Exchange Online Protection 550 5.4.1 Recipient address rejected: Access Denied. AS(201806281)


Today, I found myself working with a customer that was experiencing delivery failures to some Office 365 recipients from all external senders.

As problems go, this one definitely finds itself in the “interesting” category.  No, it’s never good to have “interesting” problems (just ask a doctor).

Background

These are the conditions we determined made this customer's situation unique:

  • MX record points to on-premises spam gateway, which delivers to on-premises Exchange 2013 environment
  • All mailboxes were hybrid migrated to Office 365
  • Azure AD Connect is synchronizing identity
  • Inbound mail from external senders was not being delivered to some cloud recipients, though the same cloud recipients could send external mail and could send/receive with internal users.

Armed with that information, off we go to …

Troubleshooting

During the course of determining the source of the issue, I ran through the normal troubleshooting and data gathering steps:

  • Verify that the on-premises Exchange receive connector is listening on port 25
  • Check the on-premises mail gateway log (it reported the message as ‘delivered’ to the Exchange server)
  • Verify that the Exchange server has valid 3rd-party certificates bound
  • Verify that recipients have the correct recipient type, depending on whether they are new or migrated mailboxes
  • Verify that recipients in Exchange have a tenant.mail.onmicrosoft.com proxy address
  • Verify that recipients in Exchange have a valid target address pointing to the correct tenant.mail.onmicrosoft.com proxy
  • Verify that the on-premises Exchange server can contact tenant-onmicrosoft-com.mail.protection.outlook.com on port 25
  • Verify that the Hybrid Configuration Wizard was run successfully

So, digging further in, I enabled protocol logging, restarted the transport service, and decided to start investigating more deeply.

I discovered this snippet in the Send log:

MAIL FROM:<sender@domain.com> SIZE=264118
RCPT TO:<recipient@tenant.mail.onmicrosoft.com> ORCPT=rfc822;recipient@domain.com
250 2.1.0 Sender OK
550 4.3.1 Recipient address rejected: Access denied. AS(201806281) [XXXXXXXXXXX.eop.prod.protection.outlook.com]

The message is reaching Exchange Online, but it is being rejected there. A 550 is generally a permanent “mailbox not found” type of failure, but the status code is … interesting (a permanent 550 reply carrying a transient-class 4.3.1 enhanced code), as we know the mailbox exists and can successfully conduct internal transactions.

Resolution

In this case, the temporary solution was disabling Directory-Based Edge Blocking (DBEB) by changing the domain type of the customer's accepted domains (not the onmicrosoft.com ones) in Exchange Online from Authoritative to InternalRelay.

The larger problem was caused by on-premises Active Directory data quality issues that were synchronized to the tenant by AAD Connect. Each affected object needed to be updated (in essence, removing and re-adding its SMTP addresses) to fully resolve the issue.
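As an added example (not code from the original post), here is a PowerShell take on the recipient checks from the troubleshooting list above and on the DBEB workaround. It assumes an on-premises Exchange Management Shell session for the first function and an Exchange Online PowerShell session for the second; the identity and routing-domain values are placeholders to replace.

```powershell
# Added example, not from the original post. First function: run in the
# on-premises Exchange Management Shell. Second function: run in Exchange Online.
function Test-HybridRecipientRouting {
    param(
        [Parameter(Mandatory)][string]$Identity,            # placeholder, e.g. recipient@domain.com
        [Parameter(Mandatory)][string]$TenantRoutingDomain  # placeholder, e.g. tenant.mail.onmicrosoft.com
    )
    $rm = Get-RemoteMailbox -Identity $Identity -ErrorAction Stop
    $expected = "$($rm.Alias)@$TenantRoutingDomain".ToLower()

    # 1. Routing proxy: EOP accepts hybrid mail on the tenant.mail.onmicrosoft.com
    #    address, so it must exist as an smtp: proxy on the synchronized object.
    $proxies  = $rm.EmailAddresses | ForEach-Object { "$_".ToLower() }
    $hasProxy = $proxies -contains "smtp:$expected"

    # 2. Target address (RemoteRoutingAddress) must point at that same proxy;
    #    a stale or mismatched value is the kind of data-quality issue the post describes.
    $target   = "$($rm.RemoteRoutingAddress)".ToLower() -replace '^smtp:', ''
    $targetOk = ($target -eq $expected)

    # 3. Port 25 from this server to the EOP MX host for the routing domain.
    $mx = (Resolve-DnsName -Name $TenantRoutingDomain -Type MX -ErrorAction Stop |
           Where-Object NameExchange | Select-Object -First 1).NameExchange
    $port25 = (Test-NetConnection -ComputerName $mx -Port 25 -WarningAction SilentlyContinue).TcpTestSucceeded

    [pscustomobject]@{
        Identity            = $Identity
        ExpectedRoutingAddr = $expected
        HasRoutingProxy     = $hasProxy
        TargetAddressOk     = $targetOk
        EopMx               = $mx
        Port25Reachable     = $port25
        Proxies             = $proxies
    }
}

# Temporary workaround from the post: set the customer's domains to InternalRelay so
# DBEB stops rejecting recipients EOP cannot match in the directory. The onmicrosoft.com
# domains are left alone. Use -Revert to set them back to Authoritative once the
# synchronized proxy addresses have been corrected.
function Set-CustomerDomainDbeb {
    param([switch]$Revert)
    $type = if ($Revert) { 'Authoritative' } else { 'InternalRelay' }
    Get-AcceptedDomain |
        Where-Object { $_.DomainName -notlike '*.onmicrosoft.com' -and $_.DomainType -ne $type } |
        ForEach-Object { Set-AcceptedDomain -Identity $_.Identity -DomainType $type }
}
```

A recipient that shows HasRoutingProxy or TargetAddressOk as False is one to fix on-premises and let AAD Connect resynchronize before reverting the accepted domains to Authoritative.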


Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.
