Mike Broderick
asked on
Using Exchange Online Protection, sender getting 554 5.4.14 Hop count exceeded
I set up EOP to filter incoming email for my on-premise Exchange 2013 server. After changing my DNS (in GoDaddy, using the EOP wizard) to point to EOP, the on-premise Exch svr does not get mail. Senders get the following NDR:
Reported error: 554 5.4.14 Hop count exceeded - possible mail loop ATTR34 [BN7NAM10FT005.eop-nam10.prod.protection.outlook.com]
DSN generated by: MN2PR02MB6608.namprd02.prod.outlook.com
Remote server: BN7NAM10FT005.mail.protection.outlook.com
The NDR is nice enough to provide a trace, which shows several Microsoft servers (see below). The servers are all unique (no apparent loop). Some other notes:
I signed up for only MS Exchange Online Protection. I do not have any other MS subscriptions (Office 365, etc.)
I defined our domain and 3 users in admin.microsoft.com. The 3 users exist on our on-premise Exchange Server. I sign onto a remote email service (AOL) and send an email message to one of the 3 users. I get the NDR message. I send an email to a user on my on-premise server that is not one of the 3 users. I get the NDR message.
The send connector wizard on admin.microsoft.com has a verify function. When I specify one of the 3 defined users, the verify fails. In the log the problem is "user not found". When I specify a user that is not defined to admin.ms.com, the verify function succeeds! I just don't get this...
Here are the hops in the NDR message:
Message Hops
HOP  TIME (UTC)            FROM                                                 TO                                          WITH                                                                              RELAY TIME
1    3/26/2020 4:11:58 PM  sonic.gate.mail.ne1.yahoo.com                        sonic312.consmr.mail.bf2.yahoo.com          HTTP                                                                              2 sec
2    3/26/2020 4:11:58 PM  sonic312-21.consmr.mail.bf2.yahoo.com                DM6NAM10FT064.mail.protection.outlook.com   Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)  *
3    3/26/2020 4:11:59 PM  DM6NAM10FT064.eop-nam10.prod.protection.outlook.com  DM5PR21CA0055.outlook.office365.com         Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)  1 sec
4    3/26/2020 4:11:59 PM  DM5PR21CA0055.namprd21.prod.outlook.com              SN6PR02MB4158.namprd02.prod.outlook.com     Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)  *
5    3/26/2020 4:12:02 PM  NAM10-BN7-obe.outbound.protection.outlook.com        MW2NAM10FT041.mail.protection.outlook.com   Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)  3 sec
6    3/26/2020 4:12:03 PM  MW2NAM10FT041.eop-nam10.prod.protection.outlook.com  CO2PR04CA0204.outlook.office365.com         Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)  1 sec
7    3/26/2020 4:12:03 PM  CO2PR04CA0204.namprd04.prod.outlook.com              CY4PR0201MB3412.namprd02.prod.outlook.com   Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)  *
8    3/26/2020 4:12:04 PM  NAM02-BL2-obe.outbound.protection.outlook.com        DM6NAM10FT025.mail.protection.outlook.com   Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)  1 sec
9    3/26/2020 4:12:05 PM  DM6NAM10FT025.eop-nam10.prod.protection.outlook.com  DM6PR02CA0106.outlook.office365.com         Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)  1 sec
10   3/26/2020 4:12:05 PM  DM6PR02CA0106.namprd02.prod.outlook.com              MN2PR02MB6608.namprd02.prod.outlook.com     Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)  *
It looks like there is a loop to me - they may be different servers, but they appear to be part of the same cluster.
ASKER
So is there something I need to change or is there something wrong that Microsoft needs to change?
what does your accepted domain list in EOP look like?
What is the source and destination domain of the email that is exceeding the hop count?
You need to configure the domain(s) as Internal Relay in EOP, and your MX must point to on-premises.
ASKER
In the Exchange Online Center, I have 2 accepted domains. My domain is listed as the default, and it is Internal Relay. There is another domain defined as onmicrosofthubbiz292.onmicrosoft.com. This was the domain set up initially when I signed up for EOP. Per the setup's instructions I put in this domain (they said I could change it later). It is also defined as Internal Relay. I can't delete it.
I point the DNS MX records to my on-premise exchange server because I cannot have my mail down for days while this problem exists. I use the Office365 setup's wizard to change my GoDaddy DNS hosting records when I want to test, and change them back when I am done testing. Here are the DNS records EOP inserts/changes:
Type   Priority  Host name     Points to address or value                    TTL
MX     0         @             mydomain-com.mail.protection.outlook.com      1 Hour
TXT    -         @             v=spf1 include:spf.protection.outlook.com -all  1 Hour
CNAME  -         autodiscover  autodiscover.outlook.com                      1 Hour
Thanks for your help.
Actually, I think I've misread the original question. If the idea is to use EOP as the hygiene solution, the MX should indeed point to Exchange Online, and routing will be taken care of by the connector. So how is the connector configured?
You can ignore the onmicrosoft.com domain; this one doesn't need to be set as Internal Relay.
ASKER
The connector has the following attributes:
Name: ToMyExchange
Turn it on: Yes
Retain internal Exch email headers: Yes
When to Use: For all email messages sent to all accepted domains
How do you want to route email messages (Smart hosts): MyDomain.com
How should Office 365 connect to your email server:
Always use Transport Layer Security (TLS) to secure the connection: Checked
Any digital certificate, including self-signed certs: Selected
Validate: user1@mydomain.com - succeeds
user2@mydomain.com - succeeds
Please note that the validate function is working differently than it was on Friday. Note that for testing purposes, user1 is defined as a user in the admin.ms.com users, and user2 is not. This is because last week, the verify would work for user2 (not defined) but would fail for user1 with an "smtp user user1@mydomain.com not found" message.
That's probably because you hadn't synchronized your users yet, or they weren't synced back to the EOP backend. You do need to have a representation of those users in O365/EOP, either created manually or via dirsync.
Anyway, now that the sync process is complete and verification passes, do you still have issues with mail flow?
ASKER
I apologize, I was not aware I need to do "synchronizing", and to a backend. I have a relatively small number of mailboxes, and have manually defined them on the O365 admin console (Home, Users, Active Users). Is that what you mean by synchronizing or is there something else I need to do?
ASKER
Update: There are no users defined in O365 EAC (recipients, contacts, add (+), new mail user). I tried to add user1 (which exists in admin, users, active users) and get the following error:
The proxy address "SMTP:user3@mydomain.com" is already being used by the proxy addresses or LegacyExchangeDN. Please choose another proxy address.
I try to add user2 (does not exist in active users) and it is successful. I then reset the DNS and try to send email from a remote email client (AOL). Same problem.
ASKER CERTIFIED SOLUTION
ASKER
Yes, thank you. Please see my previous post, it describes the issues I received while performing the tasks you mentioned above. We may have gotten out of sync.
I set up a user (user2) in the EOP, the user that I didn't define in the active users display on the admin console. When I tried to send mail to user2, same problem.
ASKER
On the O365 outbound connector I changed the smarthost from mydomain.com to the ip address and it worked. It appears the connector uses the MX records when it looks up the IP address of the smarthost, causing a loop.
Vasil, thank you for your help.
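An added example (not from the thread or from Microsoft) that makes two points in the discussion checkable: the expert's observation that the hops are different servers in the same cluster, and the asker's finding that a smart host named by domain gets resolved through the EOP MX record and loops. It collapses each hop of the posted trace to a role so the repeating inbound-backend-outbound cycle is visible, and checks a connector smart host against a constructed MX table. The HOPS list, the role labels and the MX table are assumptions built from the question's trace and DNS records.

```python
# Added example, not from the thread. HOPS is the FROM host of hops 2-10 of
# the NDR trace posted in the question; the role labels are this example's own.
HOPS = [
    "sonic312-21.consmr.mail.bf2.yahoo.com",
    "DM6NAM10FT064.eop-nam10.prod.protection.outlook.com",
    "DM5PR21CA0055.namprd21.prod.outlook.com",
    "NAM10-BN7-obe.outbound.protection.outlook.com",
    "MW2NAM10FT041.eop-nam10.prod.protection.outlook.com",
    "CO2PR04CA0204.namprd04.prod.outlook.com",
    "NAM02-BL2-obe.outbound.protection.outlook.com",
    "DM6NAM10FT025.eop-nam10.prod.protection.outlook.com",
    "DM6PR02CA0106.namprd02.prod.outlook.com",
]
# Suffix -> role; first match wins, so the outbound relay is tested before the
# generic protection.outlook.com suffix that also matches inbound front doors.
ROLES = [
    ("eop-outbound", (".outbound.protection.outlook.com",)),
    ("eop-inbound", (".protection.outlook.com",)),
    ("m365-backend", (".outlook.com", ".office365.com")),
]

def classify(host):
    """Collapse a hostname to its role in the mail path ('external' if none)."""
    h = host.lower()
    for role, suffixes in ROLES:
        if h.endswith(suffixes):
            return role
    return "external"

def find_cycle(hosts, min_repeats=2):
    """Shortest multi-role sequence that recurs back to back min_repeats times, or None."""
    roles = [classify(h) for h in hosts]
    n = len(roles)
    for length in range(1, n // min_repeats + 1):
        for start in range(n - length * min_repeats + 1):
            unit = roles[start:start + length]
            reps = 1
            while roles[start + reps * length:start + (reps + 1) * length] == unit:
                reps += 1
            if reps >= min_repeats and len(set(unit)) > 1:
                return unit, reps
    return None

# Constructed MX table mirroring the MX record the EOP wizard wrote for the domain.
MX = {"mydomain.com": ["mydomain-com.mail.protection.outlook.com"]}

def smart_host_loops(smart_host, mx_records):
    """True if the smart host is a name whose MX points back at EOP; an IP never matches."""
    targets = mx_records.get(smart_host.lower(), [])
    return any(classify(t) == "eop-inbound" for t in targets)
```

Running find_cycle(HOPS) on the posted trace returns the inbound, backend, outbound role sequence repeated twice, which is the loop the hop-count limit eventually stopped.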