Centralized Mailflow: NDR Remote Server returned ‘550 5.7.1 Unable to relay’


 Environment:

  • Mailbox hosted on the Exchange Online
  • Hybrid on-prem Exchange 2010/2013 with Microsoft Exchange Online
  • Centralized Mailflow configured for Exchange 2013
  • Route all emails through on-premises configured for Exchange 2010
  • Accepted domain configured either Managed or Authoritative on the Exchange Online Side 
  • MX Record pointed to third party cloud Antispam or On-prem Antispam/Firewall

 Issue: When you send email from a mailbox hosted in Exchange Online to an internal recipient or an external recipient via on-premises server, you receive a NDR ‘550 5.7.1 Unable to relay’

Root Cause: There are customers who would like to utilize existing investment on the on-premises Antispam filter or use third part cloud based Antispam filter for compliance purpose. Hence these customers configured centralized mailflow on the hybrid configuration wizard which lead to “unable to relay” NDR when they change few configuration and introduce new domain on the Exchange Online. There are many possible reasons why you have been issued with a NDR ‘550 5.7.1 Unable to relay’.

  • You have added multiple federated domains (e..g @domain1.com, @domain2.com ) but these domains (e.g. @domain1.com, @domain2.com) are not in Hybrid Configuration
  • You have added multiple federated domains (e.g. @domain1.com, @domain2.com ) and domains (e.g. @domain1.com, @domain2.com ) have been setup as “Authoritative Domain” instead of “Internal Relay” on the Exchange Online side
  • You have added multiple federated domains (e.g. @domain1.com, @domain2.com ) but you have configured Office 365 Connectors to Send and Receive Email from only One Domain e.g. domain.com. Wild card “*” not configured within the Send Connector of Exchange Online.
  • Microsoft has changed EOP IP addresses and you did not add latest EOP IP Addresses on the Receive Connector of Edge Server
  • You configured an application to use Office 365 SMTP Relay but the Receive Connector of on-premises server has not been configured to accept email from any recipient

 To remediate the root cause, follow the steps.

  1. Copy the Message Header of Original NDR and Paste on the message analyser of https://testconnectivity.microsoft.com/ website. Analyse the message. Find out which IP address the message coming from e.g. EOP APAC IP Address is 104.47.64.0/18. Make sure these EOP IP Addresses are added on the receive connector of the on-premises server. List of EOP IP Addresses are subject to change without notice. Add all EOP IP addresses on the receive connector “Inbound from Office 365”. Refer to Microsoft KB 2750145
  2. Make sure Datacentre IP Addresses are added on the Receive Connector Properties. Refer to TechNet Blog.
  3. View Extended Rights of Receive Connectors of On-premises Server.

 Get-ReceiveConnector | Get-ADPermission | where {$_.User -like ‘*anonymous*’} | ft identity,user,extendedrights,accessrights

     4. Assign Extended Rights to accept email from any recipient.

Get-ReceiveConnector Inbound from Office 365 | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”

     5. Open Office 365 Connector on the Office 365 Admin Center and make sure you have entered “*” wild card as the domain

    6. Rectify SPF Record with the following records. If you have DKIM Record and DMARC Record. Rectify those records as well. SPF Record of domain.com looks like this one

 v=spf1 ip4:<Public IP Address of domain.com>, ip4: :<Public IP Address of MX Record>, ip4: :<Public IP Address of Application/devices>, include:spf.protection.outlook.com ~all

   7. Download .NET Framework 4.5 and install .NET Framework. .NET is a Pre-req. Run Hybrid Configuration wizard select desired Federated Domains, Select all CAS Servers, Type the correct public IP addresses of Edge Server, select centralised mailflow, Select Correct certificate. Complete the Wizard.

 8. Open Send Connector on the On-premises Server, Remove all the Hub/CAS servers and add Edge Servers.

 Restart Transport Services from On-premises Server

 9. On a Hybrid Configuration, you must configure Accepted Domain as Authoritative Domain on the On-premises side and Office 365 side as Internal Relay. For Example, domain1.com should be configured as Authoritative Domain on the on-premises side and domain1.com should be configured as Internal Relay on the Exchange Online side.  

 10. Open On-premises Exchange Management Shell and run Start-EdgeSynchronization start syncing Edge Transport Server.

 11. Test mailflow from internal and external sender to internal recipient

 Relevant Articles

Fix email delivery issues for error code 5.7.1 in Office 365

Exchange Online Protection IP addresses

Hybrid Mailflow Best Practices

Set up connectors to route mail between Office 365 and your own email servers

Transport Options Hybrid Deployment

 Transport Routing Hybrid Deployment 

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
Gallery | This entry was posted in Office 365 and tagged , , , , , , , , , , , , , . Bookmark the permalink.

One Response to Centralized Mailflow: NDR Remote Server returned ‘550 5.7.1 Unable to relay’

  1. ICICI Login says:

    Hey nice post! I hope it’s alright that I shared this on my Facebook,
    if not, no issues just let me know and I’ll remove
    it. Either way keep up the good work.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s