M365 Outbound Connector Error
Mayo, Bill
We are making progress with the M365 configuration, but the latest issue is that the Outbound Connector on M365 is failing validation. The initial error is: 450 4.4.317 Cannot establish session with remote server [Message=451 5.7.3 STARTTLS is required to send mail]
Our normal mail flow is through a security appliance, but our partner has us pointing M365 directly at our Exchange servers (we had to set something special up to allow this). When we tested using the security appliance, it failed with a certificate error because it was expecting the certificate of our Exchange servers and was instead getting the certificate from our security appliance.
To make sure the issue was not related to the certificate on the Exchange Servers, I tried telling it to accept any certificate with no change in the output. I then told it to not use encryption at all and the initial tests passed. However, it then failed when sending a test message. As far as I can tell from the output, the problem is that the source email address is in our domain (O365Connect...@contoso.com) but can’t authenticate, which would make sense as we don’t have any internal account for that. I can’t tell for sure because I can’t find it in the SMTP logs (settings on all the seemingly relevant receive connectors are set to verbose, but I’m not getting anything).
This makes me think there should be some special receive connector in play here, but there is not one. The setup process did create a send connector, but no receive connectors. I do note that MBS previously indicated that the setup does change the default receive connector settings, but it doesn’t seem to account for this.
Is it correct that the M365 connector needs to talk directly to the Exchange Servers? Should there be some special Receive Connector for this traffic? Any pointers or information is appreciated.
Bill Mayo
Michael B. Smith
It does not need to talk directly to the Exchange servers, but whatever it talks to needs to use the same certificate. That’s the certificate you used when configuring the HCW.
It shouldn’t need to authenticate. It should simply be targeting a valid address in your on-prem organization. I don’t currently have a migration in process with a client, so I don’t have a way to verify the specific configuration for you. Did YOU run the validation? Or did your consultant?
The Exchange Deployment Assistant can walk you through all the requirements and required configurations:
--
You received this message because you are subscribed to the Google Groups "ntexchange" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
ntexchange+...@googlegroups.com.
To view this discussion visit
https://groups.google.com/d/msgid/ntexchange/158e351da5d34daa87f7750cbcfaa7fd%40pittcountync.gov.
Mayo, Bill
I am running the validation. I have made a little progress since the last email. First, I figured out I was looking in the wrong directory for the SMTP logs (duh). This hasn’t help me a lot yet, but I just re-ran the test a few minutes ago and something interesting happened. The validation still failed. However, I actually received the “Test email for connector validation” email.
I went to the link you indicated, but I don’t see a guide there for an M365 migration. There are 2 guides there, 1 for on-premises exchange deployments and 1 for update exchange. Neither seem applicable to the situation.
To view this discussion visit https://groups.google.com/d/msgid/ntexchange/9b5cb48b054b44eab7533e5ff3691c2d%40smithcons.com.
Michael B. Smith
Good lord. They’ve separated it. Sorry about that. It’s quite recent.
To view this discussion visit https://groups.google.com/d/msgid/ntexchange/5ecb1a3e6a094da7b9e0321231785078%40pittcountync.gov.
Mayo, Bill
So, I continue to see a failed validation coupled with a successfully received email. From the SMTP logs, it looks like there are 2 connections attempts. The first one doesn’t seem to do anything, the second one succeeds. I assume that the validation fails due to the first message, but I am not entirely sure.
First connection in SMTP logs (sanitized):
2025-12-15T16:17:12.589Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,0,192.168.1.1:25,40.93.12.53:43087,+,,
2025-12-15T16:17:12.606Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,1,192.168.1.1:25,40.93.12.53:43087,>,"220 MYEXCHSERVER.internal.contoso.com Microsoft ESMTP MAIL Service ready at Mon, 15 Dec 2025 11:17:12 -0500",
2025-12-15T16:17:12.631Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,2,192.168.1.1:25,40.93.12.53:43087,<,EHLO BN8PR09CU001.outbound.protection.outlook.com,
2025-12-15T16:17:12.632Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,3,192.168.1.1:25,40.93.12.53:43087,>,250 MYEXCHSERVER.internal.contoso.com Hello [40.93.12.53] SIZE 20971520 PIPELINING DSN ENHANCEDSTATUSCODES X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
2025-12-15T16:17:12.655Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,4,192.168.1.1:25,40.93.12.53:43087,<,QUIT,
2025-12-15T16:17:12.655Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,5,192.168.1.1:25,40.93.12.53:43087,>,221 2.0.0 Service closing transmission channel,
2025-12-15T16:17:12.655Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,6,192.168.1.1:25,40.93.12.53:43087,-,,Local
Successful connection in SMTP logs (sanitized):
2025-12-15T16:18:29.227Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,0,192.168.1.1:25,40.93.1.14:45114,+,,
2025-12-15T16:18:29.232Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,1,192.168.1.1:25,40.93.1.14:45114,>,"220 MYEXCHSERVER.internal.contoso.com Microsoft ESMTP MAIL Service ready at Mon, 15 Dec 2025 11:18:28 -0500",
2025-12-15T16:18:29.303Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,2,192.168.1.1:25,40.93.1.14:45114,<,EHLO BY5PR09CU001.outbound.protection.outlook.com,
2025-12-15T16:18:29.303Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,3,192.168.1.1:25,40.93.1.14:45114,>,250 MYEXCHSERVER.internal.contoso.com Hello [40.93.1.14] SIZE 20971520 PIPELINING DSN ENHANCEDSTATUSCODES X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
2025-12-15T16:18:29.413Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,4,192.168.1.1:25,40.93.1.14:45114,<,MAIL FROM:<> SIZE=22245,
2025-12-15T16:18:29.414Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,5,192.168.1.1:25,40.93.1.14:45114,*,08DE2795F578XXXX;2025-12-15T16:18:29.227Z;1,receiving message
2025-12-15T16:18:29.414Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,6,192.168.1.1:25,40.93.1.14:45114,<,RCPT TO:<interna...@contoso.com>,
2025-12-15T16:18:29.415Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,7,192.168.1.1:25,40.93.1.14:45114,>,250 2.1.0 Sender OK,
2025-12-15T16:18:29.415Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,8,192.168.1.1:25,40.93.1.14:45114,>,250 2.1.5 Recipient OK,
2025-12-15T16:18:29.524Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,9,192.168.1.1:25,40.93.1.14:45114,<,BDAT 4826 LAST,
2025-12-15T16:18:29.525Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,10,192.168.1.1:25,40.93.1.14:45114,*,,Ignored X-OriginatorOrg header value 'pittcountync.gov' because session capabilities do not allow it
2025-12-15T16:18:29.577Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,11,192.168.1.1:25,40.93.1.14:45114,*,,Proxy destination(s) obtained from OnProxyInboundMessage event. Correlation Id:c1a02504-a620-490a-857e-5be93bc3b58c
2025-12-15T16:18:29.748Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,12,192.168.1.1:25,40.93.1.14:45114,>,"250 2.6.0 <114d3feb-421f-4e98...@substrate-int.office.com> [InternalId=245667834364515, Hostname=MYEXCHSERVER.internal.contoso.com] 5778 bytes in 0.134, 42.084 KB/sec Queued mail for delivery",
2025-12-15T16:18:29.872Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,13,192.168.1.1:25,40.93.1.14:45114,<,QUIT,
2025-12-15T16:18:29.872Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,14,192.168.1.1:25,40.93.1.14:45114,>,221 2.0.0 Service closing transmission channel,
2025-12-15T16:18:29.872Z,MYEXCHSERVER\Default Frontend MYEXCHSERVER,08DE2795F578XXXX,15,192.168.1.1:25,40.93.1.14:45114,-,,Local
To view this discussion visit https://groups.google.com/d/msgid/ntexchange/964111e734434d628f527fda294d9ef2%40smithcons.com.
Mayo, Bill
I got this working. The resolution was updating the certificate via Set-HybridConfiguration. Thank you again for your help, Michael. Although, I never could find the correct guide, even at the updated link.
From: ntexc...@googlegroups.com <ntexc...@googlegroups.com>
On Behalf Of Mayo, Bill
Sent: Monday, December 15, 2025 12:13 PM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: M365 Outbound Connector Error
|
EXTERNAL EMAIL: This email originated from outside of Pitt County Government. Do not click any links or open any attachments unless you trust the sender and know the content is safe. |
To view this discussion visit https://groups.google.com/d/msgid/ntexchange/5d7cb4d31831446692bfad9801cd7712%40pittcountync.gov.
Michael B. Smith
The first one is just testing the connection. The second one is sending the email. It’s a little odd that the second one doesn’t seem to show a TLS handshake.
Regardless, I’m glad you got it to work!
To view this discussion visit https://groups.google.com/d/msgid/ntexchange/9359d80f04db45af84157bb1b5bef974%40pittcountync.gov.