Saras870
I have a query related to using unique certificate domain configuration during SMTP relay.
Our scenario is similar to this: https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail...
I have created a wildcard certificate on the email server with CN=*.emailservice.com.
In the Exchange Online account I have created an accepted domain as myorg.emailservice.com and created an inbound connector with this domain.
But during email relay, email delivery fails with this error: "550 5.7.64 TenantAttribution; Relay Access Denied".
Is this a valid configuration? Could you tell what is wrong here?
Answer:
The match in EXO is from the cert domain on the connection with your organization's config. In this case *.emailservice.com will not match myorg.emailservice.com. So instead you have two options:
1. Use the cert domain myorg.emailservice.com and keep everything else already set up (accepted domain and connector). This is recommended. You should always use a specific domain, if possible, to avoid ambiguity.
or
2. Add emailservice.com as an accepted domain, and change the connector name to be *.emailservice.com. But if you do this, you have to make sure no other cert has the root domain of emailservice.com; for example, you may use internet.emailservice.com as the cert to send email to other organizations in the world, which might be hosted in M365. If the latter is true, then #2 definitely is not a viable option.
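
The pairing the answer describes (certificate domain, connector name, accepted domain) can be checked before relaying mail. The following is an added example, not part of the original thread and not Exchange Online's own logic; the function names and the input fields are assumptions that model only the two options stated in the answer.

```python
def _norm(name):
    """Lower-case a domain and drop surrounding space and a trailing dot."""
    return name.strip().lower().rstrip(".")


def required_accepted_domain(cert_domain):
    """Accepted domain the answer pairs with a certificate domain:
    '*.example.com' -> 'example.com'; a specific name maps to itself."""
    cert_domain = _norm(cert_domain)
    return cert_domain[2:] if cert_domain.startswith("*.") else cert_domain


def check_relay_config(cert_domain, connector_cert_name, accepted_domains,
                       other_cert_domains=()):
    """Return a list of findings; an empty list means the settings line up
    the way one of the two options in the answer requires."""
    cert = _norm(cert_domain)
    connector = _norm(connector_cert_name)
    accepted = {_norm(d) for d in accepted_domains}
    findings = []
    if connector != cert:
        findings.append(
            f"connector expects {connector!r} but certificate presents {cert!r}")
    needed = required_accepted_domain(cert)
    if needed not in accepted:
        findings.append(f"accepted domain {needed!r} is missing")
    if cert.startswith("*."):
        # Option 2 caveat: no other certificate may share the root domain.
        for other in map(_norm, other_cert_domains):
            if other == needed or other.endswith("." + needed):
                findings.append(
                    f"certificate {other!r} shares root {needed!r}; "
                    "the wildcard option is ambiguous")
    return findings


# Constructed inputs built from the domain names used in the thread.
QUESTION = check_relay_config("*.emailservice.com", "myorg.emailservice.com",
                              ["myorg.emailservice.com"])
OPTION_1 = check_relay_config("myorg.emailservice.com", "myorg.emailservice.com",
                              ["myorg.emailservice.com"])
OPTION_2 = check_relay_config("*.emailservice.com", "*.emailservice.com",
                              ["emailservice.com"])
OPTION_2_SHARED = check_relay_config("*.emailservice.com", "*.emailservice.com",
                                     ["emailservice.com"],
                                     other_cert_domains=["internet.emailservice.com"])

if __name__ == "__main__":
    for label, result in [("question", QUESTION), ("option 1", OPTION_1),
                          ("option 2", OPTION_2), ("option 2, shared root", OPTION_2_SHARED)]:
        print(label, "->", result or "consistent")
```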