Practical 365

NDR 550 5.5.1 User Unknown for Internal Relay Domain

October 19, 2012 by Paul Cunningham 32 Comments

When you have configured two Exchange organizations for a shared SMTP namespace, you may encounter a problem with non-delivery reports (NDRs) being generated for a domain name that is configured as an Internal Relay domain.

In the following scenario there are two organizations. Company A is configured with both an Authoritative domain and an Internal Relay domain for Company B.

The expectation with this configuration is that if Company A receives an email for a recipient in the companyb.com namespace that does not exist in the Company A organization, the email will be relayed to Company B instead.

However, under certain conditions you may receive an unexpected NDR instead that contains the error “550 5.1.1 User unknown”.

The cause of this issue is the Recipient Filtering feature of Exchange’s anti-spam functionality, which is an optional component for Hub Transport servers but is available by default on Edge Transport servers.

Recipient Filtering will block messages that are addressed to a recipient that does not exist in the organization.

This is undesirable behavior in an Internal Relay scenario because the assumption in that scenario is that the SMTP namespace is shared and therefore many of the recipients will not exist in the first organization that processes the email.

This is normally not a problem, though, because a domain that is added to the Accepted Domains list as an Internal Relay domain is exempt from recipient filtering. That exemption is controlled by the AddressBookEnabled attribute of the Accepted Domain.

[PS] C:\>Get-AcceptedDomain | select name,domaintype,addressbookenabled

Name                     DomainType AddressBookEnabled
----                     ---------- ------------------
companya.com          Authoritative               True
companyb.com          InternalRelay              False


However, if a domain is added as Authoritative at first and later changed to Internal Relay, the AddressBookEnabled attribute remains set to True. This creates the NDR situation if the recipients have not already been created within the organization (e.g. as contacts).

[PS] C:\>Set-AcceptedDomain companya.com -DomainType InternalRelay

[PS] C:\>Get-AcceptedDomain | select name,domaintype,addressbookenabled

Name                     DomainType AddressBookEnabled
----                     ---------- ------------------
companya.com          InternalRelay               True
companyb.com          InternalRelay              False


The solution is to use Set-AcceptedDomain to set AddressBookEnabled to False after converting the domain from Authoritative to Internal Relay.

[PS] C:\>Set-AcceptedDomain companya.com -AddressBookEnabled $false

[PS] C:\>Get-AcceptedDomain | select name,domaintype,addressbookenabled

Name                     DomainType AddressBookEnabled
----                     ---------- ------------------
companya.com          InternalRelay              False
companyb.com          InternalRelay              False


When Edge Transport servers are involved, this change will take some time to synchronize before it takes full effect.
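As an added example (not code from the original article), the following Exchange Management Shell script audits every accepted domain for the mismatch described above, an Internal Relay domain whose AddressBookEnabled is still True, and optionally applies the same Set-AcceptedDomain fix. It assumes an Exchange Management Shell session; the -Fix switch and the Recipient Filtering status check are additions of this example.

```powershell
# Added example, not part of the original article. Assumes an Exchange
# Management Shell session where Get-AcceptedDomain / Set-AcceptedDomain run.
# Without -Fix the script only reports; with -Fix it applies the article's fix.
param([switch]$Fix)

# Recipient Filtering only matters if the anti-spam agents are installed and
# recipient validation is on. Get-RecipientFilterConfig is absent otherwise,
# so the lookup is wrapped in try/catch.
try {
    $rf = Get-RecipientFilterConfig -ErrorAction Stop
    Write-Host ("Recipient Filtering enabled: {0}; recipient validation: {1}" -f `
        $rf.Enabled, $rf.RecipientValidationEnabled)
} catch {
    Write-Host "Recipient Filtering agent not installed on this server."
}

# The mismatch from the article: a domain converted from Authoritative to
# InternalRelay keeps AddressBookEnabled = True, so recipients that only exist
# in the other organization are rejected with 550 5.1.1 instead of relayed.
$mismatched = Get-AcceptedDomain |
    Where-Object { $_.DomainType -eq 'InternalRelay' -and $_.AddressBookEnabled }

if (-not $mismatched) {
    Write-Host "No InternalRelay domains with AddressBookEnabled = True."
    return
}

foreach ($domain in $mismatched) {
    Write-Host ("{0,-30} {1,-14} AddressBookEnabled={2}" -f `
        $domain.Name, $domain.DomainType, $domain.AddressBookEnabled)
    if ($Fix) {
        # Same fix as the article. On Edge Transport the change still has to
        # synchronize before it takes effect, so allow time before re-testing.
        Set-AcceptedDomain -Identity $domain.Identity -AddressBookEnabled $false
        Write-Host ("  -> AddressBookEnabled set to False on {0}" -f $domain.Name)
    }
}
```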

Exchange Server Accepted Domains, Exchange 2007, Exchange 2010, Exchange 2013, Internal Relay, NDR

Comments

  1. Jesus Marin says

    August 28, 2019 at 7:59 am

    I have the “too many hops” NDR for a few emails. I have a hybrid configuration: the internet inbound and outbound on-prem passes through a smart host, and most of the mailboxes are in O365. I have a transport rule that says everything that comes to a specific domain goes to a mailbox living in O365, and then I created a connector from on-prem pointing to an MX record on O365. Any ideas?

  2. Oshada says

    August 26, 2016 at 11:18 pm

    Hi Paul
    We are having the same kind of problem, only for a shared mailbox that we created in the Cloud.
    Other users migrated from on-prem receive mail from both cloud and on-prem, but that shared mailbox only accepts mail from other cloud users (no external emails and no on-prem user emails).

    The on-prem connector is sending NDR 550 5.1.1 User unknown (in reply to RCPT TO command).

    Regards

    • Paul Cunningham says

      August 27, 2016 at 10:48 pm

      I assume this is a hybrid environment. The correct process is to create the shared mailbox on-premises, then move it to Exchange Online after directory synchronization has synced the object to Azure AD.

  3. SMallett says

    March 2, 2016 at 4:24 pm

    Hi, we are getting this scenario with our Exchange 2013 on-premises server, which is rejecting messages intermittently to users on Office 365 that use the same namespace. Can you show me where to look?
    Thanks.

    • Paul Cunningham says

      March 2, 2016 at 8:16 pm

      Do you have a Hybrid configuration?

  4. Shimon Adimor says

    October 3, 2015 at 8:28 am

    Well, this is still in a test lab so I created the mailboxes myself a few days ago and did not set any forwarding rules.
    There are a few more things I’m not yet sure about:
    1. My MX record points to mail.accepteddomain.com, but the diagnostic header I am getting in the bounce-back message shows that it’s coming from the internal server name (i.e. hostname.internaldomain.mycompany.com). Is it because postmaster is automatically defined like that? How should I define the postmaster?
    2. When I ping smtp.accepteddomain.com I still get the previous IP being resolved (but no replies). Should this be modified in the DNS as well?
    3. What’s the best practice for creating mailboxes? I thought that it’s better to first have an AD account for the user, then create the mailbox (which makes sense when going live), but there is a way to create the mailbox for a new user and it will be added to AD.
    4. When having more than one accepted domain, what needs to be defined, and where, for the 2nd accepted domain?

    I of course will continue researching online, but so far I got quite a few conflicting pieces of information, so still confused.
    Thanks a lot !
    Shimon.

  5. Shimon Adimor says

    October 2, 2015 at 7:25 am

    Hi Paul,
    I actually ran the Microsoft connectivity analyzer for inbound mail, found a problem and fixed it, then ran it again and it was successful, but I am getting a different bounce back error now:
    Hostname.MYdomain.mycompany.com rejected your message to the following email addresses:

    Jon Doe (jon.doe@accepteddomain.com)

    Hostname.MYdomain.mycompany.com gave this error:
    Hop count exceeded – possible mail loop
    A problem occurred during the delivery of this message. Please try to resend the message later. If the problem continues, contact your helpdesk.

    Here are the configuration details:
    Hostname.MYdomain.mycompany.com is the internal FQDN of the Exchange server.
    mail.accepteddomain.com and Hostname.mycompany.com have the same IP address, and an A record is defined for them.
    An MX record is defined for mail.accepteddomain.com.

    I have a feeling that something is messed up in defining the DNS or domains, but I’m not sure what exactly, and I can’t find any log file that shows the details of the hops…
    Thanks!
    Shimon.

    • Paul Cunningham says

      October 2, 2015 at 9:18 am

      Just that one recipient?

      • Shimon Adimor says

        October 2, 2015 at 11:56 am

        Right now yes – one recipient out of 3 has this problem (still in testing environment).

        • Paul Cunningham says

          October 2, 2015 at 12:13 pm

          Check for auto-forwarding rules. Sometimes people set up a rule to forward from Mailbox1 to Mailbox2, but then Mailbox2 also has a rule to forward back to Mailbox1.

  6. Shimon Adimor says

    October 1, 2015 at 10:13 am

    Hi Paul,
    I actually figured out how to modify the MX record and it is pointing correctly now.
    I have set the PTR (SPF) record as well.
    The issue now is that external emails are still not received, but the sender has no bounce-back error, which is hard to troubleshoot…
    My feeling is it’s because of the PTR record not resolving yet, but is there a good way to troubleshoot such a scenario?

    • Paul Cunningham says

      October 1, 2015 at 11:18 am

      Sure, you can run the inbound SMTP test at exrca.com

  7. Shimon Adimor says

    September 30, 2015 at 3:43 am

    Looks like the mycompany.com MX record is still pointing to the previous hosting…
    So for now I will have to see how to modify the MX record to point to my own Exchange server…
    Can you please help me with this process?

    • Paul Cunningham says

      September 30, 2015 at 9:29 am

      Your MX records are managed through your DNS control panel for whoever hosts your public DNS.

  8. Shimon Adimor says

    September 30, 2015 at 3:31 am

    When I check the MX record (according to the command described in your MX record article) I get the following
    C:\>nslookup
    Default Server: UnKnown
    Address: 192.168.1.17

    > set type=mx
    > mycompany.com
    Server: UnKnown
    Address: 192.168.1.17

    Non-authoritative answer:
    mycompany.com MX preference = 10, mail exchanger = mailstore1.secureserver.net

    mycompany.com MX preference = 0, mail exchanger = smtp.secureserver.net

    mailstore1.secureserver.net internet address = xx.xxx.xxx.32
    smtp.secureserver.net internet address = xx.xxx.xxx.29
    >

    These last two IPs are different than the Exchange server public IP.
    Also, when I ping mailstore1 I get a different IP than the one showing.
    When I ping smtp it resolves to the correct IP as shown in the MX record but doesn’t respond…
    I hope this additional info will lead to the resolution.
    What I’d like to know is what needs to be defined in the global DNS.
    Right now mail.mycompany.com is pointing to the public IP address of the Exchange server, which I’m now guessing is not the correct one.
    Thanks again for looking into it!
    Shimon.

  9. Shimon Adimor says

    September 30, 2015 at 2:59 am

    Hi,
    Thanks for responding quickly!
    I tried both to reply and to send new.
    Verified that mail.mycompany.com is pointing to the public IP of the Exchange server.
    Is there any need to create a DNS record in the DC AD which the Exchange works with?
    Also, is there any detailed log anywhere that shows that the server rejected this email?
    Thanks!

  10. Shimon Adimor says

    September 29, 2015 at 10:08 am

    Hi,
    I just finished installing a brand new Exchange server and AD on a separate domain controller.
    I have set up two mailboxes (using existing AD users) and I was able to send emails out successfully.
    When I try to send an email from an external address to any of these new mailboxes I get NDR 550 5.1.1 recipient not found.
    I verified that the receive connectors are all enabled (they were by default) and I have not set any restrictions on any user.
    I’m sure I am missing some essential setting, but couldn’t find anything in the log files.
    Any idea?

    • Paul Cunningham says

      September 29, 2015 at 10:32 am

      Are you replying to the emails you sent outbound?

  11. A.A. says

    May 24, 2015 at 3:38 pm

    Dear Paul,

    I followed your instructions. It worked and my problem was resolved. Thanks a lot.
    But I have a question: why did this happen suddenly for new users? Old users don’t have any problems.

    • Alex says

      August 21, 2015 at 4:20 pm

      Yes, I would like to ask the same thing.
      Why did this happen to new users and not old ones?

  12. Ahmad says

    January 2, 2015 at 10:46 pm

    Evening Paul,

    I have Exchange 2013 and it is not generating NDRs when email is sent to some dummy email address, e.g. cvt@mail.com.

    Can you point me in the right direction please?

    • Paul Cunningham says

      January 3, 2015 at 8:28 pm

      Maybe that is a valid email address?

  13. Tamara Felton says

    April 18, 2014 at 8:36 am

    I am having an issue for just one user (a new user). This mailbox is set up just like any other mailbox (no restrictions). You can find the user’s mailbox on the Exchange server. The issue is that this mailbox is not receiving email from external senders. (The box is NOT checked to “Require Authentication” in the mailbox properties.)

    • Paul Cunningham says

      April 20, 2014 at 11:56 pm

      Does the sender get an NDR? If so, what does it say? If not, have you tried using message tracking to trace the missing emails?

  14. PvdK says

    April 10, 2014 at 5:08 pm

    Great solution, couldn’t figure out what went wrong and now it’s fixed. Thx.

  15. Arul Jose says

    April 3, 2014 at 6:36 pm

    I am creating an email message programmatically and sending it to the Exchange server (only one company configuration).

    When all the recipient addresses are correct, the mail is sent successfully.

    But if one of the addresses is incorrect, the server gives a “550 5.1.1 User unknown” error and the email message is not sent to the correct addresses either.

    When this is tested via Outlook, the mail is sent to the correct addresses and there is an error mail from the server stating that the mail was not sent to the incorrect address; this is the expected behaviour.

    What needs to be done to get the expected behaviour? There must be some alternative setting being used by Outlook.

    • Paul Cunningham says

      April 5, 2014 at 1:58 pm

      My guess is that you’ll need to modify your code to handle the error better and not terminate the session when a bad address is encountered.

  16. Farrukh says

    November 12, 2013 at 7:11 pm

    If CompanyA and CompanyB are both Internal Relay domains, then what will happen to any internal email for a non-existent recipient? Will it get stuck in a loop or generate an NDR?

  17. rejith says

    February 2, 2013 at 6:35 pm

    Maybe I am wrong, but I have a doubt. Why are we making companya.com an internal relay? Keeping companya.com as Authoritative and setting AddressBookEnabled to False is enough, right?

    • Paul Cunningham says

      February 4, 2013 at 9:49 pm

      The problem occurs when switching a domain from Authoritative to Internal Relay. If you left the domain as Authoritative you wouldn’t run into the problem at all.

      • rejith says

        May 5, 2013 at 12:41 am

        Thanks Paul

