This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 97%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWK%3C/text%3E%3C/svg%3E)
Hello,
does anyone know why Microsoft is configuring mail servers with loopback addresses on Microsoft365 cloud service ?
Few examples:
For each of these servers nslookup command shows 127.0.0.1 on public Internet.
Acording to standards defined in RFC documents (https://www.ietf.org/standards/rfcs/) it is not allowed:
• RFC 1122 => Internal host loopback address. Addresses of this form MUST NOT appear outside a host.
• RFC 5735 => 127.0.0.0/8 - This block is assigned for use as the Internet host loopback address.
It cauese problems with e-mail messages delivery from Microsoft365 cloud mail servers to other e-mail servers on Internet.
Example:
Mar 5 14:01:44 mx postfix/from_WORLD/smtpd[5368]: NOQUEUE: reject: RCPT from mail-roabra01on2042.outbound.protection.outlook.com[40.107.111.42]:
554 5.7.1 <BRA01-ROA-obe.outbound.protection.outlook.com>: Helo command rejected: mail server in loopback network;
from=<..............................> to=<............................> proto=ESMTP helo=<BRA01-ROA-obe.outbound.protection.outlook.com>*
To narrow down this issue, I want to confirm with you:
Exchange online could send email to external mail server without any other configuration. From my Exchange online, it could send email to Gmail and Hotmail without issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 53%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVR%3C/text%3E%3C/svg%3E)
I have tried to contact the news agency nieuwsuur.nl to inform them about organized slavery, racisms and crimes committed against me and some other people in the Europe(Benelux). I got a reply back from someone pretending to be nieuwsuur.nl
from: Nieuwsuur Mail <email address removed for privacy reasons>
to: Vincent Rogiest <email address removed for privacy reasons>
date: Aug 19, 2023, 5:57 PM
subject: Automatisch antwoord: onderzoek
mailed-by: eur02-vi1-obe.outbound.protection.outlook.com
signed-by: nieuwsuur.nl
security: Standard encryption (TLS) Learn more
: Important according to Google magic.
Can anyone inform me what is going on here in the old Europe ?
Organizations that cooperate with us use Exchange online to send e-mails to my organization.
We have Exchange on-prem instalation with MX server at front (postfix).
We have noticed that many e-mails are rejected by our MX server with information : Helo command rejected: mail server in loopback network
When we checked that we found out that it is caused by incorrect configuration of DNS record for some e-mail servers, especially those owned by Microsoft that I mentioned above.
I don't know why loopback address are used for those servers ? What is the purpose ?
I guess this phenomenon may related with the MX server that your used. Because all Exchange online servers are using the same configuration which could send emails to external successfully. You could try to check with the MX server side, whether they could bypass emails which sent from Exchange online.
I don't think that there is problem with my MX. It works acording to rules defined in RFC documents that I mentioned earlier.
Checks IP address of SMTP server sending message and rejects those that should never appear on Internet.
IMHO the problem is with only few Micsrosoft365 servers that are misconfigured.
Nobody should use loopback addresses on Internet and violate RFC rules even such a big company as Microsoft.
Problem solved.
Microsoft acknowledged the configuration problem with few Microsoft365 mail servers and corrected it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 95%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDG%3C/text%3E%3C/svg%3E)
There still seem to be some misconfigured outbound mail servers:
$ host EUR03-AM7-obe.outbound.protection.outlook.com
EUR03-AM7-obe.outbound.protection.outlook.com has address 127.0.0.1
EUR03-AM7-obe.outbound.protection.outlook.com has IPv6 address ::1
It seems the problem still exists
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 28.999999999999996%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Problem still exists for servers:
EUR02-DB5-obe.outbound.protection.outlook.com
EUR03-AM7-obe.outbound.protection.outlook.com
MS needs to correct them.
554 5.7.1 <EUR02-DB5-obe.outbound.protection.outlook.com>: Helo command rejected: mail server in loopback network
C:\>nslookup EUR02-DB5-obe.outbound.protection.outlook.com 8.8.8.8
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: EUR02-DB5-obe.outbound.protection.outlook.com
Addresses: ::1
127.0.0.1
C:\>nslookup EUR03-AM7-obe.outbound.protection.outlook.com 8.8.8.8
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: EUR03-AM7-obe.outbound.protection.outlook.com
Addresses: ::1
127.0.0.1
I have also noticed a problem with one of these servers, and created a new case referring to the earlier one which they solved by correcting the DNS entries.
I hope they will correct it as before.
Problem solved for EUR03-AM7-obe.outbound.protection.outlook.com.
EUR03-AM7-obe.outbound.protection.outlook.com
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: EUR03-AM7-obe.outbound.protection.outlook.com
Addresses: 2a01:111:f400:7eaf::200
104.47.51.232
But server EUR02-DB5-obe.outbound.protection.outlook.com still points to 127.0.0.1
C:\>nslookup EUR02-DB5-obe.outbound.protection.outlook.com 8.8.8.8
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: EUR02-DB5-obe.outbound.protection.outlook.com
Addresses: ::1
127.0.0.1
I know. I'm still waiting for this one to be corrected.
I will let you know once I receive information about change of DNS entry for the second server.