Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Sophos Email: Gateway mode - Delivery Failed for inbound emails "550 5.7.51 TenantInboundAttribution"

Hi Everyone!

Do you have Inbound emails failing to be sent to the M365 email host after configuring Sophos Email gateway mode? If so, please read on.

Scenario

You have a Microsoft 365 email host as a final destination.

After configuring Sophos email and M365 to work in gateway mode, inbound emails are failing to be delivered with an error of:

550 5.7.51 TenantInboundAttribution;There is a partner connector configured that matches the message's recipient domain. The connector had either the RestrictDomainsToIPAddresses or RestrictDomainsToCertificate set

Symptom

Message History

Message Details


Cause

As the error suggests, this have something to do with the Connector setting. Usually its either a typo or missing recommended IP address.

Resolution

Go and check the Central account and look at the recommend IP addresses within the 'Settings > Domain Settings > Configure External Dependencies > Sophos Delivery IPs'.
Note that this is different for each region your Central account belongs to so make sure you are looking at your own account's values.

In my case, my region is us-west-2 so mine would have the following:

Now make sure that there are no typos and that everything is entered within the inbound Collector settings in M365's Exchange Admin Center's Mail flow > Connector.

The configuration instructions for M365 are in this link for your reference:
https://docs.sophos.com/central/Customer/help/en-us/index.html?contextId=e5bea6e2-b8bd-4607-a177-a3b7045c622d

As an example, here was my inbound collector setting. Notice that mine was missing the 198.154.181.128/26

So after I have entered the missing IP (or IP range) the error disappeared!

IF for some reason you are still getting the same error even if everything in the Connector settings is as recommended, then I would recommend getting a case created with Sophos support.


And that's it! 

 



Edited TAGs
[edited by: Raphael Alganes at 10:35 AM (GMT -8) on 2 Feb 2024]