Working at a client who is approx 75% of the way through their migration to Exchange Online – and there are some odd things I'm running into – so here's one of them.
The scenario and issue
- Exchange hybrid setup, with servers on prem and EXO active. Active mailboxes in both.
- Mail flow from on prem to EXO shows the following:
- Outbound SMTP logs show the message being handed off correctly to EXO
- Message tracking in EXO shows 3 copies of the message, all of which, when looking into the details, are bounces
- When looking in security.microsoft.com, the messages have been flagged as phishing attempts… with seemingly no way to flag them as not phishing attempts
- The connectors on-prem looked ok, and after double, triple and nineteen-thousandth checking, they were solid
- The connectors in EXO were manually created (for reasons I don't know that pre-date me) and the HCW created connectors had been disabled. No idea why.
- The connectors in EXO looked fine and validated without any issue
- After circling around for ages, I compared the disabled HCW connector with the active connector with "Get-InboundConnector | fl"
- This is when I noticed that the HCW created connector had IPs in the "EFSkipIPs" property
The Fix
- EFSkipIPs can be configured as per the PowerShell doco here
- The EFSkipIPs property looks like it defines IPs that should be excluded from enhanced filtering. Since the HCW automatically populates this field – most of us will never have to use this... but if some bright spark decides that the HCW isn't good enough for them (for whatever reason), then this becomes important.
- Because I had the previous, disabled connector, created by the HCW – I already knew the IPs I needed to add. If you don't have this, you will need to get the public IP that is presented to EXO. This could be obtained with something such as www.whatsmyip.com
- The multi-valued property... well, it would have been nice on the doco page if an example was included... so since there isn't one in the official doc – here is an example below:
Set-InboundConnector -Identity "OrgToEXO" -EFSkipIPs @{Add="xx.xx.xx.xx", "xy.xy.xy.xy"}
- After that, I needed to wait approx 15 minutes (not sure on the exact time, but it didn't work straight away) – and bingo-bango – no more mail flow issue
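
The comparison described above (disabled HCW connector against the active one), scripted as an added example that is not part of the original post; it goes slightly beyond EFSkipIPs to a few other inbound connector properties. The HCW connector name is a placeholder, and the sample objects and IPs are constructed so the comparison can be tried without an Exchange Online session.

```powershell
# Added example. Connector names are placeholders; sample IPs are constructed (documentation ranges).
$props = 'EFSkipLastIP', 'EFSkipIPs', 'EFUsers', 'SenderIPAddresses', 'RequireTls', 'TlsSenderCertificateName'

function Compare-InboundConnector {
    param(
        [Parameter(Mandatory)] $Reference,   # disabled HCW-created connector
        [Parameter(Mandatory)] $Active,      # manually created connector in use
        [string[]] $Property = $props
    )
    foreach ($p in $Property) {
        # Normalise single and multi-valued properties to sorted string lists, dropping nulls
        $ref = @($Reference.$p | Where-Object { $null -ne $_ } | ForEach-Object { "$_" } | Sort-Object)
        $act = @($Active.$p    | Where-Object { $null -ne $_ } | ForEach-Object { "$_" } | Sort-Object)
        if (($ref -join ',') -ne ($act -join ',')) {
            [pscustomobject]@{
                Property  = $p
                Reference = $ref -join ', '
                Active    = $act -join ', '
                Missing   = @($ref | Where-Object { $_ -notin $act })   # on reference, absent from active
            }
        }
    }
}

if (Get-Command Get-InboundConnector -ErrorAction SilentlyContinue) {
    # Live Exchange Online session: substitute your own connector names
    $hcw    = Get-InboundConnector -Identity '<disabled HCW connector>'
    $manual = Get-InboundConnector -Identity 'OrgToEXO'
} else {
    # Constructed sample objects so the comparison can be tried offline
    $hcw    = [pscustomobject]@{ Name = 'HCW (sample)'; EFSkipIPs = @('192.0.2.10', '198.51.100.20'); RequireTls = $true }
    $manual = [pscustomobject]@{ Name = 'OrgToEXO';     EFSkipIPs = @();                              RequireTls = $true }
}

$diff = Compare-InboundConnector -Reference $hcw -Active $manual
$diff | Format-Table Property, Reference, Active -AutoSize

$missing = @($diff | Where-Object { $_.Property -eq 'EFSkipIPs' } | ForEach-Object { $_.Missing })
if ($missing.Count -gt 0 -and (Get-Command Set-InboundConnector -ErrorAction SilentlyContinue)) {
    # -WhatIf previews the change; remove it to apply
    Set-InboundConnector -Identity $manual.Name -EFSkipIPs @{Add = $missing} -WhatIf
}
```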