Mail Loop

[brywhi]

Hello,
We have a PMG cluster (just one master plus one node) that is been running for a few years now, works great. It handles mail for about 12 domains, and relays it to Office 365 exchange.

Just recently after upgrading to PMG 7.1-4, we started seeing some weirdness in mail between two domains. They're both in Office 365, but totally separate tenants/exchange environments. Different companies entirely. They were working fine before.

Basically, we get an error on mails between the two domains that says "Hop count exceeded - possible mail loop ATTR1".

In PMG logs, we can see the mail looping several times before Exchange gives up and kills it.

In the sending Exchange server's message trace, the first "try" has From IP of the client sending it, and a To IP of our PMG server. Subsequent tries have a From IP and a To IP of the PMG mail server. The Exchange server that should be receiving it never has it showing up in the log. Basically, on Exchange's end, it looks like PMG is just bouncing it back to the originating server instead of relaying it to the proper server.

This doesn't happen on the other domains on our PMG server, and it doesn't happen from external services (ie: gmail.) Only between these two domains we have on our PMG gateway.

For now, so the two entities can communicate, we've moved their MX records to go straight to Microsoft instead of routing through PMG, but this is not our desired outcome.

How can I begin to troubleshoot this further?

 

[brywhi]

Hi all,
Any ideas? Let me know what logs/data I should share.

 

[Stoiko Ivanov]

This sounds like an issue with the setup on the exchange side - and it's nothing that would have changed with an upgrade of PMG (maybe someone of one of the domains changed something on the exchange side)

depending on your setup - I assume that PMG is the mx for both domains - then the mailflow should be:
for mail from domain1.example to domain2.example
domain1-client -> o365 (their smtp-server) -> dns-lookup -> pmg -> (via PMGs relaydomain and transport entry) -> o365-> domain2-client

I'd say - check the settings in office365 for both domains - and also make sure both are setup correctly as relay-domain, with correct transport entry in PMG

I hope this helps!

 

[brywhi]

Is anyone else out there experiencing this? Our O365 config hasn't changed, and we've reviewed it and it seems to be correct. For some reason, PMG seems to just loop it back and forth to the Exchange server until Exchange kills it.

 

[tech566624]

Hello,

We are currently experiencing the same issue. At our point I think PMG is sending multiple times the same email when it's loopback to itself. We have a inbound connector setup for PMG in O365 when we disable it it's solve the issue. It's more a fix than a real solution. We are still searching the cause of this problem. Hope this help you.

 

[DSI_FA]

Hello,

We are also experiencing the same problem, we have disabled outgoing filtering until it is resolved.

Here is the user mail return error message:
host
XXXXXXX.mail.protection.outlook.com[104.47.25.36] said: 554 5.4.14 Hop
count exceeded - possible mail loop ATTR1
[MR2FRA01FT006.eop-fra01.prod.protection.outlook.com
2023-08-10T12:56:00.658Z 08DB98DCDF4D90A1] (in reply to end of DATA
command)

Do you have a sample configuration for a Microsoft 365 implementation?

 

[DSI_FA]

Hello everyone,

We found a solution in Microsoft 365 settings.
You don't need a connector from your internal organization (PMG) to Microsoft 365.
We followed the following recommendations:
https://www.spamhero.com/support/204932

For security, we have added a rule that blocks all incoming mail on the domain ****.onmicrosoft.com