Category Archives: Office 365

Everything about Microsoft Office 365 services and new trends.

Setting up signature or disclaimer for all users in Office 365 Exchange online.

The Story

To set up a signature for all Office 365 Exchange Online users without going to each client and configuring it manually, you can use mail flow rules to append the signature to every outgoing email.
To do so, go to the Office 365 Exchange admin portal, navigate to Mail flow -> Rules and click on the + sign.


Click on “Apply disclaimers…”


When the new rule opens, you will have to give it a name and set the condition for the rule. An empty form looks like this one:


but here’s what mine looks like:
I chose “The sender address includes” with a specific domain; then, in the “append the disclaimer” part, I entered HTML code which includes all the user details.


After applying the disclaimer I chose the “Wrap” fallback action. Then, in the exception part, I added a rule that excludes the disclaimer and signature from any reply message by matching the word “RE” in the subject field.


The disclaimer code is as follows; you may want to configure or customize it according to your needs.


<div style="font-size:9pt; font-family: 'Calibri',sans-serif;">
<div><img alt="Logo" src=""><p><p><p>Tel: %%PhoneNumber%%<br>
Gsm: %%MobileNumber%%<br>
Fax: %%FaxNumber%%<br>
<span style="font-size:12pt; font-family: 'Cambria','times new roman','garamond',serif; color:#100101;">Disclaimer</span><br>
<p style="font-size:8pt; line-height:10pt; font-family: 'Cambria','times roman',serif;"> ________________________________________
<span style="padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt; font-family: 'Calibri',Arial,sans-serif;"><a href=""></a></span><br></div><br>
<span style="font-size:10pt; font-family: 'Cambria','times new roman','garamond',serif; color:#928E8E;">This e-mail and any information included within any attached document are private and confidential and intended solely for the addressee. Company name does not accept any legal responsibility for the contents of this message and any attached documents. If you are not the intended addressee, it is forbidden to disclose, use, copy, or forward any information within the message or engage in any activity regarding the contents of this message. In such case please notify the sender and delete the message from your system immediately. Company name also denounces any legal responsibility for any amendments made on the electronic message and the outcome of these amendments, as well as any error and/or defect, virus content and any damage that may be given to your system.</span>
<span style="padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt; font-family: 'Calibri',Arial,sans-serif;"><a href="">Company Name</a></span><br><br>
</div>

I have highlighted the customizable parts of the code in yellow and red so you can change or configure them to fit your needs.
The display name, department, email, etc. are all variables for user attributes, and they are pulled from Microsoft Azure AD; if your users don’t have that information filled in there, those fields will most likely show nothing.

Note: for the red-highlighted link you have to use an “HTTP” link only for your company’s uploaded logo. An HTTPS link won’t be accepted or rendered.

If you’re new to HTML, you can use the following links for testing and changing colors, etc.
For color changing:

Using the website, you can paste the code into the left pane and click on “See results”; it will show you the result in the right pane.

See how it looks:


Once you’re done with the code, copy and paste it into the disclaimer field on the right pane. Next click Save; this will probably take about 10 minutes or less to be applied.


To test whether this is going to work, I will pick one of the users the rule applies to, fill out their details such as display name, e-mail, street, etc., and try to send an email as this user.


The mail body is empty, as you can see:
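The same mail flow rule built with Exchange Online PowerShell instead of the admin center, as an added example that is not part of the original post. It assumes an Exchange Online remote PowerShell session is already imported; yourdomain.com and C:\Signature\disclaimer.html are placeholders, the file holding the HTML disclaimer from the post with its %%Attribute%% variables.

```powershell
# Added example (not from the original post): create the signature/disclaimer rule
# with New-TransportRule so it can be reviewed and re-created consistently.
# Placeholders: yourdomain.com and the path of the saved disclaimer HTML.

$DisclaimerHtml = Get-Content -Path 'C:\Signature\disclaimer.html' -Raw

$ruleParams = @{
    Name                              = 'Company signature and disclaimer'
    # Condition from the post: the sender address is in the company domain
    SenderDomainIs                    = 'yourdomain.com'
    # Action: append the HTML; %%DisplayName%%, %%PhoneNumber%% etc. are filled from Azure AD
    ApplyHtmlDisclaimerText           = $DisclaimerHtml
    ApplyHtmlDisclaimerLocation       = 'Append'
    # Wrap = if the disclaimer cannot be inserted, wrap the original in a new message
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'
    # Exception from the post: do not append again on replies whose subject contains RE
    ExceptIfSubjectContainsWords      = 'RE'
    Comments                          = 'Appends HTML signature/disclaimer to outbound mail; skips replies'
}

New-TransportRule @ruleParams

# Verify what was created; the rule only takes effect once State is Enabled
Get-TransportRule -Identity $ruleParams.Name |
    Format-List Name, State, Priority, SenderDomainIs, ApplyHtmlDisclaimerLocation,
                ApplyHtmlDisclaimerFallbackAction, ExceptIfSubjectContainsWords
```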

Tags: Exchange Online, ExchangeOnline, Office365, Office 365, Signature


Set OWA redirection from On-premises OWA to Office 365

If you ran the Hybrid Configuration Wizard and noticed that users migrated from Exchange on-premises to O365 are not redirected to the O365 OWA page, go through the following to check whether there is an issue and fix it.

In normal cases this is done automatically when running the HCW (Hybrid Configuration Wizard), but in some cases it might not be set. When a migrated user then tries to log in using the local Exchange OWA page, the user is not redirected to O365 OWA and gets an error.


To make sure that redirection is the problem, open the Exchange Management Shell and run the command below to see for yourself whether “TargetOWAURL” is set.

In the screenshot below, the value for TargetOwaURL is not set, so we’ll have to set it as in the snapshot after that.

The TargetOwaURL will point to the tenant’s OWA URL.

The target URL must look like the one in the following snapshot.

To resolve this, run the cmdlet:

Set-OrganizationRelationship "On Premises to Exchange Online Organization Relationship" -TargetOwaURL <tenant OWA URL>

Office 365 Mail flow in Hybrid doesn’t work after you white list office365 IPs on your SMTP gateway

I deployed a hybrid environment for a customer who has Exchange 2010 SP3 with over 11K users. The customer was using an SMTP gateway for spam protection and didn’t want to disable or bypass the gateway during or after the hybrid deployment; they wanted to keep their gateway in place permanently.

While Microsoft doesn’t support SMTP gateways in a hybrid environment, I had to find a way to configure this gateway to allow all incoming and outgoing emails between the Office 365 tenant and Exchange on-premises, using the whitelist feature in all of its services (anti-spam, virus, spoof, etc.).

After configuring the hybrid deployment, I had a problem with mail flow from/to Exchange Online.

I checked all of Microsoft’s Office 365 / Exchange Online / Exchange Online Protection IPs/CIDRs in order to whitelist them or add them to the ignore list on the SMTP gateway, so that mail flow to and from Exchange Online would not be checked when the other side is Exchange on-premises, but that didn’t work until I found a Microsoft article that had been modified very recently (31-05-2016).


Click here for the link

The article mentioned that the IP list have been updated, including the removed IPs list as well.


While tracing the logs in the Office 365 message trace tool I noticed that the connection to the SMTP gateway was refused due to an IP which the MS article described as “Removed” but which was still being used to send emails from Exchange Online.

The IP was greylisted on the SMTP gateway because it had not been added to the whitelist.


If you read the article you’ll notice that the subnet is listed as removed, so adding the IP to the whitelist solved the problem for me.



Hope this helps

For any questions or inquiries please mail me.

Importing PST to Office 365 Exchange online mailboxes through the new Import Service


Microsoft has decided to charge for this service ($8 per GB) …

Microsoft has launched a new feature that allows administrators to import PST to Exchange online directly through the portal.

In this article I’ll guide you through the steps of uploading one PST file and importing it into a user’s mailbox. The steps are identical to Microsoft’s TechNet article, but this is more detailed and includes screenshots.

So to achieve this, you’ll have to first sign in to your Office 365 portal. Open Exchange admin center and follow the below steps:

1. Granting permission

Grant yourself permission to import PST files into users’ mailboxes by navigating to Exchange admin center -> Permissions -> double-click on Compliance Management.

Under Roles: click on + and add Mailbox Import Export role

Click on + Under Members and add your user account


2. Copy the secure URL and secure storage account key

To get the Azure secure storage account key and URL you will have to go back to the Office 365 portal and then click on Import tab on the left pane

Then click on the Key sign below


When you click on it, you will be able to retrieve the key and the URL by clicking on Copy Key and URL .


The secure storage account key is pretty long, and be aware that you may accidentally copy only the visible portion of it from the field. If you do so and paste that into the AzCopy command or Azure Storage Explorer, you will get an error.

Here’s my Secure Storage account key that I am using on a trial version of Office 365.


Next: Copying the URL.

The URL has an important part which you will be using in Azure Storage Explorer tool in order to login and browse your Tenant’s storage which you’ll use to upload PST to.

The URL will appear as following.. You will need to copy the part in bold

You have to copy this in to the storage account name


3. Copying PST files to the Azure folder using the AzCopy command or Azure Storage Explorer

To upload PST files to Azure you have two methods. The first is the AzCopy command, which is pretty easy and straightforward (but still CMD dependent); the second is the GUI application, Azure Storage Explorer.

To download azcopy, you can use the following link

Or download them from the Import page as well under Resources:


Once the tool is installed, right-click it and run it as administrator.

The following command will take all the files inside my local folder C:\Users\Mohammed\Desktop\upload.

It will create a folder called “Server01/PSTshareR1/” in Azure’s default folder ingestiondata.

It will use the destination key that I retrieved from the Office 365 Import window, and will leave the logs on your local drive in C:\PSTupload\Uploadlog.log.

AzCopy /Source:C:\Users\Mohammed\Desktop\upload /Dest:<secure URL>/Server01/PSTshareR1 /Destkey:KA9Z00rEYa1JlqGE4wO222MnsN5ywT0elOgLeNht/fSMIJPe2134hEChuuDJ5mfdknq8ts0+cez6uUvFzcQd6g== /S /V:C:\PSTUpload\Uploadlog.log


To make sure that the files are uploaded, I will open Azure Storage Explorer 6 (Preview) and click Add Account at the top.

In the Add Storage Account window I will use the blob (storage account) name that I got from the URL earlier, put the secure storage key in the Storage Account Key field below, and click Save.


Once I click that I will get a list of directories. The default directory used by Office 365 is the “ingestiondata” folder; that is where our files are uploaded.


4. Create CSV File to import PST

Assuming you have 150 PST files that you want to upload and import into users that have already been enabled on Exchange Online, you will have to prepare a CSV file that looks like the sample below.

To explain what each column stands for, Microsoft has written a table that clears the dust, but some parts were not clear even to me, such as FilePath: the TechNet article confuses it with the “Ship data on physical hard drives” scenario, since that uses your drive to upload data directly to Azure through the Import tool on the Office 365 portal.




The friendly path here is the path of the folder you created in Azure through the AzCopy command:

AzCopy /Source:C:\Users\Mohammed\Desktop\upload /Dest:<secure URL>/Server01/PSTshareR1 /Destkey:KA9Z00rEYa1JlqGE4wO222MnsN5ywT0elOgLeNht/fSMIJPe2134hEChuuDJ5mfdknq8ts0+cez6uUvFzcQd6g== /S /V:C:\PSTUpload\Uploadlog.log

CSV Sample


So the CSV File is ready.

In Azure Storage Explorer I double-checked that the PST files had finished uploading and were there.
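Building the mapping CSV from the local upload folder, as an added example that is not part of the original post. It assumes the PST files are named after the user alias and the mailbox is alias@example.com (example.com is a placeholder), and that the column names match Microsoft’s Import service mapping file format; compare them against the sample mapping file on the Import page before using it.

```powershell
# Added example (not from the original post): generate the PST import mapping CSV for
# the files uploaded with AzCopy into ingestiondata/Server01/PSTshareR1/.
# Assumptions: PST files are named <alias>.pst and the mailbox is <alias>@example.com.

$LocalFolder  = 'C:\Users\Mohammed\Desktop\upload'   # source folder used in the AzCopy command
$FriendlyPath = 'Server01/PSTshareR1'                 # folder AzCopy created under ingestiondata
$Domain       = 'example.com'                         # placeholder: your tenant's accepted domain
$MappingCsv   = 'C:\PSTUpload\PstImportMapping.csv'   # placeholder output path

function New-PstMappingRows {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$FriendlyPath,
        [Parameter(Mandatory)][string]$Domain
    )
    Get-ChildItem -Path $Folder -Filter '*.pst' -File | ForEach-Object {
        [pscustomobject]@{
            Workload            = 'Exchange'
            FilePath            = $FriendlyPath           # path under ingestiondata, not the local path
            Name                = $_.Name                 # PST file name exactly as uploaded (case matters)
            Mailbox             = "$($_.BaseName)@$Domain"
            IsArchive           = 'FALSE'                 # TRUE imports into the user's online archive
            TargetRootFolder    = '/'                     # '/' merges into the mailbox root; blank = "Imported" folder
            ContentCodePage     = ''                      # only needed for ANSI PSTs in non-Latin code pages
            SPFileContainer     = ''                      # SharePoint-only columns, left empty for Exchange
            SPManifestContainer = ''
            SPSiteUrl           = ''
        }
    }
}

$rows = New-PstMappingRows -Folder $LocalFolder -FriendlyPath $FriendlyPath -Domain $Domain

# Catch mailboxes that do not exist before the Import wizard rejects the file
$missing = $rows | Where-Object { -not (Get-Recipient -Identity $_.Mailbox -ErrorAction SilentlyContinue) }
if ($missing) { Write-Warning ("No mailbox found for: " + (($missing.Mailbox) -join ', ')) }

$rows | Export-Csv -Path $MappingCsv -NoTypeInformation -Encoding ASCII
$rows | Format-Table Name, Mailbox, FilePath
```

The Get-Recipient check assumes the Exchange Online remote session from the earlier posts is imported.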


5. Using the Upload Files over the network

Back to Office 365 portal, go to Import and click on the + Sign and select Upload files over the network


Select I have access to the mapping file as well


Click on + and upload the CSV file that you have prepared for the mapping

Next, the file is imported. Tick “By checking this box, you agree to the terms and conditions of this service.”


As soon as you accept and click Next, the import will check the path, email and folder, and will start the import process.



Email before importing


Imported started, folder has been created


Importing is done





Import Microsoft IP address to receive connector

Sometimes when you run the Office 365 Hybrid Configuration Wizard from Exchange 2010, after the integration is successfully implemented not all of Microsoft’s IPs are imported into the “Inbound from Office 365” receive connector, so you may have to add them manually on your on-premises Exchange server.

To do so, open the Exchange Management Shell as administrator and run the following cmdlets.

[PS] C:\>$RecvConn = Get-ReceiveConnector "Inbound from Office 365"

[PS] C:\>$RecvConn.RemoteIPRanges += "<Office 365 IP range 1>", "<Office 365 IP range 2>", "<Office 365 IP range 3>"

[PS] C:\>Set-ReceiveConnector "Inbound from Office 365" -RemoteIPRanges $RecvConn.RemoteIPRanges

Hit Enter after each PS line and you will be able to find all those IPs in your connector.

Export Office 365 users from specific domain and change their passwords

First of all you will need to connect to your tenant with your global admin account using the following script:

Import-Module MSOnline

$O365Cred = Get-Credential

$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $O365Cred -Authentication Basic -AllowRedirection

Import-PSSession $O365Session

Connect-MsolService -Credential $O365Cred

After connecting, type the following command, which exports all users in a specific domain added to your portal (useful if you have more than one domain added there). -All is needed because Get-MsolUser returns only the first 500 users by default.

Get-MsolUser -All -DomainName <yourdomain.com> | Select UserPrincipalName | Export-Csv C:\users.csv -NoTypeInformation


Change the passwords for those users with the following commands. After pressing Enter on the first line you’ll be given a prompt to enter the new password that you want to set for all users in the exported file:

$PASS = Read-Host


Run this command to change the passwords:

Import-Csv C:\Users.csv | ForEach-Object { Set-MsolUserPassword -UserPrincipalName $_.UserPrincipalName -NewPassword $PASS -ForceChangePassword $true }


That’s it. Now users inside the exported csv file have the new password which you have just set.

Note that users will be prompted to reset their passwords upon login; if you don’t want this to happen, remove the -ForceChangePassword $True parameter.

Tags: Office365, Office 365, Exchange Online, Azure
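The same bulk reset over the exported C:\Users.csv, as an added example that is not part of the original post, but giving every user a different random temporary password and logging the outcome per account. It assumes Connect-MsolService has already run as shown above; C:\PasswordResetLog.csv is a placeholder path.

```powershell
# Added example (not from the original post): per-user random temporary passwords instead
# of one shared password, with a result log. Assumes Connect-MsolService has already run.

function Get-CryptoIndex {
    # Uniform random index in [0, Max) from the OS CSPRNG; rejection sampling avoids modulo bias
    param([Parameter(Mandatory)][int]$Max)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $rng.GetBytes($bytes)
        $n = [BitConverter]::ToUInt32($bytes, 0)
    } while ($n -ge $limit)
    return [int]($n % [uint32]$Max)
}

function New-TemporaryPassword {
    param([int]$Length = 16)
    $classes = @(
        [char[]]'abcdefghijkmnopqrstuvwxyz',   # ambiguous l and o removed
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',    # ambiguous I and O removed
        [char[]]'23456789',
        [char[]]'!@#$%^&*'
    )
    $all = $classes | ForEach-Object { $_ }
    # One character from every class satisfies Azure AD complexity; the rest from the full set
    $chars = foreach ($c in $classes) { $c[(Get-CryptoIndex -Max $c.Count)] }
    $chars += 1..($Length - $classes.Count) | ForEach-Object { $all[(Get-CryptoIndex -Max $all.Count)] }
    # Shuffle so the class-guaranteed characters do not always sit at the front
    -join ($chars | Sort-Object { Get-CryptoIndex -Max 1000000 })
}

$results = Import-Csv -Path 'C:\Users.csv' | ForEach-Object {
    $upn = $_.UserPrincipalName
    $pw  = New-TemporaryPassword
    try {
        Set-MsolUserPassword -UserPrincipalName $upn -NewPassword $pw -ForceChangePassword $true -ErrorAction Stop | Out-Null
        [pscustomobject]@{ UserPrincipalName = $upn; Status = 'Reset'; TemporaryPassword = $pw }
    } catch {
        [pscustomobject]@{ UserPrincipalName = $upn; Status = "Failed: $($_.Exception.Message)"; TemporaryPassword = '' }
    }
}

# The log contains temporary passwords: hand them to users out of band and delete it once done
$results | Export-Csv -Path 'C:\PasswordResetLog.csv' -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```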

Exchange: Cannot process command because of one or more missing mandatory parameters


After you synchronize users from the local Active Directory to the Office 365 directory using DirSync and try to enable user licenses on the Office 365 portal, you get the following error:


Exchange: Cannot process command because of one or more missing mandatory parameters: ArchiveGuid.Exchange: An unknown error has occurred. Refer to correlation ID: dfd8cc2d-e6a4-4b47-8e1e-2059031893c1

According to the error message, the parameter ArchiveGuid is missing. Please refer to the following steps to narrow down this issue:

1. Connect Windows PowerShell to Exchange Online and run the commands below to compare this parameter between users that have errors and normal users:

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Get-Mailbox <username_with_errors> | fl archive*

Get-Mailbox <username_no_errors> | fl archive*

Apparently the commands above didn’t help, so I had to check something else.

In order to solve the problem:

  1. I had to assign a license to the user synced to O365.
  2. Check the user’s proxy target attribute using ADSI (which was correct).
  3. Check the archiving attributes, since the error mentions the archiving option.
  4. After checking the archiving attributes it turned out that the Exchange admin had changed the attributes below before assigning the user a license on O365 and migrating the user.
  5. So deleting the value of msExchArchiveName and setting msExchRemoteRecipientType back to 4 solved the problem.
  6. Of course DirSync needs to run in order to sync the changes from AD to O365.


The migration for the user should be “continued” from the previous migration batch in the portal; otherwise, if you start a new batch for the same user, the result will show as completed but the migration won’t take place.

If you used DirSync to sync users from local to online, try restarting DirSync to check whether this issue persists.
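Checking and repairing the two on-premises AD attributes named in steps 5 and 6, as an added example that is not part of the original post. It assumes the ActiveDirectory module and write access to the user objects; jdoe and asmith are placeholder accounts (one failing, one working).

```powershell
# Added example (not from the original post): compare the archive-related AD attributes of
# a failing and a working user, then apply the post's fix to the failing one.
# Placeholders: jdoe (user with the ArchiveGuid error), asmith (user that licenses fine).

Import-Module ActiveDirectory

$ArchiveAttributes = 'msExchArchiveName', 'msExchArchiveGUID', 'msExchRemoteRecipientType', 'msExchRecipientTypeDetails'

function Get-ExchangeArchiveAttributes {
    param([Parameter(Mandatory)][string]$Identity)
    Get-ADUser -Identity $Identity -Properties $ArchiveAttributes |
        Select-Object SamAccountName, UserPrincipalName, msExchArchiveName, msExchArchiveGUID,
                      msExchRemoteRecipientType, msExchRecipientTypeDetails
}

function Repair-ExchangeArchiveAttributes {
    param([Parameter(Mandatory)][string]$Identity)
    $user    = Get-ADUser -Identity $Identity -Properties $ArchiveAttributes
    $changes = @{}
    # Step 5 of the post: remove the archive name the on-premises admin had set ...
    if ($user.msExchArchiveName) { $changes['Clear'] = 'msExchArchiveName' }
    # ... and put msExchRemoteRecipientType back to 4 (Migrated: the mailbox lives in Exchange Online)
    if ($user.msExchRemoteRecipientType -ne 4) { $changes['Replace'] = @{ msExchRemoteRecipientType = 4 } }
    if ($changes.Count -eq 0) {
        Write-Host "$Identity already has the expected values; nothing to change."
        return
    }
    Set-ADUser -Identity $Identity @changes
    # Step 6 of the post: the change only reaches Office 365 after the next DirSync cycle
    Write-Host "Updated $Identity; run a DirSync cycle (Start-OnlineCoexistenceSync) and retry the license assignment."
}

# Compare first, as the post does with Get-Mailbox | fl archive* on the cloud side
Get-ExchangeArchiveAttributes -Identity 'jdoe'   | Format-List
Get-ExchangeArchiveAttributes -Identity 'asmith' | Format-List
Repair-ExchangeArchiveAttributes -Identity 'jdoe'
```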

Exchange Hybrid Integration with Office 365

Before starting the process of implementing the integration, you should use some tools to verify that your environment has no issues.

First, use the IdFix tool to check Active Directory for any possible issues before installing DirSync and synchronizing users and their objects to the cloud.

IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Office 365. IdFix is intended for the Active Directory administrators responsible for DirSync with the Office 365 service.

To prepare Exchange for hybrid configuration with Exchange Online you need to complete the following steps.

  • Install ADFS (optional) for SSO (to authenticate users against the local AD)

Note about ADFS:

ADFS can be the cause of a lot of headaches and it’s usually better to avoid installing it. Instead of using ADFS so that users keep the same password in large-scale deployments, DirSync can synchronize local passwords to Azure AD, and the same password can then be used both locally and online.

  1. Create an enterprise admin user account on the domain for the DirSync service.
  2. Install DirSync with password synchronization: prepare a separate server for the DirSync tool running Windows 2008 R2 SP1 or 2012 R2; the server should be domain joined in order to reach Active Directory.
  3. The account used with DirSync should be a member of Domain Admins. You also need the admin credentials for the tenant that you signed up for on O365.

Next again

Click Next after selecting the proper location

While installing I got an error saying that the current user was not a member of the Synchronization Engine FIMSyncAdmins group.

I tried to uninstall DirSync, but it gave the same error message.

The FIMSyncAdmins group is a local group on the server; your user is not a member of that group locally, so add your user to the group. After adding the user to the required group the installation completed successfully.

First you need to make sure that your customized (personal) domain is active.

Now we need to enable DirSync from the portal: next to Active Directory -> Synchronization, click on Set up and activate DirSync.

Now click on Activate

Now that we have made sure our domain is active and have activated DirSync on the Office 365 portal, let’s go back to the DirSync server to complete the steps and check whether we can start syncing your Active Directory.

Type your enterprise admin user which you have prepared for Dirsync, for my case I’m just going to use the domain admin user since it’s a Lab.

Make sure you Enable Hybrid Deployment since Azure active directory will modify objects in your on-premises AD.

If you want your on-premises AD passwords synchronized with the users on Office 365, you must tick the option as in the snapshot below.

Here, when I click Next I get the following error:


The new version of DirSync doesn’t accept the domain admin account.


To resolve the problem you have to create a new user account with enterprise admin privileges.

Use this account to connect to AD during config.

Here I created the new user and added the required groups.

After using the new account there was no issue with the setup and I could complete the configuration successfully.

Once the configuration finished you will be able to find event ID 611 in the logs.

Now checking Office 365 portal, I can see that users have been synced to the Office 365 portal:

Now let’s go to the Exchange on-premises server. Before starting the HCW on Exchange on-premises you will have to do three main steps:

  1. Make sure Autodiscover is set.
  2. Make sure WSSecurity is set to true.
  3. Make sure MRSProxy is set to true.

You need to make sure that the Autodiscover URL on the Autodiscover virtual directory is set for internal and external. To do so, first check the current configuration with the following command:

Get-AutodiscoverVirtualDirectory | fl

If the internal and external Autodiscover URLs are not set, set them with the following command lines:

Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (Default Web Site)' -InternalUrl <internal Autodiscover URL>

Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (Default Web Site)' -ExternalUrl <external Autodiscover URL>


Now we have to enable WSSecurity and MRSProxy, since neither is enabled by default on the virtual directory.

You can check whether they are enabled with the following cmdlet:

Get-WebServicesVirtualDirectory -Server ExchangeHostName | fl

Now, to enable MRSProxy on the web services virtual directory, use the following cmdlet in the Exchange Management Shell:

To enable WSSecurity, use the following cmdlet:

Then use the command "Get-WebServicesVirtualDirectory -Server ExchangeHostName | fl" to see whether the values have changed.
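The three pre-HCW checks (Autodiscover URLs, WSSecurity, MRSProxy) as one check-then-fix script for the Exchange Management Shell, as an added example that is not part of the original post. It assumes the server name EXCH01 from the HCW output further down; the autodiscover and EWS URLs are placeholders for your own namespace.

```powershell
# Added example (not from the original post): verify the Autodiscover and EWS virtual
# directory settings the HCW depends on, and set only what is missing.
# Placeholders: the two URLs; EXCH01 is the server named in the post's HCW output.

$Server          = 'EXCH01'
$AutodiscoverUrl = 'https://autodiscover.example.com/Autodiscover/Autodiscover.xml'
$EwsUrl          = 'https://mail.example.com/EWS/Exchange.asmx'

function Ensure-HybridVirtualDirectories {
    param([string]$Server, [string]$AutodiscoverUrl, [string]$EwsUrl)

    # Step 1 of the post: Autodiscover URLs (and WSSecurity, which Autodiscover also needs for hybrid)
    $ad = Get-AutodiscoverVirtualDirectory -Server $Server
    $adFix = @{}
    if (-not $ad.InternalUrl)              { $adFix['InternalUrl'] = $AutodiscoverUrl }
    if (-not $ad.ExternalUrl)              { $adFix['ExternalUrl'] = $AutodiscoverUrl }
    if (-not $ad.WSSecurityAuthentication) { $adFix['WSSecurityAuthentication'] = $true }
    if ($adFix.Count) { Set-AutodiscoverVirtualDirectory -Identity $ad.Identity @adFix }

    # Steps 2 and 3 of the post: WSSecurity and MRSProxy on the EWS virtual directory
    $ews = Get-WebServicesVirtualDirectory -Server $Server
    $ewsFix = @{}
    if (-not $ews.WSSecurityAuthentication) { $ewsFix['WSSecurityAuthentication'] = $true }
    if (-not $ews.MRSProxyEnabled)          { $ewsFix['MRSProxyEnabled'] = $true }
    if (-not $ews.ExternalUrl)              { $ewsFix['ExternalUrl'] = $EwsUrl }   # mailbox moves need a reachable EWS URL
    if ($ewsFix.Count) { Set-WebServicesVirtualDirectory -Identity $ews.Identity @ewsFix }

    # Re-read so the caller sees the effective values, as the post does with "| fl"
    Get-AutodiscoverVirtualDirectory -Server $Server |
        Format-List Identity, InternalUrl, ExternalUrl, WSSecurityAuthentication
    Get-WebServicesVirtualDirectory -Server $Server |
        Format-List Identity, InternalUrl, ExternalUrl, WSSecurityAuthentication, MRSProxyEnabled
}

Ensure-HybridVirtualDirectories -Server $Server -AutodiscoverUrl $AutodiscoverUrl -EwsUrl $EwsUrl
# Virtual directory changes are picked up after the application pools recycle (iisreset if in doubt)
```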

Now I need to go to my local Exchange server and start the Hybrid process.

Under MS Exchange on-premises we click on Organization Configuration after adding our trusted tenant domain to the Exchange server.

Click Next and enter the credentials for your domain admin and tenant admin.

Click Next and enter the verified domain.

Click Next; here you will need to press Ctrl + C to copy the value and create it as a TXT record in your public DNS.

Click Next once you have verified that the value has been published and is available on

Select Mailbox, Client Access and Hub Transport.

Click Next again; below you will need to create a new A record in your public DNS that points to your inbound connector’s IP under Forefront Online Protection and the FQDN (e.g. “”) under the outbound connector, or use the SMTP gateway’s public IP if you have one and create an A record in your public DNS with the same IP.

In the following step, the snapshot shows the certificate that I associated with my hub transport server; this certificate is a public certificate bought from a 3rd party.

Select the certificate and choose how you want to route your mail.

Click Manage. When clicking Manage you might get the following error message:

Summary: 2 item(s). 1 succeeded, 1 failed.

Elapsed time: 00:03:37



Exchange Management Shell command completed:

Set-HybridConfiguration -Features 'MoveMailbox','OnlineArchive','FreeBusy','Mailtips','MessageTracking','OwaRedirection','SecureMail','CentralizedTransport' -Domains '' -ClientAccessServers 'EXCH01' -TransportServers 'EXCH01' -ExternalIPAddresses '' -OnPremisesSmartHost '' -SecureMailCertificateThumbprint 'E2539EB2BE3BB5FFB56B5EF3BF4CB2017A645717'

Elapsed Time: 00:00:06




Updating hybrid configuration failed with error ‘Subtask Configure execution failed: Configure Mail Flow Execution of the Set-HybridMailflow cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.

Connector validation failed: RouteAllMessagesViaOnPremises can be set to true only when there is at least one inbound connector of type OnPremises with AssociatedAcceptedDomains set to empty.

at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors)


Additional troubleshooting information is available in the Update-HybridConfiguration log file located at C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration\HybridConfiguration_2_11_2014_15_9_37_635277281771541111.log.

Exchange Management Shell command attempted:

Update-HybridConfiguration -OnPremisesCredentials 'System.Management.Automation.PSCredential' -TenantCredentials 'System.Management.Automation.PSCredential'

Elapsed Time: 00:03:31

As a Microsoft employee advised, it’s better to use the Internet instead. So we will go with this option and see what happens.

The general recommendation and default setting is not to do this, but to deliver e-mail from Exchange Online to external recipients directly to the Internet instead.

If it is not a requirement, I advise you to skip that option.


And here we are done.

Looking at the Hub Transport, we can see that at remote domains we have new domains added automatically after the Hybrid Configuration.

Error migrating user from office 365 to on-premises

After migrating a user from on-premises Exchange to O365 and then trying to move it back from O365 to on-premises, the user will not move and you will see a message similar to the one below.

Resolution :

To resolve this issue, you will have to disable the ESMTP Inspection rule on your Cisco firewall.

The commands to disable ESMTP inspection are:

pix(config)#policy-map global_policy

pix(config-pmap)#class inspection_default

pix(config-pmap-c)#no inspect esmtp



Emails between O365 and On-premises do not work


When sending an e-mail from O365 migrated users to on-premises users, the on-premises users don’t get the e-mails.

Failure Message

From: Microsoft Outlook <>
Date: 4 Nisan 2014 22:35:30 GMT+3
To: <>
Subject: Undeliverable: deneme

Delivery has failed to these recipients or groups:

User (
The server has tried to deliver this message, without success, and has stopped trying. 

Please try sending this message again. If the problem continues, contact your helpdesk.

User2 ( Company ) (
The server has tried to deliver this message, without success, and has stopped trying. 

Please try sending this message again. If the problem continues, contact your helpdesk.

Diagnostic information for administrators:

Generating server:
Receiving server: (

User (
4/4/2014 7:35:30 PM – Remote Server at ( returned ‘550 4.4.7 QUEUE.Expired; message expired’

4/4/2014 7:27:34 PM – Remote Server at ( returned ‘450 4.7.0 Proxy session setup failed on Frontend with ‘451 4.4.0 Primary target IP address responded with: “451 5.7.3 STARTTLS is required to send mail.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was

User2 ( Company ) (
4/4/2014 7:35:30 PM – Remote Server at ( returned ‘550 4.4.7 QUEUE.Expired; message expired’

4/4/2014 7:27:34 PM – Remote Server at ( returned ‘450 4.7.0 Proxy session setup failed on Frontend with ‘451 4.4.0 Primary target IP address responded with: “451 5.7.3 STARTTLS is required to send mail.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was”

Original message headers:



When you try to telnet to the Office 365 hub transport from the Exchange on-premises server, the SMTP server won’t recognize the telnet commands.


451 4.4.0 Primary target IP address responded with: “451 5.7.3 Must issue a STARTTLS command first” Office 365 Hybrid

If you have an Office 365 hybrid configuration you may experience issues sending emails between on premise and cloud users (in either direction).

The Exchange 2013 (or 2010) on premises queue viewer may show:

‘451 4.4.0 Primary target IP address responded with: “451 5.7.3 STARTTLS is required to send mail.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was’

The Office 365 Message Trace Console shows the delivery status of ‘None’

Office 365 Message Trace 

The errors suggest the TLS connection cannot be made but a TLS certificate IS present and during the Hybrid Connection Wizard the required connectors are automatically created so should not require an additional configuration.

When an email is sent between on premise & cloud (Office 365) users of your SSO domain it is sent across one of the automatically created send connectors. These connectors are secured using TLS.

So, assuming you have ruled out all the normal stuff, it’s now time to get baffled. We know the on-premises server can send and receive external email. We also know that the Office 365 service can send and receive email. It is just the email between the two services that does not work.

I was banging my head against a wall for ages until I used Telnet to connect from my on premise Exchange server to Microsoft cloud gateway.

What I got is shown below:

This is not correct. As you can see the server has not recognised the “ehlo” statement and the banner does not “look right”…

A bit of digging around the firewall I noticed that packets were being dropped when TLS was attempted.

The firewall is a Cisco PIX 515. I disabled ESMTP inspection but that made no difference so I discounted this as the cause.

After a lot more digging around and raging I remembered that the PIX was behind another Cisco firewall, this time an ASA 5510. So I accessed this device and sure enough this edge firewall was also inspecting and dropping TLS over SMTP.

Once both firewalls were configured not to inspect ESMTP, the default configuration set by the Hybrid Configuration Wizard started working straight away.

The commands to disable ESMTP inspection are:

pix(config)#policy-map global_policy
pix(config-pmap)#class inspection_default
pix(config-pmap-c)#no inspect esmtp

Now telnet to the cloud server and you should see a correct banner:
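The telnet check from this post as a script, as an added example that is not part of the original post: it reads the banner and the EHLO reply from the Exchange Online smart host and tests them for a STARTTLS capability instead of judging them by eye. Run it from the on-premises Exchange server; the smart host and HELO names are placeholders for your hybrid configuration.

```powershell
# Added example (not from the original post): probe an SMTP endpoint the way the post does
# with telnet, but check the replies programmatically. Placeholders: smart host and HELO name.

function Read-SmtpReply {
    # An SMTP reply may span several lines: "250-..." continues, "250 ..." ends it
    param([Parameter(Mandatory)][System.IO.StreamReader]$Reader)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }       # peer closed the connection mid-reply
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines
}

function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)][string]$SmtpHost,
        [int]$Port = 25,
        [string]$HeloName = 'mail.example.com',   # placeholder: your public mail host name
        [int]$TimeoutMs = 10000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($SmtpHost, $Port).Wait($TimeoutMs)) {
            throw "TCP connect to ${SmtpHost}:$Port timed out"
        }
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine  = "`r`n"
        $writer.AutoFlush = $true

        $banner = @(Read-SmtpReply -Reader $reader)
        $writer.WriteLine("EHLO $HeloName")
        $ehlo = @(Read-SmtpReply -Reader $reader)
        $writer.WriteLine('QUIT')

        [pscustomobject]@{
            Host            = $SmtpHost
            Banner          = ($banner -join ' ')
            BannerIsSmtp    = [bool]($banner.Count -gt 0 -and $banner[0] -match '^220 ')
            EhloAccepted    = [bool]($ehlo.Count -gt 0 -and $ehlo[0] -match '^250')
            StartTlsOffered = [bool]($ehlo -match '^250[ -]STARTTLS')
            EhloReply       = $ehlo
        }
    }
    finally { $client.Close() }
}

$result = Test-SmtpStartTls -SmtpHost 'contoso-com.mail.protection.outlook.com'   # placeholder smart host
$result | Format-List
if (-not $result.EhloAccepted -or -not $result.StartTlsOffered) {
    # The symptom in the post: odd banner, EHLO not recognised, no STARTTLS. Check for ESMTP
    # inspection on every firewall in the path, not only the innermost one.
    Write-Warning 'EHLO rejected or STARTTLS not advertised between on-premises and Exchange Online.'
}
```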