Email not being delivered to M365 and being forwarded back on-prem
Hi All
Hopefully I can explain the issue given it is a bit puzzling and a complex setup.
We have 2 environments/tenants: contosodev.com for dev work and contoso.com for production. We have an on-prem Exchange 2019 infrastructure for contosodev.com and an on-prem Exchange 2016 infrastructure for contoso.com.
Between the on-prem environments and M365 we have an Exchange 2019 edge server (not AD Sync'd) for each environment (dev and production) that takes email from on-prem and sends it to M365. The on-prem Exchange server has a send connector that routes email destined for contosodev.mail.onmicrosoft.com (dev) or contoso.mail.onmicrosoft.com (production) via these edge servers. The edge servers have a receive connector to take this email and a send connector to then send it on to M365. The connectors use certificate validation in each case.
The M365 tenants have an inbound connector to receive this email, also with certificate validation. All connectors are set up the same apart from the obvious difference in domains. The tenants are authoritative for their respective domains: for dev, contosodev.com & contosodev.mail.onmicrosoft.com (and also the default contosodev.onmicrosoft.com); for production, contoso.com & contoso.mail.onmicrosoft.com (and also the default contoso.onmicrosoft.com).
The tenants have outbound connectors to route all email via the on-premises Exchange servers. So any email in M365 for, say, contosodev.com (dev) or contoso.com (production) gets routed to the outbound connector and hence to on-prem Exchange, where it can either be delivered locally or, if it's an external address, routed out via our gateway infrastructure.
Each tenant has a test mailbox (shared). The mailbox has been migrated from the on-prem infrastructure to M365. Each has email addresses of contosodev.mail.onmicrosoft.com & contosodev.com for the dev environment and contoso.mail.onmicrosoft.com & contoso.com for production.
Now the puzzling bit.
In the dev environment, if I send an email from an on-prem mailbox to [email address removed for privacy reasons], Exchange on-prem sees this as a remote mailbox and sends the email via the edge servers. It arrives in M365, which sees it has a mail.onmicrosoft.com address, and it is delivered successfully to the test mailbox.
In the production environment, if I send an email from an on-prem mailbox to [email address removed for privacy reasons], Exchange on-prem sees this as a remote mailbox and sends the email via the edge servers. It arrives in M365, which sees it has a mail.onmicrosoft.com address, but instead of delivering it to the mailbox, it routes it back to on-prem using the contoso.com address, which then causes a mail loop that eventually fails.
The message trace seems to indicate the email is being forwarded; however, there are no forwarding rules or inbox rules. I've even tried another completely blank mailbox that I migrated to M365, with the same result.
Now I've been over the config of both environments and looked at various articles in regard to attribution, but cannot see any difference between what I've set up in the dev environment vs. the production one.
I just can’t work out why, when the mailbox obviously exists in M365 with all the correct email addresses, it just doesn’t get delivered. M365 seems to ignore that and decide to send it out via the outbound connector. The other weird part is if I disable that outbound connector in M365, the email is delivered to the mailbox correctly!
Anyway, lengthy I know, and hopefully I have explained the infrastructure, so if anyone has any ideas where I might check next it would be greatly appreciated.
Cheers
Peter
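As an added example, not part of Peter's post: an Exchange Online PowerShell checklist that records the pieces he describes for the production tenant (what EXO thinks the migrated recipient is, mailbox-level forwarding, inbox rules, accepted domains, the outbound connector scope, and the trace of the looping message). The mailbox address is a placeholder because the real one was removed from the post; the cmdlets are the standard ExchangeOnlineManagement ones.

```powershell
# Added diagnostic checklist for the hybrid routing issue described above
# (example code, not from the original post). Requires the ExchangeOnlineManagement
# module and an admin session on the production tenant.
Connect-ExchangeOnline

# Placeholder: the real local part was removed from the post for privacy.
$Mailbox = "<test-mailbox>@contoso.mail.onmicrosoft.com"

# 1. What EXO believes this recipient is. A completed migration should leave a
#    UserMailbox/SharedMailbox; a MailUser is routed to its ExternalEmailAddress,
#    which in this topology means back out through the outbound connector.
Get-Recipient -Identity $Mailbox |
    Format-List Name, RecipientType, RecipientTypeDetails, EmailAddresses, ExternalEmailAddress

# 2. Mailbox-level forwarding, which is separate from inbox rules.
Get-Mailbox -Identity $Mailbox |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Inbox rules, including hidden ones, that forward or redirect.
Get-InboxRule -Mailbox $Mailbox -IncludeHidden |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Format-List Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo

# 4. Accepted domains: contoso.com and contoso.mail.onmicrosoft.com should both
#    be Authoritative, matching the dev tenant.
Get-AcceptedDomain | Format-Table DomainName, DomainType, Default

# 5. Outbound connector scope: these properties decide what EXO hands to on-prem.
Get-OutboundConnector |
    Format-List Name, Enabled, ConnectorType, RecipientDomains, RouteAllMessagesViaOnPremises, SmartHosts

# 6. Trace the looping message and expand the event that reports the forward.
$trace = Get-MessageTrace -RecipientAddress $Mailbox `
    -StartDate (Get-Date).AddHours(-24) -EndDate (Get-Date)
$trace | Format-Table Received, SenderAddress, RecipientAddress, Status, MessageTraceId
$trace | ForEach-Object {
    Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId -RecipientAddress $_.RecipientAddress
} | Format-Table Date, Event, Detail -Wrap
```

Running the same script against the dev tenant and diffing the two outputs shows exactly where the production configuration departs from the working one.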