Occurs when combining the Office 365 Exchange connector with existing or new Symantec Email Security.cloud (Symantec.cloud) implementations.
When creating the Inbound Partner Connector via Exchange EAC for Symantec.cloud “Reject Email messages if they aren’t sent over TLS” is checked by default. TLS Encryption is enabled by default
Recently TLS encryption was made available to Email Security.cloud customers.
For existing and new Security cloud customers TLS Encryption is disabled by default in the Symantec Email Security.cloud management portal.
1) Some emails are not received by Exchange Online mailboxes.
2) Symantec.cloud Track and Trace Email function reports “454 4.7.0 Failed to establish appropriate TLS channel: Access Denied.” for emails in question.
Enable TLS for all mail receiving Office 365 domains in Symantec.cloud Management Console.
Reconfigure the Inbound Connector without TLS / TLS opportunistic and lock it down to the Symantec.cloud public ranges.
The following Exchange Online Powershell command came in handy when we had to recreate the Inbound Partner as Office 365 will only let you put in /24 -/32 subnets.