When you run Microsoft Exchange Hybrid Configuration Wizard and when mail flow connectors are being created, you may experience a warning message. If this warning is ignored, the Hybrid Configuration Wizard allows you to continue by using the value that's obtained from on-premises. However, your on-premises environment cannot send mails on behalf of any domain that’s not validated as an accepted domain in your Office 365 tenant. Also, you receive the following non-delivery report (NDR):
550 5.7.64 Relay Access Denied ATTR36. For more details please refer to: https://support.microsoft.com/kb/3169958
This warning occurs if one of the following conditions is true:
- The certificate that you are using on-premises has a subject name (that is, the certificate value for host name) which does not match any accepted domain in your Office 365 tenant.
For example, the certificate subject is <S>CN=contoso.com. However, the contoso.com domain isn't verified in your Office 365 tenant.
- The certificate that you are using on-premises has a subject name where the host name does not belong to an immediate accepted domain name which is verified in your Office 365 tenant.
For example, the certificate subject is <S>CN=hostname.contoso.com. However, the contoso.com domain isn't verified in your Office 365 tenant. As another example, the certificate subject name is <S>CN=hostname.subdomain.contoso.com. However, only contoso.com is registered as an accepted domain for your tenant.
To enable your on-premises environment to send mails, you can take one of the following actions:
- (Preferred) Add the domain that’s used on the certificate to the Office 365 tenant. If you own the domain, sign in to Office 365 with administrator permissions, locate Settings -> Domains, and then follow the instructions. If the certificate subject name is hostname.subdomain.contoso.com, you only have to add subdomain.contoso.com.
- Have the certificate reissued with a different name which matches an accepted domain in the Office 365 tenant. You can still specify subject alternative names that you want. Wildcard certificates are enabled, but not required. If you do this, you have to install the newly issued certificate on the Exchange Server that's used for hybrid mail flow. You may also have to make sure that the fully qualified domain name (FQDN) is set correctly on the Exchange Server connector.
After you complete either option, rerun the Hybrid Configuration Wizard so that the Exchange Online connector can be set correctly.
Make sure that the client certificate that's provided when you establish Transport Layer Security (TLS) matches the value of the TlsSenderCertificateName parameter on the (inbound) connector, and then authenticate the certificate as a validated accepted domain. You can use this manner to validate that mails that are submitted during an SMTP conversation belong to your Office 365 tenant. In this manner, you can verify that the mails are only on the tenant.
For more information, refer to identifying email from your email server using certificates.
Article ID: 4019940 - Last Review: 21 Apr 2017 - Revision: 11