"Relay Access Denied" error when trying to use Office 365 as mail relay
This suggests that you've not got a proper certificate chain set up on your local MTA. Have you reviewed article 3212877 in the Microsoft Knowledgebase? If you're using TLS (and you should) then the Exchange/O365 server needs to be able to validate all the certificates in any incoming TLS connection back to a trusted root.
Author: danny h.
Updated on September 18, 2022
Comments
-
danny h. over 1 year
I redirect outgoing emails in my organization to my postfix MTA. From there, I'm redirecting the mails to Office 365 for relaying to the original recipients.
For external recipients, I get the following error:
550 5.7.64 TenantAttribution; Relay Access Denied [....prod.protection.outlook.com] (in reply to RCPT TO command))
I have an inbound connector to 'Office 365' and still the mails are blocked with the error above.
-
joeqwerty over 5 years
I have an inbound connector to 'Office 365' and still the mails are blocked with the error above.
Telling us that without telling us any of the configuration settings of said connector doesn't give us enough information to help.
-
yair over 5 years
@joeqwerty (I'm a colleague of danny) ConnectorType is from Partner to Office 365. It verifies the messages come from a specific IP range (where we configured the postfix external IP). TLS is required but without verifying a specific subject. Emails are only rejected when the recipient is from outside the org.
-
yair over 5 years
(I'm a colleague of danny) The Connector is marked with
Reject messages if they aren’t encrypted using Transport Layer Security (TLS).
(without enforcing a specific subject). Note this access denied error only appears when the recipient is not part of the organization. I think it means the TLS works OK, but we still see that error for external recipients. Or do you mean a fully trusted certificate chain (and not just a self-signed one) is specifically needed for relaying to external recipients?
-
yair over 5 years
(I'm a colleague of danny) Is it required to have a certificate by a trusted CA (and not just a self-signed one) even if the Inbound connector requires TLS but without verifying the subject? Note that the connector does work when recipients are inside the org (reports show emails pass through the connector and with TLS)
-
Shaw over 5 years
Hi, According to this article: “Check that your on-premises email server has Transport Layer Security (TLS) enabled, with a valid certification authority-signed (CA-signed) certificate.” docs.microsoft.com/en-us/exchange/mail-flow-best-practices/… Though it doesn’t say trusted third-party CA, I think a self-signed certificate is not the case, and in my understanding Exchange Online requires a publicly trusted certificate.
-
Rob Moir over 5 years
@yair I would expect a fully trusted certificate chain is required.
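
Added example, not part of the original thread: a small check over Postfix delivery logs for the symptom described above, where internal recipients are accepted while external recipients are rejected with `5.7.64 TenantAttribution`. The log lines, relay host name, IP address and the `INTERNAL_DOMAINS` value are constructed assumptions; the line layout follows Postfix's usual smtp delivery reports.

```python
import re
from collections import Counter

# Assumption: the tenant's accepted domains; replace with your own.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample data: relay host, IP, queue IDs and recipients are made up.
RELAY = "example-com.mail.protection.outlook.com[203.0.113.10]"
DENIED = (f"host {RELAY} said: 550 5.7.64 TenantAttribution; "
          "Relay Access Denied (in reply to RCPT TO command)")

def _line(qid, rcpt, dsn, status, text):
    """Build one log line in Postfix smtp(8) delivery-report format."""
    return (f"Sep 18 10:00:01 mta postfix/smtp[2101]: {qid}: to=<{rcpt}>, "
            f"relay={RELAY}:25, delay=0.9, delays=0.1/0/0.5/0.3, "
            f"dsn={dsn}, status={status} ({text})")

SAMPLE_LOG = "\n".join([
    _line("4A1B2C3D4E", "alice@example.com", "2.6.0", "sent", "250 2.6.0 Queued"),
    _line("5B2C3D4E5F", "bob@partner.example", "5.7.64", "bounced", DENIED),
    _line("6C3D4E5F6A", "carol@example.com", "2.6.0", "sent", "250 2.6.0 Queued"),
    _line("7D4E5F6A7B", "dave@other.example", "5.7.64", "bounced", DENIED),
])

DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: [0-9A-F]+: to=<(?P<rcpt>[^>]+)>"
    r".*?dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+)")

def classify(log_text, internal=INTERNAL_DOMAINS):
    """Count delivery attempts by (recipient scope, DSN code)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if not m:
            continue  # not a delivery report line
        domain = m["rcpt"].rsplit("@", 1)[-1].lower()
        scope = "internal" if domain in internal else "external"
        counts[(scope, m["dsn"])] += 1
    return counts

def external_relay_denied(counts):
    """True when internal mail is accepted, no external mail is, and 5.7.64 appears."""
    ok = lambda scope: sum(n for (s, dsn), n in counts.items()
                           if s == scope and dsn.startswith("2."))
    return (counts[("external", "5.7.64")] > 0
            and ok("external") == 0 and ok("internal") > 0)

if __name__ == "__main__":
    print(dict(classify(SAMPLE_LOG)), external_relay_denied(classify(SAMPLE_LOG)))
```

Running it against the real mail log before and after changing the MTA's certificate shows whether the external rejections have stopped.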