Saturday, August 19, 2017

Exchange - External Forward 550 5.7.54 Unable To Relay In Non-Accepted Domain

I recently had this problem where an Accepted Domain in my Exchange environment would get a bounce when mailing a Shared Mailbox that was set with an external forward. In case you have the same setup as me, I've found a fix.

Consider this scenario: you have two Exchange Resource Forest us.domain.com and eu.domain.com.
The eu.domain.com is set as an Internal Relay Accepted Domain in the us.domain.com Exchange environment.
The us.domain.com has a Shared Mailbox, which forwards to an external email address with the ForwardingSmtpAddress switch like so:
Get-Mailbox "Shared Mailbox Name" |fl *forw*
DeliverToMailboxAndForward : True
ForwardingAddress          :
ForwardingSmtpAddress      : smtp:externalemailaddress@externaldomain.net

When users from the eu.domain.com Resource Forest send a message to the Shared Mailbox in the US, they get the following error:
The email to the following recipient(s) could not be delivered:
The remote mail server told: 550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain

All other external senders (people from outside the company) can send and messages get forwarded successfully.
Setting the forward by using the ForwardingAddress switch and creating a MailContact causes all senders from both the other forest and external to fail; so you must keep the ForwardingSmtpAddress set.
A brief overview of ForwardingSmtpAddress vs ForwardingAddress:
This is a RecipientIdParameter value which has a higher priority than ForwardingSmtpAddress; meaning if you set the parameter ForwardingAddress, other forwarding settings will be overritten. This setting does not require the Set-RemoteDomain -AutoForwardEnabled, it does require an external MailContact in Exchange.
ForwardingSmtpAddress :
This is a msExchGenericForwardingAddress AD attribute. It has lower a priority than ForwardingAddress and is not accessible in in the EAC; you must use PowerShell to set it. You must also use the Set-RemoteDomain -AutoForwardEnabled $True cmdlet to allow forwarding, but it does not require a MailContact in Exchange.

The Fix:

We'll need to create a dedicated Send Connector to the domain for our external forward.

In the EAC, navigate to Mail Flow, Send Connectors, +

In the New Send Connector window, give it a name like "External Forward" and click Next

Create Send Connector

Leave MX record selected and click Next

Send Connector to MX

Click the + and under the FQDN type the domain name for the external contact, click Save, and Next

Send Connector Domain

For the Source Server, click the + and select your Edge server if you have one, or your Mailbox servers (all of them) and click Ok, then Finish

Send Connector Source Server

Enable Verbose Logging on the Connector:

You'll want full logging on the connector so you can check the SMTPSend protocol logs later to verify successful sending.

In the Exchange Management Shell (EMS), run the following:

Set-SendConnector "External Forward" -ProtocolLoggingLevel Verbose


If the external domain requires it, you'll need to enable forced TLS, else messages will be dropped.

In the EMS run the following:

Get-SendConnector "External Forward" | Set-SendConnector -RequireTLS $true

Now test! Have someone from the other Resource Forest send to the Shared Mailbox and have an external sender send a message the Shared Mailbox and verify that it forwards by using the protocol logs.

**Note** Depending on what source server you used (Edge or Mailbox) that's where you'd check the SMTPSend protocol logs.

1 comment:

  1. What an exquisite post you have got written! It would come back to nice facilitate of the beginners like me! this can be terribly clear, precise and descriptive really! thanks most Mr.Author. Keep writing for us like this.:)