------                                       -------------                         -------
    EdgeSync - Default-First-Site-Name to Internet {smtp:*;100}                          True   
    EdgeSync - Inbound to Default-First-Site-Name  {smtp:--;100}                         True   
    Outbound to Office 365                         {smtp:tenantid.mail.onmicrosoft.com;1} True   
    
    
    
    Get-ReceiveConnector
    
    Identity                                                       Bindings     Enabled
    --------                                                       --------     -------
    ex-edge-svr01\Default internal receive connector EX-EDGE-SVR01 {0.0.0.0:25} True   


    Signature?


    • Edited by Nieck Thursday, February 16, 2017 12:26 PM
    Thursday, February 16, 2017 12:25 PM
  • Thnx Nieck

    Is this issue limited to a single external domain or all external emails (domains) are affected? Is this issue w.r.t to a single Mailbox user or multiple?

    Are there any mail flow restrictions on a mailbox user > Restriction like not to accept emails externally or from a specific users only





    • Edited by Akabe Thursday, February 16, 2017 12:35 PM added info
    Thursday, February 16, 2017 12:32 PM
  • Hi Akabe,

    This issue is limited to one single external domain as far as I know.


    Signature?

    Thursday, February 16, 2017 12:34 PM
  • just added few more questions in my above comment
    Thursday, February 16, 2017 12:35 PM
  • Hi Akabe,

    Can you tell me which properties I can output for get-mailbox?

    get-mailbox mailbox@contoso.com | select *requi*
                                                                                         RequireSenderAuthenticationEnabled
                                                                                         ----------------------------------
                                                                                                                      False


    Signature?

    Thursday, February 16, 2017 12:43 PM
  • Get-Mailbox <identity> | fl AcceptMessagesOnlyFrom,AcceptMessagesOnlyFromDLMembers,RejectMessagesFrom,RejectMessagesFromDLMembers,RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFromSendersOrMembers,RejectMessagesFromSendersOrMembers 
    
    Also, get-mailbox identity |select forwa*, del* 



    • Edited by Akabe Thursday, February 16, 2017 12:54 PM added info
    Thursday, February 16, 2017 12:47 PM
  • Get-Mailbox usermailbox@contoso.com | fl AcceptMessagesOnlyFrom,AcceptMessagesOnlyFromDLMembers,RejectMessagesFrom,RejectMessagesFromDLMembers,RequireSenderAuthenticationEnabled
    
    AcceptMessagesOnlyFrom             : {}
    AcceptMessagesOnlyFromDLMembers    : {}
    RejectMessagesFrom                 : {}
    RejectMessagesFromDLMembers        : {}
    RequireSenderAuthenticationEnabled : False
    
    
    get-mailbox usermailbox@contoso.com | fl forwa*, del*
    
    ForwardingAddress          :
    ForwardingSmtpAddress      :
    DeliverToMailboxAndForward : False
    



    • Edited by Nieck Thursday, February 16, 2017 12:57 PM
    Thursday, February 16, 2017 12:56 PM
  • Get-mailbox identity | select 

    AcceptMessagesOnlyFromSendersOrMembers,RejectMessagesFromSendersOrMembers

    Is only one mailbox affected or all of them cant receive emails from this specific external sender?

    Thursday, February 16, 2017 12:59 PM
  • Also can you check what permission is assigned to the receive connector on edge server 

    Check below article for permissions assigned to the receive connector for external users 

    - https://technet.microsoft.com/en-us/library/aa996395(v=exchg.160).aspx

    How to assign permission to a receive connector:-

    - https://technet.microsoft.com/en-us/library/bb232021(v=exchg.80).aspx

    Thursday, February 16, 2017 1:09 PM
  • Issue applies to multipe mailboxes.

    Get-Mailbox -id user1@contoso.com | select *requi*,AcceptMessagesOnlyFrom,AcceptMessagesOnl
    yFromDLMembers,RejectMessagesFrom,RejectMessagesFromDLMembers,AcceptMessagesOnlyFromSendersOrMembers,RejectMessagesFromS
    endersOrMembers,forwa*, del*
    
    
    RequireSenderAuthenticationEnabled     : False
    AcceptMessagesOnlyFrom                 : {}
    AcceptMessagesOnlyFromDLMembers        : {}
    RejectMessagesFrom                     : {}
    RejectMessagesFromDLMembers            : {}
    AcceptMessagesOnlyFromSendersOrMembers : {}
    RejectMessagesFromSendersOrMembers     : {}
    ForwardingAddress                      :
    ForwardingSmtpAddress                  :
    DeliverToMailboxAndForward             : False
    
    Get-Mailbox -id user2@contoso.com | select *requi*,AcceptMessagesOnlyFrom,AcceptMessagesOnl
    yFromDLMembers,RejectMessagesFrom,RejectMessagesFromDLMembers,AcceptMessagesOnlyFromSendersOrMembers,RejectMessagesFromS
    endersOrMembers,forwa*, del*
    
    
    RequireSenderAuthenticationEnabled     : False
    AcceptMessagesOnlyFrom                 : {}
    AcceptMessagesOnlyFromDLMembers        : {}
    RejectMessagesFrom                     : {}
    RejectMessagesFromDLMembers            : {}
    AcceptMessagesOnlyFromSendersOrMembers : {}
    RejectMessagesFromSendersOrMembers     : {}
    ForwardingAddress                      :
    ForwardingSmtpAddress                  :
    DeliverToMailboxAndForward             : False



    Signature?

    Thursday, February 16, 2017 1:11 PM
  • So no mail flow restrictions on user mailboxes.

    Hence, it is the default receive connector on Edge server that is not allowing the connection to your domain.

    The above articles should help you point in right direction

      If it is only one specific domain, then you can check if the domain is not blacklisted in your org> else whitelist the domain

    Get-receiveconnector | select PermissionGroups

    • Edited by Akabe Thursday, February 16, 2017 1:27 PM
    • Marked as answer by Nieck Thursday, February 16, 2017 2:03 PM
    Thursday, February 16, 2017 1:13 PM
  • Get-receiveconnector | select PermissionGroups
    
    PermissionGroups
    ----------------
    AnonymousUsers, ExchangeServers, Partners

    For some reason, mail flow is working now:

    External sender
    Two days ago: Get-messagetrackinglog -> RecipientStatus: {LED=550 authentication required};{FQDN=};{IP=}]}
    Right now: Get-messagetrackinglog -> RecipientStatus: {250 Accepted}

    Signature?

    Thursday, February 16, 2017 1:56 PM
  • Good to know the issue is resolved now. It was good working with u on this issue 

    You can mark any helpful post/answer for other users to know about the resolution


    • Edited by Akabe Thursday, February 16, 2017 2:02 PM
    Thursday, February 16, 2017 2:02 PM