Email messages sent from Office 365 users in a hybrid deployment are rejected, and nondelivery reports are received

Note The Hybrid Configuration wizard that's included in the Exchange Management Console in Microsoft Exchange Server 2010 is no longer supported. Therefore, you should no longer use the old Hybrid Configuration wizard. Instead, use the Office 365 Hybrid Configuration wizard that's available at http://aka.ms/HybridWizard. For more information, see Office 365 Hybrid Configuration wizard for Exchange 2010.
PROBLEM
You run the Hybrid Configuration Wizard in Exchange Server 2010 to set up a shared namespace and centralized mail control configuration between your on-premises Exchange Server environment and Exchange Online in Office 365. However, eventually, you notice that email messages that are sent from cloud-based mailboxes are rejected, and senders receive nondelivery reports (NDRs). Over time, the frequency of the NDRs increase.
CAUSE
This issue can occur if the IP addresses that are associated with Exchange Online Protection changed. These IP addresses aren't automatically updated in the on-premises environment. Therefore, the IP addresses that are set in the on-premises Exchange Online Protection receive connector may become invalid. When this occurs, mail that's routed from Office 365 users through Exchange Online Protection to the on-premises environment may be rejected.
SOLUTION
To fix this issue, do one of the following:
  • Rerun the Hybrid Configuration Wizard. Rerunning the wizard configures the on-premises Exchange Online Protection receive connector to use the correct IP addresses.

    Note This step applies only to the Hybrid Configuration Wizard in Exchange Server 2010. When you run the Hybrid Configuration Wizard in Exchange Server 2013, no receive connectors are created or are necessary.
  • Manually update the IP addresses that are listed under Receive mail from remote servers that have these IP addresses for the on-premises Exchange Online Protection receive connector. For a list of Exchange Online Protection data center IP addresses, see Exchange Online Protection IP addresses.
MORE INFORMATION
In a shared namespace and centralized mail control scenario, an Exchange Online Protection receive connector must be created on the hybrid Exchange 2010 hub transport server to make sure that the on-premises environment receives mail from Office 365 users. The Hybrid Configuration Wizard creates the receive connector on the appropriate Exchange 2010 server. Then, the wizard configures the connector with the IP addresses to enable incoming Exchange Online Protection traffic from Office 365 users to be routed to the on-premises environment.

The following screen shot shows an example of an Exchange Online Protection receive connector that the Hybrid Configuration Wizard creates.

Screen shot of an Exchange Online Protection receive connector

For more information about the Hybrid Configuration Wizard in Exchange 2010, see Hybrid Deployments with the Hybrid Configuration Wizard.

Still need help? Go to the Office 365 Community website or the Exchange TechNet Forums.
Properties

Article ID: 2750145 - Last Review: 04/25/2016 11:06:00 - Revision: 9.0

Microsoft Exchange Online, Microsoft Exchange Online Protection, Microsoft Exchange Server 2010 Enterprise, Microsoft Exchange Server 2010 Standard

  • o365 hybrid kbgraphxlink kbgraphic o365022013 eop KB2750145
Feedback