Office 365 Migrated User from Exch2010 can Send Email External but not receive and can't receive internal/external

Hello guys and girls :-)

I have:
01 ExchangeServer 2010
01 Postfix (blargh)
01 Office 365 subscription.

Everything was flowing well until some users who were created locally and later migrated to Exchange Online were able to send external emails but could not receive external emails (gmail, hotmail ...) or local exchange emails or Postfix emails.


The header:

The following organization has rejected your message: 10.61.1.5. (10.61.1.5 is my local exchange 2010)

Diagnostic information for administrators:
Generating server: mail.postfix.mydomain.com
affectedmail@mydomain.com.br

10.61.1.5 # <10.61.1.5 # 4.4.6 smtp; 554 5.4.6 Hop count exceeded - possible mail loop> # SMTP #

Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 7C30B1A8366   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 18:47:14 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 18:40:53 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 6D1BB1A83EC   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 18:32:12 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 18:25:52 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 57D211A83BC   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 18:17:11 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 18:10:48 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 4C7431A8557   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 18:02:07 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 17:55:43 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 47A6E1A8594   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 17:47:02 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 17:40:40 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 3BB1D1A833F   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 17:31:59 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 17:25:38 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 3349B1A85B8   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 17:16:57 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 17:10:32 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 2F47D1A81A8   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 17:01:52 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 16:55:28 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 25A951A81E6   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 16:46:48 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 16:54:58 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 272DC1A8148   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 16:46:17 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 16:54:27 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 3AE821A8246   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 16:45:46 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 16:54:26 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id DAF701A850F   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 16:45:45 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 16:54:26 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 8B3DC1A8246   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 16:45:45 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 16:54:26 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 48DF91A850F   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 16:45:45 -0200 (BRST)
Received: from myexchange2010.mydomain ([10.61.1.5]) by
 myexchange2010.mydomain ([10.61.1.5]) with mapi id 14.03.0361.001; Mon,
 29 Jan 2018 16:54:25 -0200
From: teste <teste@mydomain.com.br>
To: regulacao.gns <affectedmail@mydomain.com.br>
Subject: teste
Thread-Topic: teste
Thread-Index: AdOZMpTxBVfKR/kYRrmLVFr9bHBzew==
Date: Mon, 29 Jan 2018 18:54:25 +0000
Message-ID: <CC265D296F020247BD3AB0373CDE924A717E347B@myexchange2010.mydomain>
Accept-Language: pt-BR, en-US
Content-Language: pt-BR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.61.7.194]
Content-Type: multipart/alternative;
        boundary="_000_CC265D296F020247BD3AB0373CDE924A717E347Bmyexchange2010"
MIME-Version: 1.0

I am getting crazy. :-(
adrecal Asked:
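
The loop recorded in the bounce above can be confirmed mechanically. This is an added example, not part of the original post: it reads the Received headers and reports the pair of hosts that keep handing the message back and forth. The sample headers are constructed from the hostnames in the question, and `parse_hops`, `find_loop` and `build_sample` are names chosen here.

```python
import re
from collections import Counter
from email import message_from_string

# "from <host> ... by <host>" as it appears in both Postfix and Exchange Received lines
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I)

def parse_hops(raw_headers):
    """Return (from_host, by_host) pairs, oldest hop first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())      # undo header folding
        m = HOP_RE.search(flat)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    hops.reverse()                          # headers are stored newest-first
    return hops

def find_loop(hops, min_round_trips=2):
    """Return the host pair that bounces the message between them, or None."""
    # Ignore local submission hops where a server hands the message to itself.
    edges = Counter((a, b) for a, b in hops if a != b)
    for (a, b), n in edges.items():
        back = edges.get((b, a), 0)
        if a < b and min(n, back) >= min_round_trips:
            return {"hosts": (a, b), "round_trips": min(n, back),
                    "total_hops": len(hops)}
    return None

def build_sample(round_trips):
    """Constructed headers modelled on the bounce in the question."""
    ex_to_pf = ("Received: from myexchange2010.mydomain (correio.mydomain.com.br\n"
                " [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id PLACEHOLDER\n"
                " for <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 16:45:45 -0200 (BRST)\n")
    pf_to_ex = ("Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain\n"
                " (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018\n"
                " 16:54:26 -0200\n")
    origin = ("Received: from myexchange2010.mydomain ([10.61.1.5]) by\n"
              " myexchange2010.mydomain ([10.61.1.5]) with mapi id 14.03.0361.001; Mon,\n"
              " 29 Jan 2018 16:54:25 -0200\n")
    # Newest header first, exactly as a mail client shows them.
    return (ex_to_pf + pf_to_ex) * round_trips + ex_to_pf + origin + "Subject: teste\n\n"

if __name__ == "__main__":
    print(find_loop(parse_hops(build_sample(3))))
```

A result naming the on-premises Exchange server and the Postfix relay means each side believes the other is responsible for the recipient, so the place to look is the accepted-domain and send-connector configuration on both, not the message itself.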

Mahesh Architect Commented:
How is your mail flow configured?
Where is the MX pointing?
Have you whitelisted on-premise Exchange sending server IPs to EXO and vice versa?
If you copy the original header to the mxtoolbox header analyzer, how does it go,
or can you post the complete header here?
0
adrecal Author Commented:
Hello Mahesh:

How is your mail flow configured?
Internal > External:
All mails flow from Exchange to Postfix (or direct from Postfix), SMG Spam Filter and internet
External > Internal:
Internet, SMG Spam Filter, Postfix, Exchange 2010

Where is the MX pointing?
- The MX is pointing to Office365 and Postfix;

Have you whitelisted on-premise Exchange sending server IPs to EXO and vice versa?
- I think "yes". '-'

If you copy the original header to the mxtoolbox header analyzer, how does it go, or can you post the complete header here?

The mxtoolbox printscreen was attached ^^
0
Scott Townsend IT Director Commented:
This happened to me when I migrated a user. There were a few things that I needed to change to make sure that it all flowed right:

  • I needed to select the correct Target Domain.
The target domain that I needed to select was the <tenant>.mail.onmicrosoft.com domain.
If the Target Domain was not selected at the time of migration, you can fix it by making sure the user has the <tenant>.mail.onmicrosoft.com email address and then, under the migrated user in the On-Premise Recipient Configuration in EMC, make sure the migrated user's Routing Email Address is set to the <tenant>.mail.onmicrosoft.com address.
  • The user that was migrated didn't have the Office 365 Tenant Email address in it.
The Hybrid Configuration Wizard was supposed to modify the Address Policy to add in the <tenant>.mail.onmicrosoft.com email address, though since I have 13 Address Policies, it didn't add it to all of them, so I had to manually add <tenant>.mail.onmicrosoft.com to all of the policies.
  • The <tenant>.mail.onmicrosoft.com accepted domain needed to be set up as Internal Relay Domain.
In the Hub Transport, change the <tenant>.mail.onmicrosoft.com domain from Authoritative to Internal Relay.

Of course all of the MX records need to be pointing to either the On-Premise or O365 servers. I have a mix of both at the moment, so as long as it's pointing to the Exchange 2010 or the O365 you should be okay.
0
adrecal Author Commented:
Scott, the TargetAddress <tenant>.mail.onmicrosoft.com did the trick for one Office365 mailbox. My Office365 user is OK with ProxyAddress and TargetAddress (it works some days ago) but when an Exchange 2010 user (local, not migrated) sends me an email the response is:

   BadPrimary; recipient primary SMTP address is missing or invalid ##

My account ProxyAddress:
SMTP:mymail@mydomain.com
smtp:mymail@<tenant>.mail.onmicrosoft.com

My account TargetAddress:
SMTP:mymail@<tenant>.mail.onmicrosoft.com

I think we're almost there '-'
0
Scott Townsend IT Director Commented:
In the On-Premise EMC - Organization Configuration - Hub Transport - Accepted Domains
Is <tenant>.mail.onmicrosoft.com listed as "Internal Relay Domain"?

In the On-Premise EMC - Organization Configuration - Hub Transport - Send Connectors
Do you have an "Outbound to Office 365" connector?
Address space: <tenant>.mail.onmicrosoft.com
Network: Use DNS/MX - If you query your Internal DNS for an MX record for <tenant>.mail.onmicrosoft.com do you get the right info? Something like:
C:\Windows\system32>nslookup
Default Server:  <AD-Domain>
Address:  10.0.0.10

> set type=MX
> <tenant>.mail.onmicrosoft.com
Server:  <AD-Domain>
Address:  10.0.0.10

Non-authoritative answer:
<tenant>.mail.onmicrosoft.com MX preference = 10, mail exchanger = <tenant>-mail-onmicrosoft-com.mail.protection.outlook.com

<tenant>-mail-onmicrosoft-com.mail.protection.outlook.com     internet address = 216.32.180.74
<tenant>-mail-onmicrosoft-com.mail.protection.outlook.com     internet address = 216.32.181.42
>

0
adrecal Author Commented:
Scott my domain is:

mydomain.com - my external domain
mydomain-intern.com - my internal domain

My tenant is linked to mydomain.com.

In the On-Premise EMC - Organization Configuration - Hub Transport - Accepted Domains Is <tenant>.mail.onmicrosoft.com listed as "Internal Relay Domain"

- No. There is the acceptedDomain:
mydomain.com - Internal Relay - Default True
mydomain-intern.com - Authoritative - Default False
Mytenant.......com - Authoritative - Default False


In the On-Premise EMC - Organization Configuration - Hub Transport - Send Connectors Do you have a "Outbound to Office 365" connector? Address space: <tenant>.mail.onmicrosoft.com

I have 3 send connectors:

mydomain.com (name) - SMTP - AddressSpace mydomain.com - Cost 1 / Network - route through smart host (IP from my Postfix)
internet (name) - SMTP - AddressSpace * - Cost 1 / Network - route through smart host (IP from my SMG Spam Filter)
SendToEXO (name) - SMTP - AddressSpace <mytenant> - Cost 1 / Network - Use MX / Source Server - my exchange local server


If you query your Internal DNS for an MX record for <tenant>.mail.onmicrosoft.com do you get the right info? Something like:

Yes!! The same output.
0
Scott Townsend IT Director Commented:
Mytenant.......com - Authoritative - Default False
The <tenant>.mail.onmicrosoft.com needs to be Internal Relay.

If it's Authoritative then it won't let the mail leave.
0
adrecal Author Commented:
Scott, today the flow is to forward the emails through Postfix to the spam filter. Will changing this option keep the emails flowing through Postfix?
0
Scott Townsend IT Director Commented:
Are you wanting to filter the mail from On-Premise to O365?

Think about the flow. The mail to the O365 user needs to be delivered via the <tenant>.mail.onmicrosoft.com email. So if your On-premise server is saying that mail to that domain is Authoritative, that means the mailbox should reside on that server. Since the O365 does not, it won't leave and can't get to the O365 server.

You would need to set up the MX records to make the mail go from On-Premise -> Postfix -> O365.
You would need to tell the Outbound to O365 connector for <tenant>.mail.onmicrosoft.com to use a Smart Host of the Postfix server; then the Postfix server would need to know it's not Authoritative either and allow the mail to then proceed to the O365 server.

Does that make sense?
0
adrecal Author Commented:
Scott, look at my nslookup:

C:\>nslookup
Servidor Padrão:  google-public-dns-a.google.com
Address:  8.8.8.8

> set q=mx
> mydomain.com
Servidor:  google-public-dns-a.google.com
Address:  8.8.8.8

Não é resposta autoritativa:
mydomain.com  MX preference = 1, mail exchanger = my-domain-com.mail.protection.outlook.com
mydomain.com  MX preference = 5, mail exchanger = mail.mydomain.com >>>>>> this is the postfix


Pointing to my internal dns:

C:\>nslookup
Servidor Padrão:  MyPDC
Address:  PDC IP

> set q=mx
> <tenant>.onmicrosoft.com
Servidor:  myPDC
Address:  PDC IP

Não é resposta autoritativa:
<tenant>.onmicrosoft.com      MX preference = 0, mail exchanger = mydomain.mail.protection.outlook.com

mydomain.mail.protection.outlook.com  internet address = externalIP
mydomain.mail.protection.outlook.com  internet address = externalIP


I still haven't changed anything on the connectors.
0
Scott Townsend IT Director Commented:
mydomain.com  MX preference = 1, mail exchanger = my-domain-com.mail.protection.outlook.com
mydomain.com  MX preference = 5, mail exchanger = mail.mydomain.com >>>>>> this is the postfix

In an ideal world, the MX 5 Postfix record will never be used. It's only there in case MX 1 is not available. So if it was meant to do front end filtering, then it's never going to hit that server unless the O365 server is down.

You still need to change the <tenant>.mail.onmicrosoft.com Accepted Domain to be Internal Relay. If it's not, the mail will never leave the On-Premise Server from the mailboxes that are on it that need to send email to O365 Mailbox users.
0
Mahesh Architect Commented:
For Exchange 2010 to O365, why do you need Postfix in between?
You just need to change tenant.mail.onmicrosoft.com to internal relay as informed by Scott, and then email from Exchange to O365 should directly reach O365 via the OnPrem to O365 send connector, provided that tenant.mail.onmicrosoft.com is stamped as targetaddress on the migrated user's properties in on-premise Exchange (Mail enabled user - MEU).

Also, you have mentioned that the O365 user is unable to get emails from gmail, yahoo etc.?
This should not be a problem as long as the MX with higher precedence is pointing to O365 and the user's Primary SMTP address in the cloud is
%user%@domain.com, where domain.com is the primary SMTP domain in the cloud.
0
adrecal Author Commented:
Mahesh, I need Postfix between Exch2010/Office365 temporarily because another IT Analyst (he loves Linux...) configured the anti-spam/firewall this way. And the license for the anti-spam/firewall is over, and I don't have a way to change the flow.

Flow today:
Firewall/Antispam
postfix
exchange/office365

Flow someday (i hope)
Firewall/Antispam
exchange/office365
0
Scott Townsend IT Director Commented:
As was mentioned before, what are you trying to check for SPAM/Malware?

External to exchange/office365
exchange/office365 to External

Or exchange to/from office365 (Internal Only)

Having the Postfix as the Primary MX for the Domain is fine, as long as there is a path to get to the exchange or office365 servers.

Having the Send Connector go to Postfix for the tenant.mail.onmicrosoft.com addresses is fine if you are wanting to filter the internal emails from Exchange to O365; the Postfix would just need to be set up as Internal Relay for tenant.mail.onmicrosoft.com too and know to send to O365.

Though you still need to set the Accepted Domain of tenant.mail.onmicrosoft.com as Internal Relay so the mail can leave the On-Premise to Postfix or to O365.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Mahesh Architect Commented:
O365 already has a built-in Microsoft protection gateway which takes care of anti-spam and any other security aspects.
When mail enters the O365 MX and the user is on-premise, the mail is internal for Exchange and should reach Exchange directly through the O365 backend firewall only.
Postfix would be required only for outgoing communication from OnPrem Exchange to internet domains (except the onmicrosoft domain, for which you already have another connector) so that you can utilize Postfix functionality for outbound emails from Exchange.
0
Scott Townsend IT Director Commented:
I have several domains that are mixed in terms of where the MX points to. Some are to O365 and some are to our On-Premise Filtering and Exchange server. So for External to Internal it's not an issue of where the MX points as long as it gets to one or the other of exchange/office365 and they know how to get to each other.

If his IT Analyst wants the Postfix in the mix and does not want to use the MS Outlook Protection that's part of the Office 365 License, that's fine; he just needs to be sure the domains are set up as Internal Relay and the systems know how to get the email to the server that is hosting the mailbox.
0
adrecal Author Commented:
My external DNS provider proceeded with this resolution and accomplished the goal.
0