When sending emails from various applications or scripts, you may encounter error 5.7.3 StartTLS is Required to Send Email. You may face this error in different apps (SQL Server, Jenkins), scripts, and programming languages (Visual Basic, PowerShell, Python, Java, C#). In this article, we will look at how to fix the STARTTLS required error when sending an email.
In our case, we saw an error “450 4.4.317 Cannot connect to remote server. 5.7.3 STARTTLS is required to send mail” in the tracking log of Exchange Online (Microsoft 365):
What Does the StartTLS is Required Error Mean?
StartTLS is an extension of the SMTP protocol that lets an email client tell the server it wants to upgrade the connection to an encrypted one using TLS (or, historically, SSL). With STARTTLS, the encrypted session is negotiated on top of the existing plain TCP connection instead of opening a separate port dedicated to encrypted connections. The STARTTLS command is used by both SMTP and IMAP (POP3 uses a separate STLS command for the same purpose).
To check whether your email server supports StartTLS, open a command prompt and connect to it with telnet:
telnet smtp.gmail.com 25
After the server greeting, send EHLO followed by your host name to request the list of features the server supports. A server that supports STARTTLS lists it in its reply as 250-STARTTLS.
If you get a StartTLS is Required error, check:
- That your SMTP server supports the STARTTLS extension. Most SMTP servers implement STARTTLS only on the submission port 587. Some servers (like Gmail) also allow STARTTLS on the default SMTP port 25.
- That the receiving server is configured to use TLS, and which TLS version it accepts. Most email servers currently accept only TLS 1.2.
- That your email client supports StartTLS. If it does not, ask the email server administrator to accept messages from you without STARTTLS (in Microsoft 365/Office 365, TLS/StartTLS is enabled by default). On Microsoft 365 you can also enable or disable authenticated SMTP submission (SMTP AUTH) for a specific mailbox with PowerShell; the parameter is a "disabled" flag, so $false enables SMTP AUTH for the mailbox and $true disables it:
Set-CASMailbox -Identity email@example.com -SmtpClientAuthenticationDisabled $false
StartTLS error in PowerShell
You may encounter a StartTLS error when trying to send an email using PowerShell:
Send-Mailmessage -smtpServer smtp.theitbros.com -Port 587 -from "firstname.lastname@example.org" -to "email@example.com" -subject "Alert" -body "Test TLS"
This command fails with an error:
Send-Mailmessage : The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.0 Must issue a STARTTLS command first
If you add the -UseSsl option to the PowerShell command, the error text changes:
Send-Mailmessage : Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
The reason is that some SMTP servers accept only TLS 1.2 when negotiating STARTTLS, while the PowerShell session may be offering an older TLS version. To make the session use TLS 1.2 for connections to the email server, run the following command before executing the Send-MailMessage cmdlet:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
To force PowerShell and other .NET Framework applications to always use strong cryptography (TLS 1.2) for outgoing TLS connections such as HTTPS, set the following registry values (the Wow6432Node key covers 32-bit applications on 64-bit Windows):
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
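The same checks, scripted: the example below is added here and is not from the article or from any vendor. It parses an EHLO reply for the 250-STARTTLS extension (the telnet check above), classifies the STARTTLS-required error replies quoted in this article, and submits a message over STARTTLS while requiring TLS 1.2 or newer with certificate verification. The host name and sample EHLO reply are constructed placeholders.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Constructed EHLO reply in the form a telnet session shows it (not captured from a real server).
SAMPLE_EHLO = """250-smtp.example.com at your service
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES"""


def ehlo_extensions(reply: str) -> set:
    """Return the SMTP extension keywords advertised in an EHLO reply.

    Accepts raw '250-KEYWORD' lines (telnet) as well as the reply text that
    smtplib.SMTP.ehlo() returns, where the '250-' prefixes are already stripped."""
    exts = set()
    for line in reply.splitlines()[1:]:        # first line is the server greeting
        line = line.strip()
        if len(line) > 4 and line[:3].isdigit() and line[3] in "- ":
            line = line[4:]                    # drop the '250-' / '250 ' prefix
        if line:
            exts.add(line.split()[0].upper())
    return exts


def starttls_required(code: int, message: str) -> bool:
    """True for replies such as '530 5.7.0 Must issue a STARTTLS command first' or
    '... 5.7.3 STARTTLS is required to send mail' that reject plaintext submission."""
    text = message.upper()
    return "STARTTLS" in text and (code // 100 == 5 or "5.7." in text)


def send_with_starttls(host, port, msg: EmailMessage, username=None, password=None) -> str:
    """Submit msg over STARTTLS (TLS 1.2+, verified certificate); returns the negotiated version."""
    ctx = ssl.create_default_context()             # verifies the certificate chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # the servers in the article accept only TLS 1.2
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        code, reply = smtp.ehlo()
        if "STARTTLS" not in ehlo_extensions(reply.decode("ascii", "replace")):
            raise RuntimeError(f"{host}:{port} does not advertise STARTTLS; try port 587")
        smtp.starttls(context=ctx)
        smtp.ehlo()                                # EHLO again: the extension list changes after TLS
        if username is not None:
            smtp.login(username, password)
        smtp.send_message(msg)
        return smtp.sock.version()                 # e.g. 'TLSv1.2'
```

Run ehlo_extensions(SAMPLE_EHLO) to see the parsed keyword set; send_with_starttls needs a reachable server and is not exercised offline.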