Mike Broderick asked:
Using Exchange Online Protection, sender getting 554 5.4.14 Hop count exceeded

I set up EOP to filter incoming email for my on-premise Exchange 2013 server. After changing my DNS (in GoDaddy, using the EOP wizard) to point to EOP, the on-premise Exch svr does not get mail. Senders get the following NDR:

Reported error: 554 5.4.14 Hop count exceeded - possible mail loop ATTR34 [BN7NAM10FT005.eop-nam10.prod.protection.outlook.com]  
DSN generated by: MN2PR02MB6608.namprd02.prod.outlook.com
Remote server: BN7NAM10FT005.mail.protection.outlook.com

The NDR is nice enough to provide a trace, which shows several Microsoft servers (see below). The servers are all unique (no apparent loop). Some other notes:

I signed up for only MS Exchange Online Protection. I do not have any other MS subscriptions (Office 365, etc.)

I defined our domain and 3 users in admin.microsoft.com. The 3 users exist on our on-premise Exchange Server. I sign onto a remote email service (AOL) and send an email message to one of the 3 users. I get the NDR message. I send an email to a user on my on-premise server that is not one of the 3 users. I get the NDR message.

The send connector wizard on admin.microsoft.com has a verify function. When I specify one of the 3 defined users, the verify fails. In the log the problem is "user not found". When I specify a user that is not defined to admin.ms.com, the verify function succeeds! I just don't get this...

Here are the hops in the NDR message:


Message Hops
HOP | TIME (UTC) | FROM | TO | WITH | RELAY TIME
1 | 3/26/2020 4:11:58 PM | sonic.gate.mail.ne1.yahoo.com | sonic312.consmr.mail.bf2.yahoo.com | HTTP | 2 sec
2 | 3/26/2020 4:11:58 PM | sonic312-21.consmr.mail.bf2.yahoo.com | DM6NAM10FT064.mail.protection.outlook.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | *
3 | 3/26/2020 4:11:59 PM | DM6NAM10FT064.eop-nam10.prod.protection.outlook.com | DM5PR21CA0055.outlook.office365.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | 1 sec
4 | 3/26/2020 4:11:59 PM | DM5PR21CA0055.namprd21.prod.outlook.com | SN6PR02MB4158.namprd02.prod.outlook.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | *
5 | 3/26/2020 4:12:02 PM | NAM10-BN7-obe.outbound.protection.outlook.com | MW2NAM10FT041.mail.protection.outlook.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | 3 sec
6 | 3/26/2020 4:12:03 PM | MW2NAM10FT041.eop-nam10.prod.protection.outlook.com | CO2PR04CA0204.outlook.office365.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | 1 sec
7 | 3/26/2020 4:12:03 PM | CO2PR04CA0204.namprd04.prod.outlook.com | CY4PR0201MB3412.namprd02.prod.outlook.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | *
8 | 3/26/2020 4:12:04 PM | NAM02-BL2-obe.outbound.protection.outlook.com | DM6NAM10FT025.mail.protection.outlook.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | 1 sec
9 | 3/26/2020 4:12:05 PM | DM6NAM10FT025.eop-nam10.prod.protection.outlook.com | DM6PR02CA0106.outlook.office365.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | 1 sec
10 | 3/26/2020 4:12:05 PM | DM6PR02CA0106.namprd02.prod.outlook.com | MN2PR02MB6608.namprd02.prod.outlook.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | *
Hayes Jupe:

It looks like there is a loop to me - they may be different servers, but they appear to be part of the same cluster.

3 | 3/26/2020 4:11:59 PM | DM6NAM10FT064.eop-nam10.prod.protection.outlook.com | DM5PR21CA0055.outlook.office365.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | 1 sec
4 | 3/26/2020 4:11:59 PM | DM5PR21CA0055.namprd21.prod.outlook.com | SN6PR02MB4158.namprd02.prod.outlook.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | *
5 | 3/26/2020 4:12:02 PM | NAM10-BN7-obe.outbound.protection.outlook.com | MW2NAM10FT041.mail.protection.outlook.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | 3 sec
6 | 3/26/2020 4:12:03 PM | MW2NAM10FT041.eop-nam10.prod.protection.outlook.com | CO2PR04CA0204.outlook.office365.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | 1 sec
7 | 3/26/2020 4:12:03 PM | CO2PR04CA0204.namprd04.prod.outlook.com | CY4PR0201MB3412.namprd02.prod.outlook.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | *
8 | 3/26/2020 4:12:04 PM | NAM02-BL2-obe.outbound.protection.outlook.com | DM6NAM10FT025.mail.protection.outlook.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | 1 sec
9 | 3/26/2020 4:12:05 PM | DM6NAM10FT025.eop-nam10.prod.protection.outlook.com | DM6PR02CA0106.outlook.office365.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | 1 sec
10 | 3/26/2020 4:12:05 PM | DM6PR02CA0106.namprd02.prod.outlook.com | MN2PR02MB6608.namprd02.prod.outlook.com | Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) | *
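The point made above, that a loop can exist even when every hostname in the trace is different, can be checked mechanically by grouping hosts by the mail system they belong to rather than by name. The following is an added example and not code from this thread or from Microsoft. It re-types the ten hops from the question as constructed tuples, classifies each host by its DNS suffix into an assumed role (the suffix-to-role mapping is my reading of the hostnames in the trace, not a documented Microsoft taxonomy), and reports every hop at which the message was handed to an EOP inbound front end (`*.mail.protection.outlook.com`, the kind of host an MX record points to) or at which an EOP outbound host delivered straight back into an EOP inbound host.

```python
"""Mail-loop detection over an NDR 'Message Hops' trace, keyed on mail-system role rather than hostname."""
import re

# Constructed copy of the ten hops in the question: (hop number, from host, to host).
SAMPLE_HOPS = [
    (1, "sonic.gate.mail.ne1.yahoo.com", "sonic312.consmr.mail.bf2.yahoo.com"),
    (2, "sonic312-21.consmr.mail.bf2.yahoo.com", "DM6NAM10FT064.mail.protection.outlook.com"),
    (3, "DM6NAM10FT064.eop-nam10.prod.protection.outlook.com", "DM5PR21CA0055.outlook.office365.com"),
    (4, "DM5PR21CA0055.namprd21.prod.outlook.com", "SN6PR02MB4158.namprd02.prod.outlook.com"),
    (5, "NAM10-BN7-obe.outbound.protection.outlook.com", "MW2NAM10FT041.mail.protection.outlook.com"),
    (6, "MW2NAM10FT041.eop-nam10.prod.protection.outlook.com", "CO2PR04CA0204.outlook.office365.com"),
    (7, "CO2PR04CA0204.namprd04.prod.outlook.com", "CY4PR0201MB3412.namprd02.prod.outlook.com"),
    (8, "NAM02-BL2-obe.outbound.protection.outlook.com", "DM6NAM10FT025.mail.protection.outlook.com"),
    (9, "DM6NAM10FT025.eop-nam10.prod.protection.outlook.com", "DM6PR02CA0106.outlook.office365.com"),
    (10, "DM6PR02CA0106.namprd02.prod.outlook.com", "MN2PR02MB6608.namprd02.prod.outlook.com"),
]

# Constructed healthy trace for comparison: EOP accepts once, then hands off to the
# on-premises server (hypothetical name mail.mydomain.com).
HEALTHY_HOPS = [
    (1, "sonic.gate.mail.ne1.yahoo.com", "DM6NAM10FT064.mail.protection.outlook.com"),
    (2, "DM6NAM10FT064.eop-nam10.prod.protection.outlook.com", "mail.mydomain.com"),
]

# Assumed role labels inferred from the hostname suffixes seen in the trace.
# Order matters: the more specific suffixes are tested first.
ROLE_PATTERNS = [
    ("eop-inbound", re.compile(r"\.mail\.protection\.outlook\.com$", re.I)),
    ("eop-outbound", re.compile(r"\.outbound\.protection\.outlook\.com$", re.I)),
    ("eop-transport", re.compile(r"\.prod\.protection\.outlook\.com$", re.I)),
    ("exo-frontdoor", re.compile(r"\.outlook\.office365\.com$", re.I)),
    ("exo-mailbox", re.compile(r"\.prod\.outlook\.com$", re.I)),
]


def classify(host):
    """Map a hostname to its assumed role; anything unmatched is treated as external."""
    for role, pattern in ROLE_PATTERNS:
        if pattern.search(host):
            return role
    return "external"


def analyze_trace(hops):
    """Summarise a hop list: distinct hosts, EOP inbound entries, EOP-to-EOP deliveries, loop verdict."""
    hosts = {h for _, src, dst in hops for h in (src, dst)}
    # Every hop whose destination is an EOP inbound front end: a healthy message has exactly one.
    inbound_entries = [n for n, _, dst in hops if classify(dst) == "eop-inbound"]
    # An EOP outbound host delivering to an EOP inbound host is EOP sending to itself.
    self_deliveries = [
        n for n, src, dst in hops
        if classify(src) == "eop-outbound" and classify(dst) == "eop-inbound"
    ]
    return {
        "distinct_hosts": len(hosts),
        "eop_inbound_entries": inbound_entries,
        "eop_self_deliveries": self_deliveries,
        "loop": len(inbound_entries) > 1,
    }


if __name__ == "__main__":
    for label, trace in (("question", SAMPLE_HOPS), ("healthy", HEALTHY_HOPS)):
        print(label, analyze_trace(trace))
```

On the trace from the question every one of the twenty hostnames is unique, yet the message enters an EOP inbound front end at hops 2, 5 and 8, and hops 5 and 8 are EOP delivering to itself, which is exactly the cluster-level loop described above.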
Mike Broderick (asker):
So is there something I need to change or is there something wrong that Microsoft needs to change?
What does your accepted domain list in EOP look like?

What is the source and destination domain of the email that is exceeding the hop count?
You need to configure the domain(s) as Internal Relay in EOP, and your MX must point to on-premises.
In the Exchange Online Center, I have 2 accepted domains. My domain is listed as the default, and it is Internal Relay. There is another domain defined as onmicrosofthubbiz292.onmicrosoft.com. This was the domain set up initially when I signed up for EOP. Per the setup's instructions I put in this domain (they said I could change it later). It is also defined as Internal Relay. I can't delete it.

I point the DNS MX records to my on-premise exchange server because I cannot have my mail down for days while this problem exists. I use the Office365 setup's wizard to change my GoDaddy DNS hosting records when I want to test, and change them back when I am done testing. Here are the DNS records EOP inserts/changes:

Type | Priority | Host name | Points to address or value | TTL
MX | 0 | @ | mydomain-com.mail.protection.outlook.com | 1 Hour
TXT | - | @ | v=spf1 include:spf.protection.outlook.com -all | 1 Hour
CNAME | - | autodiscover | autodiscover.outlook.com | 1 Hour

Thanks for your help.
Actually, I think I've misread the original question. If the idea is to use EOP as the hygiene solution, the MX should indeed point to Exchange Online, and routing will be taken care of by the connector. So how is the connector configured?

You can ignore the onmicrosoft.com domain, this one doesn't need to be set as Internal Relay.
The connector has the following attributes:

Name: ToMyExchange
Turn it on: Yes
Retain internal Exch email headers: Yes

When to Use: For all email messages sent to all accepted domains

How do you want to route email messages (Smart hosts): MyDomain.com

How should Office 365 connect to your email server:
  Always use Transport Layer Security (TLS) to secure the connection: Checked
    Any digital certificate, including self-signed certs: Selected

Validate: user1@mydomain.com - succeeds
          user2@mydomain.com - succeeds


Please note that the validate function is working differently than it was Friday. Note that for testing purposes, user1 is defined as a user in the admin.ms.com users, and user2 is not. This is because last week, the verify would work for user2 (not defined) but would fail for user1 with an "smtp user user1@mydomain.com not found" message.
That's probably because you hadn't synchronized your users yet, or they weren't synced back to the EOP backend. You do need to have a representation of those users in O365/EOP, either created manually or via dirsync.

Anyway, now that the sync process is complete and verification passes, do you still have issues with mail flow?
I apologize, I was not aware I need to do "synchronizing", and to a backend. I have a relatively small number of mailboxes, and have manually defined them on the O365 admin console (Home, Users, Active Users). Is that what you mean by synchronizing or is there something else I need to do?
Update: There are no users defined in  O365 EAC (recipients, contacts, add (+), new mail user). I tried to add user1 (which exists in admin, users, active users) and get the following error:

The proxy address "SMTP:user3@mydomain.com" is already being used by the proxy addresses or LegacyExchangeDN. Please choose another proxy address.

I try to add user2 (does not exist in active users) and it is successful. I then reset the DNS and try to send email from a remote email client (AOL). Same problem.
ASKER CERTIFIED SOLUTION by Vasil Michev (MVP)
Yes, thank you. Please see my previous post, it describes the issues I received while performing the tasks you mentioned above. We may have gotten out of sync.

I set up a user (user2) in the EOP, the user that I didn't define in the active users display on the admin console. When I tried to send mail to user2, same problem.
On the O365 outbound connector I changed the smarthost from mydomain.com to the ip address and it worked. It appears the connector uses the MX records when it looks up the IP address of the smarthost, causing a loop.

Vasil, thank you for your help.
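The closing diagnosis (the connector resolves the smart host through the domain's MX record, which after the cutover points back at EOP) is something that can be checked before DNS is changed rather than discovered from an NDR. The following is an added example, not code from this thread or from Microsoft, and it works over constructed DNS data (documentation addresses, and a hypothetical on-premises host mail.mydomain.com) instead of doing live lookups. It resolves a candidate smart host the way an SMTP relay resolves a delivery target (MX first, A record only when there is no MX, IP literals taken as-is) and flags any result under mail.protection.outlook.com as a route back into EOP.

```python
"""Check whether an EOP outbound connector smart host would resolve back into EOP.

An SMTP relay resolving a hostname for delivery tries MX records first and uses
the A/AAAA record only when no MX exists (RFC 5321, section 5.1). A smart host
entered as the bare domain therefore inherits the domain's MX, which after the
EOP cutover names EOP itself, and the message loops.
"""
import ipaddress

EOP_INBOUND_SUFFIX = ".mail.protection.outlook.com"

# Constructed zone data modelled on the records in the thread; addresses are
# documentation ranges, and mail.mydomain.com is a hypothetical on-premises host.
CONSTRUCTED_ZONE = {
    "mydomain.com": {
        "MX": [(0, "mydomain-com.mail.protection.outlook.com")],
        "A": ["203.0.113.10"],
    },
    "mail.mydomain.com": {"A": ["203.0.113.25"]},
    "mydomain-com.mail.protection.outlook.com": {"A": ["198.51.100.5"]},
}


def is_ip_literal(value):
    """True for an IPv4 or IPv6 address; a literal needs no DNS resolution at all."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resolve_delivery_target(name, zone):
    """Return (target, lookup_kind) using the MX-then-A order an SMTP relay follows."""
    if is_ip_literal(name):
        return name, "literal"
    records = zone.get(name.lower().rstrip("."), {})
    mx = sorted(records.get("MX", []))          # lowest preference value wins
    if mx:
        return mx[0][1], "MX"
    a_records = records.get("A", [])
    if a_records:
        return a_records[0], "A"
    raise LookupError(f"no MX or A record for {name}")


def check_smart_host(smart_host, zone=CONSTRUCTED_ZONE):
    """Report where a smart host really delivers and whether that is EOP's own inbound edge."""
    target, kind = resolve_delivery_target(smart_host, zone)
    loops = target.lower().endswith(EOP_INBOUND_SUFFIX)
    return {
        "smart_host": smart_host,
        "target": target,
        "via": kind,
        "loops_back_to_eop": loops,
    }


if __name__ == "__main__":
    # The three candidates from the thread: the bare domain (loops), the IP the
    # asker switched to (works), and an FQDN with an A record only (works).
    for candidate in ("mydomain.com", "203.0.113.25", "mail.mydomain.com"):
        print(check_smart_host(candidate))
```

Both a bare IP, which is what the asker switched to, and an FQDN that has an A record but no MX avoid the loop. The FQDN is the better long-term choice: the connector in this thread accepts any certificate including self-signed, so TLS to the on-premises server is encrypted but the server is not authenticated; with a named smart host the connector's TLS option can be tightened to require a certificate whose subject matches that name.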