Exchange Hybrid SMTP relay not working after change of public IP

James Edmonds 811 Reputation points


We have a Hybrid Exchange Server on prem, solely used to relay SMTP messages from on premise devices and applications to Office365.
This works perfectly well, however I just attempted to change our WAN link over to a new public IP/subnet, and it broke the relay.

I re-ran the HCW which did not help, and I also added the new IP/range to our SPF record (which I don't think is explicitly required for internal relaying anyway).
The message makes it to the Exchange server, but never to 365 from what I can see.

I don't see why a change of public IP would cause the relay to break?
Can anyone offer me any guidance?

Many thanks


2 answers

  1. Philippe Levesque 5,701 Reputation points MVP

    Hi, in your send connector in O365, make sure your new IP is there. O365 should be set to only relay when the email comes from your IP, so as not to be open to relay to the entire internet.


  2. James Edmonds 811 Reputation points

    We had a dig through the on prem message tracking logs, and found this error:
    {[{LED=550 5.7.606 Access denied, banned sending IP [x.x.x.x]. To request removal from this list please visit and follow the directions. For more
    information please go to
    AS(1430)};{MSG=};{};{IP=};{LRT=16/08/2022 10:11:11}]}

    Looks like this IP for some reason was blacklisted (must have been by previous owner of IP, as it is a new, unused IP for us).
    We have requested Microsoft remove the blacklist, which they have done, and now all working as expected.

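Added example, not part of the thread: a small Python parser for status strings in the shape of the tracking-log error quoted in the answer above, grouping rejections that name a banned sending IP so a blocked relay address stands out from other delivery failures. The sample lines, the function names, and the assumption that each entry arrives as one `{KEY=value}` string are constructed for illustration.

```python
import re

# Constructed sample lines in the shape of the error quoted above; the IPs are
# documentation addresses (RFC 5737) and the timestamps are made up.
SAMPLE = [
    "{[{LED=550 5.7.606 Access denied, banned sending IP [203.0.113.10]. To request removal ...};{MSG=};{};{IP=};{LRT=16/08/2022 10:11:11}]}",
    "{[{LED=550 5.7.606 Access denied, banned sending IP [203.0.113.10]. To request removal ...};{MSG=};{};{IP=};{LRT=16/08/2022 10:26:40}]}",
    "{[{LED=451 4.4.0 DNS query failed};{MSG=};{};{IP=};{LRT=16/08/2022 10:30:02}]}",
    "250 2.0.0 OK",
]

FIELD = re.compile(r"\{(\w+)=([^{}]*)\}")              # {KEY=value} pairs
CODE = re.compile(r"(\d{3}) (\d\.\d{1,3}\.\d{1,3})")   # SMTP reply + enhanced code
BANNED = re.compile(r"banned sending IP \[([^\]]+)\]")


def parse_fields(status):
    """Split one status string into its KEY=value fields."""
    return dict(FIELD.findall(status))


def banned_ip_rejections(lines):
    """Map each rejected sending IP to its code, hit count and first/last LRT."""
    summary = {}
    for line in lines:
        fields = parse_fields(line)
        led = fields.get("LED", "")
        hit = BANNED.search(led)
        if not hit:
            continue  # other failures (DNS, TLS, ...) need different handling
        code = CODE.match(led)
        entry = summary.setdefault(hit.group(1), {
            "code": code.group(2) if code else None,
            "count": 0,
            "first": fields.get("LRT"),
        })
        entry["count"] += 1
        entry["last"] = fields.get("LRT")
    return summary


if __name__ == "__main__":
    for ip, info in banned_ip_rejections(SAMPLE).items():
        print(ip, info)
```

A rejection that names the new public IP immediately after a WAN cutover points at the reputation of the address itself rather than at connector or SPF configuration.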