"550 5.7.64 TenantAttribution; Relay Access Denied SMTP" error when sending mail through Exchange Online Protection

Applies to: Exchange OnlineExchange Server 2016 Enterprise EditionExchange Server 2016 Standard Edition


Consider the following scenario:

  • You relay email through Exchange Online Protection from your on-premises Exchange environment or from your Internet Information Services (IIS) SMTP server.
  • You have an inbound connector that's set to on-premises and has certificate validation enabled.
In this scenario, mail isn't relayed through Exchange Online Protection. Additionally, you receive the following error message:
550 5.7.64 TenantAttribution; Relay Access Denied SMTP
Senders receive a non-delivery report (NDR) that contains this error code. Or, you see the error logged in IIS SMTP logs or in Send connector logs.

Additionally, if you enabled CAPI2 operational logging in Event Viewer, the following entry is logged:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
<TimeCreated SystemTime="2016-12-01T03:09:55.456180600Z" />
<Correlation />
<Execution ProcessID="544" ThreadID="1996" />
<Security UserID="S-1-5-18" />
<Policy type="CERT_CHAIN_POLICY_SSL" constant="4" />
<Certificate fileRef="EC53EBC94A796C42E5B4E5851F961874F013D94C.cer" subjectName="*.ServerName.com" />
<CertificateChain chainRef="{8729A893-3D34-49D1-8030-8513DE8E8897}" />
<Flags value="0" />
<SSLAdditionalPolicyInfo authType="server">
<Status chainIndex="0" elementIndex="-1" />
<EventAuxInfo ProcessName="lsass.exe" impersonateToken="S-1-5-18" />
<CorrelationAuxInfo TaskId="{AD28C3AB-7CFE-4CF0-A623-F6CAC805A73C}" SeqNumber="1" />
<Result value="800B0109">A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.</Result>


This problem occurs if the on-premises server is not sending the required certificate chain during the Transport Layer Security (TLS) handshake to Exchange Online.


To resolve this problem, follow these steps:

  1. Get the list of intermediate certificates from the issuer of the third-party certificate.
  2. Export the intermediate certificates from the affected server.

    1. Open the Certificates snap-in on the affected server.
    2. Select Computer account, and then click Local Computer.
    3. In the console tree, expand Personal, and then click Certificates.
    4. Double-click the third-party certificate that's associated with the SMTP service, and then click the Certification Path tab.
    5. Select the intermediate certificate in the certificate path that's listed, click View Certificate, and then click Copy to File on the Details tab.
    6. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.
    7. On the File to Export page, select the file name and path, click Next, and then click Finish.
    8. If there's more than one intermediate certificate in the certificate path, repeat step 2C tthrough step 2F for every intermediate certificate in the path.
  3. Import the intermediate certificates that you exported in step 2 to the intermediate certification authorities (CAs) on the sending server. To do this, run the following command in an elevated Windows PowerShell session:
    Get-ChildItem –Path c:\import\intermediateca.cer | Import-Certificate –CertStoreLocation cert:\LocalMachine\CA 


Still need help? Go to Microsoft Community.