When you have configured two Exchange organizations for a shared SMTP namespace you may encounter a problem with non-delivery reports (NDRs) being generated for a domain name that is configured as an Internal Relay.
In the following scenario there are two organizations. Company A is configured with both an Authoritative domain and an Internal Relay domain for Company B.
Your expectation of this configuration is that if Company A receives an email for a recipient in the companyb.com namespace that does not exist in the Company A organization, that the email will be relayed to Company B instead.
However, under certain conditions you may receive an unexpected NDR instead that contains the error “550 5.1.1 User unknown“.
The cause of this issue is the Recipient Filtering feature of Exchange’s anti-spam functionality, which is an optional component for Hub Transport servers but is available by default on Edge Transport servers.
Recipient Filtering will block messages that are addressed to a recipient that does not exist in the organization.
This is undesirable behavior in an Internal Relay scenario because the assumption in that scenario is that the SMTP namespace is shared and therefore many of the recipients will not exist in the first organization that processes the email.
This is normally not a problem though because a domain that is added to the Accepted Domains list as an Internal Relay domain is exempt from recipient filtering. This setting is configured in the AddressBookEnabled attribute of an Accepted Domain.
1 2 3 4 5 6 | [PS] C:\>Get-AcceptedDomain | select name,domaintype,addressbookenabled Name DomainType AddressBookEnabled ---- ---------- ------------------ companya.com Authoritative True companyb.com InternalRelay False |
However, if a domain is added as Authoritative at first, and then later changed to Internal Relay, the AddressBookEnabled attribute remains set to True, which creates the NDR situation if the recipients have not already been created within the organization (eg as contacts).
1 2 3 4 5 6 7 8 9 | [PS] C:\>Set-AcceptedDomain companya.com -DomainType InternalRelay [PS] C:\>Get-AcceptedDomain | select name,domaintype,addressbookenabled Name DomainType AddressBookEnabled ---- ---------- ------------------ companya.com InternalRelay True companyb.com InternalRelay False |
The solution is to use Set-AcceptedDomain to set AddressBookEnabled to False after converting the domain from Authoritative to Internal Relay.
1 2 3 4 5 6 7 8 | [PS] C:\>Set-AcceptedDomain companya.com -AddressBookEnabled $false [PS] C:\>Get-AcceptedDomain | select name,domaintype,addressbookenabled Name DomainType AddressBookEnabled ---- ---------- ------------------ companya.com InternalRelay False companyb.com InternalRelay False |
When Edge Transport servers are involved this change will take some time to synchronize before it takes full effect.
I have the “too many hops” NDR for a few emails , I have a hybrid configuration, the internet inbound and outbound on prem passes thru a smart host, most of the mailboxes are in O365, I have a transport rule to say all that comes to a specific domain goes to a mailbox living in O365, then I created a connector from on prem pointing to a MX record on O365. Any ideas?
Hi Paul
We r having a same kind of a problem only for a shared mailbox that we we created in Cloud .
other migrated users from onprem receives mails both cloud and onprem but that shared mailbox only accepting mails form other cloud user . (No external emails and Onprem user emails)
Onprem connector is sending NDR 550 5.1.1 User unknown (in reply to RCPT TO command)
Regards
I assume this is a hybrid environment. The correct process is to create the shared mailbox on-premises, then move it to Exchange Online after directory synchronization has synced the object to Azure AD.
Hi, we are getting this scenario with our Exchange 2013 on premise server, which is rejecting messages intermittently to users on Office 365 that use the same namespace. Can you show me where to look?
Thanks.
Do you have a Hybrid configuration?
Well, this is still in a test lab so I created the mailboxes myself a few days ago and did not set any forwarding rules.
There are a few more things I’m not yet sure about:
1. my mx record points to mail.accepteddomain.com but the diagnostic header I am getting in the bounce back message shows that it’s coming from the internal server name (i.e. the hostname.internaldomain.mycompany.com – is it because postmaster is automatically defined like that ? How should I define the postmaster ?
2. when I ping smtp.accepteddomain.com I still get the previous ip being resolved (but no replies) – should this be modified in the DNS as well ?
3. what’s the best practice for creating mailboxes ? I thought that it’s better to first have an AD account for the user, then create the mailbox (which makes sense when going live), but there is a way to create the mailbox for a new user and it will be added to AD.
4. When having more than one accepted domains – what needs to be defined and where for the 2nd accepted domain ?
I of course will continue researching online, but so far I got quite a few conflicting pieces of information, so still confused.
Thanks a lot !
Shimon.
Hi Paul,
I actually ran the Microsoft connectivity analyzer for inbound mail, found a problem and fixed it, then ran it again and it was successful, but I am getting a different bounce back error now:
Hostname.MYdomain.mycompany.com rejected your message to the following email addresses:
Jon Doe (jon.doe@accepteddomain.com)
Hostname.MYdomain.mycompany.com gave this error:
Hop count exceeded – possible mail loop
A problem occurred during the delivery of this message. Please try to resend the message later. If the problem continues, contact your helpdesk.
Here are the configuration details:
Hostname.MYdomain.mycompany.com is the internal fqdn of the exchange server.
mail.accepteddomain.com and Hostname.mycompany.com have the same ip address and A record is defined for them.
MX record is defined for mail.accepteddomain.com
I have a feeling that something is messed up in defining the DNS or domains, but not sure what exactly, and I can’t find any log file that shows the details of the hops…
Thanks !
Shimon.
Just that one recipient?
Right now yes – one recipient out of 3 has this problem (still in testing environment).
Check for auto-forwarding rules. Sometimes people set up a rule to forward from Mailbox1 to Mailbox2, but then Mailbox2 also has a rule to forward back to Mailbox1.
Hi Paul,
I actually figured out how to modify the MX record and it is pointing correctly now.
I have set the PTR (SPF) record as well.
The issue now is that external emails are still not received but the sender has no bounce back error, which is hard to troubleshoot…
My feeling is it’s because of the PTR record not resolving yet, but is there a good way to troubleshoot such a scenario ?
Sure, you can run the inbound SMTP test at exrca.com
Looks like mycompany.com mx record is still pointing to the previous hosting…
So for now I will have to see how to modify the MX record to point to my own exchange server…
Can you please help me with this process ?
Your MX records are managed through your DNS control panel for whoever hosts your public DNS.
When I check the MX record (according to the command described in your MX record article) I get the following
C:\>nslookup
Default Server: UnKnown
Address: 192.168.1.17
> set type=mx
> mycompany.com
Server: UnKnown
Address: 192.168.1.17
Non-authoritative answer:
mycompany.com MX preference = 10, mail exchanger = mailstore1.secureserver.net
mycompany.com MX preference = 0, mail exchanger = smtp.secureserver.net
mailstore1.secureserver.net internet address = xx.xxx.xxx.32
smtp.secureserver.net internet address = xx.xxx.xxx.29
>
These last two ips are different than the exchange server public ip.
Also when I ping the mailstore1 I get a different ip than the one showing.
When I ping the smtp it resolves to the correct ip as shown in the MX record but doesn’t respond…
I hope this additional info will lead to the resolution.
What I’d like to know is what needs to be defined in the global DNS.
Right now the mail.mycompany.com is pointing to the public ip address of the echange server, which I’m now guessing is not the correct one.
Thanks again for looking into it !
Shimon.
Hi,
Thanks for responding quickly !
I tried both to reply and to send new.
Verified that mail.mycompany.com is pointing to the public ip of the exchange server.
Is there any need to create a DNS record in the DC AD which the Exchange works with ?
Also – is there any detailed log anywhere that shows that the server rejected this email ?
Thanks !
Hi,
I just finished installing a brand new Exchange server and AD on a separate domain controller.
I have set two mailboxes (using existing AD users) and I was able to send emails out successfully.
When I try to send an email from an external address to any of these new mailboxes I get NDR 550 5.1.1 recipient not found.
I verified that the receive connectors are all enabled (they were by default) and I have not set any restrictions on any user.
I’m sure I am missing some essential setting, but couldn’t find anything in log files.
Any idea ?
Are you replying to the emails you sent outbound?
Dear Paul,
I followed your instruction, It worked and my problem resolved. Thanks a lot.
But there is a question for me that why this happened suddenly for new users? Old users don’t have any problems.
Yes i would like to ask same thing.
Why this happened to new users and not old?
Evening Paul,
I have Exchange 2013 and it is not generating NDRs when email is sent to some Dummy email address e.g cvt@mail.com
Can you point me in the right direction please?
Maybe that is a valid email address?
I am having an issue for just one user. (A new user). This mailbox is set up just like any mailbox. (No restrictions). You can find the user’s mailbox on the exchange server. The issue is that this mailbox is not receiving email from external senders. (The box is NOT check to “Require Authentication” in the mailbox properties.
Does the sender get an NDR? If so, what does it say? If not, have you tried using message tracking to trace the missing emails?
Great solution, couldn’t figure out what went wrong and nog it’s fixed. Thx.
I am creating an email msg programatically and sending to the exchange server (only one company configuration).
When all the recipient addresses are correct, the mail is sent successfully.
But if one of the addresses is incorrect, the server gives a “550 5.1.1 User unknown” error and the email msg is not being sent to the correct addresses as well.
When this is tested via Outlook, the mail is sent to the correct addresses and there is an error mail from the server stating that the mail was not sent to the incorrect address, this is the expected behaviour.
What needs to be done to get the expected behaviour? There must be some alternative setting being used by outlook.
My guess is that you’ll need to modify your code to handle the error better and not terminate the session when a bad address is encountered.
If CompanyA and CompanyB both are internal Relay Domains then what will happen to any internal email for non-existing recipient. Will it stuck in loop or generate NDR?
May be i am wrong, but have a doubt. Why are we making companya.com as internal relay? By keeping companya.com as Authoritative and making AddressBookEnabled to False is enough right?
The problem occurs when switching a domain from Authoritative to Internal Relay. If you left the domain as Authoritative you wouldn’t run into the problem at all.
Thanks Paul