DThimsen
Jun 18, 2024 (Copper Contributor)
Exchange Online now blocking whitelisted domain
We have an external Linux server that has been able to email logs and script output files to admin email addresses on Exchange 365 without problems for many years. Note: The domain name for the server has been whitelisted in Exchange Admin Center > Mail Flow > Rules.
Unfortunately, over the last few days we are now receiving NDRs for some of the emails originating from the server. For example:
This is the mail system at host ip-x.x.x.x.us-east-2.compute.internal.
I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The mail system
<email address removed for privacy reasons>: host
companyname-com.mail.protection.outlook.com[z.z.z.z] said: 550
5.7.1 Unfortunately, messages from [n.n.n.n] weren't sent. For more
information, please go to http://go.microsoft.com/fwlink/?LinkID=526655
AS(900) [DM6PR18MB3555.namprd18.prod.outlook.com 2024-06-17T23:44:01.329Z
08DC8F1D3280898A] [PH8PR15CA0013.namprd15.prod.outlook.com
2024-06-17T23:44:01.398Z 08DC8E6A7387EBAE]
[CY4PEPF0000E9D6.namprd05.prod.outlook.com 2024-06-17T23:44:01.398Z
08DC8E2D0D0B4FEE] (in reply to end of DATA command)
The article suggested by the NDR report (http://go.microsoft.com/fwlink/?LinkID=526655) recommends using the Microsoft delist portal to fix the problem. However, when I use the portal to attempt to delist the server's IP address, I don't get any confirmation email. Also, the NDR email doesn't exactly match the conditions noted in the video found in the article - there isn't any message in the NDR stating "Access denied - banned sending IP."
Has anything changed in the Exchange Online environment recently that could cause this problem?
Thanks,
Don
PS Here is the log entry from the mail log on the Linux server:
Jun 16 04:05:02 ip-172-31-1-188 postfix/smtp[417020]: 2F1A7103ECA3: to=<email address removed for privacy reasons>, orig_to=<root>, relay=companyname-com.mail.protection.outlook.com[z.z.z.z]:25, delay=2.1, delays=0.01/0/0.32/1.8, dsn=5.7.1, status=bounced (host companyname-com.mail.protection.outlook.com[z.z.z.z] said: 550 5.7.1 Unfortunately, messages from [n.n.n.n] weren't sent. For more information, please go to http://go.microsoft.com/fwlink/?LinkID=526655 AS(900) [CO1PR18MB4810.namprd18.prod.outlook.com 2024-06-16T08:05:02.211Z 08DC8D95079D7987] [CH0PR03CA0236.namprd03.prod.outlook.com 2024-06-16T08:05:02.272Z 08DC8C31791B17CC] [DS3PEPF0000C37B.namprd04.prod.outlook.com 2024-06-16T08:05:02.264Z 08DC881BD5FEF961] (in reply to end of DATA command))
From what you've written I think you are in the wrong place. If you look at my post, while I'm talking about the anti-spam policy page, I was not talking about editing the "Anti-spam inbound policy"!
Here again with additional clarification where that is:
Email & collaboration ⇒ Policies & Rules ⇒ Threat policies ⇒ Policies: Anti-spam ⇒ click "Connection filter policy (Default)" ⇒ Add IPs or IP Ranges in CIDR format in "IP Allow list"
In my screenshot there are way more IPs allow-listed than I need but I can't be bothered to clean up the list until things work again. Since my change was done no additional mails were rejected but I can't be sure since my change was done roughly at the end of the business day and mail volume in the evening is lower than during the day.
- Gerald_0815 (Copper Contributor)
I have the same issue. E-mails sent from my IP which is whitelisted in Exchange Admin Center (Set the spam confidence level (SCL) to '-1') are suddenly sometimes rejected since June 14th. Problem seems to get worse, that is the percentage of rejects seems to increase.
According to https://sender.office.com/ the IP is not currently blocked.
According to https://sendersupport.olc.protection.outlook.com/ all is fine with the IP.
According to MXToolbox blacklist check the IP reputation is mostly fine, just some generic blocks just because it's hosted with DigitalOcean (result has been this way for years). Not listed on any of the "real" blocklists.
The weird thing is: Why did it start on June 14th after working for many, many years? And why are mails getting rejected RANDOMLY? Most still go through.
When researching the problem I found a single thing I had not configured correctly, on security.microsoft.com in ⇒ Policies & Rules ⇒ Threat policies ⇒ Anti-spam policies ⇒ Edit connection filter policy you can set a "connection filter policy" where IPs can be whitelisted. On this configuration I did not have the relevant IP entered. Which probably wasn't correct but it had been fine for years. I've now done this but am unsure if this will solve the delivery issue.
The error message:
550 5.7.1 Unfortunately, messages from [IP] weren't sent. For more information, please go to http://go.microsoft.com/fwlink/?LinkID=526655 AS(900)
unfortunately isn't really helpful, since the linked page refers to the blocked senders list which the IP is not on.
- DThimsen (Copper Contributor)
UPDATED: Thanks for the additional info. Please post if your updates to the Microsoft Defender policies fix the problem. According to my notes, I've been to the MS security page in the past (security.microsoft.com in ⇒ Policies & Rules ⇒ Threat policies ⇒ Anti-spam policies), and set the "Anti-spam inbound policy (Default)" to "allow blocked senders and domains". However, when I now click on the Security option from the Exchange 365 admin menu, the page that opens doesn't seem to have a "Policies & Rules" option. Am I missing something obvious?
Also, over the last day ALL messages from our Linux server are now being blocked. I hope Microsoft eventually sheds some light on what's going on...
- DThimsen (Copper Contributor)
Ok, I found the "Policies & Rules" under the "Email & collaboration" menu. The bad news is that my "Anti-spam inbound policy (default)" rule was modified years ago with the correct domain name and has been working for years.
- Jared_Carty (Copper Contributor)
I am having the same issue. I have been in contact with Microsoft and they are currently investigating.
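
Added example, not part of the thread and not written by any poster: a way to measure the intermittent rejections described above by reading the sending server's Postfix mail log, counting per day how many deliveries to Exchange Online Protection bounced with `550 5.7.1 ... AS(900)`, and collecting the server names from the bracketed part of the NDR. The log text, hosts, addresses and IDs in the sample are constructed placeholders, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Matches Postfix smtp delivery lines in the format quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ \S+ postfix/smtp\[\d+\]: \w+: .*?"
    r"relay=(?P<relay>[^\[,]+).*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) "
    r"\((?P<reply>.*)\)$")
# Bracketed "[server timestamp id]" entries that Exchange Online appends to the 550.
FRONTEND_RE = re.compile(r"\[(\S+\.prod\.outlook\.com) (\S+Z) ")

def summarize(log_text):
    """Per day: deliveries attempted to EOP, AS(900) rejects, rejecting servers."""
    days = defaultdict(lambda: {"total": 0, "as900": 0, "frontends": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["relay"].endswith(".mail.protection.outlook.com"):
            continue  # not an smtp delivery line, or a different relay
        day = days[m["day"]]
        day["total"] += 1
        if m["status"] == "bounced" and m["dsn"] == "5.7.1" and "AS(900)" in m["reply"]:
            day["as900"] += 1
            day["frontends"].update(h for h, _ in FRONTEND_RE.findall(m["reply"]))
    return dict(days)

def reject_rate(summary):
    """Percentage of each day's EOP deliveries that bounced with AS(900)."""
    return {d: round(100 * s["as900"] / s["total"], 1) for d, s in summary.items()}

# Constructed sample input: hosts, addresses, IPs and IDs are placeholders.
def _line(day, relay, dsn, status, reply):
    return (f"{day} 04:05:01 mx1 postfix/smtp[1001]: 1A2B3C4D5E: to=<admin@example.com>, "
            f"relay={relay}, delay=1.2, dsn={dsn}, status={status} ({reply})")
EOP = "example-com.mail.protection.outlook.com[203.0.113.10]:25"
OK = "250 2.6.0 Queued mail for delivery"
AS900 = ("host example-com.mail.protection.outlook.com[203.0.113.10] said: 550 5.7.1 "
         "Unfortunately, messages from [198.51.100.7] weren't sent. AS(900) "
         "[AB1PR01MB0001.namprd01.prod.outlook.com 2024-06-15T08:05:02.211Z "
         "08DC000000000001] (in reply to end of DATA command)")
SAMPLE_LOG = "\n".join(
    [_line("Jun 14", EOP, "2.6.0", "sent", OK)] * 3
    + [_line("Jun 14", EOP, "5.7.1", "bounced", AS900),
       _line("Jun 15", EOP, "2.6.0", "sent", OK),
       _line("Jun 15", EOP, "5.7.1", "bounced", AS900),
       _line("Jun 15", "mail.example.net[192.0.2.5]:25", "5.1.1", "bounced",
             "host mail.example.net[192.0.2.5] said: 550 5.1.1 User unknown")])

if __name__ == "__main__":
    for day, pct in reject_rate(summarize(SAMPLE_LOG)).items():
        print(day, f"{pct}% rejected with AS(900)")
```

To run it against a real log, pass the file's contents to `summarize()` instead of `SAMPLE_LOG`; the per-day percentages and server names are the kind of evidence to attach to a support case.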