2019 Hybrid mail flow failure from on prem to exchange online

Hi ,

The error message "454 4.7.5 Certificate validation failure, reason:untrustedroot" indicates that the on-premises Exchange server is unable to verify the certificate of the Exchange Online server. This can happen for a few reasons:

• The on-premises Exchange server does not have the root certificate of the Exchange Online server in its trusted root certificate store.
• The certificate of the Exchange Online server has expired or has been revoked.
• The certificate of the Exchange Online server is invalid for some other reason.
  
  

  To resolve this issue, you can try the following:

  1. Make sure that the on-premises Exchange server has the root certificate of the Exchange Online server in its trusted root certificate store. You can download the root certificate from the Microsoft website.
  2. Make sure that the certificate of the Exchange Online server is valid. You can check the validity of the certificate by using the PowerShell command Get-ExchangeCertificate.If the certificate of the Exchange Online server is invalid, you can replace the certificate. For instructions on how to replace the certificate, see the article "Replace an Exchange Online certificate".

  3. Make sure that the on-premises Exchange server can access the Exchange Online server. You can test this by using the PowerShell command 

Get-SendConnector | Set-SendConnector -X509CertificateName <certificate name>

Useful links:

• Troubleshoot hybrid mail flow issues in Exchange Online: https://techcommunity.microsoft.com/t5/exchange-team-blog/demystifying-and-troubleshooting-hybrid-mail-flow-when-is-a/ba-p/1420838
• Configure hybrid mail flow with a single on-premises Exchange server: https://learn.microsoft.com/en-us/exchange/exchange-hybrid
• Hybrid mail flow prerequisites: https://learn.microsoft.com/en-us/exchange/transport-routing