Eikehans (Copper Contributor), Oct 18, 2023
2019 Hybrid mail flow failure from on-prem to Exchange Online
Mail to my migrated user in a hybrid deployment gets hung in the on-prem mail queue with error 454 4.7.5.
[{LED=451 4.4.395 target host responded with error. -> 454 4.7.5 Certificate validation failure, reason:untrustedroot};{MSG=};{FQDN=*-mail-onmicrosoft-com.mail.protection.outlook.com.
LeonPavesic (Silver Contributor)
Hi,
The error message "454 4.7.5 Certificate validation failure, reason:untrustedroot" indicates that the on-premises Exchange server is unable to verify the certificate of the Exchange Online server. This can happen for a few reasons:
- The on-premises Exchange server does not have the root certificate of the Exchange Online server in its trusted root certificate store.
- The certificate of the Exchange Online server has expired or has been revoked.
- The certificate of the Exchange Online server is invalid for some other reason.
To resolve this issue, you can try the following:
- Make sure that the on-premises Exchange server has the root certificate of the Exchange Online server in its trusted root certificate store. You can download the root certificate from the Microsoft website.
- Make sure that the certificate of the Exchange Online server is valid. You can check the validity of the certificate by using the PowerShell command Get-ExchangeCertificate. If the certificate of the Exchange Online server is invalid, you can replace the certificate. For instructions on how to replace the certificate, see the article "Replace an Exchange Online certificate".
- Make sure that the on-premises Exchange server can access the Exchange Online server. You can test this by using the PowerShell command
Get-SendConnector | Set-SendConnector -X509CertificateName <certificate name>
Useful links:
- Troubleshoot hybrid mail flow issues in Exchange Online: https://techcommunity.microsoft.com/t5/exchange-team-blog/demystifying-and-troubleshooting-hybrid-mail-flow-when-is-a/ba-p/1420838
- Configure hybrid mail flow with a single on-premises Exchange server: https://learn.microsoft.com/en-us/exchange/exchange-hybrid
- Hybrid mail flow prerequisites: https://learn.microsoft.com/en-us/exchange/transport-routing
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it a Like.
Kindest regards,
Leon Pavesic
Eikehans (Copper Contributor)
I've updated things and my mail from EOP to o365 just sits in the EOP mail queue.
[{LED=450 4.7.320 Certificate validation failed [Message=UntrustedRoot] [LastAttemptedServerName=*.mail.onmicrosoft.com]
[LastAttemptedIP=]};{MSG=UntrustedRoot};{FQDN=*.mail.onmicrosoft.com};{IP=*};{LRT=10/19/2023 12:44:59 PM}]
I've installed the 365 bundle on the server and verified my connectors are valid.
LeonPavesic (Silver Contributor)
Hi Eikehans,
Thanks for your update.
The issue still revolves around a certificate validation failure with the FQDN *.mail.onmicrosoft.com. To address this issue, you can follow these steps for further troubleshooting:
- Verify Certificate Installation: Make sure the root certificate for Exchange Online (Office 365) is correctly installed on your on-premises Exchange server. Ensure that you have downloaded and installed the most recent root certificates provided by Microsoft and that the root certificate is located in the Trusted Root Certification Authorities store.
- Check Certificate Validity: Confirm that the certificate on the Exchange Online server is not expired. If it has expired, you should consider renewing or replacing it.
- Review DNS Configuration: Check that your DNS settings are properly configured to resolve the Fully Qualified Domain Name (FQDN) of the Exchange Online server, which is indicated as *.mail.onmicrosoft.com in your error message. Ensure that the FQDN resolves to the correct IP address.
- Examine Firewall and Network: Ensure there are no network or firewall issues blocking your on-premises server from establishing a secure connection with Exchange Online.
- Update Send Connector: Double-check your send connector configuration to ensure it correctly uses the new certificate and that the FQDN matches the certificate.
- Test Connectivity: Use the Test-Mailflow cmdlet to assess mail flow between your on-premises server and Exchange Online. This can help identify and address any connectivity issues.
- Check Logs and Event Viewer: Inspect the event logs on your on-premises server for additional error information related to the certificate validation failure.
Kindest regards,
Leon Pavesic
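A diagnostic for the "untrustedroot" situation discussed in both replies, added here as an example and not code from the thread or from Microsoft: run from the on-premises Exchange server, it opens an SMTP STARTTLS session to the Exchange Online smart host, builds the presented certificate chain with the local Windows trust store, and reports the chain status and whether the top certificate is in LocalMachine\Root. The smart host and EHLO name are placeholders; substitute the values from your own connector and error text.

```powershell
# Added diagnostic, not code from the thread. Probes the Exchange Online smart host over
# SMTP STARTTLS and validates the presented certificate chain against this machine's store.
param(
    [string]$SmartHost = 'contoso-com.mail.protection.outlook.com',  # placeholder: your connector's smart host
    [string]$EhloName  = 'probe.example.com',                        # placeholder EHLO name
    [int]$Port = 25
)

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # SMTP replies may span several lines; continuation lines carry '-' in column 4
    do { $line = $Reader.ReadLine() } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
    return $line
}

$tcp    = New-Object System.Net.Sockets.TcpClient($SmartHost, $Port)
$net    = $tcp.GetStream()
$reader = New-Object System.IO.StreamReader($net)
$writer = New-Object System.IO.StreamWriter($net)
$writer.NewLine = "`r`n"; $writer.AutoFlush = $true

$null = Read-SmtpReply $reader                                   # 220 banner
$writer.WriteLine("EHLO $EhloName"); $null = Read-SmtpReply $reader
$writer.WriteLine('STARTTLS')
if ((Read-SmtpReply $reader) -notlike '220*') { throw "STARTTLS not accepted by $SmartHost" }

# Accept any certificate in the callback so the handshake completes; trust is evaluated below.
$ssl = New-Object System.Net.Security.SslStream($net, $false,
       [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($SmartHost)
$remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate root trust from CRL/OCSP reachability
$trusted  = $chain.Build($remote)
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })

Write-Host "Chain presented by ${SmartHost}:"
$elements | ForEach-Object { Write-Host "  $($_.Subject)  (expires $($_.NotAfter.ToShortDateString()))" }
Write-Host "Chain trusted by this machine: $trusted"
foreach ($s in $chain.ChainStatus) { Write-Host "  $($s.Status): $($s.StatusInformation.Trim())" }

# 'UntrustedRoot' in the status list means the top certificate is absent from the Trusted Root store.
$root = $elements[-1]
$inRootStore = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
Write-Host "Root '$($root.Subject)' present in LocalMachine\Root: $inRootStore"

$ssl.Dispose(); $tcp.Close()
```

If the script reports the chain as trusted but the queue still shows untrustedroot, compare the send connector's TlsCertificateName against Get-ExchangeCertificate output, since Exchange transport validates with the certificate the connector names rather than whatever the probe negotiated.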