Relay Error 554.5.7.1 Ky

  • Question

  • We have an on-prem/365 environment.  Mail flow should all be routing to 365.  The on-prem is a stub basically.  We have a few Contacts that are routing to external, Salesforce, to create incidents.  We have an external ESA, Proofpoint.

    If a user sends an email to one of these contacts from within our Org, no problem.  But if a user sends to one of these Contacts from outside our Org (which is why it's set up) then they're getting a relay error.  I'm having a hard time wrapping my brain around the routing.  Message bounce text in first comment.


    Ben Rollman

    Thursday, June 11, 2020 1:51 PM

All replies

  • From: Microsoft Outlook <MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@***medical.onmicrosoft.com>
    Date: Wed, Jun 10, 2020 at 10:16 AM
    Subject: Undeliverable: Test Email
    To: <contact+SRS=jLKYA=7X=gmail.com=mepamo@domain.org>
     
    contact+SRS=jLKYA=7X=gmail.com=mepamo is not authorized to relay messages through the server that reported this error.
    contact+SRS=jLKYA=7X. . . 
    Office 365 
    contact 
    Sender 
    Action Required 
    Sender not authorized for relay 
     
    Original Message Details
    Created Date: 6/10/2020 3:16:18 PM
    Sender Address: contact+SRS=jLKYA=7X=gmail.com=mepamo@domain.org
    Recipient Address:
    Subject: Test Email

    Error Details
    Reported error: 550 5.7.367 Remote server returned not permitted to relay -> 554 5.7.1 <contact@a-2cmxh6qzasgbrsmiy3d31d83vx8mpjyk5zhvc17fcj39794sa2.1a-z9gieas.na24.case.contoso.com>: Relay access denied
    DSN generated by:
    Remote server:
     
    Message Hops
    HOP | TIME (UTC) | FROM | TO | WITH | RELAY TIME
    1 | 6/10/2020 3:16:30 PM | | | SMTP | 12 sec
    2 | 6/10/2020 3:16:30 PM | | | ESMTPS | *
    3 | 6/10/2020 3:16:31 PM | | | ESMTPS | 1 sec
    4 | 6/10/2020 3:16:31 PM | us2-mdac16-35.ut7.mdlocal | | ESMTP | *
    5 | 6/10/2020 3:16:31 PM | | | ESMTP | *
    6 | 6/10/2020 3:16:32 PM | | | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | 1 sec
    7 | 6/10/2020 3:16:32 PM | | | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | *
    8 | 6/10/2020 3:16:32 PM | | | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | *

    X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR22MB0471

    Ben Rollman

    Thursday, June 11, 2020 1:52 PM
  • Original Message Headers
    ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
     s=arcselector9901;
     h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
     bh=SVFBL1HdIzO/+NcKihjpI5AVPpuvRGYG3VjcIK4XwiA=;
    ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
     dkim=none; arc=none
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
     d=***Medical.onmicrosoft.com; s=selector2-***Medical-onmicrosoft-com;
     h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
     bh=SVFBL1HdIzO/+NcKihjpI5AVPpuvRGYG3VjcIK4XwiA=;
    Received: from DM5PR07CA0070.namprd07.prod.outlook.com (2603:10b6:4:ad::35) by
     CY4PR22MB0471.namprd22.prod.outlook.com (2603:10b6:903:b6::12) with Microsoft
     SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
     15.20.3066.20; Wed, 10 Jun 2020 15:16:32 +0000
    Received: from DM6NAM11FT034.eop-nam11.prod.protection.outlook.com
     (2603:10b6:4:ad:cafe::c4) by DM5PR07CA0070.outlook.office365.com
     (2603:10b6:4:ad::35) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.20 via Frontend
     Transport; Wed, 10 Jun 2020 15:16:32 +0000
    Authentication-Results: spf=softfail (sender IP is 148.***.***.52)
     smtp.mailfrom=gmail.com; domain.org; dkim=fail (body hash did not verify)
     header.d=gmail.com;domain.org; dmarc=fail action=none header.from=gmail.com;
    Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
     gmail.com discourages use of 148.***.***.52 as permitted sender)
    Received: from dispatch1-us1.ppe-hosted.com (148.***.***.52) by
     DM6NAM11FT034.mail.protection.outlook.com (10.13.173.47) with Microsoft SMTP
     Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
     15.20.3088.18 via Frontend Transport; Wed, 10 Jun 2020 15:16:32 +0000
    Received: from mx1-us1.ppe-hosted.com (unknown [10.7.65.249])
            by dispatch1-us1.ppe-hosted.com (PPE Hosted ESMTP Server) with ESMTP id E016720098
            for <contact@domain.org>; Wed, 10 Jun 2020 15:16:31 +0000 (UTC)
    Received: from us2-mdac16-35.ut7.mdlocal (unknown [10.7.65.65])
            by mx1-us1.ppe-hosted.com (PPE Hosted ESMTP Server) with ESMTP id DE8B8200AA
            for <contact@domain.org>; Wed, 10 Jun 2020 15:16:31 +0000 (UTC)
    X-Virus-Scanned: Proofpoint Essentials engine
    Received: from mx1-us1.ppe-hosted.com (unknown [10.7.65.176])
            by mx1-us1.ppe-hosted.com (PPE Hosted ESMTP Server) with ESMTPS id 37CCE140066
            for <contact@tmait.org>; Wed, 10 Jun 2020 15:16:31 +0000 (UTC)
    Received: from mail-ej1-f51.google.com (mail-ej1-f51.google.com [209.***.***.51])
            (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
            (No client certificate requested)
            by mx1-us1.ppe-hosted.com (PPE Hosted ESMTP Server) with ESMTPS id E35BE680098
            for <contact@domain.org>; Wed, 10 Jun 2020 15:16:30 +0000 (UTC)
    Received: by mail-ej1-f51.google.com with SMTP id q19so2998413eja.7
            for <contact@domain.org>; Wed, 10 Jun 2020 08:16:30 -0700 (PDT)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
            d=gmail.com; s=20161025;
            h=mime-version:from:date:message-id:subject:to;
            bh=5EWbPdbT4Fy5MNVZYRjZeLSGtNF1EMg3Clv2RIGop/A=;
    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
            d=1e100.net; s=20161025;
            h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
            bh=5EWbPdbT4Fy5MNVZYRjZeLSGtNF1EMg3Clv2RIGop/A=;
    X-Received: by 2002:a17:906:9397:: with SMTP id l23mr4069943ejx.79.1591802189148;
     Wed, 10 Jun 2020 08:16:29 -0700 (PDT)
    MIME-Version: 1.0
    From: Megan Page Montgomery <user@gmail.com>
    Date: Wed, 10 Jun 2020 10:16:18 -0500
    Message-ID: <CAF1NNU0MbkAt5Z=cKydYTfO5LrXvRB2zA+gs-iZ+3eVHNSY2og@mail.gmail.com>
    Subject: Test Email
    To: contact@domain.org
    Content-Type: multipart/alternative; boundary="00000000000009783105a7bc54d0"
    X-MDID: 1591802191-wZHy-_66fnit
    Return-Path: user@gmail.com
    X-EOPAttributedMessage: 0
    X-EOPTenantAttributedMessage: 402c07d6-7e7a-4504-bd2f-f68ee7777b34:0
    X-Forefront-Antispam-Report:
            CIP:148.163.129.52;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:dispatch1-us1.ppe-hosted.com;PTR:dispatch1-us1.ppe-hosted.com;CAT:NONE;SFTY:;SFS:(136003)(396003)(39850400004)(376002)(346002)(70586007)(68406010)(42186006)(76482006)(26005)(8676002)(316002)(82202003)(82310400002)(73392003)(336012)(166002)(3480700007)(356005)(2160300002)(498600001)(7636003)(33964004)(82740400003)(5660300002)(2906002)(34206002)(86362001)(6666004)(564344004)(7596003)(7116003)(55446002);DIR:OUT;SFP:1102;
    X-MS-PublicTrafficType: Email
    X-MS-Office365-Filtering-Correlation-Id: a50ac02a-0202-4e26-97e1-08d80d51422a
    X-MS-TrafficTypeDiagnostic: CY4PR22MB0471:
    X-LD-Processed: 402c07d6-7e7a-4504-bd2f-f68ee7777b34,ExtAddr
    X-Microsoft-Antispam-PRVS:
            <CY4PR22MB04716F6189F885CDB47D2E2BC0830@CY4PR22MB0471.namprd22.prod.outlook.com>
    X-MS-Oob-TLC-OOBClassifiers: OLM:181;
    X-Forefront-PRVS: 0430FA5CB7
    X-MS-Exchange-SenderADCheck: 2
    X-Microsoft-Antispam: BCL:0;
    X-Auto-Response-Suppress: DR, OOF, AutoReply
    X-MS-Exchange-Transport-Forked: True
    X-OriginatorOrg: domain.org
    X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Jun 2020 15:16:32.5345
     (UTC)
    X-MS-Exchange-CrossTenant-Network-Message-Id: a50ac02a-0202-4e26-97e1-08d80d51422a
    X-MS-Exchange-CrossTenant-Id: 402c07d6-7e7a-4504-bd2f-f68ee7777b34
    X-MS-Exchange-CrossTenant-FromEntityHeader: Internet

    Ben Rollman

    Thursday, June 11, 2020 1:52 PM
  • Hi,

    Since our forum is a public platform, we helped to cover your domain name and IP addresses. Please don't forget to remove your private information next time.

    Can the gmail account send messages to the user mailbox in your organization successfully?

    Is the external address an O365 account as well?

    From the message header, we can see that:

    • "Authentication-Results: spf=softfail (sender IP is 148.***.***.52) smtp.mailfrom=gmail.com; domain.org; dkim=fail (body hash did not verify) header.d=gmail.com;domain.org; dmarc=fail action=none header.from=gmail.com"
    • "Received-SPF: SoftFail (protection.outlook.com: domain of transitioning gmail.com discourages use of 148.***.***.52 as permitted sender)".

    It seems that the external message is not allowed to send messages to another external mailbox through O365. When sending messages to the mail contact, the message is resolved to the external email address of the contact. From the NDR message "Remote server returned not permitted to relay" and "Relay access denied", we know that O365 treats this process as the message relay. To meet your requirement, you have to configure your SPF record for gmail.com.

    Additionally, mail contact is usually used for internal organization users. If you send messages with an external account, it's suggested to send to other external users directly instead of through another organization.

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, June 12, 2020 4:46 AM
  • Yes, gmail can send to our internal emails without issue.

    So basically it's going gmail -> ESA -> Us (365) -> external (salesforce).  I don't know if they're on 365.

    We also had a vendor help us migrate over from on-prem to hybrid/365 and I feel a lot of these Contacts were broken in the process.  Now that the vendor isn't as responsive (job's done, right?) I'm trying to fix these.

    This was working before I believe when we were local exchange only, not 365.  If that's not something 365 can do, we'll have to figure out a more direct way.  I believe we have it set up this way so the email looks like we own it.  contact@ourdomain looks better than SMTP:contact@a-2cmxh6qzasgbrsmiy3d31d83vx8mpjyk5zhvc17fcj39794sa2.1a-z9gieas.na24.case.salesforce.com when contacting members with print material.


    Ben Rollman

    Monday, June 15, 2020 12:34 PM
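
A header-analysis sketch for the chain described above (gmail -> ESA -> 365), added here and not part of the original thread: it rebuilds the Received path and names the hop whose IP the `spf=` result in Authentication-Results was evaluated against. The sample headers are constructed from the ones posted above, with documentation-range IPs standing in for the masked addresses; the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample modelled on this thread's headers; IPs are placeholders.
RAW = """\
Received: from dispatch1-us1.ppe-hosted.com (192.0.2.52) by
 DM6NAM11FT034.mail.protection.outlook.com (10.13.173.47) with Microsoft SMTP
 Server id 15.20.3088.18; Wed, 10 Jun 2020 15:16:32 +0000
Authentication-Results: spf=softfail (sender IP is 192.0.2.52)
 smtp.mailfrom=gmail.com; dkim=fail (body hash did not verify)
 header.d=gmail.com; dmarc=fail action=none header.from=gmail.com;
Received: from mx1-us1.ppe-hosted.com (unknown [10.7.65.249])
 by dispatch1-us1.ppe-hosted.com (PPE Hosted ESMTP Server) with ESMTP
 for <contact@domain.org>; Wed, 10 Jun 2020 15:16:31 +0000 (UTC)
Received: from mail-ej1-f51.google.com (mail-ej1-f51.google.com [198.51.100.51])
 by mx1-us1.ppe-hosted.com (PPE Hosted ESMTP Server) with ESMTPS
 for <contact@domain.org>; Wed, 10 Jun 2020 15:16:30 +0000 (UTC)
"""

HOP = re.compile(r"from (\S+) \((?:\S+ )?\[?([0-9A-Fa-f.:]+)\]?\) by (\S+)")

def hops(raw):
    """Received chain, oldest hop first, as (from_host, from_ip, by_host)."""
    found = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            found.append(m.groups())
    return found

def spf_result(raw):
    """(verdict, ip) from the spf= clause of Authentication-Results."""
    ar = " ".join(message_from_string(raw).get("Authentication-Results", "").split())
    m = re.search(r"spf=(\w+) \(sender IP is ([0-9A-Fa-f.:]+)\)", ar)
    return m.groups() if m else (None, None)

def explain(raw):
    """Name the hop whose IP SPF was evaluated against, versus the origin."""
    chain = hops(raw)
    verdict, ip = spf_result(raw)
    checked = next((h for h in chain if h[1] == ip), None)
    return {
        "origin": chain[0][0],
        "spf": verdict,
        "spf_checked_host": checked[0] if checked else None,
        "checked_is_origin": checked == chain[0],
    }
```

On the sample, `explain(RAW)` reports the Google host as the origin and the ESA's dispatch host as the one SPF was checked against.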
  • The error was generated by our ESA.  Would I need to list that ESA as a remote domain so 365 knows it can send auto responses to it?

    Ben Rollman

    Tuesday, June 16, 2020 6:00 PM
  • Are outbound messages set to leave your O365 directly?

    If it's convenient, you can try to configure the mail flow so that it doesn't have to go to the ESA. If the issue persists, then it should be that O365 treats this process as message relay, and gmail.com is not allowed to relay messages through your organization. For an external mailbox, it should send to another organization directly.

    Regards,

    Lydia Zhou


    Wednesday, June 17, 2020 9:48 AM
  • I'd have to set up a special connector for that, wouldn't I?  And I don't think I can be that granular to just turn it off if it's for certain contacts.  It looks like I have the option to from 365 to either a partner, an on-prem server or the internet.  So, I'd have to turn it OFF for our ESA completely just to test it.

    Ben Rollman

    Friday, June 19, 2020 12:09 PM
  • Are there any updates on this thread? Does the issue persist after turning off ESA?

    If you have solved your problem, could you share with us? Maybe it will help more people with similar problems. 

    Regards,

    Lydia Zhou


    Wednesday, June 24, 2020 6:54 AM
  • I haven't solved the problem.  And I can't just turn off our ESA and flood our org with unwanted and potentially harmful email.

    I'm having the vendor that worked on our migration help us.  But it may just be that 365 doesn't like the routing.

    We're switching email security providers soon.  That may offer different results.


    Ben Rollman

    Wednesday, June 24, 2020 11:30 AM
  • Well, we can wait to see if there are any differences after switching the email security provider. Otherwise, we have to try to avoid using mail contacts for emails from another organization.

    Regards,

    Lydia Zhou


    Friday, June 26, 2020 7:38 AM