450 4.4.317 Cannot connect to remote server [Message=451 5.7.3 StartTLS is required to send mail]


Scenario: After a recent renewal of one of our Exchange On-Premises certificates in our Exchange Online Hybrid environment, we noticed a 2 minute delay when messages were sent from Exchange Online to Exchange On-Premises via a custom send connector (not the hybrid connector).

Investigating: After some troubleshooting, we realized the TLS certificate name string, $TLSCert = ('<I>' + $Cert.Issuer + '<S>' + $Cert.Subject), did not exactly match what was configured in various properties on our Exchange On-Premises servers.

Solution: We ran the following PowerShell to check and set the correct certificate properties. In our specific scenario it was the send connector (which was no longer able to send email to Exchange Online) and the receive connector (which was causing the 2 minute email delay). I suspect this would have been a bigger issue if we had removed the older certificate that the connectors were still pointing to right away.

#Find the TLSCert name (build the <I>issuer<S>subject string from the new certificate):
$Cert = Get-ExchangeCertificate -Thumbprint <thumbprint of new certificate> -Server <Exchange Server name>
$TLSCert = ('<I>' + $Cert.Issuer + '<S>' + $Cert.Subject)

#Check and set the Transport Server to the new cert:
Get-TransportServer -Identity <servername> | Select InternalTransportCertificateThumbprint
#If the thumbprint is not the new cert, move the SMTP service (and any other service) to the new certificate
Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP

#Check and set the Send Connector to the new TLS certificate name
Get-SendConnector -Identity <Office 365 send connector> | Select TlsCertificateName
#If it is not using the new cert, run the following
Set-SendConnector -Identity <Office 365 send connector> -TlsCertificateName $TLSCert

#Check and set the Receive Connector
Get-ReceiveConnector "ServerName\Default Frontend ReceiveConnector" | Select TlsCertificateName
#If it is not using the new cert, run the following
Get-ReceiveConnector "ServerName\Default Frontend ReceiveConnector" | Set-ReceiveConnector -TlsCertificateName $TLSCert
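The steps above check one send connector and one receive connector by hand. The script below is an added example (not part of the original post) that generalizes the same check: it derives the expected <I>issuer<S>subject string from the certificate currently enabled for SMTP on a server, compares it against the TlsCertificateName of every send connector and every receive connector on that server, and lists the ones that still reference a different (typically the old, renewed) certificate. The $ServerName parameter and the optional -Fix switch are this example's own additions; it assumes it is run from the Exchange Management Shell.

```powershell
# Added example: audit Send/Receive connector TlsCertificateName values
# against the certificate that is currently bound to the SMTP service.
# Assumes the Exchange Management Shell is loaded. $ServerName and -Fix
# are placeholders/assumptions of this example, not from the original post.
param(
    [Parameter(Mandatory = $true)][string]$ServerName,
    [switch]$Fix
)

# Pick the newest non-expired certificate that has the SMTP service enabled.
$Cert = Get-ExchangeCertificate -Server $ServerName |
    Where-Object { $_.Services -match 'SMTP' -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $Cert) {
    throw "No valid SMTP-enabled certificate found on $ServerName"
}

# Same string the post builds: <I>issuer<S>subject
$Expected = '<I>' + $Cert.Issuer + '<S>' + $Cert.Subject

Write-Host "Expected TlsCertificateName on $ServerName :"
Write-Host "  $Expected"
Write-Host "Certificate thumbprint: $($Cert.Thumbprint), expires: $($Cert.NotAfter)"

$Results = @()

foreach ($sc in Get-SendConnector) {
    $Current = [string]$sc.TlsCertificateName
    $Results += [pscustomobject]@{
        Type    = 'Send'
        Name    = $sc.Identity
        Current = $Current
        Matches = ($Current -eq $Expected)
    }
}

foreach ($rc in Get-ReceiveConnector -Server $ServerName) {
    $Current = [string]$rc.TlsCertificateName
    $Results += [pscustomobject]@{
        Type    = 'Receive'
        Name    = $rc.Identity
        Current = $Current
        Matches = ($Current -eq $Expected)
    }
}

# An empty TlsCertificateName means the connector uses the default SMTP cert,
# so only connectors with an explicit, non-matching value are reported.
$Stale = $Results | Where-Object { $_.Current -ne '' -and -not $_.Matches }

if (-not $Stale) {
    Write-Host "All connectors with an explicit TlsCertificateName match the current certificate."
    return
}

$Stale | Format-Table Type, Name, Current -AutoSize

if ($Fix) {
    foreach ($item in $Stale) {
        if ($item.Type -eq 'Send') {
            Set-SendConnector -Identity $item.Name -TlsCertificateName $Expected
        } else {
            Set-ReceiveConnector -Identity $item.Name -TlsCertificateName $Expected
        }
        Write-Host "Updated $($item.Type) connector '$($item.Name)'"
    }
}
```

Run it first without -Fix to see which connectors still point at the old certificate; run it with -Fix only after confirming the selected certificate is the one you intend to use for SMTP TLS. Because the comparison is an exact string match, this also catches the subtle issuer/subject ordering or whitespace differences that the post describes.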

