adrecal

asked on

Office 365 Migrated User from Exch2010 can Send Email External but not receive and can't receive internal/external

Hello guys and girls :-)

I have:
01 ExchangeServer 2010
01 Postfix (blargh)
01 Office 365 subscription.

Everything was flowing well until some users who were created locally and later migrated to Exchange Online were able to send external emails but could not receive external emails (gmail, hotmail ...) or local exchange emails or Postfix emails.


The header:

The following organization has rejected your message: 10.61.1.5. (10.61.1.5 is my local exchange 2010)

Diagnostic information for administrators:
Generating server: mail.postfix.mydomain.com
affectedmail@mydomain.com.br

10.61.1.5 # <10.61.1.5 # 4.4.6 smtp; 554 5.4.6 Hop count exceeded - possible mail loop> # SMTP #

Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 7C30B1A8366   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 18:47:14 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 18:40:53 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 6D1BB1A83EC   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 18:32:12 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 18:25:52 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 57D211A83BC   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 18:17:11 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 18:10:48 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 4C7431A8557   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 18:02:07 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 17:55:43 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 47A6E1A8594   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 17:47:02 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 17:40:40 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 3BB1D1A833F   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 17:31:59 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 17:25:38 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 3349B1A85B8   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 17:16:57 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 17:10:32 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 2F47D1A81A8   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 17:01:52 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 16:55:28 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 25A951A81E6   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 16:46:48 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 16:54:58 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 272DC1A8148   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 16:46:17 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 16:54:27 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 3AE821A8246   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 16:45:46 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 16:54:26 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id DAF701A850F   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 16:45:45 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 16:54:26 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 8B3DC1A8246   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 16:45:45 -0200 (BRST)
Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain
 (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018
 16:54:26 -0200
Received: from myexchange2010.mydomain (correio.mydomain.com.br
 [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 48DF91A850F   for
 <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 16:45:45 -0200 (BRST)
Received: from myexchange2010.mydomain ([10.61.1.5]) by
 myexchange2010.mydomain ([10.61.1.5]) with mapi id 14.03.0361.001; Mon,
 29 Jan 2018 16:54:25 -0200
From: teste <teste@mydomain.com.br>
To: regulacao.gns <affectedmail@mydomain.com.br>
Subject: teste
Thread-Topic: teste
Thread-Index: AdOZMpTxBVfKR/kYRrmLVFr9bHBzew==
Date: Mon, 29 Jan 2018 18:54:25 +0000
Message-ID: <CC265D296F020247BD3AB0373CDE924A717E347B@myexchange2010.mydomain>
Accept-Language: pt-BR, en-US
Content-Language: pt-BR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.61.7.194]
Content-Type: multipart/alternative;
        boundary="_000_CC265D296F020247BD3AB0373CDE924A717E347Bmyexchange2010"
MIME-Version: 1.0

I am getting crazy. :-(
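
The bounce above shows the message being handed back and forth between the same two servers until Exchange rejects it with `Hop count exceeded`. As an added example (not part of the original post), this Python code parses a `Received:` chain and counts repeated handoffs between hosts; the sample is a constructed, shortened copy of the chain above with a placeholder queue ID.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample headers modelled on the bounce in the post (queue ID is a placeholder).
TO_POSTFIX = (
    "Received: from myexchange2010.mydomain (correio.mydomain.com.br\n"
    " [10.61.1.5])  by mail.postfix.mydomain.com (Postfix) with ESMTP id 0000000000\n"
    " for <affectedmail@mydomain.com.br>; Mon, 29 Jan 2018 16:45:45 -0200 (BRST)\n"
)
TO_EXCHANGE = (
    "Received: from mail.postfix.mydomain.com (10.71.1.5) by myexchange2010.mydomain\n"
    " (10.61.1.5) with Microsoft SMTP Server id 14.3.361.1; Mon, 29 Jan 2018\n"
    " 16:54:26 -0200\n"
)
MAPI = (
    "Received: from myexchange2010.mydomain ([10.61.1.5]) by\n"
    " myexchange2010.mydomain ([10.61.1.5]) with mapi id 14.03.0361.001; Mon,\n"
    " 29 Jan 2018 16:54:25 -0200\n"
)
# Newest hop first, as in a real message: Exchange -> Postfix -> Exchange -> ...
SAMPLE = TO_POSTFIX + (TO_EXCHANGE + TO_POSTFIX) * 2 + MAPI + "Subject: teste\n\nbody\n"

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I)


def received_hops(raw):
    """Return (from_host, by_host) pairs in chronological order (oldest first)."""
    msg = message_from_string(raw)
    hops = []
    # Received headers are prepended, so the last one in the file is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        match = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if match:
            hops.append((match.group(1).lower(), match.group(2).lower()))
    return hops


def repeated_handoffs(hops):
    """Handoffs between two different hosts that occur more than once."""
    counts = Counter(hop for hop in hops if hop[0] != hop[1])
    return {hop: n for hop, n in counts.items() if n > 1}


if __name__ == "__main__":
    for (src, dst), n in repeated_handoffs(received_hops(SAMPLE)).items():
        print(f"{src} -> {dst}: {n} times")
```

Any non-empty result means the same two servers exchanged the message more than once, which is the condition the `Hop count exceeded` rejection reports.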

Mahesh

How is your mail flow configured?
Where is the MX pointing?
Have you whitelisted the on-premise Exchange sending server IPs in EXO and vice versa?
If you copy the original header into the MXToolbox header analyzer, how does it go?
Or can you post the complete header here?

adrecal

ASKER

Hello Mahesh:

How is your mail flow configured?
Internal > External:
All mails flow from Exchange to Postfix (or direct from Postfix), SMG Spam Filter and internet
External > Internal:
Internet, SMG Spam Filter, Postfix, Exchange 2010

Where is the MX pointing?
- The MX is pointing to Office365 and Postfix;

Have you whitelisted the on-premise Exchange sending server IPs in EXO and vice versa?
- I think "yes". '-'

If you copy the original header into the MXToolbox header analyzer, how does it go? Or can you post the complete header here?

The mxtoolbox printscreen was attached ^^

This happened to me when I migrated a user. There were a few things that I needed to change to make sure that it all flowed right:

  • I needed to select the correct Target Domain.
    The Target Domain that I needed to select was the <tenant>.mail.onmicrosoft.com domain.
    If the Target Domain was not selected at the time of migration, you can fix it by making sure the user has the <tenant>.mail.onmicrosoft.com email address and then, under the migrated user in the On-Premise Recipient Configuration in EMC, making sure the migrated user's Routing Email Address is set to the <tenant>.mail.onmicrosoft.com address.
  • The user that was migrated didn't have the Office 365 tenant email address in it.
    The Hybrid Configuration Wizard was supposed to modify the Address Policy to add in the <tenant>.mail.onmicrosoft.com email address, though since I have 13 Address Policies, it didn't add it to all of them, so I had to manually add <tenant>.mail.onmicrosoft.com to all of the policies.
  • The <tenant>.mail.onmicrosoft.com accepted domain needed to be set up as an Internal Relay Domain.
    In the Hub Transport, change the <tenant>.mail.onmicrosoft.com domain from Authoritative to Internal Relay.

Of course all of the MX records need to be pointing to either the On-Premise or O365 servers. I have a mix of both at the moment, so as long as it's pointing to the Exchange 2010 or the O365 you should be okay.


ASKER

Scott, the TargetAddress <tenant>.mail.onmicrosoft.com did the trick for one Office365 mailbox. My Office365 user is OK with ProxyAddress and TargetAddress (it worked some days ago), but when an Exchange 2010 user (local, not migrated) sends me an email the response is:

   BadPrimary; recipient primary SMTP address is missing or invalid ##

My account ProxyAddress:
SMTP:mymail@mydomain.com
smtp:mymail@<tenant>.mail.onmicrosoft.com

My account TargetAddress:
SMTP:mymail@<tenant>.mail.onmicrosoft.com

I think we're almost there '-'

In the On-Premise EMC - Organization Configuration - Hub Transport - Accepted Domains:
Is <tenant>.mail.onmicrosoft.com listed as "Internal Relay Domain"?

In the On-Premise EMC - Organization Configuration - Hub Transport - Send Connectors:
Do you have an "Outbound to Office 365" connector?
Address space: <tenant>.mail.onmicrosoft.com
Network: Use DNS/MX - If you query your internal DNS for an MX record for <tenant>.mail.onmicrosoft.com, do you get the right info? Something like:

C:\Windows\system32>nslookup
Default Server:  <AD-Domain>
Address:  10.0.0.10

> set type=MX
> <tenant>.mail.onmicrosoft.com
Server:  <AD-Domain>
Address:  10.0.0.10

Non-authoritative answer:
<tenant>.mail.onmicrosoft.com MX preference = 10, mail exchanger = <tenant>-mail-onmicrosoft-com.mail.protection.outlook.com

<tenant>-mail-onmicrosoft-com.mail.protection.outlook.com     internet address = 216.32.180.74
<tenant>-mail-onmicrosoft-com.mail.protection.outlook.com     internet address = 216.32.181.42
>


ASKER

Scott my domain is:

mydomain.com - my external domain
mydomain-intern.com - my internal domain

My tenant is linked to mydomain.com.

In the On-Premise EMC - Organization Configuration - Hub Transport - Accepted Domains Is <tenant>.mail.onmicrosoft.com listed as "Internal Relay Domain"

- No. There is the acceptedDomain:
mydomain.com - Internal Relay - Default True
mydomain-intern.com - Authoritative - Default False
Mytenant.......com - Authoritative - Default False


In the On-Premise EMC - Organization Configuration - Hub Transport - Send Connectors Do you have a "Outbound to Office 365" connector? Address space: <tenant>.mail.onmicrosoft.com

I have 3 send connectors:

mydomain.com (name) - SMTP - AddressSpace mydomain.com - Cost 1 / Network - route through smart host (IP from my Postfix)
internet (name) - SMTP - AddressSpace * - Cost 1 / Network - route through smart host (IP from my SMG Spam Filter)
SendToEXO (name) - SMTP - AddressSpace <mytenant> - Cost 1 / Network - Use MX / Source Server - my exchange local server


If you query your internal DNS for an MX record for <tenant>.mail.onmicrosoft.com, do you get the right info? Something like:

Yes!! The same output.

Mytenant.......com - Authoritative - Default False
The <tenant>.mail.onmicrosoft.com needs to be Internal Relay.

If it's Authoritative then it won't let the mail leave.


ASKER

Scott, today the flow is to forward the emails through Postfix to the spam filter. Will changing this option continue the flow of emails through Postfix?

Are you wanting to filter the mail from On-Premise to O365?

Think about the flow. The mail to the O365 user needs to be delivered via the <tenant>.mail.onmicrosoft.com email. So if your On-Premise server is saying that mail to that domain is Authoritative, that means the mailbox should reside on that server. Since the O365 mailbox does not, the mail won't leave and can't get to the O365 server.

You would need to set up the MX records to make the mail go from On-Premise -> Postfix -> O365.
You would need to tell the Outbound to O365 connector for <tenant>.mail.onmicrosoft.com to use a Smart Host of the Postfix server; then the Postfix server would need to know it's not Authoritative either and allow the mail to then proceed to the O365 server.

Does that make sense?

ASKER

Scott look at my nslookup:

C:\>nslookup
Servidor Padrão:  google-public-dns-a.google.com
Address:  8.8.8.8

> set q=mx
> mydomain.com
Servidor:  google-public-dns-a.google.com
Address:  8.8.8.8

Não é resposta autoritativa:
mydomain.com  MX preference = 1, mail exchanger = my-domain-com.mail.protection.outlook.com
mydomain.com  MX preference = 5, mail exchanger = mail.mydomain.com >>>>>> this is the postfix



Pointing to my internal dns:

C:\>nslookup
Servidor Padrão:  MyPDC
Address:  PDC IP

> set q=mx
> <tenant>.onmicrosoft.com
Servidor:  myPDC
Address:  PDC IP

Não é resposta autoritativa:
<tenant>.onmicrosoft.com      MX preference = 0, mail exchanger = mydomain.mail.protection.outlook.com

mydomain.mail.protection.outlook.com  internet address = externalIP
mydomain.mail.protection.outlook.com  internet address = externalIP



I still haven't changed anything on the connectors.

mydomain.com  MX preference = 1, mail exchanger = my-domain-com.mail.protection.outlook.com
mydomain.com  MX preference = 5, mail exchanger = mail.mydomain.com >>>>>> this is the postfix

In an ideal world, the MX 5 Postfix record will never be used. It's only there in case MX 1 is not available. So if it was meant to do front-end filtering, then it's never going to hit that server unless the O365 server is down.

You still need to change the <tenant>.mail.onmicrosoft.com Accepted Domain to be Internal Relay. If it's not, the mail will never leave the On-Premise server from the mailboxes that are on it that need to send email to O365 mailbox users.

For Exchange 2010 to O365, why do you need Postfix in between?
You just need to change tenant.mail.onmicrosoft.com to Internal Relay as informed by Scott, and then email from Exchange to O365 should directly reach O365 via the OnPrem to O365 send connector, provided that tenant.mail.onmicrosoft.com is stamped as targetaddress on the migrated user's properties in on-premise Exchange (Mail Enabled User - MEU).

Also, you have mentioned that the O365 user is unable to get emails from Gmail, Yahoo, etc.?
This should not be a problem as long as the MX with higher precedence is pointing to O365 and the user's primary SMTP address in the cloud is
%user%@domain.com, where domain.com is the primary SMTP domain in the cloud.

ASKER

Mahesh, I need Postfix between Exch2010/Office365 temporarily because another IT analyst (he loves Linux...) configured the anti-spam/firewall this way. And the license for the anti-spam/firewall is over and I don't have a way to change the flow.

Flow today:
Firewall/Antispam
postfix
exchange/office365

Flow someday (i hope)
Firewall/Antispam
exchange/office365
ASKER CERTIFIED SOLUTION
Scott Townsend

This solution is only available to members.

O365 already has a built-in Microsoft protection gateway which takes care of anti-spam and any other security aspects.
When mail enters the O365 MX and the user is on-premise, the mail is internal for Exchange and should reach Exchange directly through the O365 backend firewall only.
Postfix would be required only for outgoing communication from OnPrem Exchange to internet domains (except the onmicrosoft domain, for which you already have another connector), so that you can utilize Postfix functionality for outbound emails from Exchange.

I have several domains that are mixed in terms of where the MX points to. Some are to O365 and some are to our On-Premise filtering and Exchange server. So for External to Internal it's not an issue of where the MX points, as long as it gets to one or the other of Exchange/Office365 and they know how to get to each other.

If his IT analyst wants the Postfix in the mix and does not want to use the MS Outlook Protection that's part of the Office 365 license, that's fine; he just needs to be sure the domains are set up as Internal Relay and the systems know how to get the email to the server that is hosting the mailbox.


ASKER

My external DNS provider proceeded with this resolution and accomplished the goal.