SMTP relay to EXO internal relay domain recipients fails with 550+5.4.1+Recipient+address+rejected

%3CLINGO-SUB%20id%3D%22lingo-sub-1613596%22%20slang%3D%22en-US%22%3ESMTP%20relay%20to%20EXO%20internal%20relay%20domain%20recipients%20fails%20with%20550%2B5.4.1%2BRecipient%2Baddress%2Brejected%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1613596%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%20we%20have%20all%20mailboxes%20in%20Office%20365%20and%20decomissioned%20our%20Hybrid%20Setup.%20We%20did%20setup%20an%20IIS%20SMTP%20relay%20to%20relay%20mails%20to%20(through)%20Office%20365%20from%20our%20internal%20applications.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERecently%20we%20needed%20to%20add%20a%20new%20domain%20to%20our%20tenant%20.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAll%20of%20the%20mailboxes%20from%20this%20domain%20are%20located%20in%20another%20email%20system%20outside%20of%20the%20tenant%20so%20we%20did%20setup%20the%20domain%20to%20internal%20relay%20and%20did%20setup%20a%20send%20connector%20which%20uses%20MX%20to%20determine%20the%20connection%20endpoint%20for%20mails%20to%20this%20domain.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMails%20from%20Office%20365%20senders%20to%20recipients%20in%20this%20domain%20work%20fine.%20But%20mails%20from%20our%20on%20premises%20applications%20relaying%20through%20our%20IIS%20SMTP%20relay%20to%20recipients%20in%20the%20new%20domain%20fail%20with%20message%3A%20550%2B5.4.1%2BRecipient%2Baddress%2Brejected%3A%2BAccess%2Bdenied.%20Only%20if%20i%20add%20the%20target%20email%20address%20from%20the%20new%20domain%20as%20mail%20contacts%20mail%20will%20be%20delivered%20outside%20of%20the%20tenant%20to%20the%20recipients.%20We%20do%20not%20want%20to%20create%20contacts%20for%20all%20recipients%20of%20the%20new%20domain.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20ideas%20how%20to%20solve%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1613596%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1680592%22%20slang%3D%22en-US%22%3ERe%3A%20SMTP%20relay%20to%20EXO%20internal%20relay%20domain%20recipients%20fails%20with%20550%2B5.4.1%2BRecipient%2Baddress%2Breject%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1680592%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20assuming%20your%20on%20prem%20relay%20is%20generating%20ndr.%26nbsp%3B%20How%20is%20your%20on%20prem%20smtp%20relay%20authenticating%20to%20O365%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hello, we have all mailboxes in Office 365 and decomissioned our Hybrid Setup. We did setup an IIS SMTP relay to relay mails to (through) Office 365 from our internal applications.

 

Recently we needed to add a new domain to our tenant .

 

All of the mailboxes from this domain are located in another email system outside of the tenant so we did setup the domain to internal relay and did setup a send connector which uses MX to determine the connection endpoint for mails to this domain.

 

Mails from Office 365 senders to recipients in this domain work fine. But mails from our on premises applications relaying through our IIS SMTP relay to recipients in the new domain fail with message: 550+5.4.1+Recipient+address+rejected:+Access+denied. Only if i add the target email address from the new domain as mail contacts mail will be delivered outside of the tenant to the recipients. We do not want to create contacts for all recipients of the new domain. 

 

Any ideas how to solve this?

1 Reply

I'm assuming your on prem relay is generating ndr.  How is your on prem smtp relay authenticating to O365?