I recently had a curious behavior in my customers Exchange 2010 SP3 hybrid environment with centralized mail transport for Exchange 2010 SP3 Edge servers enabled.
Before I describe the topic in more detail I would like to say thank you to the guys from Microsoft: Timothy Heeney, Scott Landry and Tom Kern helped me with my ‘little’ mail flow problem . Appreciate your help.
My customer is using a smtp gateway for external mail flow as usual. Some of the mailboxes have configured smtp forwarding like ForwardingAddress (mail contact) and ForwardingSMTPAddress (external smtp address directly set on the mailbox).
As we all know, Exchange hybrid mailbox move will not migrate the ForwardingAddress configuration for mailboxes. For this and some other migration limitations my colleague Andreas from atwork developed an ‘Exchange Online Migration Tool’ which is used by my customer. This tool checks, amongst other things, if the forwarding recipient is synced to Azure Active Directory and will set the smtp forwarding again after migration, let’s say it’s one component of many hybrid pre and post-migration tasks.
However, not all smtp domains which are used for smtp forwarding are created in the on-premises environment nor in Exchange Online. Also, some of these smtp domains don’t have any mx records populated in external DNS configuration. Mail flow for these domains is handled by the internal smtp gateway with some special configuration and different connectors.
After the pilot migration of some Exchange 2010 users to Exchange Online, I saw a couple of ‘450 DNS socket error’ messages during mail flow checks. As I said not every smtp domain has its own MX record published.
The first thing I checked was the CMC connector which looked like this:
- RecipientDomains *
- SmartHosts [x.x.x.x],[x.x.x.x]
- TlsDomain contoso.com
- TlsSettings DomainValidation
- IsTransportRuleScoped False
- RouteAllMessagesViaOnPremises True
It seems that everything looks good.
Next, I was looking for the X-MS-Exchange-Organization-AuthAs mail header which had the value ‘Internal’ and centralized mail transport is used.
All mail flow tests from different Exchange Online tenants and external mail provider were routed through the on-premises environment correctly – except for those who have smtp forwarding configured.
This behavior for users with smtp forwarding configured is by design and EOP will route these emails directly to the Internet.
Tom provided me the official support link: https://support.microsoft.com/en-us/help/3194415/some-messages-aren-t-routed-through-the-on-premises-organization-when-you-use-centralized-mail-transport
‘This behavior is by design. To forward the message, an exact copy of the original message is created and sent to the external recipient. Mail routing logic sees that this new message originated in the on-premises environment and therefore doesn't send the message back to the on-premises environment. Instead, it's routed directly to the external recipient domain through Exchange Online Protection.’
Nevertheless, if you are in the same situation, you can use the following tasks to get centralized mail transport working:
- Configure your domains properly and create it as an internal relay domain for both on-premises and Exchange Online
- Don’t migrate these recipients to Exchange Online, set the domain to internal relay and let do your on-premises environment the resolving
- Rewrite it to something which is routable if you don’t want to use centralized mail transport for the on-premises organization
- Remove the external smtp forwarding