Eikehans
Oct 18, 2023

2019 Hybrid mail flow failure from on prem to exchange online

Mail to my migrated user in a hybrid deployment gets hung in the on-prem mail queue with error 454 4.7.5.

[{LED=451 4.4.395 target host responded with error. -> 454 4.7.5 Certificate validation failure, reason:untrustedroot};{MSG=};{FQDN=*-mail-onmicrosoft-com.mail.protection.outlook.com.

  • LeonPavesic

    Hi,

    The error message "454 4.7.5 Certificate validation failure, reason:untrustedroot" indicates that the on-premises Exchange server is unable to verify the certificate of the Exchange Online server. This can happen for a few reasons:

    • The on-premises Exchange server does not have the root certificate of the Exchange Online server in its trusted root certificate store.
    • The certificate of the Exchange Online server has expired or has been revoked.
    • The certificate of the Exchange Online server is invalid for some other reason.

      To resolve this issue, you can try the following:

      1. Make sure that the on-premises Exchange server has the root certificate of the Exchange Online server in its trusted root certificate store. You can download the root certificate from the Microsoft website.
      2. Make sure that the certificate of the Exchange Online server is valid. You can check the validity of the certificate by using the PowerShell command Get-ExchangeCertificate. If the certificate of the Exchange Online server is invalid, you can replace the certificate. For instructions on how to replace the certificate, see the article "Replace an Exchange Online certificate".
      3. Make sure that the on-premises Exchange server can access the Exchange Online server. You can test this by using the PowerShell command:

    # Stamps the Send Connector(s) with the certificate Exchange should present for TLS
    Get-SendConnector | Set-SendConnector -TlsCertificateName <certificate name>

    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.

    If the post was useful in other ways, please consider giving it a Like.

    Kindest regards,

    Leon Pavesic

    • Eikehans

      LeonPavesic

      I've updated things and my mail from EOP to o365 just sits in the EOP mail queue.

      [{LED=450 4.7.320 Certificate validation failed [Message=UntrustedRoot] [LastAttemptedServerName=*.mail.onmicrosoft.com]
      [LastAttemptedIP=]};{MSG=UntrustedRoot};{FQDN=*.mail.onmicrosoft.com};{IP=*};{LRT=10/19/2023
      12:44:59 PM}]

      I've installed the 365 bundle on the server, verified my connectors are valid.

      • LeonPavesic

        Hi Eikehans,

        Thanks for your update.

        The issue still revolves around a certificate validation failure with the FQDN *.mail.onmicrosoft.com.

        To address this issue, you can follow these steps for further troubleshooting:

        1. Verify Certificate Installation: Make sure the root certificate for Exchange Online (Office 365) is correctly installed on your on-premises Exchange server. Ensure that you have downloaded and installed the most recent root certificates provided by Microsoft and that the root certificate is located in the Trusted Root Certification Authorities store.

        2. Check Certificate Validity: Confirm that the certificate on the Exchange Online server is not expired. If it has expired, you should consider renewing or replacing it.

        3. Review DNS Configuration: Check that your DNS settings are properly configured to resolve the Fully Qualified Domain Name (FQDN) of the Exchange Online server, which is indicated as *.mail.onmicrosoft.com in your error message. Ensure that the FQDN resolves to the correct IP address.

        4. Examine Firewall and Network: Ensure there are no network or firewall issues blocking your on-premises server from establishing a secure connection with Exchange Online.

        5. Update Send Connector: Double-check your send connector configuration to ensure it correctly uses the new certificate and that the FQDN matches the certificate.

        6. Test Connectivity: Utilize the Test-Mailflow cmdlet to assess mail flow between your on-premises server and Exchange Online. This can help identify and address any connectivity issues.

        7. Check Logs and Event Viewer: Inspect the event logs on your on-premises server for additional error information related to the certificate validation failure.

        Kindest regards,

        Leon Pavesic
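As an added diagnostic that is not part of any post above and not Microsoft's tooling: both errors in this thread (454 4.7.5 untrustedroot, 450 4.7.320 UntrustedRoot) come from the on-premises transport service failing to build the Exchange Online certificate chain to a root in that server's own Trusted Root store. The PowerShell below reproduces that check: it opens the same STARTTLS session, captures the certificate the MX host presents and rebuilds its chain against the local machine store so the failing element is named. $SmtpHost is a placeholder for the tenant's *-mail-onmicrosoft-com.mail.protection.outlook.com host and the EHLO name is constructed.

```powershell
# Added example, not from the thread: open the same STARTTLS session Exchange
# transport opens and re-validate the presented chain with THIS machine's trust
# store, which is what produces "454 4.7.5 ... untrustedroot" / "UntrustedRoot".
param(
    # Placeholder: your tenant's <tenant>-mail-onmicrosoft-com.mail.protection.outlook.com host.
    [string]$SmtpHost = 'TENANT-mail-onmicrosoft-com.mail.protection.outlook.com',
    [int]$Port = 25
)
$tcp    = [System.Net.Sockets.TcpClient]::new($SmtpHost, $Port)
$net    = $tcp.GetStream()
$reader = [System.IO.StreamReader]::new($net)
$writer = [System.IO.StreamWriter]::new($net)
$writer.AutoFlush = $true
$writer.NewLine   = "`r`n"

function Read-SmtpReply {
    # Multi-line replies use "250-"; the final line has a space after the code.
    do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
    return $line
}

Read-SmtpReply | Out-Null                          # 220 banner
$writer.WriteLine('EHLO probe.example.invalid')    # constructed client name
Read-SmtpReply | Out-Null
$writer.WriteLine('STARTTLS')
$reply = Read-SmtpReply
if ($reply -notmatch '^220') { throw "STARTTLS refused: $reply" }

# Accept the handshake unconditionally so the chain can be inspected below
# instead of SslStream throwing an AuthenticationException.
$script:remoteCert = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $presentedChain, $errors)
    $script:remoteCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert)
    return $true
}
$ssl = [System.Net.Security.SslStream]::new($net, $false, $callback)
$ssl.AuthenticateAsClient($SmtpHost)

# Rebuild the chain with the local machine's trust anchors (revocation is checked online by default).
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$ok = $chain.Build($script:remoteCert)
"Leaf    : $($script:remoteCert.Subject)"
"Chain OK: $ok"
foreach ($el in $chain.ChainElements) {
    $status = @($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    "  $($el.Certificate.Subject)  [$(if ($status) { $status } else { 'OK' })]"
}
$ssl.Dispose(); $tcp.Dispose()   # 'UntrustedRoot' on the last element: root missing from Cert:\LocalMachine\Root
```

Run it on the on-premises Exchange server itself, because the verdict depends on that machine's Trusted Root store and its outbound path to Exchange Online, not on the admin workstation's.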