How to Bypass Proofpoint - "Relay Access Denied" on external forwards

Created by Abderrahim Ibnou el kadi, Modified on Tue, 27 Feb at 5:03 PM by Yves Lacombe


PROBLEM:

You are getting relay access denied with external forwards or distribution groups with external members.  This can also happen with internal forwards since often O365 will tag them as non-local even though they are internal.



ISSUE:


You have an external forward either through a contact or a distribution group with members outside the organisation

The group allows external parties to email it


Example lets say you have a distribution group called support@yourdomain.com that has as member say, people in your organisation and a person who is on gmail (lets say, supportdude@gmail.com).    If an external sender @hotmail.com emails support@yourdomain.com, everybody in your org will get it but the email to supportdude@gmail.com will get bounced with "Relay Access Denied".


This happens because what proofpoint sees is an Email from someone@hotmail.com to supportdude@gmail.com.  Obviously proofpoint is pretty restrictive and will not relay mail for hotmail.com which is effectively what you're asking it to do.

So in these cases, you need to bypass proofpoint altogether using a bypass connector and rule.


IMPORTANT NOTE:  Recently microsoft seems to have made changes to the platform where for some reason, even if SRS is enabled for your organisation, microsoft is not rewriting the sender in forwards and is delivering those via their high risk IP range.   So there's been an uptick as of december 2023 of clients getting this "relay access denied" message.  It's important that you know how to bypass the issue and also you may want to add this IP range to your SPF record.  See article here:  

https://vircomhelp.freshdesk.com/support/solutions/articles/48001242045-microsoft-365-high-risk-delivery-pool




SOLUTION (SUMMARY):


The solution is to create both a connector and a rule.   


Connector first:

Create a new connector in office365

Give it a name:  "Bypass Proofpoint"

From Office365

To Partner Organisation

If invoked by a Rule

Route via MX resolution

When asked to test, use an external address to your domain.


Now the rule:

If the sender is external to the organisation

And the recipient is external to the organisation

Redirect the Email to a Connector (Select: "Bypass proofpoint")


This should cover all the cases of external forwards or external members of distribution groups.


Caveats: Those emails will not transit through proofpoint.  Also in many cases, this will break SPF/DKIM/DMARC for the original sender.  But that's outside of your control.




SOLUTION (DETAILS)



This topic will help set up a connector to use by a RULE if email meets the requirements like in this scenario:

Outbound mail is going through your hosting system but for some reason when an incoming mail is received from an external user i.e.: user@external.com  and the recipient has a forward to an external account user2@external2.com , that email may be blocked with error explaining that relaying is denied, and the reason is that the server thinks that someone is trying to relay through as the forwarded email kept the external FROM address i.e.: user@external.com .

To fix this you will need to create a Connector that is sending from O365 directly to the outside with one condition which is if it is called by a RULE. 

I- Creating a connector:

1- open the Exchange Admin Center (EAC)

2- Click on mail flow 

3- Click on connectors (on the right pane)

4- click on the PLUS sign


In the connector Popup window:

5- in the From : chose  "Office 365"

6- TO: chose "Partner Organization"


7- click NEXT

8-fill in the Name of the RULE

9- Add a description (this is very important if you have many connectors) then click NEXT


10- Chose "Only when i have a transport rule set up that redirects messages to this connector"


11-Chose " Use the MX record associated with the partner's domain" then NEXT


12- Leave the setting by default and click NEXT


13- A recap of your configuration will be displayed, then click NEXT

14-Add and External email address i.e.: user@externaldomain.com click Validate


Once the connector is created, we now need to create the RULE that calls this connector if the condition is met. 


II- Creating a RULE:

Always in the EAC, click the RULES on the top left

1- Click on the(+) to create a new RULE

2- Enter a name for the RULE

3- Under "Apply this rule if..." chose "the sender is located..." then  "Outside the organization" in the pop up window

4- Under "Apply this rule if..." chose "the recipient is located..."  then  "Outside the organization" in the pop up                window

4- Uncheck "Audit this rule with severity"

5- click on "More option..."

6- Under "Do the following ..." chose "Redirect the message to" then chose "the following connector"

7-In the title pop up window chose the connector you just created in our example "Special outbound connector"

8- Make sure that your select the option  "Stop processing more rules"

9- SAVE


Important:

  • Move the RULE to the top of the list