Why is my Address Rewriting not working as expected?

Address Rewriting is a feature of the Transport Agent that runs on the Edge Server role. It enables the modification of addresses for both senders and recipients on messages that enter and leave your Exchange organization. First introduced in Exchange 2007, customers are using Address rewriting to present a consistent appearance of E-mail Address for messages sent to external recipients. Two TechNet Articles published here and here document both Address Rewrite inbound and outbound agents, various situations where it's applicable, and commands that can be used to configure and control these agents. However, based on my experience in the Support Team, I have seen scenarios where Address Rewrite is not working as expected, and wanted to work through these. A potential scenario with Address Rewrite would be Exchange treating certain messages as inbound whereas your expectation is the Address Rewrite outbound agent should work on that particular message. In other words, you were expecting the “From” address to change, but it is not happening. I have also seen cases where the Inbound agent is working fine but not the Outbound, or vice versa. Then there are situations when it works for MAPI submitted messages but not when an application is relaying mail thorough your Exchange environment. In this post, we will discuss how Exchange decides when the Address Rewrite Inbound agent should work and when Address Rewrite Outbound agent should work. We will also try to simplify the scenarios with various examples so that we understand it better. There are two Address Rewrite agents:

1. Address Rewrite Inbound Agent – works on inbound messages and changes the RCPT TO/TO
2. Address Rewrite Outbound Agent – works on outbound messages and changes the MAIL FROM/FROM

How does your Edge Server decide which Address Rewrite Agent will work on a particular message? This is based on combination of below three rules:

1. If the sender domain (Mail From address) is part of the Accepted Domain (Authoritative or Internal Relay, External Relay domain will be treated as external).
2. If the mail is submitted Anonymously or with Authentication.
3. If recipient's address is part of Accepted domain or not.

If the “Mail From” is part of the Accepted Domain, and the session is also authenticated, the mail will be treated as Outbound mail and the “Address Rewrite Outbound Agent” will work. If the “Mail From” is not part of the Accepted Domain or the session is not authenticated, the mail will be treated as Inbound and the “Address Rewrite Inbound Agent” will work. We also have to remember the Address Rewrite Inbound Agent (Priority 2) works before the Address Rewrite Outbound Agent (Priority 10). Let’s discuss various scenarios and which of the Address Rewrite Agents will work on each of these situations. These scenarios are true for both on-premises and Hybrid environments:

Scenario	Result
Message is submitted from one of the internal addresses (sender’s address is part of the Accepted Domains) to another internal address (recipient’s address is also part of Accepted Domain)	Neither Address Rewrite Inbound or Address Rewrite Outbound will work on this message. As the sender address is internal, the Address Rewrite Inbound Agent will be skipped. As the recipient has an internal address, Address Rewrite Outbound will be skipped also.
Message is submitted from one of the internal users to an external recipient. But the sender’s primary SMTP address is not part of the Accepted Domains, something which can happen in a company merger/takeover scenario.	Message is treated as sent by an external sender as the sender’s SMTP address is not part of the Accepted Domain. So, the mail will be treated as inbound mail and Inbound Address Rewrite will work although the recipient is external.
Message is submitted from an internal address to an external recipient, but the session was not authenticated. For example, mail is anonymously sent from an application through a relay allowed Receive Connector to the Internet.	Message is treated as sent by external sender as the session was not authenticated. So, the mail will be treated as Inbound and Inbound Address Rewrite will work.
Message is submitted from an external address (sender’s address is not part of Accepted Domain), to an internal address (recipient’s address is part of Accepted Domain)	The Address Rewrite Inbound agent will work as Exchange will treat this mail as originating from an external source, Address Rewrite Outbound will not work as the sender is treated as external.
Message is sent from an external address (not part of Accepted Domain), and recipient’s address is also an external address (not part of Accepted Domain)	The message will be treated as inbound as the sender is external address and Inbound Address Rewrite will work. As the mail is sent from external address, Exchange will not treat the mail as outbound and the Outbound Address Rewrite would not work in this scenario.
Message is submitted from authentication source (from Outlook/Outlook on the web or through SMTP with authentication or to an Externally Secured Connector) and sender’s address is internal (part of Accepted Domain), and the recipient’s address is also an internal address (recipient's address is part of Accepted Domain)	Neither Rewrite Agent will trigger. Address Rewrite Inbound will not work as the sender is Internal. Also, Address Rewrite Outbound will not work as the recipient is internal.
Message is submitted from an authenticated source (from Outlook/Outlook on the web or through SMTP with authentication or to an Externally Secured Connector) and sender’s address is internal (part of Accepted Domain), and sent to an external address (recipient’s address not part of Accepted Domain)	Mail is sent from an internal address and from an authenticated source, so the sender will be treated as Internal and mail will be treated as Outbound. Address Rewrite Inbound agent will not work in this case. Address Rewrite outbound agent will work, and the Mail From/From address would change.

  Based on the above scenarios, it is clear the Address Rewrite Outbound agent will work only when the sender’s SMTP address is internal, and the session is authenticated. There might be situations where mail is submitted from an application or third-party source using an internal address, but it can’t authenticate against Exchange, and you want the Address Rewrite Outbound agent to work on these messages. You can force Exchange to treat the message as submitted from an authenticated source by creating a Receive Connector with the “ExternalAuthoritative” Authentication mechanism. Make sure you only have the IP address of the application or third-party source under the remote IP Address range in this receive connector. This is important, since when you select ExternalAuthoritative for authentication, you’re telling Exchange to completely trust the IP address(es) or subnets specified in the RemoteIPRanges parameter of that connector, allowing those IP addresses to relay through your server. You can run the below commands to create a connector with ExternalAuthoritative Authentication enabled:

New-ReceiveConnector -Name “Application relay” -RemoteIPRanges 192.168.0.1 -Usage custom -AuthMechanism Tls -PermissionGroups AnonymousUsers, ExchangeUsers, ExchangeServers -Bindings 0.0.0.0:25
Set-ReceiveConnector -Name “Application relay” -AuthMechanism ExternalAuthoritative

After running the above commands, mail received from IP Address 192.168.0.1 will be treated as Authenticated and trusted and if the sender address is part of the accepted domain, the Outbound Address Rewrite agent will work on them. In this post, I tried to cover as many scenarios as possible. However, if you have something which does not match any of those scenarios and you are facing an issue setting up the Address Rewrite, please leave details in the comment section. Arindam Thokder