Scenario: When attempting to send email from Exchange Online to Exchange On-Premises via Hybrid connectors, Exchange Online receives the following error message with a Defer Event: LED=450 4.4.317 Cannot connect to remote server [Message=451 5.7.3 STARTTLS is required to send mail]
This error means is that a certificate that supports TLS is present on the receiving (Exchange On-Premises) server, EXCEPT it cannot build a TLS connection because of an invalid configuration.
Solution: In our case, a new certificate that was recently installed on the Exchange On-Premises Server had a different TLS Certificate Name than what was configured on the Receive Connector. Setting the ‘TLSCertificateName’ on the receive connector with the NEW Certificate fixed the issue.
#Pull the Certificate $Cert = Get-ExchangeCertificate -Thumbprint "<Thumbprint of server with SMTP Service>" #Build the TLSCert String that will be used to compare and set $TLSCert = (‘<I>’+$cert.issuer+'<S>’+$cert.subject) #Check and compare the TLSCertificateName on the Receive Connector with $TLSCert Get-ReceiveConnector "<Servername>\Default Frontend <Servername>" | Select TLSCertificateName $TLSCert #If the CertName is different, set the Receive Connector with $TLSCert Get-ReceiveConnector "<Servername>\Default Frontend <Servername>" | Set-ReceiveConnector -TlsCertificateName $TLSCert