Office 365 Relay access denied (in reply to RCPT TO command)


You're connecting to the wrong host to try to deliver e-mail.

The host you connect to is the same one listed in your MX record for your domain. It usually looks like: your-domain.mail.protection.outlook.com

Here's information on how you set up relaying through Office 365: https://support.office.com/en-us/article/How-to-set-up-a-multifunction-device-or-application-to-send-email-using-Office-365-69f58e99-c550-4274-ad18-c805d654b4c4


Author: NoMad

German blogger about IT in general, ITsec, Programming, RasPi, Electronics, etc.

Updated on September 18, 2022

Comments

  • NoMad
    NoMad almost 2 years

    I've configured a Postfix as an open relay to shove mails to an Office 365 SMTP Connector. The connector is configured for static IP address authentication, which works fine.

    When I try to send mail using telnet, Office365 bounces: host smtp.office365.com[40.101.125.210] said: 550 Relay access denied (in reply to RCPT TO command)

    Do I need to set special permissions in O365 to allow mailing from the connector? Could there be rules which disallow that? I'm not exactly an expert on O365/Exchange...

    I've also tested other recipients on the same domain (mydomain.com) and different FROM addresses. The domain is listed under "Accepted Domain" (mydomain.com - authoritative) in the O365 Exchange Online interface, and there's only one entry in remote domains (default * = all remote domains allowed).

    EDIT: main.cf now has the correct relay address (relayhost option). Problem still persists.

    Here is more detailed information from my SMTP relay:

    /var/log/mail.log:

    Jul 20 10:31:11 smtp postfix[4704]: Postfix is running with backwards-compatible default settings
    Jul 20 10:31:11 smtp postfix[4704]: See http://www.postfix.org/COMPATIBILITY_README.html for details
    Jul 20 10:31:11 smtp postfix[4704]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
    Jul 20 10:31:12 smtp postfix/master[4741]: daemon started -- version 3.1.0, configuration /etc/postfix
    Jul 20 10:31:18 smtp postfix/smtpd[4745]: connect from unknown[192.168.1.25]
    Jul 20 10:31:49 smtp postfix/smtpd[4745]: 04D8E2E061E: client=unknown[192.168.1.25]
    Jul 20 10:32:05 smtp postfix/cleanup[4749]: 04D8E2E061E: message-id=<20170720083149.04D8E2E061E@smtp>
    Jul 20 10:32:05 smtp postfix/qmgr[4743]: 04D8E2E061E: from=<[email protected]>, size=328, nrcpt=1 (queue active)
    Jul 20 10:32:05 smtp postfix/smtp[4750]: 04D8E2E061E: to=<[email protected]>, relay=smtp.office365.com[40.101.125.210]:25, delay=29, delays=29/0.01/0.12/0.01, dsn=5.0.0, status=bounced (host smtp.office365.com[40.101.125.210] said: 550 Relay access denied (in reply to RCPT TO command))
    Jul 20 10:32:05 smtp postfix/cleanup[4749]: 641272E0635: message-id=<20170720083205.641272E0635@smtp>
    Jul 20 10:32:05 smtp postfix/qmgr[4743]: 641272E0635: from=<>, size=2145, nrcpt=1 (queue active)
    Jul 20 10:32:05 smtp postfix/bounce[4751]: 04D8E2E061E: sender non-delivery notification: 641272E0635
    Jul 20 10:32:05 smtp postfix/qmgr[4743]: 04D8E2E061E: removed
    Jul 20 10:32:05 smtp postfix/smtp[4750]: 641272E0635: to=<[email protected]>, relay=smtp.office365.com[40.101.61.114]:25, delay=0.01, delays=0/0/0/0, dsn=5.0.0, status=bounced (host smtp.office365.com[40.101.61.114] said: 550 Relay access denied (in reply to RCPT TO command))
    Jul 20 10:32:05 smtp postfix/qmgr[4743]: 641272E0635: removed
    Jul 20 10:32:09 smtp postfix/smtpd[4745]: disconnect from unknown[192.168.1.25] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
    

    My telnet input:

    root@smtp:/etc/postfix# telnet 192.168.1.25 25
    Trying 192.168.1.25...
    Connected to 192.168.1.25.
    Escape character is '^]'.
    220 smtp ESMTP Postfix (Ubuntu)
    EHLO localhost
    250-smtp
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    MAIL FROM: [email protected]
    250 2.1.0 Ok
    RCPT TO: [email protected]
    250 2.1.5 Ok
    DATA
    354 End data with <CR><LF>.<CR><LF>
    Subject: Testmail
    Test
    
    .
    250 2.0.0 Ok: queued as 921452E061E
    QUIT
    221 2.0.0 Bye
    Connection closed by foreign host.
    

    postconf -n

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    inet_interfaces = 192.168.1.25
    inet_protocols = ipv4
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    mydestination = www.mydomain.com, $myhostname, smtp, localhost.localdomain, localhost
    myhostname = smtp
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24
    myorigin = /etc/mailname    #mydomain.com
    readme_directory = no
    recipient_delimiter = +
    relay_domains = static:ALL
    relay_transport = relay
    relayhost = smtp.office365.com
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    
  • NoMad
    NoMad almost 7 years
    That's correct. But after fixing, I still get the same error (at least from the right host this time). I followed the link you posted to configure the Connector in Exchange Online Admin earlier. I still have SASL configured; that isn't needed for Static IP auth, right?
  • Appleoddity
    Appleoddity almost 7 years
    I'm actually not sure what you are referring to for SASL. I've done this quite a few times with Office 365 accounts. You just add the connector specifying which IP address you will be sending from and then connect to the same server specified for your MX record. You also need to set up the SPF records, but that won't cause the error you are seeing. You should be using Option 3 in those instructions. You did put the PUBLIC IP address of your server in the connector configuration, right?
  • NoMad
    NoMad almost 7 years
    SASL is only for username+password auth on SMTP, as far as I know. I followed step 3 only in the tutorial. The connector has the server's current public IP (which isn't static, but the "unknown user" error disappeared after the connector was added). SPF isn't set up yet. relayhost on my Postfix is now === MX record.
  • Appleoddity
    Appleoddity almost 7 years
    You can't use authentication with Office 365 relay. Looks like you might need to change this option to no: smtp_sasl_auth_enable = yes
  • NoMad
    NoMad almost 7 years
    It seems like Office isn't happy with the dynamic IP. I'm running a vanilla config that I know works, yet I still get the error. Only difference from my test setup are domain names and the public IP. However I also tested on another dynamic DSL line and there Office365 relay provided a human-readable error message that the IP is blacklisted.
  • Appleoddity
    Appleoddity almost 7 years
    I'm not surprised about the dynamic IP, but unless that is the error you are getting when trying to relay, I don't think that is the problem. But, you are certainly not going to reliably relay e-mail if you continue to use a dynamic IP. Did you turn off authentication? You need to connect to Port 25, TLS enabled, no authentication. Also, dynamic IP services (i.e. residential) are also usually blocking port 25 outbound.
  • NoMad
    NoMad almost 7 years
    Hey, thanks for your great help. I've now tested against a known-to-work setup; the Postfix is configured 100% correctly now. I've also gone ahead and configured a DynDNS domain, CNAME'd it as a subdomain of the main domain name for Exchange, and got a valid cert from LetsEncrypt, which is correctly delivered by Postfix. But using the TLS auth for the connector still yields the 550 Relay Access Denied. Ports are tested to work. Now I'm out of ideas; I still think it's some obscure O365 setting.
  • Appleoddity
    Appleoddity almost 7 years
    Unless something has been changed from default in your O365 tenant, there isn't a setting that will impact this. I just confirmed again that the basic setup is to enable the connector and use Port 25, TLS Enabled, and no authentication. Seems to work fine. I can appreciate everything you just did to complete the setup of this, but you should understand that SPAM is a big issue these days. You cannot reliably send mail from a dynamic IP, as no legitimate mail server sits behind a dynamic IP. It's a common spam filtering technique. Your dynamic IP is in the e-mail headers still.
  • NoMad
    NoMad almost 7 years
    Apparently, it was a rogue Sophos XG Firewall. All of a sudden all connections to o365 timed out, then my relay host couldn't reach Internet anymore. After Sophos reboot, everything works fine. I am astonished, never experienced such a glitch in a network firewall...
  • NoMad
    NoMad almost 7 years
    As to dynamic IPs: Microsoft's servers reply withi a verbose error message containing a link where you can request unblocking. I saw that when testing on another host, but that didn't appear on the affected relay host... I'm not sure as to why I got a reply from supposedly the office365 host (IP shown in log) due to a network problem... Perhaps the firewall does some advanced SMTP filtering? I didn't change any settings, after the reboot it just worked #JustSophosThings