This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 43%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
We use a Cloud service for security scanning with our mailflow, we are using a smtp-call-ahead with it to identify existing addresses in Exchange online, this stopped working some weeks ago, because Exchange Online is handling those delivery attempts to non-existent addresses differently. The mails are often accepted for delivery and Exchange online creates the NDR, sometimes we can still see the old behaviour with a rejected delivery, I was able to reproduce the issue with telnet, I'm hoping to gather some information about when Exchange Online answers with 2.1.5 and when with 5.4.1 for addresses not existing...
telnet 104.47.9.36 25
Trying 104.47.9.36...
Connected to mail-ve1eur030036.inbound.protection.outlook.com.
Escape character is '^]'.
220 VE1EUR03FT006.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Tue, 10 Nov 2020 21:24:33 +0000
ehlo -deleted-
250-VE1EUR03FT006.mail.protection.outlook.com Hello -deleted-
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
mail from: -deleted-
250 2.1.0 Sender OK
rcpt to: -deleted-
550 5.4.1 Recipient address rejected: Access denied. AS(201806281) [VE1EUR03FT006.eop-EUR03.prod.protection.outlook.com]
quit
221 2.0.0 Service closing transmission channel
Connection closed by foreign host.
telnet 104.47.10.36 25
Trying 104.47.10.36...
Connected to mail-db5eur030036.inbound.protection.outlook.com.
Escape character is '^]'.
220 DB5EUR03FT054.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Tue, 10 Nov 2020 21:25:06 +0000
ehlo -deleted-
250-DB5EUR03FT054.mail.protection.outlook.com Hello -deleted-
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
mail from: -deleted-
250 2.1.0 Sender OK
rcpt to: -deleted-
250 2.1.5 Recipient OK
quit
221 2.0.0 Service closing transmission channel
Connection closed by foreign host.
Hi,
the issue is about deliveries to addresses that don't exist only, like saldkjfalsdk@Company portal .com, all domains are authoritative and I would see different results with 2.1.5 or 5.4.1 for delivery attempts to saldkjfalsdk@Company portal .com .
Thank you for your help!
stephan
Correct. thats what I was referring to. Invalid recepients :)
Where do see the 2.15 ? thats an event usually reserved for messages that are dropped.
If thats in a NDR, can you post the exact and full NDR here? ( minus any personal info)
With 2.1.5 I was referring to the acceptance of the delivery only,
250 2.1.0 Sender OK
rcpt to: -deleted-
250 2.1.5 Recipient OK
quit
Why is the delivery accepted sometimes and sometimes not? If it is accepted, the NDR is created in my tenant and sent to the sender with the below failure:
550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient lasdfjlsdkf@Company portal .com not found by SMTP address lookup
ah ok, gotcha. - I assumed an event or NDR ...
Thats a real good question. If you are seeing this with the same invalid ( non existent) recipient, that indicates some issues on the 365 side.
If that accepted domain is authoritative, it should always reject during the SMTP conversation with Directory Edge Blocking
Do you see this often? Can it be reproduced at will?
Now, Having said that, the official doc gives them an out on this :)
https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-directory-based-edge-blocking
There might be infrequent instances where recipient addresses that do not exist in your Microsoft 365 or Office 365 organization are allowed to relay through the service.
Thank you very much for your help @Andy David - MVP ! That's exactly what I was looking for...
Cool. Glad to have helped. If you don't mind, please mark any accepted answer and we close this up. Thanks!
Alot of that depends if the accepted domain in Exchange Online is set to authoritative or not.
If set to authoritative, then it will reject the message to an invalid recipient at the gateway:
550 5.4.1 Recipient address rejected: Access denied. AS(201806281) [
If not and the accepted domain is set to internal relay, it will accept the message and attempt to route it to another system ( such as hybrid archictecture with an on-prem component) and NDR it later if not found.
So, I guess the question is are you seeing different results sending to the same user or to the same domain?