Home WindowsOffice 365 Fix: StartTLS is Required to Send Email
Office 365

Fix: StartTLS is Required to Send Email

written by Cyril Kardashevsky

You may receive the error “5.7.3 STARTTLS is required to send email” from some apps or scripts when you try to send an e-mail message via an SMTP/IMAP host. In this article, we’ll look at the possible causes of “STARTTLS is required” error and how to fix it when sending e-mails.

For example, you may receive the error “450 4.4.317 Cannot connect to remote server. 5.7.3 STARTTLS is required to send mail” when you try to send mail from Exchange Online (Microsoft 365) to a misconfigured SMTP server. The screenshot below is from the Exchange Online message tracking log:

starttls is required to send mail

This error can occur in different applications (SQL Server, Jenkins), scripts and programming languages (Visual Basic, PowerShell, Python, Java, C#).

What Does the StartTLS is Required Error Mean?

StartTLS is a command in the SMTP protocol that informs the email server that the client wants to use a secure connection using TLS or SSL. When using STARTTLS, an encrypted TLS/SSL connection is created right on top of a usual TCP connection instead of opening a separate port for encrypted connections. The StartTLS command is used by both SMTP and IMAP (POP3 uses a different STLS command for encryption).

You can manually check if the remote SMTP server supports StartTLS. Open a command prompt and connect to the SMTP host using telnet:

telnet smtp.gmail.com 25

The SMTP client connects to the SMTP server using an unencrypted protocol (all data is transmitted in plain text). The client should receive a list of options supported by the SMTP server after sending the HELO command. If the SMTP server supports STARTTLS, the server response must contain the line: 250-STARTTLS.

5.7.3 starttls is required to send mail

The client can then send it the STARTTLS command, and the client and SMTP server start TLS negotiation.

If you get a StartTLS is Required error, check:

  1. That your SMTP server supports the STARTTLS feature. Most SMTP servers only implement STARTTLS on TCP port 587. Some hosts (like smtp.gmail.com) also allow to use STARTTLS on the default SMTP port 25;
  2. Check that the receiving server is configured to use TLS and that a valid SSL certificate is installed. Check the TLS version. Most email servers currently only accept TLS 1.2+;
  3. Check that your operating system and email client support TLS 1.2. You can enable the TLS 1.2 protocol in almost all modern OSs;
  4. In some applications/clients, you need to check that the Requires a secure connection (SSL) option is enabled (this will enable STARTTL):
  5. In rare cases, you can ask the administrator of the email server to configure it to accept messages from you without using STARTTLS (by default TLS/StartTLS is enabled in Microsoft 365/Office 365). You can disable SMTP Auth (and StartTLS) for specific mailboxes on Microsoft 365 with PowerShell: 
    Set-CASMailbox -Identity user1@theitbros.com -SmtpClientAuthenticationDisabled $false

This error can also occur if your Send Connector (in case of on-prem Exchange Server) is configured to require TLS, but the STARTTLS verb is missing in the response from the remote SMTP server.

StartTLS error in Send-Mailmessage PowerShell Command

You might receive a StartTLS error when you try to send an e-mail by using the Send-MailMessage PowerShell cmdlet:

Send-Mailmessage -smtpServer smtp.theitbros.com -Port 587 -from "admin@theitbros.com" -to "team@theitbros.com" -subject "Alert" -body "Test TLS"

This command may fail with an error:

Send-Mailmessage : The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.0 Must issue a STARTTLS command first.

the server response was: 5.7.3 starttls is required to send mail

Or:

Send-MailMessage: Error in processing. The server response was: 5.7.3 STARTTLS is required to send mail.

If you add the -UseSsl option to the PowerShell command, the error text changes:

Send-Mailmessage : Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

The cause of this problem is that some SMTP servers only accept TLS 1.2 for STARTTLS negotiation. TLS 1.2 protocol is supported in all versions of Windows starting with Windows 8/Server 2012. However, in older builds of Windows 10 and Windows Server 2012, the legacy TLS 1.0 protocol is used by default for HTTPS connection when -UseSSL flag is set.

In order to temporarily enable TLS 1.2 in your PowerShell session, add the following command to your PS1 script:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Make sure that TLS 1.2 is now supported in the current PowerShell session:

[enum]::GetNames([Net.SecurityProtocolType])

error in processing. the server response was: 5.7.3 starttls is required to send mail

To permanently enable strong cryptography in PowerShell and other .Net Framework applications add the following values to the registry on Windows Server 2016 and below:

Set-Itemproperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\' -Name SystemDefaultTlsVersions -Value 1 -Type DWord

Set-Itemproperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\' -Name SystemDefaultTlsVersions -Value 1 -Type DWord

Set-Itemproperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\' -Name SystemDefaultTlsVersions -Value 1 -Type DWord

Set-Itemproperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727\' -Name SystemDefaultTlsVersions -Value 1 -Type DWord

PowerShell will now always use TLS 1.2 for HTTPS connections. You can use the Send-MailMessage cmdlet to send e-mail through a STARTTLS-enabled SMTP host.

kardashevsky cyril

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.

3 comments

Major Tom December 11, 2022 - 1:59 pm

Using Eudora client for Windows, I need to upgradt to the latest starttls. This article tells me how to upgrade but not where to download the file and in which directory to place it.

Can you advise?

Reply
Jonathan Raper January 24, 2023 - 5:41 pm

One thing you should also consider is that, in a hybrid scenario with Exchange Online and Exchange On-Premises, if the firewall in front of the Exchange Server is doing sMTP / SPam inspection, that can and does casue this issue. On a Cisco ASA you have to add a “no fixup protocol smtp” which will solve this (that’s been known for years). On other firewalls, you may have to determine how to exclude the known/published Microsoft CIDR blocks form all SMTP inspection. Once you do that, your issue should be solved, assuming everything else with your Exchange server is working properly.

Reply
Bill O'Brien March 21, 2023 - 9:31 am

Hi, thanks for posting. I tried this [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 prior to issuing a sendmail command and it continues to fail with

send-mailmessage : Error in processing. The server response was: 5.7.3 STARTTLS is required to send mail [BN0PR04CA0061.namprd04.prod.outlook.com 2023-03-21T13:27:10.196Z 08DB280A5A31328C]
At D:\documents\computer_network\programming\backupstatus.ps1:2 char:1
+ send-mailmessage -to bea_obrienw@hotmail.com -from obrienw90@duck.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpException
+ FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage

This is on Windows 11. Any thoughts or suggestions?

Reply

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This site uses Akismet to reduce spam. Learn how your comment data is processed.