You may receive the error “5.7.3 STARTTLS is required to send email” from some apps or scripts when you try to send an e-mail message via an SMTP/IMAP host. In this article, we’ll look at the possible causes of “STARTTLS is required” error and how to fix it when sending e-mails.
For example, you may receive the error “450 4.4.317 Cannot connect to remote server. 5.7.3 STARTTLS is required to send mail” when you try to send mail from Exchange Online (Microsoft 365) to a misconfigured SMTP server. The screenshot below is from the Exchange Online message tracking log:
This error can occur in different applications (SQL Server, Jenkins), scripts and programming languages (Visual Basic, PowerShell, Python, Java, C#).
What Does the StartTLS is Required Error Mean?
StartTLS is a command in the SMTP protocol that informs the email server that the client wants to use a secure connection using TLS or SSL. When using STARTTLS, an encrypted TLS/SSL connection is created right on top of a usual TCP connection instead of opening a separate port for encrypted connections. The StartTLS command is used by both SMTP and IMAP (POP3 uses a different STLS command for encryption).
You can manually check if the remote SMTP server supports StartTLS. Open a command prompt and connect to the SMTP host using telnet:
telnet smtp.gmail.com 25
The SMTP client connects to the SMTP server using an unencrypted protocol (all data is transmitted in plain text). The client should receive a list of options supported by the SMTP server after sending the HELO command. If the SMTP server supports STARTTLS, the server response must contain the line: 250-STARTTLS.
The client can then send it the STARTTLS command, and the client and SMTP server start TLS negotiation.
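The same check can be done from PowerShell instead of telnet. The function below is an added example, not code from the original article: it opens a plain TCP connection, sends EHLO (the extended form of the greeting, which is what makes the server list its extensions), looks for a 250-STARTTLS line, and, if the server offers it, issues STARTTLS and completes the TLS handshake so you can see which protocol version and certificate the server actually presents. The server, port and client name are assumed values.

```powershell
# Added example (not from the original article): probe an SMTP host for
# STARTTLS support and report the negotiated TLS version. Host/port are assumed.
function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 587,
        [string] $ClientName = 'client.example.test'   # constructed EHLO name
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.ReceiveTimeout = 10000
    $tcp.Connect($Server, $Port)
    $stream = $tcp.GetStream()
    $reader = New-Object System.IO.StreamReader($stream, [Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [Text.Encoding]::ASCII)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # SMTP replies span several lines while the 4th character is '-' ("250-STARTTLS");
    # the last line of a reply uses a space instead ("250 SMTPUTF8").
    function Read-SmtpReply {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { throw "Connection closed by $Server" }
            $lines += $line
        } while ($line.Length -ge 4 -and $line[3] -eq '-')
        return $lines
    }

    $banner = Read-SmtpReply
    $writer.WriteLine("EHLO $ClientName")
    $ehlo = Read-SmtpReply
    $supportsStartTls = [bool]($ehlo | Where-Object { $_ -match '^250[- ]STARTTLS$' })

    $result = [ordered]@{
        Server          = $Server
        Port            = $Port
        Banner          = $banner[0]
        StartTlsOffered = $supportsStartTls
        TlsVersion      = $null
        CertSubject     = $null
    }

    if ($supportsStartTls) {
        $writer.WriteLine('STARTTLS')
        $reply = Read-SmtpReply
        if ($reply[0] -notmatch '^220') { throw "STARTTLS refused: $($reply[0])" }

        # Upgrade the existing TCP connection in place. The certificate is validated
        # against the machine trust store; no callback that accepts any certificate.
        $ssl = New-Object System.Net.Security.SslStream($stream, $false)
        $ssl.AuthenticateAsClient($Server)
        $result.TlsVersion  = $ssl.SslProtocol
        $result.CertSubject = $ssl.RemoteCertificate.Subject

        # End the session cleanly inside the TLS channel.
        $sw = New-Object System.IO.StreamWriter($ssl, [Text.Encoding]::ASCII)
        $sw.NewLine = "`r`n"; $sw.AutoFlush = $true
        $sw.WriteLine('QUIT')
        $ssl.Dispose()
    } else {
        $writer.WriteLine('QUIT')
    }
    $tcp.Close()
    return [pscustomobject]$result
}

Test-SmtpStartTls -Server smtp.gmail.com -Port 587
```

If StartTlsOffered comes back False, the host does not advertise STARTTLS on that port and the error is on the server side; if the handshake in AuthenticateAsClient throws, the server offers STARTTLS but rejects the client's TLS version or presents a certificate the client does not trust, which is the case the later section on TLS 1.2 covers.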
If you get a StartTLS is Required error, check:
- Check that your SMTP server supports the STARTTLS feature. Most SMTP servers only implement STARTTLS on TCP port 587. Some hosts (like smtp.gmail.com) also allow STARTTLS on the default SMTP port 25;
- Check that the receiving server is configured to use TLS and that a valid SSL certificate is installed. Check the TLS version. Most email servers currently only accept TLS 1.2+;
- Check that your operating system and email client support TLS 1.2. You can enable the TLS 1.2 protocol in almost all modern OSs;
- In some applications/clients, you need to check that the Requires a secure connection (SSL) option is enabled (this will enable STARTTLS);
- In rare cases, you can ask the administrator of the email server to configure it to accept messages from you without using STARTTLS (by default TLS/StartTLS is enabled in Microsoft 365/Office 365). You can disable SMTP Auth (and StartTLS) for specific mailboxes on Microsoft 365 with PowerShell:
Set-CASMailbox -Identity firstname.lastname@example.org -SmtpClientAuthenticationDisabled $true
This error can also occur if your Send Connector (in case of on-prem Exchange Server) is configured to require TLS, but the STARTTLS verb is missing in the response from the remote SMTP server.
StartTLS error in Send-MailMessage PowerShell Command
You might receive a StartTLS error when you try to send an e-mail by using the Send-MailMessage PowerShell cmdlet:
Send-Mailmessage -smtpServer smtp.theitbros.com -Port 587 -from "email@example.com" -to "firstname.lastname@example.org" -subject "Alert" -body "Test TLS"
This command may fail with an error:
Send-Mailmessage : The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.0 Must issue a STARTTLS command first.
Send-MailMessage: Error in processing. The server response was: 5.7.3 STARTTLS is required to send mail.
If you add the -UseSsl option to the PowerShell command, the error text changes:
Send-Mailmessage : Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
The cause of this problem is that some SMTP servers only accept TLS 1.2 for STARTTLS negotiation. The TLS 1.2 protocol is supported in all versions of Windows starting with Windows 8/Server 2012. However, in older builds of Windows 10 and Windows Server 2012, the legacy TLS 1.0 protocol is used by default for the HTTPS connection when the -UseSSL flag is set.
In order to temporarily enable TLS 1.2 in your PowerShell session, add the following command to your PS1 script:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Make sure that TLS 1.2 is now supported in the current PowerShell session:
To permanently enable strong cryptography in PowerShell and other .Net Framework applications add the following values to the registry on Windows Server 2016 and below:
Set-Itemproperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\' -Name SystemDefaultTlsVersions -Value 1 -Type DWord
Set-Itemproperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\' -Name SystemDefaultTlsVersions -Value 1 -Type DWord
Set-Itemproperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\' -Name SystemDefaultTlsVersions -Value 1 -Type DWord
Set-Itemproperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727\' -Name SystemDefaultTlsVersions -Value 1 -Type DWord
PowerShell will now always use TLS 1.2 for HTTPS connections. You can use the Send-MailMessage cmdlet to send e-mail through a STARTTLS-enabled SMTP host.
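Putting the session-level fix together with the Send-MailMessage call, the script below is an added example, not code from the original article. It enables TLS 1.2 without removing protocols that are already enabled, verifies the resulting SecurityProtocol value (the check the section above asks for), and then sends a test message with -UseSsl on port 587 so the cmdlet issues STARTTLS. The SMTP server, addresses and credential prompt are placeholder values.

```powershell
# Added example (not from the original article). Server, addresses and the
# credential are placeholders; replace them with your own values.
function Enable-Tls12ForSession {
    $current = [Net.ServicePointManager]::SecurityProtocol
    # Bitwise OR keeps whatever is already enabled (e.g. Tls13 on newer .NET) and adds
    # Tls12; assigning Tls12 on its own, as in the article, replaces the whole set.
    [Net.ServicePointManager]::SecurityProtocol = $current -bor [Net.SecurityProtocolType]::Tls12
    $now = [Net.ServicePointManager]::SecurityProtocol
    if (-not $now.HasFlag([Net.SecurityProtocolType]::Tls12)) {
        throw "TLS 1.2 could not be enabled; SecurityProtocol is '$now'"
    }
    return $now   # e.g. "Tls, Tls11, Tls12" or "SystemDefault, Tls12"
}

function Send-TestMailWithStartTls {
    param(
        [string] $SmtpServer = 'smtp.example.test',
        [int]    $Port       = 587,
        [string] $From       = 'alerts@example.test',
        [string] $To         = 'admin@example.test',
        [pscredential] $Credential = (Get-Credential -Message "SMTP AUTH for $SmtpServer")
    )
    $enabled = Enable-Tls12ForSession
    Write-Verbose "SecurityProtocol now: $enabled"
    try {
        # -UseSsl makes Send-MailMessage issue STARTTLS on the plain connection;
        # port 587 is the submission port where most servers offer it.
        Send-MailMessage -SmtpServer $SmtpServer -Port $Port -UseSsl `
            -Credential $Credential -From $From -To $To `
            -Subject 'Alert' -Body 'Test TLS' -ErrorAction Stop
        return $true
    } catch {
        # "5.7.3 STARTTLS is required" / "Must issue a STARTTLS command first" land here
        # when -UseSsl is missing; "forcibly closed by the remote host" when the server
        # rejects the offered TLS version.
        Write-Warning "Send failed: $($_.Exception.Message)"
        return $false
    }
}

Send-TestMailWithStartTls -Verbose
```

Run it with -Verbose to see the SecurityProtocol value after the change; a result that still lacks Tls12 on an old Windows build means the OS-level registry fix above is needed rather than the per-session setting.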