Attribution errors preventing messages in your DLP Cloud Service for Email Office365 integration

ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Attribution errors preventing messages in your DLP Cloud Service for Email Office365 integration

book

Article ID: 212988

calendar_today

Updated On:

Products

Data Loss Prevention Cloud Service for Email

Issue/Introduction

You are setting up the Symantec Data Loss Prevention Cloud Service for Email, with O365 in Reflecting mode.

But messages are being rejected with various attribution errors.

Cause

Possible errors on messages as following:

451 4.4.62 Mail sent to the wrong Office 365 region. ATTR35. For more information please go to https://go.microsoft.com/fwlink/?linkid=865268 [SN2NAM02FT002.eop-nam02.prod.protection.outlook.com]

550 5.7.64 TenantAttribution; Relay Access Denied [SN1NAM02FT001.eop-nam02.prod.protection.outlook.com]

These appear to suggest that there is an issue with DNS for your domains in O365, however, it is more likely that there is a problem with the configuration of an Inbound Connector - specifically in regard to the one configured for the DLP Cloud Service for Email.

Environment

Release :

Component :

Resolution

Verify that the Inbound Connector is setup as per the existing documentation:

See pages 34-38 of the Implementation Guide: Symantec™ Data Loss Prevention Cloud Service for Email Implementation Guide: Last updated: 06 February 2020 (broadcom.com)
Or this section of the Help Center: Configuring Office 365 to use Office 365 for email delivery using Reflecting mode (broadcom.com)

In particular, the "550 5.7.64 TenantAttribution; Relay Access Denied" error can indicate that:

The certificate on the upstream smarthost does not match the "domain" in the "How to identify email sent from your email server" in the Inbound Connector.
- The solution is to make sure the value in Inbound Connector matches the CN of the smarthost certificate.
- FYI: the CN referred to here is the Detector FQDN, which was sent in the Welcome Email, and is in the format of "<DetectorID-or-GUID>.ds.dlp.protect.broadcom.com". It is also visible in the Enforce Server console entry for your Cloud Detector.
The Inbound Connector is configured to accept mail from "Partner organization" rather than "Your organization's email server" as directed by the Implementation Guide.
- The solution is to recreate the Inbound Connector choosing "Your organization's email server" for the "From" setting.

Both of the above errors (451 and 550) have also been seen when the Inbound Connector was not configured at all.

Feedback

thumb_up Yes

thumb_down No