Can't establish a TLS connection to a remote mail server in Exchange Online or Exchange Server

Applies to: Exchange Server 2016 Enterprise EditionExchange Server 2016 Standard EditionExchange Server 2013 Enterprise More

PROBLEM


You can't establish a Transport Layer Security (TLS) connection to a remote mail server by using the following services and applications:
  • Microsoft Exchange Online
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2010
For example, in Exchange Server, you see messages in the message queue that are in a Retry state.

CAUSE


This issue occurs if a nonsecure signature algorithm is used in the remote mail server’s certificate chain. When TLS 1.2 is enabled on servers that are running Exchange Server, additional security checks are introduced during a TLS negotiation. This means that the remote mail server's certification chain is subject to checks for nonsecure signature algorithms. If a certificate in the certificate chain uses MD5 or MD2 hash algorithms, TLS negotiation fails.

Analysis of the certificate chain that's sent by the remote mail server shows that a nonsecure algorithm is used.

SOLUTION


To resolve this problem, update the certificate on the remote mail server.

MORE INFORMATION


To work around this problem, you can configure the remote server not to advertise until the certificate can be updated. However, in this configuration, no connection to the server will be encrypted.

Still need help? Go to Microsoft Community or the Exchange TechNet Forums.