SMTP relay through Office 365 from on-prem to internet problem with internal users


Hello,

I'm having challenges understanding why e-mails won't relay between internal user mailboxes using xxx.mail.protection.outlook.com from an on-premises IIS SMTP server to O365. We have a connector set up to allow mail from the external IP, the smart host points to the xxx.mail.protection.outlook.com on port 25 and is set to anonymous authentication and TLS encryption. I can submit e-mails through the relay from mailboxes on the domain to external recipients, and I can even submit e-mails through the relay on the domain from users without mailboxes to other users with mailboxes on the same domain. But what I cannot do is submit e-mails from a user with a mailbox to another user with a mailbox on the same domain. So for example, user1@domain.com to user2@domain.com assuming both users have mailboxes. This always goes to badmail with the following response: smtp;554 5.2.0 STOREDRV.Submission.Exception:SendAsDeniedException.MapiExceptionSendAsDenied; Failed to process message due to a permanent exception with message Cannot submit message. We need to allow messages to be routed between users, DLs, etc. on the same domain through the relay. Hopefully I'm just missing a piece of the puzzle here.

Thanks in advance.

2 Replies

So if I got this right, you have mailboxes both in ExO and in some other system on-premises? IIS SMTP relay is hardly the best tool to use in such scenarios, but without knowing the specifics we cannot give you more detailed recommendations. In any case, you can resolve this issue by adding Send As permissions for any of the accounts that already have mailboxes.

In a nutshell, they recently introduced some changes that make SMTP submitted messages behave pretty much like any other messages, thus if the mailbox already exists you will need Send As permissions to use that address. As part of those changes, you should also ensure that the sender address complies with RFC5322. More details here: https://support.microsoft.com/en-us/help/4458479/improvements-in-smtp-authenticated-submission-client-protocol

Sorry if I wasn't clear: no, the mailboxes only exist in Exchange Online. The internal SMTP server is nothing more than a relay for internal e-mail to Office 365. The main reason for this is because there are internal applications that are configured to send through this SMTP server that cannot be changed. Formerly it was relaying through an internal Exchange 2010 server. However, a migration from Exchange 2010 to Office 365 just occurred which prompted the update of the smart host on the internal server.

What I don't understand is why can I relay from a user@domain.com e-mail address to say a user@gmail.com address, but I can't relay from user@domain.com to user1@domain.com? This makes no sense to me.

I did test the RFC5322 compliance and that did not make any difference in the way the message was processed. That is something I had experimented with before posting this up.