
Using Exchange Online Protection, sender getting 554 5.4.14 Hop count exceeded

MikeBroderick
302 Views
Last Modified: 2020-04-06
I set up EOP to filter incoming email for my on-premises Exchange 2013 server. After changing my DNS (in GoDaddy, using the EOP wizard) to point to EOP, the on-premises Exch svr does not get mail. Senders get the following NDR:

Reported error: 554 5.4.14 Hop count exceeded - possible mail loop ATTR34 [BN7NAM10FT005.eop-nam10.prod.protection.outlook.com]  
DSN generated by: MN2PR02MB6608.namprd02.prod.outlook.com
Remote server: BN7NAM10FT005.mail.protection.outlook.com

The NDR is nice enough to provide a trace, which shows several Microsoft servers (see below). The servers are all unique (no apparent loop). Some other notes:

I signed up for only MS Exchange Online Protection. I do not have any other MS subscriptions (Office 365, etc.)

I defined our domain and 3 users in admin.microsoft.com. The 3 users exist on our on-premises Exchange Server. I sign onto a remote email service (AOL) and send an email message to one of the 3 users. I get the NDR message. I send an email to a user on my on-premises server that is not one of the 3 users. I get the NDR message.

The send connector wizard on admin.microsoft.com has a verify function. When I specify one of the 3 defined users, the verify fails. In the log the problem is "user not found". When I specify a user that is not defined to admin.ms.com, the verify function succeeds! I just don't get this...

Here are the hops in the NDR message:


Message Hops

Hop 1 was received WITH "HTTP"; hops 2 through 10 were all received WITH "Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)".

HOP  TIME (UTC)            FROM                                                  TO                                              RELAY TIME
1    3/26/2020 4:11:58 PM  sonic.gate.mail.ne1.yahoo.com                         sonic312.consmr.mail.bf2.yahoo.com              2 sec
2    3/26/2020 4:11:58 PM  sonic312-21.consmr.mail.bf2.yahoo.com                 DM6NAM10FT064.mail.protection.outlook.com       *
3    3/26/2020 4:11:59 PM  DM6NAM10FT064.eop-nam10.prod.protection.outlook.com   DM5PR21CA0055.outlook.office365.com             1 sec
4    3/26/2020 4:11:59 PM  DM5PR21CA0055.namprd21.prod.outlook.com               SN6PR02MB4158.namprd02.prod.outlook.com         *
5    3/26/2020 4:12:02 PM  NAM10-BN7-obe.outbound.protection.outlook.com         MW2NAM10FT041.mail.protection.outlook.com       3 sec
6    3/26/2020 4:12:03 PM  MW2NAM10FT041.eop-nam10.prod.protection.outlook.com   CO2PR04CA0204.outlook.office365.com             1 sec
7    3/26/2020 4:12:03 PM  CO2PR04CA0204.namprd04.prod.outlook.com               CY4PR0201MB3412.namprd02.prod.outlook.com       *
8    3/26/2020 4:12:04 PM  NAM02-BL2-obe.outbound.protection.outlook.com         DM6NAM10FT025.mail.protection.outlook.com       1 sec
9    3/26/2020 4:12:05 PM  DM6NAM10FT025.eop-nam10.prod.protection.outlook.com   DM6PR02CA0106.outlook.office365.com             1 sec
10   3/26/2020 4:12:05 PM  DM6PR02CA0106.namprd02.prod.outlook.com               MN2PR02MB6608.namprd02.prod.outlook.com         *

Hayes Jupe, IT Director
CERTIFIED EXPERT

Commented:
It looks like there is a loop to me - they may be different servers, but they appear to be part of the same cluster.

HOP  TIME (UTC)            FROM                                                  TO                                              RELAY TIME
3    3/26/2020 4:11:59 PM  DM6NAM10FT064.eop-nam10.prod.protection.outlook.com   DM5PR21CA0055.outlook.office365.com             1 sec
4    3/26/2020 4:11:59 PM  DM5PR21CA0055.namprd21.prod.outlook.com               SN6PR02MB4158.namprd02.prod.outlook.com         *
5    3/26/2020 4:12:02 PM  NAM10-BN7-obe.outbound.protection.outlook.com         MW2NAM10FT041.mail.protection.outlook.com       3 sec
6    3/26/2020 4:12:03 PM  MW2NAM10FT041.eop-nam10.prod.protection.outlook.com   CO2PR04CA0204.outlook.office365.com             1 sec
7    3/26/2020 4:12:03 PM  CO2PR04CA0204.namprd04.prod.outlook.com               CY4PR0201MB3412.namprd02.prod.outlook.com       *
8    3/26/2020 4:12:04 PM  NAM02-BL2-obe.outbound.protection.outlook.com         DM6NAM10FT025.mail.protection.outlook.com       1 sec
9    3/26/2020 4:12:05 PM  DM6NAM10FT025.eop-nam10.prod.protection.outlook.com   DM6PR02CA0106.outlook.office365.com             1 sec
10   3/26/2020 4:12:05 PM  DM6PR02CA0106.namprd02.prod.outlook.com               MN2PR02MB6608.namprd02.prod.outlook.com         *

(All of these hops were received WITH "Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)".)
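The comment above makes the point that a "hop count exceeded" trace can be a loop even when every hostname is unique, because the hosts are interchangeable members of the same clusters. The script below is an added example, not code from this thread or from Microsoft: it collapses each per-machine hostname to the part of the infrastructure it belongs to and then searches the resulting path for a sequence of roles that repeats back-to-back. The hop list is transcribed from the NDR in the question; the suffix-to-role patterns (EOP inbound front door, EOP outbound, Exchange Online backend) are my assumption about how these Microsoft hostnames map to roles, not something the thread states.

```python
import re

# Constructed input: the (FROM, TO) pairs transcribed from the NDR hop list in
# the question, in order. Hop 1 is the sender's own (Yahoo) infrastructure.
HOPS = [
    ("sonic.gate.mail.ne1.yahoo.com", "sonic312.consmr.mail.bf2.yahoo.com"),
    ("sonic312-21.consmr.mail.bf2.yahoo.com", "DM6NAM10FT064.mail.protection.outlook.com"),
    ("DM6NAM10FT064.eop-nam10.prod.protection.outlook.com", "DM5PR21CA0055.outlook.office365.com"),
    ("DM5PR21CA0055.namprd21.prod.outlook.com", "SN6PR02MB4158.namprd02.prod.outlook.com"),
    ("NAM10-BN7-obe.outbound.protection.outlook.com", "MW2NAM10FT041.mail.protection.outlook.com"),
    ("MW2NAM10FT041.eop-nam10.prod.protection.outlook.com", "CO2PR04CA0204.outlook.office365.com"),
    ("CO2PR04CA0204.namprd04.prod.outlook.com", "CY4PR0201MB3412.namprd02.prod.outlook.com"),
    ("NAM02-BL2-obe.outbound.protection.outlook.com", "DM6NAM10FT025.mail.protection.outlook.com"),
    ("DM6NAM10FT025.eop-nam10.prod.protection.outlook.com", "DM6PR02CA0106.outlook.office365.com"),
    ("DM6PR02CA0106.namprd02.prod.outlook.com", "MN2PR02MB6608.namprd02.prod.outlook.com"),
]

# Assumed mapping from hostname suffix to infrastructure role. The per-machine
# prefix (DM6NAM10FT064, SN6PR02MB4158, ...) is deliberately ignored: two
# different machines in the same role count as the same place in the path.
ROLE_PATTERNS = [
    (re.compile(r"\.(mail\.protection|eop-[a-z0-9]+\.prod\.protection)\.outlook\.com$"), "EOP inbound"),
    (re.compile(r"\.outbound\.protection\.outlook\.com$"), "EOP outbound"),
    (re.compile(r"\.(outlook\.office365\.com|namprd\d+\.prod\.outlook\.com)$"), "EXO backend"),
]


def role(host):
    """Map a hostname to its role; unknown hosts are keyed by their last two labels."""
    host = host.lower()
    for pattern, name in ROLE_PATTERNS:
        if pattern.search(host):
            return name
    return "external:" + ".".join(host.split(".")[-2:])


def role_path(hops):
    """Roles the message visited, in order, with consecutive repeats collapsed."""
    path = []
    for src, dst in hops:
        for r in (role(src), role(dst)):
            if not path or path[-1] != r:
                path.append(r)
    return path


def find_cycle(path):
    """Shortest role sequence that occurs back-to-back at least twice.

    Returns (cycle, repeats); (None, 0) if the path never repeats itself.
    """
    n = len(path)
    for k in range(1, n // 2 + 1):
        for i in range(0, n - 2 * k + 1):
            unit = path[i:i + k]
            repeats, j = 1, i + k
            while path[j:j + k] == unit:
                repeats += 1
                j += k
            if repeats >= 2:
                return tuple(unit), repeats
    return None, 0


def diagnose(hops):
    """Summarise whether the trace re-enters EOP's inbound front door in a cycle."""
    path = role_path(hops)
    cycle, repeats = find_cycle(path)
    return {
        "path": path,
        "cycle": cycle,
        "repeats": repeats,
        "eop_inbound_entries": path.count("EOP inbound"),
        "looping": cycle is not None and "EOP inbound" in cycle,
    }


if __name__ == "__main__":
    result = diagnose(HOPS)
    print(" -> ".join(result["path"]))
    if result["looping"]:
        print("loop: %s repeated %d times; EOP inbound entered %d times"
              % (" -> ".join(result["cycle"]), result["repeats"], result["eop_inbound_entries"]))
    else:
        print("no repeating role sequence found")
```

On the trace from the question this reports the path external:yahoo.com -> EOP inbound -> EXO backend -> EOP outbound -> EOP inbound -> ..., with the three-role cycle (EOP inbound, EXO backend, EOP outbound) repeating and the inbound front door entered three times: mail arrives at EOP, is handed to the backend, is sent back out by the outbound connector, and lands at the EOP front door again. A healthy delivery to an on-premises smart host would leave the EOP outbound role for an external host and never re-enter "EOP inbound".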

Author

Commented:
So is there something I need to change or is there something wrong that Microsoft needs to change?
Hayes Jupe, IT Director
CERTIFIED EXPERT

Commented:
what does your accepted domain list in EOP look like?

what is the source and destination domain of the email that is exceeding hop count?
CERTIFIED EXPERT
Most Valuable Expert 2015
Distinguished Expert 2019

Commented:
You need to configure the domain(s) as Internal Relay in EOP, and your MX must point to on-premises.

Author

Commented:
In the Exchange Online Center, I have 2 accepted domains. My domain is listed as the default, and it is Internal Relay. There is another domain defined as onmicrosofthubbiz292.onmicrosoft.com. This was the domain set up initially when I signed up for EOP. Per the setup's instructions I put in this domain (they said I could change it later). It is also defined as Internal Relay. I can't delete it.

I point the DNS MX records to my on-premises Exchange server because I cannot have my mail down for days while this problem exists. I use the Office 365 setup wizard to change my GoDaddy DNS hosting records when I want to test, and change them back when I am done testing. Here are the DNS records EOP inserts/changes:

Type   Priority  Host name     Points to address or value                      TTL
MX     0         @             mydomain-com.mail.protection.outlook.com        1 Hour
TXT    -         @             v=spf1 include:spf.protection.outlook.com -all  1 Hour
CNAME  -         autodiscover  autodiscover.outlook.com                        1 Hour

Thanks for your help.
CERTIFIED EXPERT
Most Valuable Expert 2015
Distinguished Expert 2019

Commented:
Actually, I think I've misread the original question. If the idea is to use EOP as the hygiene solution, the MX should indeed point to Exchange Online, and routing will be taken care of by the connector. So how is the connector configured?

You can ignore the onmicrosoft.com domain, this one doesn't need to be set as Internal Relay.

Author

Commented:
The connector has the following attributes:

Name: ToMyExchange
Turn it on: Yes
Retain internal Exch email headers: Yes

When to Use: For all email messages sent to all accepted domains

How do you want to route email messages (Smart hosts): MyDomain.com

How should Office 365 connect to your email server:
  Always use Transport Layer Security (TLS) to secure the connection: Checked
    Any digital certificate, including self-signed certs: Selected

Validate:  user1@mydomain.com   -  succeeds
                 user2@mydomain.com   -  succeeds


Please note that the validate function is working differently than it was on Friday. Note that for testing purposes, user1 is defined as a user in the admin.ms.com users, and user2 is not. This is because last week the verify would work for user2 (not defined) but would fail for user1 with an "smtp user user1@mydomain.com not found" message.
CERTIFIED EXPERT
Most Valuable Expert 2015
Distinguished Expert 2019

Commented:
That's probably because you hadn't synchronized your users yet, or they weren't synced back to the EOP backend. You do need to have a representation of those users in O365/EOP, either created manually or via dirsync.

Anyway, now that the sync process is complete and verification passes, do you still have issues with mail flow?

Author

Commented:
I apologize, I was not aware I needed to do "synchronizing", and to a backend. I have a relatively small number of mailboxes and have manually defined them on the O365 admin console (Home, Users, Active Users). Is that what you mean by synchronizing, or is there something else I need to do?

Author

Commented:
Update: There are no users defined in O365 EAC (recipients, contacts, add (+), new mail user). I tried to add user1 (which exists in admin, users, active users) and get the following error:

The proxy address "SMTP:user3@mydomain.com" is already being used by the proxy addresses or LegacyExchangeDN. Please choose another proxy address.

I try to add user2 (does not exist in active users) and it is successful. I then reset the DNS and try to send email from a remote email client (AOL). Same problem.
CERTIFIED EXPERT
Most Valuable Expert 2015
Distinguished Expert 2019
Commented:

Author

Commented:
Yes, thank you. Please see my previous post, it describes the issues I received while performing the tasks you mentioned above. We may have gotten out of sync.

I set up a user (user2) in the EOP, the user that I didn't define in the active users display on the admin console. When I tried to send mail to user2, same problem.

Author

Commented:
On the O365 outbound connector I changed the smart host from mydomain.com to the IP address and it worked. It appears the connector uses the MX records when it looks up the IP address of the smart host, causing a loop.

Vasil, thank you for your help.