Office 365 Relay access denied (in reply to RCPT TO command)
You're connecting to the wrong host to try to deliver e-mail.
The host you connect to is the same one listed in your MX record for your domain. It usually looks like: your-domain.mail.protection.outlook.com
Here's information on how you setup to relay through Office 365: https://support.office.com/en-us/article/How-to-set-up-a-multifunction-device-or-application-to-send-email-using-Office-365-69f58e99-c550-4274-ad18-c805d654b4c4
NoMad
German blogger about IT in general, ITsec, Programming, RasPi, Electronics, etc.
Updated on September 18, 2022
-
NoMad almost 2 years
I've configured a postfix as open relay to shove mails to an Office 365 SMTP Connector. The connector is configured for static IP address authentication, which works fine.
When I try to send mail using telnet, Office365 bounces:
host smtp.office365.com[40.101.125.210] said: 550 Relay access denied (in reply to RCPT TO command)
Do I need to set special permissions in O365 to allow mailing from the connector? Could there be rules which disallow that? I'm not exactly an expert on O365/Exchange...
I've also tested other recipients on the same domain (mydomain.com) and different FROM addresses. The domain is listed under "Accepted Domain" (mydomain.com - authoritative) in O365 Online Exchange Interface, and there's only one entry in remote domains (default * = all remote domains allowed).
EDIT: main.cf now has the correct relay address (relayhost option). Problem still persists.
Here is more detailed information from my SMTP relay:
/var/log/mail.log:
Jul 20 10:31:11 smtp postfix[4704]: Postfix is running with backwards-compatible default settings
Jul 20 10:31:11 smtp postfix[4704]: See http://www.postfix.org/COMPATIBILITY_README.html for details
Jul 20 10:31:11 smtp postfix[4704]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
Jul 20 10:31:12 smtp postfix/master[4741]: daemon started -- version 3.1.0, configuration /etc/postfix
Jul 20 10:31:18 smtp postfix/smtpd[4745]: connect from unknown[192.168.1.25]
Jul 20 10:31:49 smtp postfix/smtpd[4745]: 04D8E2E061E: client=unknown[192.168.1.25]
Jul 20 10:32:05 smtp postfix/cleanup[4749]: 04D8E2E061E: message-id=<20170720083149.04D8E2E061E@smtp>
Jul 20 10:32:05 smtp postfix/qmgr[4743]: 04D8E2E061E: from=<[email protected]>, size=328, nrcpt=1 (queue active)
Jul 20 10:32:05 smtp postfix/smtp[4750]: 04D8E2E061E: to=<[email protected]>, relay=smtp.office365.com[40.101.125.210]:25, delay=29, delays=29/0.01/0.12/0.01, dsn=5.0.0, status=bounced (host smtp.office365.com[40.101.125.210] said: 550 Relay access denied (in reply to RCPT TO command))
Jul 20 10:32:05 smtp postfix/cleanup[4749]: 641272E0635: message-id=<20170720083205.641272E0635@smtp>
Jul 20 10:32:05 smtp postfix/qmgr[4743]: 641272E0635: from=<>, size=2145, nrcpt=1 (queue active)
Jul 20 10:32:05 smtp postfix/bounce[4751]: 04D8E2E061E: sender non-delivery notification: 641272E0635
Jul 20 10:32:05 smtp postfix/qmgr[4743]: 04D8E2E061E: removed
Jul 20 10:32:05 smtp postfix/smtp[4750]: 641272E0635: to=<[email protected]>, relay=smtp.office365.com[40.101.61.114]:25, delay=0.01, delays=0/0/0/0, dsn=5.0.0, status=bounced (host smtp.office365.com[40.101.61.114] said: 550 Relay access denied (in reply to RCPT TO command))
Jul 20 10:32:05 smtp postfix/qmgr[4743]: 641272E0635: removed
Jul 20 10:32:09 smtp postfix/smtpd[4745]: disconnect from unknown[192.168.1.25] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
My telnet input:
root@smtp:/etc/postfix# telnet 192.168.1.25 25
Trying 192.168.1.25...
Connected to 192.168.1.25.
Escape character is '^]'.
220 smtp ESMTP Postfix (Ubuntu)
EHLO localhost
250-smtp
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: [email protected]
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Testmail
Test
.
250 2.0.0 Ok: queued as 921452E061E
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
inet_interfaces = 192.168.1.25
inet_protocols = ipv4
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = www.mydomain.com, $myhostname, smtp, localhost.localdomain, localhost
myhostname = smtp
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24
myorigin = /etc/mailname #mydomain.com
readme_directory = no
recipient_delimiter = +
relay_domains = static:ALL
relay_transport = relay
relayhost = smtp.office365.com
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
-
NoMad almost 7 years
That's correct. But after fixing, I still get the same error (at least from the right host this time). I followed the link you posted to configure the Connector in Exchange Online Admin earlier. I still have SASL configured, that isn't needed for Static IP auth, right?
-
Appleoddity almost 7 years
I'm actually not sure what you are referring to for SASL. I've done this quite a few times with Office 365 accounts. You just add the connector specifying which IP address you will be sending from and then connect to the same server specified for your MX record. You also need to setup the SPF records, but that won't cause the error you are seeing. You should be using Option 3 in those instructions. You did put the PUBLIC ip address of your server in the connector configuration right?
-
NoMad almost 7 years
SASL is only for username+password auth on SMTP, as far as I know. I followed step 3 only in the tutorial. The connector has the server's current public IP (which isn't static, but "unknown user" error disappeared after the connector was added). SPF isn't set up yet. relayhost on my Postfix is now === MX-Record.
-
Appleoddity almost 7 years
You can't use authentication with Office 365 relay. Looks like you might need to change this option to no: smtp_sasl_auth_enable = yes
-
NoMad almost 7 years
It seems like Office isn't happy with the dynamic IP. I'm running a vanilla config that I know works, yet I still get the error. Only difference from my test setup are domain names and the public IP. However I also tested on another dynamic DSL line and there Office365 relay provided a human-readable error message that the IP is blacklisted.
-
Appleoddity almost 7 years
I'm not surprised about the dynamic IP, but unless that is the error you are getting when trying to relay, I don't think that is the problem. But, you are certainly not going to reliably relay e-mail if you continue to use a dynamic IP. Did you turn off authentication? You need to connect to Port 25, TLS enabled, no authentication. Also, dynamic IP services (i.e. residential) are also usually blocking port 25 outbound.
-
NoMad almost 7 years
Hey, thanks for your great help. I've now tested against a known-to-work setup, the postfix is configured 100% correct now. I've also gone ahead and configured a DynDNS domain, CNAME'd it as a subdomain of the main domain name for exchange, got a valid cert from LetsEncrypt, which is correctly delivered by postfix. But using the TLS Auth for the connector still yields the 550 Relay Access Denied. Ports are tested to work. Now I'm out of ideas, I still think it's some obscure O365 setting.
-
Appleoddity almost 7 years
Unless something has been changed from default in your O365 tenant, there isn't a setting that will impact this. I just confirmed again that the basic setup is to enable the connector and use Port 25, TLS Enabled, and no authentication. Seems to work fine. I can appreciate everything you just did to complete the setup of this, but you should understand that SPAM is a big issue these days. You cannot reliably send mail from a dynamic IP, as no legitimate mail server sits behind a dynamic IP. It's a common spam filtering technique. Your dynamic IP is in the e-mail headers still.
-
NoMad almost 7 years
Apparently, it was a rogue Sophos XG Firewall. All of a sudden all connections to o365 timed out, then my relay host couldn't reach Internet anymore. After Sophos reboot, everything works fine. I am astonished, never experienced such a glitch in a network firewall...
-
NoMad almost 7 years
As to dynamic IPs: Microsoft's servers reply with a verbose error message containing a link where you can request unblocking. I saw that when testing on another host, but that didn't appear on the affected relay host... I'm not sure as to why I got a reply from supposedly the office365 host (IP shown in log) due to a network problem... Perhaps the firewall does some advanced SMTP filtering? I didn't change any settings, after the reboot it just worked #JustSophosThings
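Added example, not part of the original thread or of anyone's posted code: a small Python check that reads `postconf -n` output and flags the relay settings discussed above (a relayhost that is not the MX-style host, SASL left on, a port other than 25, TLS off, a catch-all relay_domains). The two sample configs are constructed, the first from the relay-related lines of the question and the second using the answer's your-domain placeholder; the function names are hypothetical.

```python
import re

MX_SUFFIX = ".mail.protection.outlook.com"  # MX host form quoted in the answer

# Constructed sample: relay-related lines from the question's `postconf -n`.
QUESTION_CONF = """\
relay_domains = static:ALL
relayhost = smtp.office365.com
smtp_sasl_auth_enable = yes
smtp_use_tls = yes
"""

# Constructed sample: the same relay after the advice in the thread is applied.
# "your-domain" is the answer's placeholder, not a real tenant name.
FIXED_CONF = """\
relay_domains =
relayhost = [your-domain.mail.protection.outlook.com]:25
smtp_sasl_auth_enable = no
smtp_tls_security_level = encrypt
"""

def parse_postconf(text):
    """Turn `postconf -n` style 'name = value' lines into a dict."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            conf[name.strip()] = value.strip()
    return conf

def audit_relay(conf):
    """Return (parameter, finding) pairs for an IP-authenticated connector relay."""
    findings = []
    # relayhost may be written as host, host:port, [host] or [host]:port
    m = re.match(r"^\[?([^\]:\s]+)\]?(?::(\w+))?$", conf.get("relayhost", ""))
    host, port = (m.group(1).lower(), m.group(2) or "25") if m else ("", "25")
    if not host.endswith(MX_SUFFIX):
        findings.append(("relayhost", "not the tenant MX host (*%s)" % MX_SUFFIX))
    if port not in ("25", "smtp"):
        findings.append(("relayhost", "connector relay is on port 25"))
    if conf.get("smtp_sasl_auth_enable", "no") == "yes":
        findings.append(("smtp_sasl_auth_enable", "connector relay takes no SMTP AUTH"))
    # A non-empty smtp_tls_security_level overrides the older smtp_use_tls.
    level = conf.get("smtp_tls_security_level", "")
    tls_on = (level != "none") if level else (conf.get("smtp_use_tls") == "yes")
    if not tls_on:
        findings.append(("smtp_tls_security_level", "TLS to the relay is off"))
    if conf.get("relay_domains", "").startswith("static:"):
        findings.append(("relay_domains", "static: table matches every recipient domain"))
    return findings
```

On a live host the input would be the output of `postconf -n`; an empty result means none of the points raised in the thread apply, not that the Office 365 connector itself is configured correctly.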