Need Advice: Exchange Hybrid - O365 Outbound Connector Validation

Yang Yu 126 Reputation points
2021-07-30T03:19:29.11+00:00

After running HCW (Full Classic Hybrid + Centralized Mail Transport), outbound mail flow from EXO to Exchange Server 2013 didn't work. We found that validation failed if we specified the subject name (the wildcard certificate *.ourdomain.com) under "Always use TLS to secure the connection".

If we changed it to "Any digital Certificate", validation passed and mail started flowing.

The validation error is "450 4.4.317 Cannot connect to remote server [Message=SubjectMismatch]".

I have verified that the same wildcard cert is bound to the Default Frontend Receive Connector and is installed on Exchange 2013 (single-server farm). The Fortigate firewall forwards traffic on port 25 directly to the Exchange Server.

Also, it is really odd that not much relevant information has been logged in the receive connector log.

Any advice will be highly appreciated.

Exchange | Hybrid management

2 answers

  1. KyleXu-MSFT 26,396 Reputation points
    2021-08-02T03:01:32.37+00:00


    I kept the default configuration, and it could send email successfully:

    [screenshot: Exchange Online outbound connector settings]

    [screenshot: successful connector validation]

    So this issue is related to the configuration of your Exchange on-premises receive connector; please check it (it is a wildcard certificate from a public CA):

    [screenshot: on-premises receive connector certificate configuration]

    If all the above configurations are correct, I would suggest that you try disabling the firewall temporarily to check whether this issue is related to your firewall. If you cannot disable the firewall temporarily, please make sure all those IP addresses are on the whitelist of your firewall.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
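The checks below are an added diagnostic example written for this thread; they are not code posted by either participant and not a Microsoft-supplied script. They cover what the question and the answer above describe: confirming which certificate the on-premises Default Frontend receive connector actually pins (the "<I>issuer<S>subject" identifier), turning on the protocol logging whose default level records nothing about the handshake, and comparing the Exchange Online outbound connector's TlsSettings/TlsDomain with the certificate name. The server name EX01, the wildcard name *.ourdomain.com, the MX host mail.ourdomain.com and the test recipient are placeholders (assumptions), so adjust them before running.

```powershell
# Section 1 runs in the Exchange Management Shell on the Exchange 2013 server.
# Section 2 runs in Exchange Online PowerShell after Connect-ExchangeOnline.
# All names below are assumptions taken from the thread, not real values.

### Section 1: on-premises checks ###
$server    = 'EX01'                                  # assumption: Exchange 2013 server name
$connector = "$server\Default Frontend $server"
$tlsDomain = '*.ourdomain.com'   # the TlsDomain value set on the EXO outbound connector

# Which installed certificates cover the name EXO validates, and are they enabled for SMTP?
$certs = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.CertificateDomains -contains $tlsDomain }
$certs | Format-List Thumbprint, Subject, Issuer, CertificateDomains, Services, Status, NotAfter

# What is pinned on the receive connector? An empty TlsCertificateName means Exchange
# chooses a certificate itself, which is not necessarily the public wildcard one.
$rc = Get-ReceiveConnector -Identity $connector
$rc | Format-List Identity, Bindings, AuthMechanism, TlsCertificateName, ProtocolLoggingLevel

# Build the "<I>issuer<S>subject" identifier that TlsCertificateName expects and compare.
$cert = $certs | Where-Object { $_.Services -match 'SMTP' -and $_.Status -eq 'Valid' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($null -eq $cert) {
    Write-Warning "No valid SMTP-enabled certificate on $server contains $tlsDomain"
} else {
    $tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
    if ("$($rc.TlsCertificateName)" -ne $tlsName) {
        Write-Warning "Connector pins '$($rc.TlsCertificateName)' but the wildcard cert is '$tlsName'"
        # Remove -WhatIf to apply the change.
        Set-ReceiveConnector -Identity $connector -TlsCertificateName $tlsName -WhatIf
    }
}

# The default protocol logging level records nothing about the TLS handshake; Verbose does.
Set-ReceiveConnector -Identity $connector -ProtocolLoggingLevel Verbose
$logPath = (Get-FrontendTransportService -Identity $server).ReceiveProtocolLogPath
Get-ChildItem -Path $logPath -Filter 'RECV*.LOG' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Select-String -Pattern 'STARTTLS|certificate' | Select-Object -Last 20

# From any host with OpenSSL, confirm the certificate really offered on port 25 (the one that
# passes through the Fortigate) carries the expected name:
#   openssl s_client -starttls smtp -connect mail.ourdomain.com:25 -servername mail.ourdomain.com </dev/null 2>/dev/null |
#     openssl x509 -noout -subject -ext subjectAltName

### Section 2: Exchange Online checks (separate session, Connect-ExchangeOnline first) ###
$tlsDomain = '*.ourdomain.com'
$obc = Get-OutboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' }
$obc | Format-List Name, Enabled, TlsSettings, TlsDomain, SmartHosts, UseMXRecord

# "Always use TLS ... subject name matches" is TlsSettings DomainValidation plus TlsDomain;
# "Any digital certificate" is EncryptionOnly, which skips the name check entirely.
foreach ($c in $obc) {
    if ($c.TlsSettings -eq 'DomainValidation' -and $c.TlsDomain -ne $tlsDomain) {
        Write-Warning "$($c.Name): TlsDomain '$($c.TlsDomain)' does not match certificate name '$tlsDomain'"
    }
}

# Exercise the connector end to end; the recipient must be an on-premises mailbox (assumption).
foreach ($c in $obc) {
    Validate-OutboundConnector -Identity $c.Identity -Recipients 'hybridtest@ourdomain.com'
}
```

Run section 1 first: if the pinned TlsCertificateName is empty or names a different certificate than the wildcard one, fix that before changing anything in Exchange Online, since a mismatch there produces a SubjectMismatch no matter what TlsDomain says. The verbose receive log then shows which certificate was offered on the STARTTLS session from the EOP address range, which is the evidence the default log level does not give.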


  2. Yang Yu 126 Reputation points
    2021-08-02T05:39:00.367+00:00

    Hi Kyle,

    Thanks for your response.

    I double-checked that our receive connector has the wildcard certificate information/configuration, similar to your screenshot.

    We cannot disable the firewall temporarily.

    We have a firewall rule (Fortigate firewall) to allow SMTP traffic from the EOP IP range to be forwarded straight through without any inspection, and we could see the traffic coming through the firewall from an IP in that range and being forwarded to the Exchange Server.

    And there is actually nothing related logged in the Default Frontend SMTP receive log either.

    Could you please advise anything else I should check? Thanks again.

