Hello,
We have the following scenario:
We have set up a hybrid configuration.
We have migrated individual users from an Exchange Server 2013 to Office 365, the migration worked without any problems.
The DNS records (SPF) are entered correctly (Public DNS Provider + Office 365).
After the migration of 2 users who are now in Office 365, they can send emails to each other but do not receive emails from on-premises users who have not been migrated, and also not from external senders (e.g. GMX).
The error message:
Error Details
Reported error: 550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient max.musster@domain.com not found by SMTP address lookup
DSN generated by: AM5PR0802MB2594.eurprd08.prod.outlook.com
Many thanks in advance.
After the migration of 2 users who are now in Office 365, they can send emails to each other but do not receive emails from on-premises users who have not been migrated, and also not from external senders (e.g. GMX).
Hard to say with so little information. How about briefly explaining your configuration? Sounds a bit like a hybrid deployment, doesn't it?
Hello Norbert,
Yes, as mentioned in the first sentence, we have a hybrid configuration.
The users are synchronized via Azure AD Connect.
We have two connectors between on-premises (Exchange 2013) and Exchange Online:
- From our organization to O365
- From O365 to our organization
We have a Sophos UTM 9 in between as a spam filter, where we have also entered the Office 365 domain in the routing.
Thank you very much
Just not too much ;) So do you have centralized mail transport? If not, the mails have to arrive at O365 somehow. Between the on-prem and cloud users... are all users with mailboxes synchronized in both GALs? Do they all have the onmicrosoft.com routing address?
Hello Norbert,
Do you have centralized mail transport?
No, do we need to activate this?
Between the on-prem and cloud users... are all users with mailboxes synchronized in both GALs?
Yes.
Do they all have the onmicrosoft.com routing address?
Yes.
Thank you very much
No, do we need to activate this?
It depends on what you want/planned.
Does the connector between O365 and on-prem work?
Hello Norbert,
We thought "centralized mail transport" was the reason why the emails do not work.
1. The first plan was a complete migration to Office 365 and then deleting the on-premises Exchange; unfortunately an unexpected problem has arisen: Microsoft Dynamics NAV SMTP + Office 365 is not supported. Do you have a suggestion for a solution?
2. The second plan is Office 365 + on-premises Exchange in parallel, so that we have mailboxes that work with NAV.
Does the connector between O365 and on-prem work?
We think so, or rather, how can we check this? :)
Thank you very much
On the O365 side you can even just press "test" ;) So the mails are received by Sophos and sent on-prem to the Exchange. This normally then sends them to the cloud mailboxes via the mail.onmicrosoft.com addresses. The cloud should then deliver the mails back to your on-prem Exchange via the connector, which then sends them to the local mailboxes or to Sophos for the Internet. Neither direction works for you? Then in my opinion your setup is not correct somewhere. Without logs, however, you will certainly not be able to solve this in the forum.
Hello Norbert,
We have tested the connectors and get the message "450 4.4.317 Cannot connect to remote server [Message=CertificateExpired]" in return. We have checked the certificate on-premises via the GUI; the correct certificate was also selected in the HCW. Can we also check the certificate on the O365 side?
Thank you very much
https://testconnectivity.microsoft.com/tests/O365ResolveSmarthost/input
@edibut Can EOL establish an SMTP(S) connection directly to your Exchange... in other words, do you have a -> successfully <- set up hybrid environment from the wizard?
Greetings,
Ralf
Hello Ralf,
Thank you for your reply. We have carried out the test and received the following message:
450 4.4.317 Cannot connect to remote server [Message=CertificateExpired]
You either arrive at the wrong server (with the wrong cert) from outside, or your Exchange has the wrong cert bound. I just tried this via Telnet. Are you sure that you have configured centralized mail flow correctly? Because at mail.euredomain.at NO Exchange answers on port 25, but probably Sophos. That doesn't work.
Hello Norbert,
Just for your information:
We have not configured (activated) the centralized mailflow.
Thank you very much.
But that doesn't change my statement. Your hybrid config does not fit. See above. And why Sophos antispam if you don't have a centralized mail flow? Where does your MX point to? And can cloud users send external mails?
Hello Norbert,
We suspect that the problem lies with our certificate.
We have a wildcard certificate (*.apoverlag.at).
For the HCW (transport certificate) we selected *.apoverlag.at; the certificate has no SAN (mail.apoverlag.at). Could this be the problem?
Thank you very much
No, the problem is that mail.apoverlag.at is not your Exchange.
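Norbert's telnet check, written out as an added PowerShell diagnostic (this is not from the thread and not an Exchange cmdlet): it connects to the host on port 25, reads the SMTP banner (an Exchange server announces itself as "Microsoft ESMTP MAIL Service"; a filtering appliance does not), upgrades with STARTTLS and reports the certificate that is actually presented: subject, DNS names, expiry and whether the expected name is covered. The name matcher also shows that a wildcard such as *.apoverlag.at does cover mail.apoverlag.at, so the wildcard alone is not the problem; an expired certificate, or a non-Exchange banner from whatever device answers on port 25, is. The host names and the EHLO name are placeholders; the script assumes Windows PowerShell 5.1 on a machine that can reach the host.

```powershell
# Added example: probe what actually answers on port 25 for a hybrid host and which
# certificate it presents. Not from the thread; host names below are placeholders.

function Test-CertNameMatch {
    # $true if $Target is covered by one of the DNS names, honouring a single-label
    # wildcard (RFC 6125): *.apoverlag.at covers mail.apoverlag.at, but neither
    # apoverlag.at nor a.b.apoverlag.at.
    param([string[]]$Names, [string]$Target)
    $t = $Target.ToLowerInvariant()
    foreach ($name in $Names) {
        $n = $name.ToLowerInvariant()
        if ($n -eq $t) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # ".apoverlag.at"
            if ($t.EndsWith($suffix) -and
                ($t.Split('.').Count -eq $n.Split('.').Count)) { return $true }
        }
    }
    return $false
}

function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)][string]$HostName,   # what the MX or the hybrid FQDN resolves to
        [int]$Port = 25,
        [string]$ExpectedName = $HostName,         # name the certificate must cover
        [string]$EhloName = 'hybridcheck.example'  # placeholder client name
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $client.ReceiveTimeout = 15000
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true
    $tls = $null
    try {
        $banner = $reader.ReadLine()
        $writer.WriteLine("EHLO $EhloName")
        $ehlo = @()
        do { $line = $reader.ReadLine(); $ehlo += $line } while ($line -match '^\d{3}-')
        if (@($ehlo -match '^250[ -]STARTTLS').Count -eq 0) {
            throw "Server at $HostName does not offer STARTTLS. Banner: $banner"
        }
        $writer.WriteLine('STARTTLS')
        $reply = $reader.ReadLine()
        if ($reply -notmatch '^220') { throw "STARTTLS refused: $reply" }

        # Accept every certificate at the TLS layer so that we can inspect it;
        # the checks that matter (expiry, name) are done explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $tls = New-Object System.Net.Security.SslStream($stream, $false, $acceptAll)
        $tls.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)

        # Subject Alternative Name (OID 2.5.29.17); Format() yields "DNS Name=..." entries on Windows.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = @()
        if ($sanExt) {
            $san = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

        [pscustomobject]@{
            Host              = "${HostName}:$Port"
            Banner            = $banner
            LooksLikeExchange = [bool]($banner -match 'Microsoft ESMTP')
            Subject           = $cert.Subject
            DnsNames          = $san
            NotAfter          = $cert.NotAfter
            Expired           = $cert.NotAfter -lt (Get-Date)
            NameCovered       = Test-CertNameMatch -Names (@($cn) + $san) -Target $ExpectedName
        }
    }
    finally {
        if ($tls) { $tls.Close() }
        $client.Close()
    }
}

# Placeholder invocation: the host the MX points at, checked against the hybrid FQDN given to the HCW.
Test-SmtpStartTls -HostName 'mail.apoverlag.at' -ExpectedName 'mail.apoverlag.at' | Format-List
```

Run it once against the name the MX resolves to and once against the hybrid FQDN from the HCW. If LooksLikeExchange is $false for the hybrid FQDN, Exchange Online is talking to the appliance rather than to Exchange, which is exactly the situation Norbert describes; Expired $true explains the 4.4.317 CertificateExpired response regardless of which certificate was chosen in the HCW.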
Important
Don't place any servers, services, or devices between your on-premises Exchange servers and Microsoft 365 or Office 365 that process or modify SMTP traffic. Secure mail flow between your on-premises Exchange organization and Microsoft 365 or Office 365 depends on information contained in messages sent between the organization. Firewalls that allow SMTP traffic on TCP port 25 through without modification are supported. If a server, service, or device processes a message sent between your on-premises Exchange organization and Microsoft 365 or Office 365, this information is removed. If this happens, the message will no longer be considered internal to your organization and will be subject to anti-spam filtering, transport and journal rules, and other policies that may not apply to it.
Source: https://docs.microsoft.com/en-us/exchange/transport-routing
If EOL and on-prem are to establish a connection with each other, there must be nothing in between.
Greetings,
Ralf
I have been trying to explain this for some time. Maybe your quote/link will help ;)
Hello,
We have now configured the route for hybrid on the firewall and can now establish a connection. But now, in the next step, we get the message "The test email was routed out from O365 without using any connector." Is our assumption correct that we still have to create a receive connector on the on-premises Exchange, because the HCW has not automatically created one?
The HCW sets everything up correctly (you can and must run it several times). So if your Exchange is now directly reachable from outside via port 25, have the HCW configure it again and then take a look.
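To "take a look" after re-running the HCW, here is an added set of Exchange Management Shell checks (not from the thread). They list what the HCW recorded, the send connector to Exchange Online with its TLS settings, the receive connectors with the certificate they present, the SMTP-enabled certificates with their expiry, and any mailbox or remote mailbox that lacks the tenant.mail.onmicrosoft.com routing address Norbert asked about earlier. The coexistence domain 'contoso.mail.onmicrosoft.com' and the hybrid FQDN are placeholders, and the connector names mentioned in the comments are HCW defaults that may differ in your organisation.

```powershell
# Added example: run in the on-premises Exchange Management Shell (Exchange 2013) after
# the HCW has completed. Not from the thread; 'contoso' and the hybrid FQDN are placeholders.

$CoexistenceDomain = 'contoso.mail.onmicrosoft.com'   # placeholder: <tenant>.mail.onmicrosoft.com
$HybridFqdn        = 'mail.apoverlag.at'               # the FQDN given to the HCW; must be the Exchange itself

# 1. What the HCW recorded: domains, transport servers and the TLS certificate it chose.
Get-HybridConfiguration |
    Format-List Domains, SendingTransportServers, ReceivingTransportServers, TlsCertificateName, Features

# 2. Send connector on-prem -> EOL. The HCW default is named 'Outbound to Office 365'; it routes
#    the coexistence domain to the tenant's mail.protection.outlook.com smart host with
#    domain-validated TLS, and CloudServicesMailEnabled keeps the messages "internal".
Get-SendConnector | Where-Object { $_.AddressSpaces -match 'onmicrosoft\.com' } |
    Format-List Name, AddressSpaces, SmartHosts, DNSRoutingEnabled, RequireTLS, TlsAuthLevel, TlsDomain,
                TlsCertificateName, CloudServicesMailEnabled, Enabled

# 3. Receive connectors: EOL connects to port 25 on the hybrid FQDN. The frontend connector must
#    present the hybrid certificate (TlsCertificateName) and carry the TLS domain capability
#    for mail.protection.outlook.com that the HCW adds.
Get-ReceiveConnector |
    Format-List Name, Bindings, Fqdn, TlsCertificateName, TlsDomainCapabilities, RequireTLS

# 4. Certificates enabled for SMTP: expiry, and whether the hybrid FQDN is covered. A wildcard
#    in CertificateDomains covers exactly one label, so *.apoverlag.at covers mail.apoverlag.at.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Select-Object Thumbprint, Subject, NotAfter, Status,
        @{ n = 'CoversHybridFqdn'; e = {
            $fqdn = $HybridFqdn.ToLower()
            [bool]($_.CertificateDomains | Where-Object {
                $d = $_.ToString().ToLower()
                ($d -eq $fqdn) -or
                ($d.StartsWith('*.') -and $fqdn.EndsWith($d.Substring(1)) -and
                 ($fqdn.Split('.').Count -eq $d.Split('.').Count))
            })
        } } | Format-Table -AutoSize

# 5. Routing addresses. Every on-prem mailbox needs a <tenant>.mail.onmicrosoft.com proxy address
#    so that EOL can route mail to it; every migrated user must exist on-prem as a remote mailbox
#    whose RemoteRoutingAddress points at the coexistence domain, otherwise on-prem Exchange
#    cannot resolve the recipient (the RecipientNotFound seen at the start of the thread).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { @($_.EmailAddresses | Where-Object { $_ -like "smtp:*@$CoexistenceDomain" }).Count -eq 0 } |
    Select-Object Name, PrimarySmtpAddress | Format-Table -AutoSize

Get-RemoteMailbox -ResultSize Unlimited |
    Where-Object { $_.RemoteRoutingAddress -notlike "*@$CoexistenceDomain" } |
    Select-Object Name, PrimarySmtpAddress, RemoteRoutingAddress | Format-Table -AutoSize
```

Both lists in step 5 should be empty in a working hybrid; the certificate table in step 4 must show CoversHybridFqdn $true and a NotAfter in the future for the thumbprint that appears in the send and receive connectors' TlsCertificateName.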