Looking at it further, it only appears to happen with the quarantine report.
The UTM sends the spam quarantine report out to the user. The user has an automatic reply set [as they are away] which is then forwarded back to the UTM.
It then appears the UTM sends the quarantine report again [and then the auto reply] and so on until it bounces due to a mail loop.
Normal email to the user [from internal [doesn't hit UTM] & external] doesn't have this behavior and responds as it should.
Even with the above happening, the user only gets one quarantine report in their inbox so it's not flooding it.
It's almost like the UTM gets an auto reply and doesn't know what to do with it and then tries to forward it back to the user who then auto replies and so on until Exchange cuts the loop.
Log below:
2016:05:03-07:00:24 UTM01-1 exim-out[9258]: 2016-05-03 07:00:24 1axTNJ-0002Jv-0l => P= R=static_route_hostlist T=static_smtp H=10.1.2.100 [10.1.2.100]:25 X=TLSv1:ECDHE-RSA-AES256-SHA:256 C="250 2.6.0 [InternalId=227116] Queued mail for delivery"
2016:05:03-07:00:30 UTM01-1 smtpd[9306]: SCANNER[9306]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.1.2.3" from="" to="" subject="Automatic reply: Quarantine Report for " queueid="1axTNm-0002Q6-G5" size="2727"
2016:05:03-07:00:33 UTM01-1 smtpd[9306]: SCANNER[9306]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.1.2.3" from="" to="" subject="Automatic reply: Quarantine Report for " queueid="1axTNp-0002Q6-7L" size="2727"
2016:05:03-07:00:36 UTM01-1 smtpd[9306]: SCANNER[9306]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.1.2.3" from="" to="" subject="Automatic reply: Quarantine Report for " queueid="1axTNs-0002Q6-0j" size="2727"
2016:05:03-07:00:38 UTM01-1 smtpd[9306]: SCANNER[9306]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.1.2.3" from="" to="" subject="Automatic reply: Quarantine Report for " queueid="1axTNu-0002Q6-TZ" size="2727"
2016:05:03-07:01:20 UTM01-1 smtpd[9759]: SCANNER[9759]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.1.2.3" from="" to="" subject="Automatic reply: Quarantine Report for " queueid="1axTOa-0002XP-Ak" size="2727"
2016:05:03-07:02:00 UTM01-1 smtpd[9958]: SCANNER[9958]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.1.2.3" from="" to="" subject="Automatic reply: Quarantine Report for " queueid="1axTPE-0002ac-8b" size="2727"
2016:05:03-07:17:10 UTM01-1 smtpd[14886]: SCANNER[14886]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.1.2.3" from="" to="" subject="Automatic reply: Quarantine Report for " queueid="1axTdu-0003s6-Fd" size="2727"
2016:05:03-07:32:20 UTM01-1 smtpd[19101]: SCANNER[19101]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.1.2.3" from="" to="" subject="Automatic reply: Quarantine Report for " queueid="1axTsa-0004y5-Fb" size="2727"
2016:05:03-07:47:26 UTM01-1 smtpd[21568]: SCANNER[21568]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.1.2.3" from="" to="" subject="Automatic reply: Quarantine Report for " queueid="1axU7C-0005bs-1k" size="2727"
2016:05:03-08:02:40 UTM01-1 smtpd[24605]: SCANNER[24605]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.1.2.3" from="" to="" subject="Automatic reply: Quarantine Report for " queueid="1axULw-0006Or-9b" size="2727"
2016:05:03-08:17:46 UTM01-1 smtpd[27509]: SCANNER[27509]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.1.2.3" from="" to="" subject="Automatic reply: Quarantine Report for " queueid="1axUaY-00079h-Jc" size="2727"
2016:05:03-08:32:53 UTM01-1 smtpd[30313]: SCANNER[30313]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.1.2.3" from="" to="" subject="Automatic reply: Quarantine Report for " queueid="1axUpB-0007sv-AZ" size="2727"
2016:05:03-08:48:00 UTM01-1 smtpd[1224]: SCANNER[1224]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.1.2.3" from="" to="" subject="Automatic reply: Quarantine Report for " queueid="1axV3o-0000Jk-0b" size="2727"
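One way to spot this pattern in the UTM mail log, as an added example that is not part of the original post: it groups smtpd SCANNER lines by source, envelope, subject and size, and flags messages that repeat within a time window. The function names, thresholds and the one unrelated sample line are assumptions; the other sample values are reused from the log above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) \S+ smtpd\[\d+\]: SCANNER\[\d+\]: (.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_scanner_line(line):
    """Return (timestamp, fields) for an smtpd SCANNER line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. exim-out delivery lines
    ts = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
    return ts, dict(FIELD_RE.findall(m.group(2)))

def find_repeats(lines, min_count=3, window=timedelta(hours=1)):
    """Flag identical messages seen at least min_count times inside any window."""
    groups = defaultdict(list)
    for ts, f in filter(None, map(parse_scanner_line, lines)):
        key = (f.get("srcip"), f.get("from"), f.get("to"), f.get("subject"), f.get("size"))
        groups[key].append(ts)
    findings = []
    for key, stamps in groups.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            findings.append({"srcip": key[0], "subject": key[3], "total": len(stamps),
                             "peak_in_window": best, "first": stamps[0], "last": stamps[-1]})
    return findings

def _line(ts, subject, qid, size="2727"):
    # Builds a line in the same layout as the SCANNER entries in the log above.
    return (f'{ts} UTM01-1 smtpd[9306]: SCANNER[9306]: id="1000" severity="info" '
            f'sys="SecureMail" sub="smtp" name="email passed" srcip="10.1.2.3" from="" to="" '
            f'subject="{subject}" queueid="{qid}" size="{size}"')

AUTO = "Automatic reply: Quarantine Report for "
# Timestamps and queue IDs below are taken from the log above.
SAMPLE = [_line(f"2016:05:03-{t}", AUTO, q) for t, q in [
    ("07:00:30", "1axTNm-0002Q6-G5"), ("07:00:33", "1axTNp-0002Q6-7L"),
    ("07:00:36", "1axTNs-0002Q6-0j"), ("07:17:10", "1axTdu-0003s6-Fd")]]
SAMPLE += [
    _line("2016:05:03-07:05:00", "Constructed unrelated message", "CONSTRUCTED-0001", "5120"),
    "2016:05:03-07:00:24 UTM01-1 exim-out[9258]: 2016-05-03 07:00:24 1axTNJ-0002Jv-0l => P=",
]
```

Calling `find_repeats(SAMPLE)` returns one finding, for the auto-reply subject; the unrelated message and the exim-out line are ignored.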
"554 5.4.14 Hop count exceeded - possible mail loop" NDR for outgoing email that's sent to an on-premises application in Exchange Server
Provides a fix for the 554 5.4.14 Hop count exceeded - possible mail loop issue in Exchange Server.
Author: simonxjx
Audience: ITPro
Applies to: Exchange Server 2016, Exchange Server 2013
Date: 3/31/2022
Symptoms
Consider the following scenario:
In this scenario, the message cannot be sent. Instead, it loops between the Exchange Edge Transport server and Exchange Online Protection (EOP). Additionally, you receive a non-delivery report (NDR) that resembles the following:
554 5.4.14 Hop count exceeded - possible mail loop
Cause
This issue occurs because the Exchange Edge server cannot associate the SMTP address space for the application as a subdomain to the accepted domain. This is true even though the accepted domain is configured as a parent domain.
In this scenario, the subdomain would be part of the address space in the EdgeSync - Inbound to SiteName send connector.
Resolution
To fix this issue, follow these steps:
Add the subdomain as an accepted domain. To do this, run the following command:
New-AcceptedDomain -DomainName app.Contoso.com -DomainType InternalRelay -Name app.contoso.com
To have the added accepted domain synced to the Edge servers immediately, run the following command:
Start-EdgeSynchronization
Alternatively, wait for the changes to be synced to the Edge servers.