"Relay Access Denied" error when trying to use Office 365 as mail relay


This suggests that you've not got a proper certificate chain set up on your local MTA. Have you reviewed article 3212877 in the Microsoft Knowledge Base? If you're using TLS (and you should) then the Exchange/O365 server needs to be able to validate all the certificates in any incoming TLS connection back to a trusted root.


Author: danny h.

Updated on September 18, 2022

Comments

  • danny h.
    danny h. over 1 year

    I redirect outgoing emails in my organization to my Postfix MTA. From there, I'm redirecting the mails to Office 365 for relaying to the original recipients.

    For external recipients, I get the following error:

    550 5.7.64 TenantAttribution; Relay Access Denied 
    [....prod.protection.outlook.com] (in reply to RCPT TO command))
    

    I have an inbound connector to 'Office 365' and still the mails are blocked with the error above.

    • joeqwerty
      joeqwerty over 5 years
      "I have an inbound connector to 'Office 365' and still the mails are blocked with the error above." - Telling us that without telling us any of the configuration settings of said connector doesn't give us enough information to help.
    • yair
      yair over 5 years
      @joeqwerty (I'm a colleague of danny) ConnectorType is from Partner to Office 365. It verifies the messages come from a specific IP range (where we configured the Postfix external IP). TLS is required but without verifying a specific subject. Emails are only rejected when the recipient is from outside the org.
  • yair
    yair over 5 years
    (I'm a colleague of danny) The connector is marked with "Reject messages if they aren’t encrypted using Transport Layer Security (TLS)" (without enforcing a specific subject). Note this access denied error only appears when the recipient is not part of the organization. I think it means the TLS works OK, but we still see that error for external recipients. Or do you mean a fully trusted certificate chain (and not just a self-signed one) is specifically needed for relaying to external recipients?
  • yair
    yair over 5 years
    (I'm a colleague of danny) Is it required to have a certificate from a trusted CA (and not just a self-signed one) even if the inbound connector requires TLS but without verifying the subject? Note that the connector does work when recipients are inside the org (the report shows emails pass through the connector and with TLS).
  • Shaw
    Shaw over 5 years
    Hi, according to this article: “Check that your on-premises email server has Transport Layer Security (TLS) enabled, with a valid certification authority-signed (CA-signed) certificate.” docs.microsoft.com/en-us/exchange/mail-flow-best-practices/… Though it doesn’t say trusted third-party CA, I think a self-signed certificate is not the case, and in my understanding Exchange Online requires a publicly trusted certificate.
  • Rob Moir
    Rob Moir over 5 years
    @yair I would expect a fully trusted certificate chain is required.
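
To confirm the pattern described in the thread (5.7.64 rejects at the RCPT TO stage only for recipients outside the organization), the Postfix delivery log can be summarized per recipient scope. This is an added example, not code from the original posts; the log lines are constructed, and `corp.example` as the organization's domain and the `parse`/`triage` names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtp(8) delivery-log format; hostnames,
# queue IDs and addresses are invented for this example.
SAMPLE_LOG = """\
Sep 18 10:00:01 mta postfix/smtp[2101]: 4A1B2C3D4E: to=<alice@corp.example>, relay=corp-example.mail.protection.outlook.com[203.0.113.10]:25, delay=1.1, delays=0.1/0/0.6/0.4, dsn=2.6.0, status=sent (250 2.6.0 <m1@corp.example> Queued mail for delivery)
Sep 18 10:00:05 mta postfix/smtp[2102]: 5B2C3D4E5F: to=<bob@partner.example>, relay=corp-example.mail.protection.outlook.com[203.0.113.10]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=5.7.64, status=bounced (host corp-example.mail.protection.outlook.com[203.0.113.10] said: 550 5.7.64 TenantAttribution; Relay Access Denied [....prod.protection.outlook.com] (in reply to RCPT TO command))
Sep 18 10:00:09 mta postfix/smtp[2103]: 6C3D4E5F6A: to=<carol@CORP.EXAMPLE>, relay=corp-example.mail.protection.outlook.com[203.0.113.10]:25, delay=1.0, delays=0.1/0/0.5/0.4, dsn=2.6.0, status=sent (250 2.6.0 <m2@corp.example> Queued mail for delivery)
Sep 18 10:00:12 mta postfix/smtp[2104]: 7D4E5F6A7B: to=<dave@other.example>, relay=corp-example.mail.protection.outlook.com[203.0.113.10]:25, delay=0.8, delays=0.1/0/0.4/0.3, dsn=5.7.64, status=bounced (host corp-example.mail.protection.outlook.com[203.0.113.10] said: 550 5.7.64 TenantAttribution; Relay Access Denied [....prod.protection.outlook.com] (in reply to RCPT TO command))
"""

DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>,"
    r".*?dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<reply>.*)\)$"
)
STAGE = re.compile(r"\(in reply to (?P<stage>.+?) command\)")

def parse(log):
    """Yield one dict per Postfix smtp delivery line found in `log`."""
    for line in log.splitlines():
        m = DELIVERY.search(line)
        if m:
            rec = m.groupdict()
            stage = STAGE.search(rec["reply"])
            rec["stage"] = stage.group("stage") if stage else None
            rec["domain"] = rec["rcpt"].rsplit("@", 1)[-1].lower()
            yield rec

def triage(log, accepted_domains, dsn="5.7.64"):
    """Count deliveries and `dsn` rejects per recipient scope (internal/external)."""
    accepted = {d.lower() for d in accepted_domains}
    totals, rejects, stages = Counter(), Counter(), Counter()
    for rec in parse(log):
        scope = "internal" if rec["domain"] in accepted else "external"
        totals[scope] += 1
        if rec["dsn"] == dsn:
            rejects[scope] += 1
            stages[rec["stage"]] += 1
    # True when the relay rejects hit external recipients and never internal ones
    external_only = rejects["external"] > 0 and rejects["internal"] == 0
    return {"totals": dict(totals), "rejects": dict(rejects),
            "stages": dict(stages), "external_only": external_only}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, ["corp.example"]))
```

Pass the organization's own accepted domains as `accepted_domains`; `external_only` being true matches the behaviour yair reports, where internal recipients are delivered and only external ones are refused.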