5.4.6 NDR Exchange 2003 in a Hybrid Configuration with Exchange 2010 and Office 365

We are currently performing a migration from a troubled Exchange 2003 infrastructure to Microsoft Office 365.  After some discussion we determined that it would be prudent to implement Exchange 2010 in a hybrid configuration with Office 365.  Overall the implementation went smooth and we were linked with Office 365 in no time.

I did run into one problem in the implementation.  When I went to test mailflow from an on-premise account to the cloud I got an NDR:

Cloud Email Test
A problem occurred during the delivery of this message. Please try to resend the message later. If the problem continues, contact your helpdesk.
Diagnostic information for administrators:
Generating server: exch.contoso.com
#< #5.4.6> #SMTP#

A 5.4.6 error on Exchange 2003 lets us know that the categorizer detected a message loop in delivery.  At first I started to dig into Exchange 2003 using tools like WinRoute to see what was wrong.  I could see the send connector for our cloud tenant domain and I just couldn’t easily identify the source of the problem.  Others have had issues with SMTP connectors that cause loops, but that was not the case in this organization.  And then I finally realized what the source of the problem was – Exchange 2010 is smarter than Exchange 2003.  There’s some common sense, eh?

When you migrate an account from on premise Exchange to Office 365, a mail-enabled user is left on premise and that mail enabled user object has a target address or external email address of alias@tenantID.mail.onmicrosoft.com.  When you run the Exchange 2010 SP2 hybrid configuration wizard, it adds your tenant mail-flow domain as authoritative for your organization.  By definition, an authoritative domain means that the domain name in question can only exist in this Exchange organization.  If it does not exist then a NDR should be generated.

So we have mail enabled users, with EXTERNAL email addresses that can only belong to this Exchange organization.  Sounds like a recipe for disaster, or at least NDRs, correct?

Well…not exactly.  Exchange 2010 is smarter than that.  When the categorizer on Exchange 2010 finds a target address on a user account, it will process that target address and it WILL send the message out of the organization as long as a send connector exists.  This is useful in split forest scenarios, consolidation scenarios and Office 365 Hybrid scenarios.

The problem here in this particular case is that Exchange 2003 is not so smart.  If a domain can only exist in this organization, then it will not use a send connector to route mail out of the organization.  As experienced in my case, it will provide a 5.4.6 NDR.  The fix is simple, set the tenantID.mail.onmicrosoft.com SMTP address space to Internal Relay instead of Authoritative.  Internal relay domains can exist in this Exchange organization, or in another exchange organization.  As such, Exchange 2003 will send the message via the path we prefer – through the Exchange 2010 server using the TLS secured connection.

This entry was posted in Exchange 2010, Office 365, Uncategorized. Bookmark the permalink. Both comments and trackbacks are currently closed.