Hybrid Configuration Wizard mailflow problem

Recently the Exchange hybrid team released the new “stand alone” hybrid wizard called “Microsoft Office 365 Hybrid Configuration Wizard” or HCW.

Read the post on the Exchange Team Blog about the new Hybrid Configuration Wizard here: http://blogs.technet.com/b/exchange/archive/2015/09/04/introducing-the-microsoft-office-365-hybrid-configuration-wizard.aspx

Today I decided to try it out in my lab to prepare myself for a migration.

I was amazed how easy it went. It was almost “next, next, finish”.
Only one thing didn’t work for me – the mailflow from on-premise to Office 365.

I started to investigate. First I took a look at the queue. I could see the message from the outside, to on-prem. This message was supposed to be delivered to the user in the cloud.

Message from outside to a user in the cloud

Here is another view of the message in the queue.

Message stuck in the queue

I took a look at the error message. My first thought was that it was a network error. “Connection timed out”.

Connection timed out

I decided to test network connectivity. It worked as it should.

telnet to Office 365 worked as it should

I then took a look at the Receive Connector in my Office 365 tenant. I saw the message to the right “How to identify email sent from your email server” and was wondering if it could be something with my “Send Connector”.

Only accept messages from on-prem with the correct certificate

I went back to the on-prem server and took a look at the Send Connector. I saw that the “Assigned to services” was only assigned to IIS.

Only service assigned to the 3rd party certificate is IIS, not SMTP

I then assigned the certificate to the SMTP service.

Assign certificate to SMTP service

Now I did a retry on the queue and took a look again, and the mail was delivered to Office 365.

Retry queue and the mails were sent successfully

I don’t know if the Hybrid Configuration Wizard (HCW) was supposed to assign the certificate to this service or not, but remember to check.
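
A quick way to run this check from the Exchange Management Shell, as an added example that is not part of the original post or of the HCW itself: it lists every Send connector that pins a TLS certificate and shows whether the matching certificate is enabled for SMTP. It assumes `TlsCertificateName` holds the usual `<I>issuer<S>subject` string and that issuer and subject match the certificate's `Issuer` and `Subject` values exactly.

```powershell
# Added example: run in the Exchange Management Shell on the on-premises server.
# Reports, per Send connector with a pinned TLS certificate, whether that
# certificate is enabled for the SMTP service.

$certs = Get-ExchangeCertificate

Get-SendConnector | Where-Object { $_.TlsCertificateName } | ForEach-Object {
    $connector = $_

    # Assumption: TlsCertificateName renders as "<I>issuer<S>subject".
    $name = [string]$connector.TlsCertificateName
    if ($name -notmatch '^<I>(?<issuer>.*)<S>(?<subject>.*)$') {
        Write-Warning "$($connector.Name): cannot parse TlsCertificateName '$name'"
        return   # skip to the next connector
    }
    $issuer  = $Matches['issuer']
    $subject = $Matches['subject']

    # More than one certificate can share issuer and subject (e.g. after a renewal).
    $candidates = @($certs | Where-Object {
        $_.Issuer -eq $issuer -and $_.Subject -eq $subject
    })
    if ($candidates.Count -eq 0) {
        Write-Warning "$($connector.Name): no installed certificate matches '$name'"
        return
    }

    foreach ($cert in $candidates) {
        # Services is a flags value; over remoting it arrives as text such as
        # "IIS, SMTP", so compare on the string form to cover both cases.
        [pscustomobject]@{
            Connector   = $connector.Name
            Thumbprint  = $cert.Thumbprint
            Services    = "$($cert.Services)"
            NotAfter    = $cert.NotAfter
            SmtpEnabled = ("$($cert.Services)" -match '\bSMTP\b')
        }
    }
} | Format-Table -AutoSize

# To fix a row where SmtpEnabled is False (thumbprint is a placeholder):
# Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP
```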


HCW doesn’t build or choose a certificate by itself; assigning a certificate is one of the manual steps we perform during the “next, next, finish”. If this certificate we assign for the HCW-created-Send-connector to use doesn’t have SMTP service assigned, it wouldn’t be able to negotiate a TLS communication with O365’s HCW-created-Inbound-connector, and thus mail flow fails. This Inbound Connector is forced to accept only TLS encrypted mails on port 587, which is why it didn’t accept connection on port 25 either (‘Last Error’, Get-Queue).
Hope this helps clarify, but indeed a nice article to anyone who faces this error.

This checkmark should be set by the HCW, I guess it would be easily done. Yes I choose the certificate in the HCW, but it doesn’t warn me that it is not assigned for SMTP and it doesn’t do it for me.

