Forum Discussion

Iron Contributor

Aug 19, 2025

Solved

O365 hybrid connector to onprem failing TLS

We're having issue with the connector to on-prem from Exchange Online If we enable the TLS it fails with the error Cannot connect to remote server [Message=451 5.7.3 STARTTLS is required to send ma...

exchange online

Exchange Server

StefanoC66
Aug 20, 2025
Found that the STARTLS command availability depends on the security options combination enabled on the connector.
created a connector with just TLS enabled and worked

jovanimp

MCT

Aug 19, 2025

common causes for STARTTLS errors

1. Missing or Incorrect TLS Certificate Binding

After renewing an SMTP certificate, the Receive Connector may still reference the old certificate in its TlsCertificateName property.
If the connector isn’t bound to a valid certificate, Exchange won’t advertise STARTTLS.

✅ 2. Self-Signed or Untrusted Certificate

If the certificate used for SMTP isn’t trusted by the sending system (or is self-signed), STARTTLS negotiation can fail.

✅ 3. STARTTLS Disabled on Receive Connector

The connector might have AuthMechanism settings that don’t include TLS, or RequireTLS is misconfigured.

✅ 4. Inline Devices Stripping STARTTLS

Firewalls, load balancers, or SMTP appliances can remove the STARTTLS capability from the SMTP banner.

✅ 5. DNS or FQDN Mismatch

The FQDN advertised by the connector doesn’t match the certificate CN/SAN, causing TLS handshake failures.

✅ 6. Outbound Connector Misconfiguration

On-prem or Exchange Online connectors not set to RequireTLS or missing TlsSenderCertificateName.

✅ 7. Expired Certificate

If the SMTP certificate is expired, STARTTLS will fail.

✅ 8. Opportunistic TLS Disabled

If the sending system doesn’t attempt STARTTLS and the receiving system requires it, the message will be rejected.

StefanoC66

Iron Contributor

Aug 19, 2025

jovanimp

The receive connector is the same for port 25 and 587

below an extract of it

unspaceId : 8694c07f-0c4d-40e5-848b-af31a34b85fd
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {[::]:25, 0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
SmtpUtf8Enabled : True
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : True
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
ProxyEnabled : False
AdvertiseClientSettings : False
Fqdn : SRVEX01.domain.local
ServiceDiscoveryFqdn :
TlsCertificateName : <I>CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US<S>CN=*.XXXXX.com, O=XXXX

Since the fact the connector is the same for the two ports but only on port 587 I see the STARTLS option makes me wonder about some particular setting to change.

Looking on another installation ( exchange 2019 ) the startls is present also on port 25

William_Holmes
Brass Contributor
Aug 19, 2025
What is the output of Get-ExchangeCertificate on your on-premises server instance(s)? Take a look at:

https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/enable-exchangecertificate?view=exchange-ps

and make sure you enabled the correct valid cert for smtp.
- StefanoC66
  Iron Contributor
  Aug 20, 2025
  William_Holmes
  the certificate looks correct and is enabled for SMTP