Mail server

Why don't emails go to external addresses via Outlook?

There is an Exchange 2010 server with 2 DAGs and 1 CAS, about 10,000 domain users.
The client side uses Outlook 2007/2010.
Faced with an annoying problem that manifests itself in a strange way. It all started with the impossibility of sending messages to external addresses (mail.ru, gmail.com, etc.) for **some** users, while messages were sent within the domain without problems.
The errors were as follows:
1. When authorizing after the departure - an error sending a test message: client does not have permission to send as this sender.
2. After authorization by logging in before sending, when trying to send an email to an external address - Unable to relay.
I started by checking port 25 - everything is ok, otherwise everyone would not be sent to the external device. While "lame" mailers were 10% of all users, temporarily switched users to OWA, for the same users, through the web interface, letters went to the external without any problems. Long digging forums began to sin on the Active Directory.
Found the following solution:
> Open AD Users and Computers ->
Press View and select Advanced Features ->
Do a find for the user in question ->
Go to Properties -> Security Tab ->
Select Advanced ->
Press add and type “Exchange Servers ” ->
Under Apply to, change to Descendant "msExchActiveSyncDevices" objects ->
Select the Modify permissions checkbox ->
After that, in the Exchange Power Shell, I reassigned the NT AUTHORITY \ SELF parameter to the box and everything seemed to work, but by this time this problem had spread to almost 70% of users and it was not an option for everyone to carry out such manipulations.
Perhaps the problem lies in the rights or Exchange certification, please share your experience, who faced a similar problem?