I redirect outgoing emails in my organization to my postfix MTA. from there, i'm redirecting the mails to office 365 for relaying to the original recipients.

For external recipients, I get the following error:

550 5.7.64 TenantAttribution; Relay Access Denied 
[....prod.protection.outlook.com] (in reply to RCPT TO command))

I have an inbound connector to 'Office 365' and still the mails are blocked with the error above.

danny h.
  • 21
  • 1
  • 1
  • 2
  • `I have an inbound connector to 'Office 365' and still the mails are blocked with the error above.` - Telling us that without telling us any of the configuration settings of said connector doesn't give us enough information to help. – joeqwerty Jan 03 '19 at 18:56
  • @joeqwerty (I'm a colleague of danny) ConnectorType is from Partner to office 365. It verifies the message come from specific IP range (where we configured the postfix external IP). TLS required but without verifying specific subject. Emails are only rejected when recipient is form outside the org. – yair Jan 04 '19 at 06:55

2 Answers2


This suggests that you've not got a proper certificate chain set up on your local MTA. Have you reviewed article 3212877 in the Microsoft Knowedgebase? If you're using TLS (and you should) then the Exchange/O365 server needs to be able to validate all the certificates in any incoming TLS connection back to a trusted root.

Rob Moir
  • 31,884
  • 6
  • 58
  • 89
  • (I'm a colleague of danny) The Connector is marked with `Reject messages if they aren’t encrypted using Transport Layer Security ‎(TLS)‎.` (without enforcing a specific subject). Note this access denied error only appears when recipient is not part of the organization, I think it means the TLS works OK, but we still see that error for external recipients. Or do you mean a fully trusted certificate chain (and not just self signed one) is specifically needed for relaying to external recipients? – yair Jan 04 '19 at 06:49
  • @yair I would expect a fully trusted certificate chain is required. – Rob Moir Jan 21 '19 at 08:13

I think you may first review your relay configuration on O365 according this official article.

And you could refer to this Microsoft KB article about this error. Please check the certificate on your postfix MTA, and the IP configuration about the connector.

Shaw Lu
  • 339
  • 1
  • 4
  • (I'm a colleague of danny) Is it required to have a certificate by a trusted CA (and not just self signed one) even if the Inbound connector require TLS but without verifying the subject? Note that the connector does work when recipients are inside the org (report show emails pass through the connector and with TLS) – yair Jan 04 '19 at 07:06
  • Hi, According this article: “Check that your on-premises email server has Transport Layer Security (TLS) enabled, with a valid certification authority-signed (CA-signed) certificate.” https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail Though it doesn’t say trusted third-party CA, but I think a self-signed certificate is not the case, and in my understanding Exchange online requires a public trusted certificate. – Shaw Lu Jan 07 '19 at 07:56