This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 79%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJE%3C/text%3E%3C/svg%3E)
Hi,
We have a Hybrid Exchange Server on prem, solely used to relay SMTP messages from on premise devices and applications to Office365.
This works perfectly well, however I just attempted to change our WAN link over to a new public IP/subnet, and it broke the relay.
I re-ran the HCW which did not help, and I also added the new IP/range to our SPF record (which I don't think is explicitly required for internal relaying anyway).
The message makes it to the Exchange server, but never to 365 from what I can see.
I don't see why a change of public IP would cause the relay to break?
Can anyone offer be any guidance?
Many thanks
James
Could you tell use how do you configure SMTP relay on your Exchange on-premises?
Does your application relay mail from inside or outside your on-premises organization?
If you only use Exchange on-premises for relay emails for application. A hybrid isn't needed.
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
We have a receive connector set to accept anonymous connections from whitelisted internal IPs for devices and serers that need to relay.
The send connectors are the configured by the HCW to route messages to Office365.
We also have a secondary send connector with a scope of *, to allow for external relaying via 365.
This is all fine and works for our scenario, so am happy with the config. I just need to understand where the IP change may be coming into play.
Thanks
James
If you relay emails from internal of organization, the change of public IP should not effect the using of relay emails (You will could relay emails even without publish your Exchange server).
I would suggest you try to use Telnet to check whether the connector configuration is correctly. If you could relay emails to internal recipient but the external recipient cannot receive this emails, this issue may related with SPF record.
We had a dig through the on prem message tracking logs, and found this error:
{[{LED=550 5.7.606 Access denied, banned sending IP [x.x.x.x]. To request removal from this list please visit https://sender.office.com/ and follow the directions. For more
information please go to http://go.microsoft.com/fwlink/?LinkID=526655
AS(1430)};{MSG=};{FQDN=aspallcouk-mail-onmicrosoft-com.mail.protection.outlook.com};{IP=104.47.20.36};{LRT=16/08/2022 10:11:11}]}
Looks like this IP for some reason is blacklisted in Exchange online, so we are trying to contact Microsoft to have it removed.
Okay, waiting for your good news for this one.
Hi, in your send connector in o365 make sure your new IP is there. The O365 should be set to only relay when the email come from your IP, to not be open to relay to the entire internet.
Hi, our inbound connector in Exchange online is configured to verify based on certificate identity (as configured by the HCW):
Should this not be sufficient?
Given the server itself is not changing, it will be using the same cert, so again don't see why the IP would impact this setting?
Unless I am missing a PTR record or something in DNS?
Cheers
James
We had a dig through the on prem message tracking logs, and found this error:
{[{LED=550 5.7.606 Access denied, banned sending IP [x.x.x.x]. To request removal from this list please visit https://sender.office.com/ and follow the directions. For more
information please go to http://go.microsoft.com/fwlink/?LinkID=526655
AS(1430)};{MSG=};{FQDN=aspallcouk-mail-onmicrosoft-com.mail.protection.outlook.com};{IP=104.47.20.36};{LRT=16/08/2022 10:11:11}]}
Looks like this IP for some reason was blacklisted (must have been by previous owner of IP, as it is a new, unused IP for us).
We have requested Microsoft remove the blacklist, which they have done, and now all working as expected.