Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

External email messages that are sent to an Exchange Online mailbox in a hybrid deployment have an SCL value of -1


View products that this article applies to.

Problem

You have a hybrid deployment of Microsoft Exchange Online in Microsoft Office 365 pre-upgrade and your on-premises Microsoft Exchange Server environment. You notice that all external email messages that are sent to an Exchange Online mailbox have a spam confidence level (SCL) value of -1. In this situation, these messages may be delivered to the Exchange Online mailbox even if they are spam or junk messages.

The following is an example of the header of an email message that's sent from the Internet to an Exchange Online mailbox and routed through the on-premises environment:
From: John Smith <external email address>
To: Cassie Hicks <cassie@contoso.com>
Content-Type: multipart/alternative; boundary="000e0cd6eb98872f8904c0cdd515"
X-OrganizationHeadersPreserved: O365-E14-HC-01.contoso.local
Return-Path: <external email address>
X-CrossPremisesHeadersPromoted: CH1PRD0410HT004.namprd04.prod.outlook.com
X-CrossPremisesHeadersFiltered: CH1PRD0410HT004.namprd04.prod.outlook.com
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
X-MS-Exchange-Organization-AuthSource: O365-E14-HC-01.contoso.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: mail.contoso

↑ Back to the top


Cause

When the Exchange 2010 Hybrid Configuration Wizard creates the Microsoft Forefront Online Protection for Exchange (FOPE) inbound connector to Exchange Online, anti-spam settings are disabled.

In the example in the "Problem" section, although X-MS-Exchange-Organization-AuthAs is set to Anonymous, X-MS-Exchange-Organization-SCL is set to -1. This setting lets the message bypass all spam filtering on FOPE Edge servers and in the Outlook Junk Mail filter.

Additionally, the FOPE inbound connectors that are created by the Hybrid Configuration Wizard are read-only. Therefore, you can't edit the existing connector.

↑ Back to the top


Solution

To resolve this issue, create a new FOPE inbound connector that accepts mail from the Internet and that enables anti-spam settings so that external messages have a SCL value of something other than -1. To do this, follow these steps:
  1. Sign in to the FOPE Administration Center.
  2. Create a new inbound connector. To do this, follow these steps:
    1. In the FOPE Administration Center, click the Administration tab, and then click Company.
    2. Next to Inbound Connectors, click Add.
    3. Type a name and a description.
    4. In the Sender Domains box, type the following:
      *.*
    5. In the Sender IP Addresses box, enter the IP address of the on-premises Exchange 2010 Hub Transport server (hybrid server).

      Note If you want FOPE to only accept mail from these IP addresses, click Add these IP addresses to the safelist and only accept mail from these IP addresses for the domains specified above. When you use this setting, a nondelivery report (NDR) is generated for all messages that originate from an IP address that isn't listed in the Sender IP Addresses box.
    6. Under Transport Layer Security Settings, click Force TLS, select the Sender certificate matches check box, and then enter the fully qualified domain name (FQDN) of the hub server (hybrid server).
    7. Under Filtering, select the following check boxes (if they aren't already selected):
      • Apply IP reputation filtering
      • Apply spam filtering
      • Apply policy rules
    8. Click Save.
  3. Add the inbound connector that you created in step 2 to your organization's domain. To do this, follow these steps:
    1. In the FOPE Administration Center, click the Domains tab, and then select your organization's domain (the routing domain).

      Note Typically, <domain>.mail.onmicrosoft.com is created by the Hybrid Configuration Wizard, where <domain> is the name of your organization's domain.
    2. In the Inbound Connectors box, select the connector, click Remove, and then click OK.
    3. Click Select, select the connector that you created in step 2, and then click OK.
    4. Wait for as long as 40 minutes for the changes to propagate to the FOPE servers.
  4. Create an inbound connector for on-premises and shared domains. To do this, follow these steps:
    1. In the FOPE Administration Center, click the Administration tab, and then click Company.
    2. Next to Inbound Connectors, click Add.
    3. Type a name and a description.
    4. In the Sender Domains box, type the name of all shared namespace and on-premises domains. Separate each domain name by using a comma.
    5. In the Sender IP Addresses box, enter the IP address of the on-premises Exchange 2010 Hub Transport server (hybrid server).

      Note If you want FOPE to only accept mail from these IP addresses, click Add these IP addresses to the safelist and only accept mail from these IP addresses for the domains specified above. When you use this setting, a nondelivery report (NDR) is generated for all messages that originate from an IP address that isn't listed in the Sender IP Addresses box.
    6. Under Transport Layer Security Settings, click Force TLS, select the Sender certificate matches check box, and then enter the fully qualified domain name (FQDN) of the hub transport server (hybrid server).
    7. Under Filtering, do the following:
      • Clear the Apply IP reputation filtering check box.
      • Clear the Apply spam filtering check box.
      • Select the Apply policy rules check box.
    8. Click Save.
  5. Add the inbound connector that you created in step 4 to your organization's domain. To do this, follow these steps:
    1. In the FOPE Administration Center, click the Domains tab, and then select your organization's domain (the routing domain).
    2. In the Inbound Connectors box, select the connector, click Remove, and then click OK.
    3. Click Select, select the connector that you created in step 4, and then click OK.
    4. Wait for as long as 40 minutes for the changes to propagate to the FOPE servers.
Note This procedure doesn't affect on-premises email messages. On-premises email messages will still have an SCL value of -1 because the messages contain the following in the header:
X-MS-Exchange-Organization-AuthAs: Internal

↑ Back to the top


More information

When the Exchange 2010 Hybrid Configuration Wizard creates on-premises connectors and FOPE inbound connectors, the wizard does this with Mutual Transport Layer Security (TLS) enabled. In this scenario, the TrustedMailOutboundEnabled option is set to True in the on-premises domain, and the TrustedMailInboundEnabled option is set to True in the cloud-based domain. This means that messages that are sent from the on-premises environment to Exchange Online have a SCL value of -1, and X-MS-Exchange-Organization-AuthAs is set to Internal.

The following is an example:
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-MS-Exchange-Organization-AuthSource: O365-E14-HC-01.contoso.local
X-MS-Exchange-Organization-SCL: -1

↑ Back to the top



Still need help? Go to the Office 365 Community website.

↑ Back to the top


Keywords: KB2737890, hybrid, o365a, o365e, o365, pre-upgrade, o365062011

↑ Back to the top

Article Info
Article ID : 2737890
Revision : 7
Created on : 6/19/2013
Published on : 6/19/2013
Exists online : False
Views : 2566