Users in your Exchange 2013-based hybrid deployment experience mail issues after April 15, 2016

Original KB number:   3156771

Problem

Consider the following scenario:

  • You have a Microsoft Exchange Server 2013-based hybrid deployment.
  • You run the Hybrid Configuration wizard on a server that's running Exchange 2013 Cumulative Update 8 (CU8) or an earlier version.
  • You haven't run the Hybrid Configuration wizard on a server that's running Exchange 2013 Cumulative Update 9 (CU9) or a later version.

In this scenario, you experience one or more of the following symptoms after April 15, 2016:

  • Email messages from Exchange Online users to on-premises users are missing Skype for Business presence information.

  • Email messages from Exchange Online users to on-premises users display the sender name as <FirstName> <LastName> <SMTPaddress> instead of as <FirstName> <LastName>.

  • If you disabled any receive connectors other than the Default Frontend connector, and you enabled domain validation on the Default Frontend connector in your environment, the following error message is shown when Exchange Online users send mail to on-premises users. The message appears in the deferral message in the Message Tracking dialog box in the Exchange admin center.

    451 4.7.0 Temporary server error. Please try again later. PRX5

  • On-premises users are unable to send email messages to Exchange Online users. The on-premises mail queue shows the following error message:

    454 4.7.5 The certificate specified in the tlscertificatename of the send connector could not be found.

  • If you have a centralized mail transport configuration, Exchange Online users who send email messages to external recipients receive a nondelivery report (NDR) that contains the following error message:

    Your message to <recipient> couldn't be delivered.
    Security or policy settings at <recipient domain> have rejected your message.

If you view the details of the NDR, you see information that resembles the following:

Error Details:
Reported error: 550 5.7.1 Unable to relay
DSN generated by: CY1PR0601MB1642.namprd06.prod.outlook.com
Remote server: <Server>.Contoso.com

To verify that you're experiencing this issue, open the Exchange Management Shell, and then run the following command:

Get-ReceiveConnector |where {$_.TlsDomainCapabilities -like "*MSIT Machine Auth CA 2*"}

Examine the output. If the command returns a connector whose TlsDomainCapabilities value resembles the following, that connector is affected.

<I>CN=MSIT Machine Auth CA 2, DC=Redmond, DC=corp, DC=microsoft, DC=com...

Cause

This problem occurs because a change was made to the Transport Layer Security (TLS) certificate in Exchange Online on April 15, 2016.

Resolution

To resolve this problem, use one of the following methods.

Method 1 - Run the Microsoft 365 Hybrid Configuration Wizard

Use the Microsoft 365 Hybrid Configuration Wizard (HCW) to configure the Exchange 2013 servers to work with the new TLS certificate. To do this, follow these steps:

  1. If the Exchange Server 2013 servers that handle hybrid mail flow are running Exchange Server 2013 CU8 or an earlier version, follow the instructions at Updates for Exchange 2013 to install the latest cumulative update on at least one server.

  2. After you install the latest cumulative update, download the Microsoft 365 Hybrid Configuration Wizard from https://aka.ms/HybridWizard, and then run it by following the instructions at Introducing the Microsoft 365 Hybrid Configuration Wizard.

For information about the releases of Exchange Server that are supported in Microsoft 365, see Hybrid deployment prerequisites.

Method 2 - Manually configure the servers

If you can't upgrade Exchange Server 2013 to the latest cumulative update now, you can manually configure the servers to work with the new TLS certificate.

To do this, open the Exchange Management Shell on each server that's running Exchange Server 2013 and is used for hybrid mail flow. Then, run the following commands:

$rc=Get-ReceiveConnector |where {$_.TlsDomainCapabilities -like "*MSIT Machine Auth CA 2*"}
$rc | foreach {Set-ReceiveConnector -Identity $_.identity -TlsDomainCapabilities "mail.protection.outlook.com:AcceptCloudServicesMail"}
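The following script is an added example and is not part of the Microsoft KB article. It combines the verification step (finding receive connectors whose TlsDomainCapabilities still reference the retired "MSIT Machine Auth CA 2" issuer) with the manual fix above, and it differs from the article's one-liner in one respect worth knowing: Set-ReceiveConnector -TlsDomainCapabilities with a single value replaces the whole multivalued list, so any unrelated entries on that connector are dropped. The script instead removes only the entries that match the old issuer, adds the replacement value, and reports the before and after state; it supports -WhatIf so you can preview the change. The function name, its parameters and the server names in the usage comments are this example's own, not names from the article. Run it from the Exchange Management Shell.

```powershell
# Added example (not from the Microsoft KB article): find receive connectors on
# Exchange 2013 servers that still trust the retired Exchange Online TLS issuer
# ("MSIT Machine Auth CA 2") in TlsDomainCapabilities, report them, and replace
# only that entry with the value the article prescribes.
# The function and parameter names are this example's own.
function Repair-HybridTlsDomainCapability {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Servers to inspect. Defaults to every Exchange 2013 (version 15.0) server
        # in the organization, which is broader than the article's "servers used
        # for hybrid mail flow"; pass -Server to narrow the scope.
        [string[]]$Server,

        # Pattern from the article that identifies the retired certificate issuer.
        [string]$OldIssuerPattern = '*MSIT Machine Auth CA 2*',

        # Replacement value from the article.
        [string]$NewCapability = 'mail.protection.outlook.com:AcceptCloudServicesMail'
    )

    if (-not $Server) {
        $Server = Get-ExchangeServer |
            Where-Object { $_.AdminDisplayVersion.Major -eq 15 -and $_.AdminDisplayVersion.Minor -eq 0 } |
            Select-Object -ExpandProperty Name
    }

    foreach ($srv in $Server) {
        # Same filter as the article's verification command, scoped to one server.
        $connectors = Get-ReceiveConnector -Server $srv |
            Where-Object { $_.TlsDomainCapabilities -like $OldIssuerPattern }

        if (-not $connectors) {
            Write-Verbose "$srv : no receive connector references the old issuer"
            continue
        }

        foreach ($rc in $connectors) {
            # Current entries as strings ("domain:capability" or "<I>issuer<S>subject:capability").
            $current = @($rc.TlsDomainCapabilities | ForEach-Object { $_.ToString() })

            # Keep every entry unrelated to the old issuer, then add the new value once.
            $keep = @($current | Where-Object { $_ -notlike $OldIssuerPattern })
            if ($keep -notcontains $NewCapability) { $keep += $NewCapability }

            # Report what will change (or did change) on this connector.
            [pscustomobject]@{
                Server    = $srv
                Connector = $rc.Identity
                Before    = $current -join '; '
                After     = $keep -join '; '
            }

            # Honours -WhatIf / -Confirm passed to the function.
            if ($PSCmdlet.ShouldProcess($rc.Identity, "Set TlsDomainCapabilities to '$($keep -join '; ')'")) {
                Set-ReceiveConnector -Identity $rc.Identity -TlsDomainCapabilities $keep
            }
        }
    }
}

# Preview only, across all Exchange 2013 servers:
# Repair-HybridTlsDomainCapability -Verbose -WhatIf
# Apply on the servers that handle hybrid mail flow (placeholder server names):
# Repair-HybridTlsDomainCapability -Server 'EX13-HYB01','EX13-HYB02'
```

After the change, rerun the article's verification command; it should return no connectors. The fix is temporary in the sense the article describes: running the current Hybrid Configuration Wizard (Method 1) remains the supported way to keep the connectors in step with future Exchange Online certificate changes.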