Mail could not be sent to the recipients because of the mail server failure. SQL Server smtp relay O365 Exchange Online

Question

Mail could not be sent to the recipients because of the mail server failure. SQL Server smtp relay O365 Exchange Online

Lucas Igbins 0

Please can you help with the configuration you used that resolved your the issue. Error is he mail could not be sent to the recipients because of the mail server failure. (Sending Mail using Account 1 (2024-01-12T22:30:04). Exception Message: Cannot send mails to mail server. (Error in processing. The server response was: 5.7.3 STARTTLS is required to send mail [HBNBB2PR11CA0024.namprd46.prod.outlook.com 2024-01-12T22:30:04.588Z 08DC1349D89C1DDD]).
) TLS 1.2 is enabled on the server. Office 365 mailbox has smtp auth enabled My application owner is using similar setup on the SQL server. I am using this setup User's image

1 answer

Your answer

Answer 1

Andy David - MVP 155.4K MVP

Ensure:

Security Defaults aren't enabled ( You really shouldnt disable the security defaults if you arent enforcing MFA with a CA policy) https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults
Exclude the user from any Conditional Access policy that blocks Legacy Authentication
Disable any per users MFA on the account.

Lucas Igbins 0 Reputation points

2024-02-04T23:38:24.6666667+00:00

@Andy David - MVP Thanks for the reply. Our Security default is enforced via a CA policy and we have Okat MFA enforce.
Kael Yao 37,721 Reputation points

2024-02-05T01:56:14.9366667+00:00

Hi @Lucas Igbins

To use basic auth to relay emails, you may need follow Andy's advice to disable these settings (MFA and conational access policy) on the mailbox.

If that is not possible, you can also try the other two options (direct send or using a connector for SMTP relay) in this documentation:

How to set up a multifunction device or application to send emails using Microsoft 365 or Office 365
Lucas Igbins 0 Reputation points

2024-02-05T11:48:47.59+00:00

Thank Kael Yao-MSFT. I will check with my security team if that can be done but I am doubtful because we might get exposed if account not using MFA. However, I tried Option 3 "**using TLS certificate-based connector"**and got this error message below. Configure a TLS certificate-based connector to relay email through Microsoft 365 or Office 365 The mail could not be sent to the recipients because of the mail server failure. (Sending Mail using Account 1 (2024-01-30T20:48:11). Exception Message: Cannot send mails to mail server. (Mailbox unavailable. The server response was: 5.7.51 TenantInboundAttribution; There is a partner connector configured that matched the message's recipient domain. The connector had either the RestrictDomainsToIPAddresses or RestrictDomainsToCertificate set
Andy David - MVP 155.4K Reputation points MVP

2024-02-05T12:26:19.4733333+00:00

that means you have a connector already configured on port 25 for your domain to ExO most likely. As far as MFA, you can not use Basic auth and also require MFA on the account so you will need to make a decision :)

Either exclude this account from MFA as I mention above or us a different way to send it. Either via an existing connector and not submit on port 587 or use OAuth

https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365#option-1-authenticate-your-device-or-application-directly-with-a-microsoft-365-or-office-365-mailbox-and-send-mail-using-smtp-auth-client-submission
Kael Yao 37,721 Reputation points

2024-02-08T06:48:01.8233333+00:00

Hi @Lucas Igbins It has been a while. I am writing here to confirm with you how thing going now?
Lucas Igbins 0 Reputation points

2024-02-08T18:35:11.03+00:00

@Kael Yao I am looking at testing with the TLS base connector
Lucas Igbins 0 Reputation points

2024-02-12T11:45:59.2566667+00:00

Followed this steps and getting error below Configure a TLS certificate-based connector to relay email through Microsoft 365 or Office 365 First, configure your device or application by entering the settings as described in the following table: Expand table |Device or application setting|Value| | -------- | -------- | |Server/smart host|Your MX endpoint, for example, yourdomain- com.mail.protection.outlook.com| |Server/smart host|Your MX endpoint, for example, yourdomain- com.mail.protection.outlook.com| |Port|Port 25| |TLS/StartTLS|Must be enabled and only TLS 1.2 is supported| |TLS Certificate CN (Common Name) or SAN (Subject Alternative Name)|The certificate which has CN or SAN that contains a domain name you've registered with your Office 365 organization.| |Email address|This can be any email address.|

If you already have a connector that's configured to deliver messages from your on-premises organization to Microsoft 365 or Office 365 (for example, a hybrid environment), you probably don't need to create a dedicated connector for Microsoft 365 or Office 365 SMTP relay. To create or change a certificate-based connector, perform the following steps: Sign in to Exchange admin center. For more information, see Exchange admin center in Exchange Online. On the left navigation pane, select mail flow, select Connectors, and then do the following: If there are no connectors, select + Add a connector. If a connector already exists, select the connector, and then select the edit icon. On the Select your mail flow scenario page, select the Your organization's email server radio button under Connection from. Once you choose Your organization's email server from the Connection from drop-down, Office 365 is automatically chosen from the Connection to drop-down. Enter the connector name and other information, and then select Next. On the Authenticating sent email page, select the first option to use the subject name on the certificate of the sending server to authenticate with Office 365. The domain name in the option should match the CN or SAN in the certificate used by your server, device, or application. Note This domain must be the one that belongs to your organization, that is, this domain should be the one you've registered with Microsoft 365. For more information, see Add a domain to Microsoft 365. For example, Contoso.com belongs to your organization, and it's part of the CN or SAN in the certificate that your service, device, or application uses to communicate with Microsoft 365. If there are multiple domains in the certificate (such as mail1.contoso.com, mail2.contoso.com, and so on), we recommend that the domain in the connector UI be *.contoso.com. Existing hybrid customers who used the Hybrid Configuration Wizard to configure their connectors should check their existing connector to ensure that it uses *.contoso.com instead of mail.contoso.com or hostname.contoso.com. This domain verification is because mail.contoso.com and hostname.contoso.com may not be registered domains in Microsoft 365.

Error The mail could not be sent to the recipients because of the mail server failure. (Sending Mail using Account 1 (2024-01-30T20:48:11). Exception Message: Cannot send mails to mail server. (Mailbox unavailable. The server response was: 5.7.51 TenantInboundAttribution; There is a partner connector configured that matched the message's recipient domain. The connector had either the RestrictDomainsToIPAddresses or RestrictDomainsToCertificate set
Kael Yao 37,721 Reputation points

2024-02-13T06:27:35.2066667+00:00

If you are using the certificate authentication, you may need to make sure that:

The domain name in the option should match the CN or SAN in the certificate used by your server, device, or application.

If this is not possible, please try using ip-based authentication instead if your SQL server is sending emails from a static public ip address.

Share via

Mail could not be sent to the recipients because of the mail server failure. SQL Server smtp relay O365 Exchange Online

1 answer

Your answer