Home WindowsOffice 365 Fix: StartTLS is Required to Send Email
Office 365

Fix: StartTLS is Required to Send Email

written by Cyril Kardashevsky

When sending emails from various applications or scripts, you may encounter error 5.7.3 StartTLS is Required to Send Email. You may face this error in different apps (SQL Server, Jenkins), scripts, and programming languages (Visual Basic, PowerShell, Python, Java, C#). In this article, we will look at how to fix the STARTTLS required error when sending an email.

In our case, we saw an error “450 4.4.317 Cannot connect to remote server. 5.7.3 STARTTLS is required to send mailin the tracking log of Exchange Online (Microsoft 365):

starttls is required to send email

What Does the StartTLS is Required Error Mean?

StartTLS is an extension of the SMTP protocol that allows telling the email server that the email client wants to use a secure connection using TLS or SSL. When using STARTTLS, an encrypted connection is created right on top of a usual TCP connection instead of opening a separate port for encrypted connections. The StartTLS command is used by both SMTP and IMAP (POP3 uses a different STLS command for encryption).

In order to check that your email server supports StartTLS, open a command prompt and connect to it using telnet:

telnet smtp.gmail.com 25

In this example, the client has requested (EHLO) a list of features that the email server supports and the server has returned that it can use STARTTLS: 250-STARTTLS.

starttls is required to send mail office 365

If you get a StartTLS is Required error, check:

  1. That your SMTP server supports the STARTTLS feature. Most SMTP servers implement STARTTLS only on port 587. Some servers (like Gmail) also allow to use STARTTLS on default SMTP port 53.
  2. Verify that the receiving server is configured to use TLS. Check the TLS version. Most email servers currently only accept TLS 1.2;
  3. Check if your email client supports StartTLS. If not, you need to ask the administrator of the email server to configure it to accept messages from you without using STARTTLS (by default TLS/StartTLS is enabled in Microsoft 365/Office 365). You can disable SMTP Auth (and StartTLS) for specific mailboxes on Microsoft 365 with PowerShell: 
    Set-CASMailbox -Identity user1@theitbros.com -SmtpClientAuthenticationDisabled $false

StartTLS error in PowerShell

You may encounter a StartTLS error when trying to send an email using PowerShell:

Send-Mailmessage -smtpServer smtp.theitbros.com -Port 587 -from "admin@theitbros.com" -to "team@theitbros.com" -subject "Alert" -body "Test TLS"

This command fails with an error:

Send-Mailmessage : The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.0 Must issue a STARTTLS command first

If you add the -UseSsl option to the PowerShell command, the error text changes:

Send-Mailmessage : Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

The matter is that some SMTP servers accept only TLS 1.2 for negotiating STARTTLS. To use TLS 1.2 for connections to the email server from the PowerShell console, run the following command before executing the Send-MailMessage cmdlet:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

To force PowerShell and other .Net Framework applications to always use TLS 1.2 for HTTPS connections, add the following values to the registry:

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord 
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
kardashevsky cyril

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.

3 comments

Major Tom December 11, 2022 - 1:59 pm

Using Eudora client for Windows, I need to upgradt to the latest starttls. This article tells me how to upgrade but not where to download the file and in which directory to place it.

Can you advise?

Reply
Jonathan Raper January 24, 2023 - 5:41 pm

One thing you should also consider is that, in a hybrid scenario with Exchange Online and Exchange On-Premises, if the firewall in front of the Exchange Server is doing sMTP / SPam inspection, that can and does casue this issue. On a Cisco ASA you have to add a “no fixup protocol smtp” which will solve this (that’s been known for years). On other firewalls, you may have to determine how to exclude the known/published Microsoft CIDR blocks form all SMTP inspection. Once you do that, your issue should be solved, assuming everything else with your Exchange server is working properly.

Reply
Bill O'Brien March 21, 2023 - 9:31 am

Hi, thanks for posting. I tried this [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 prior to issuing a sendmail command and it continues to fail with

send-mailmessage : Error in processing. The server response was: 5.7.3 STARTTLS is required to send mail [BN0PR04CA0061.namprd04.prod.outlook.com 2023-03-21T13:27:10.196Z 08DB280A5A31328C]
At D:\documents\computer_network\programming\backupstatus.ps1:2 char:1
+ send-mailmessage -to bea_obrienw@hotmail.com -from obrienw90@duck.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpException
+ FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage

This is on Windows 11. Any thoughts or suggestions?

Reply

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This site uses Akismet to reduce spam. Learn how your comment data is processed.