Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            How to Bypass Proofpoint - "Relay Access Denied" on external forwards

            Created by Abderrahim Ibnou el kadi, Modified on Fri, 30 May at 10:50 AM by Abderrahim Ibnou el kadi


            PROBLEM:

            You are getting relay access denied with external forwards or distribution groups with external members.  This can also happen with internal forwards since often O365 will tag them as non-local even though they are internal.


            ISSUE:


            You have an external forward either through a contact or a distribution group with members outside the organisation

            The group allows external parties to email it


            Example lets say you have a distribution group called support@yourdomain.com that has as member say, people in your organisation and a person who is on gmail (lets say, supportdude@gmail.com).    If an external sender @hotmail.com emails support@yourdomain.com, everybody in your org will get it but the email to supportdude@gmail.com will get bounced with "Relay Access Denied".


            This happens because what Proofpoint sees is an Email from someone@hotmail.com to supportdude@gmail.com.  Obviously Proofpoint is pretty restrictive and will not relay mail for hotmail.com which is effectively what you're asking it to do.

            So in these cases, you need to bypass Proofpoint altogether using a bypass connector and rule.


            IMPORTANT NOTE:  Recently microsoft seems to have made changes to the platform where for some reason, even if SRS is enabled for your organisation, microsoft is not rewriting the sender in forwards and is delivering those via their high risk IP range.   So there's been an uptick as of december 2023 of clients getting this "relay access denied" message.  It's important that you know how to bypass the issue and also you may want to add this IP range to your SPF record.  See article here:  

            https://vircomhelp.freshdesk.com/support/solutions/articles/48001242045-microsoft-365-high-risk-delivery-pool



            SOLUTION:

            The solution for this scenario is:

            1- Create a CONNECTOR that sends email directly to the internet

            2- Create a RULE that calls the CONNECTOR created above if the condition in the RULE is met


            DETAILS:

            1- Create a CONNECTOR that sends directly to the Internet




            2- Create a RULE that looks for these message headers info "X-MS-Exchange-Organization-AutoForwarded " and  "TRUE" the calls the connector created above 





            Important:

            • Move the RULE to the top of the list
            • Caveats: Those emails will not transit through Proofpoint.  Also in many cases, this will break SPF/DKIM/DMARC for the original sender.  But that's outside of your control.





            Preview
            0 of 0