When sending emails from various applications or scripts, you may encounter the error 5.7.3 StartTLS is Required to Send Email. The error can appear in different apps (SQL Server, Jenkins), scripts, and programming languages (Visual Basic, PowerShell, Python, Java, C#). In this article, we will look at how to fix the STARTTLS required error when sending an email.
In our case, the error “450 4.4.317 Cannot connect to remote server. 5.7.3 STARTTLS is required to send mail” appeared in the message tracking log of Exchange Online (Microsoft 365).
What Does the StartTLS is Required Error Mean?
StartTLS is an extension of the SMTP protocol that lets an email client tell the server that it wants to upgrade the current plain-text connection to an encrypted one using TLS (or, historically, SSL). With STARTTLS, the encrypted session is negotiated on top of the existing TCP connection instead of opening a separate port dedicated to encrypted connections. The STARTTLS command is used by both SMTP and IMAP (POP3 uses a different command, STLS, for the same purpose).
To check that your email server supports StartTLS, open a command prompt, connect to the server using telnet, and send an EHLO command:
telnet smtp.gmail.com 25
In response to EHLO, the server returns the list of extensions it supports. A server that supports StartTLS includes the line 250-STARTTLS in that list.
If you get a StartTLS is Required error, check:
- That your SMTP server supports the STARTTLS feature. Most SMTP servers implement STARTTLS only on the submission port 587. Some servers (like Gmail) also allow STARTTLS on the default SMTP port 25.
- That the receiving server is configured to use TLS, and which TLS version it accepts. Most email servers currently only accept TLS 1.2.
- That your email client supports StartTLS. If not, you need to ask the administrator of the email server to configure it to accept messages from you without using STARTTLS (by default TLS/StartTLS is enabled in Microsoft 365/Office 365). On Microsoft 365, SMTP AUTH client submission can be enabled or disabled for a specific mailbox with PowerShell (the SmtpClientAuthenticationDisabled parameter disables SMTP AUTH when set to $true and enables it when set to $false; it does not switch off STARTTLS itself):
Set-CASMailbox -Identity firstname.lastname@example.org -SmtpClientAuthenticationDisabled $false
StartTLS error in PowerShell
You may encounter a StartTLS error when trying to send an email using PowerShell:
Send-Mailmessage -smtpServer smtp.theitbros.com -Port 587 -from "email@example.com" -to "firstname.lastname@example.org" -subject "Alert" -body "Test TLS"
This command fails with an error:
Send-Mailmessage : The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.0 Must issue a STARTTLS command first
If you add the -UseSsl parameter to the PowerShell command, the error text changes:
Send-Mailmessage : Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
The reason is that some SMTP servers accept only TLS 1.2 when negotiating STARTTLS, while older PowerShell/.NET Framework versions offer SSL 3.0 and TLS 1.0 by default and the server simply drops the connection. To use TLS 1.2 for connections to the email server from the PowerShell console, run the following command before executing the Send-MailMessage cmdlet:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
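The telnet check above and the TLS 1.2 requirement can be combined into one diagnostic. The following function is an added example (not code from the original article): it connects to the SMTP server, sends EHLO, reports whether STARTTLS is advertised, and, if it is, upgrades the connection offering only TLS 1.2 and reports the protocol that was actually negotiated. The server name and port at the bottom are assumed sample values; outbound TCP access to the server is assumed.

```powershell
# Added example: report whether an SMTP server advertises STARTTLS on a given
# port and whether it negotiates TLS 1.2 when STARTTLS is issued.
function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 587
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    # Read one (possibly multi-line) SMTP reply: continuation lines look like
    # "250-EXT", the final line of the reply looks like "250 EXT".
    function Read-Reply {
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
        return $lines
    }

    $null = Read-Reply                              # 220 greeting banner
    $writer.WriteLine("EHLO $env:COMPUTERNAME")
    $ehlo = @(Read-Reply)
    $supportsStartTls = ($ehlo -match '^250[- ]STARTTLS').Count -gt 0
    $result = [ordered]@{ Server = $Server; Port = $Port; StartTls = $supportsStartTls; Protocol = $null }

    if ($supportsStartTls) {
        $writer.WriteLine('STARTTLS')
        $reply = @(Read-Reply)
        if ($reply[-1] -match '^220') {
            # Upgrade the same TCP connection to TLS, offering TLS 1.2 only
            $ssl = New-Object System.Net.Security.SslStream($stream, $false)
            $ssl.AuthenticateAsClient($Server, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
            $result.Protocol = $ssl.SslProtocol  # Tls12 when the server accepts it
            $ssl.Dispose()
        }
    } else {
        $writer.WriteLine('QUIT')
    }
    $client.Close()
    return [pscustomobject]$result
}

# Sample call (assumed values): a server that requires STARTTLS but rejects
# TLS 1.2 will throw from AuthenticateAsClient instead of returning a result.
Test-SmtpStartTls -Server smtp.gmail.com -Port 587
```

A StartTls value of $false on the port your script uses explains the "5.7.0 Must issue a STARTTLS command first" error, while an exception during the TLS handshake points to the TLS version mismatch discussed above.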
To make PowerShell and other .NET Framework applications always use strong cryptography (TLS 1.2) by default for their TLS connections, SMTP included, set the SchUseStrongCrypto value under both the 32-bit and 64-bit .NET Framework registry keys:
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Using Eudora client for Windows, I need to upgrade to the latest starttls. This article tells me how to upgrade but not where to download the file and in which directory to place it.
Can you advise?
One thing you should also consider is that, in a hybrid scenario with Exchange Online and Exchange On-Premises, if the firewall in front of the Exchange Server is doing SMTP / spam inspection, that can and does cause this issue. On a Cisco ASA you have to add a “no fixup protocol smtp” which will solve this (that’s been known for years). On other firewalls, you may have to determine how to exclude the known/published Microsoft CIDR blocks from all SMTP inspection. Once you do that, your issue should be solved, assuming everything else with your Exchange server is working properly.
Hi, thanks for posting. I tried this [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 prior to issuing a sendmail command and it continues to fail with
send-mailmessage : Error in processing. The server response was: 5.7.3 STARTTLS is required to send mail [BN0PR04CA0061.namprd04.prod.outlook.com 2023-03-21T13:27:10.196Z 08DB280A5A31328C]
At D:\documents\computer_network\programming\backupstatus.ps1:2 char:1
+ send-mailmessage -to email@example.com -from firstname.lastname@example.org …
+ CategoryInfo : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpException
+ FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage
This is on Windows 11. Any thoughts or suggestions?