Email from Office365 can't reach On premise mailboxes in Hybrid Exchange 2010

    Question

  • Dear Exchange Expert,

    Currently we are implementing the Office 365 Hybrid in our environment, which is running Exchange 2010. We have finished the HWC and we are now migrating the first pilot test account, which has been successfully completed. However, after testing, I found that there is an issue with email flow:

    1. Email from External Domain (yahoo/Hotmail) to migrated O365 User, Pass Test

    2. Email from Migrated O365 User to External Domain (yahoo/Hotmail), Pass Test

    3. Email from Non migrated on premise users to migrated O365 User, Pass Test

    4. Email from Migrated O365 User to Non Migrated On Premise Users, Failed Test

    After doing tracing, I found the error message below. Currently the message is still pending and going nowhere.

    Please help to advise what is causing the issue.

    Thanks.


    Regards,

    Tuesday, March 8, 2016 11:36 AM

All replies

  • I can't read the error message.  Please post it as text.

    Obviously something is wrong with your outbound connector, or your firewall or server is blocking inbound mail from Office 365.  You might try relaxing the security configuration.  I've found that the strict certificate matching requirements sometimes don't work.  Also, if you have some kind of SMTP relay or filter between Exchange Online and on-premises Exchange, it will break things.

    More information is required to tell you anything further.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, March 8, 2016 2:46 PM
    Moderator
  • Hi Ed,

    Here is the error message:

    Reason: [{LED=450 4.4.101 Proxy session setup failed on Frontend with '451 4.4.0 Primary target IP address responded with: "454 4.7.5 Certificate validation failure, Reason:SubjectMismatch." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate.

    From the trace result in Office 365, it was stated that the email is still pending delivery with the error message above, meaning that it has not even left O365 for our firewall and mail server yet. Do you think the issue is with the inbound email into our firewall?

    May I know what IP addresses are required, so that I can add them to my firewall?

    Thanks.

    Tuesday, March 8, 2016 3:44 PM
  • I've seen that plenty.  It looks like Exchange Online (EOP) doesn't like the certificate.  If you can't resolve that, you can go to Admin > Exchange > mail flow > connectors > (Outbound connector to your on-premises Exchange) > Properties > Next > Next > Next >

    Then on the "How should Office 365 connect to your server?" page, select "Any digital certificate..." and see if that works.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, March 8, 2016 3:56 PM
    Moderator
  • Hi,

    Besides Ed's suggestion, you can follow the procedure below to check whether the Exchange settings are correct.

    Firstly, because the error message indicates that it may be caused by the certificate, you can use the Get-ExchangeCertificate command to query the Exchange certificates, then use Get-ExchangeCertificate -Thumbprint certificatethumbprint | fl to check whether the certificate domain configuration is correct.

    Then, check the Receive Connector settings on the on-premises server and make sure the O365 IP addresses are in its IP range. You can also use the Get-ReceiveConnector command to get detailed information about the receive connector if there is any problem with it.

    Please also verify the hybrid configuration with the following command:

    Get-HybridConfiguration


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, March 9, 2016 9:56 AM
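A PowerShell check for the two things Roger describes (certificate names versus the connector FQDNs that EOP validates, and whether an Exchange Online IP falls inside the Receive connector's RemoteIPRanges), as an added example that is not part of this thread or of any Microsoft tooling; it assumes IPv4 ranges only, one-label wildcard names, and that RemoteIPRanges entries expose LowerBound/UpperBound:

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell.
# 1) Does every Send/Receive connector Fqdn appear in a valid SMTP-enabled certificate?
#    (A name mismatch there is what EOP reports as "Certificate validation failure,
#    Reason:SubjectMismatch".)
# 2) Is a given EOP source IP inside a Receive connector's RemoteIPRanges?
# Assumptions: IPv4 only; *.contoso.com covers one label; RemoteIPRanges entries
# expose LowerBound/UpperBound (Microsoft.Exchange.Data.IPRange).

function Test-CertDomainMatch {
    param([string[]]$CertDomains, [string]$Fqdn)
    foreach ($d in $CertDomains) {
        if ($d -ieq $Fqdn) { return $true }
        if ($d.StartsWith('*.')) {
            # *.contoso.com matches mail.contoso.com but not a.b.contoso.com
            $suffix = $d.Substring(1)
            if ($Fqdn.Length -gt $suffix.Length -and
                $Fqdn.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                -not $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length).Contains('.')) {
                return $true
            }
        }
    }
    return $false
}

function ConvertTo-IPv4Number([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

function Test-ReceiveConnectorAllowsIp($Connector, [string]$Ip) {
    $n = ConvertTo-IPv4Number $Ip
    foreach ($r in $Connector.RemoteIPRanges) {
        if ($r.LowerBound.AddressFamily -ne 'InterNetwork') { continue }   # skip IPv6 ranges
        $lo = ConvertTo-IPv4Number $r.LowerBound.ToString()
        $hi = ConvertTo-IPv4Number $r.UpperBound.ToString()
        if ($n -ge $lo -and $n -le $hi) { return $true }
    }
    return $false
}

# Collect the names from every valid certificate that has the SMTP service enabled
$certNames = @()
foreach ($c in (Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' -and $_.Status -eq 'Valid' })) {
    foreach ($d in $c.CertificateDomains) { $certNames += $d.ToString() }
}

# An empty Fqdn means the server's own FQDN is advertised; the certificate must cover that too
foreach ($sc in Get-SendConnector) {
    '{0,-16} {1,-40} Fqdn={2,-30} certMatch={3}' -f 'SendConnector', $sc.Name, $sc.Fqdn, (Test-CertDomainMatch $certNames ([string]$sc.Fqdn))
}
$eopIp = '203.0.113.10'   # PLACEHOLDER: substitute an address from Microsoft's published Exchange Online IP list
foreach ($rc in Get-ReceiveConnector) {
    '{0,-16} {1,-40} Fqdn={2,-30} certMatch={3} allows {4}={5}' -f 'ReceiveConnector', $rc.Identity, $rc.Fqdn, (Test-CertDomainMatch $certNames ([string]$rc.Fqdn)), $eopIp, (Test-ReceiveConnectorAllowsIp $rc $eopIp)
}
```

A connector line with certMatch=False is the one to fix (either re-issue the certificate with that name or set the connector Fqdn to a name the certificate carries); allows=False means the EOP address is not yet in that connector's RemoteIPRanges.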
  • Hi Ed,

    I tried your suggestion above to change the outbound connector to "Any digital certificate", but it doesn't work. It is not even able to validate successfully. Below is the error message:

    Then I put the setting back to go through the CA certificate; it is able to validate, but sending a test email failed. Further, I checked the details of the error message, as shown below. We can see that all checks passed except for the TLS one, which I don't understand.

    Please help to advise on this.

    Thanks in Advance Ed.

    Regards,

    Wednesday, March 9, 2016 11:39 AM
  • Hi Roger,

    I have run the command Get-ExchangeCertificate | Format-List to double check the certificate, and the result is a pass: the RootCAType is third party, the Services assigned are IIS and SMTP, the Not After date is in March 2017 and not expired, and the status is valid.

    I am currently confused about what the issue causing this might be.

    On my on-premises server, the receive connector is okay and I have more than 20 IP addresses from O365. Do you know where to confirm or get the complete list?

    Thanks.

    Wednesday, March 9, 2016 11:58 AM
  • For the complete list of IPs:

    https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx



    Wednesday, March 9, 2016 12:14 PM
  • Hi Andy,

    Thanks. I have added those addresses to my whitelist. However, the issue still persists; no email comes in.

    Please advise.

    Thanks

    Wednesday, March 9, 2016 3:21 PM
  • Have you opened a support ticket with Online Support?  They can hold your hand and walk you through it.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, March 9, 2016 6:15 PM
    Moderator
  • Use the Exchange Remote Connectivity Analyzer (http://exrca.com) to check.  They can help with certificate issues.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, March 9, 2016 6:17 PM
    Moderator
  • Hi Ed,

    Not yet. I have been planning to troubleshoot what the issue is first, as currently our on-premises mailboxes are still running as usual. This is the first test account being migrated in this hybrid environment.

    Do you still have any idea what the issue might be?


    Thanks so much Ed

    Thursday, March 10, 2016 6:47 AM
  • Henry2050 - Could you post here what the resolution was for this situation?
    Monday, May 23, 2016 1:23 AM