Email Notification to Exchange Online Connector


  • Used Zammad version: 6.0.0-1686136655.9f6ee5a5.focal
  • Used Zammad installation type: package
  • Operating system: Ubuntu 20.04
  • Browser + version: Chrome and Edge latest

Expected behavior:

  • Adding email notification configuration pointing to a smtp connector i Exchange Online (Anonymous relay restricted by IP in O365)

Actual behavior:

  • Reply in Zammad GUI is:
    550 5.7.64 TenantAttribution; Relay Access Denied [ValidationStatus of ‘’ is EmptyCertificate]

Steps to reproduce the behavior:

Add a connector in Exchange online and allow SMTP from the servers outgoing IP, then try adding the
smtp host in Zammad GUI under Emails - Notifications just using smtp host and port 25 and no user.

I’ve checked that I can use telnet to send/relay emails from the same outgoing IP so it seems that Zammad sends some additional info in the outgoing SMTP?

Please advice.

Looks like your issue is the certificate that Exchange is looking for or the IP address Zammad is on is not the same in the relay.

Also, Method 3 is the most complicated of options and should only be used if 1 and 2 are not possible.

Yes, I know that opt 3 is the “hardest” but in this case the only alternative as opt 1 isn’t possible due to modern auth and opt 2 only allows recpt in the same org. And alt 3 works as intended for other systems. Right now the workaround is to relay using postfix but just wanted to see if anyone else has solved this.

Do you have agents outside of your org?

Relay access denied usually hints on invalid sender addresses.
You may want to have a look into the notification sender setting.

No agents externally but as I understand for instance user password reset requests uses this channel also?
The email - settings sender address is set to a valid address domain.

Yes correct. If you want your customers to use Zammad and being able to reset their password, then you have to be able to send to external orgs.

Then there’s the issue.

Not sure if I follow “Then there’s the issue.” ?
It is set to a valid sender address on the correct domain ie. noreply@<> and I’ve verified sending through this connector using telnet from the same source IP towards O365 and with "mail from: " and that works as expected.

Right sorry.
I can’t tell what the issue is.

Looks like it’s on Microsoft end.
Either some requirements to send through the connector are not fulfilled or the email from & to are not in allowed scopes.

Verifying this only works on e.g. telnet if you ensure to test the exact scenario Zammad is doing.
Maybe Zammad tried to notify a customer outside or your tennant which may not be allowed?