Can't establish a TLS connection to a remote mail server in Exchange Online or Exchange Server

PROBLEM

You can't establish a Transport Layer Security (TLS) connection to a remote mail server by using the following services and applications:
  • Microsoft Exchange Online
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2010
For example, in Exchange Server, you see messages in the message queue that are in a Retry state.

CAUSE

This issue occurs if a nonsecure signature algorithm is used in the remote mail server's certificate chain. When TLS 1.2 is enabled on servers that are running Exchange Server, additional security checks are introduced during a TLS negotiation. This means that the remote mail server's certificate chain is checked for nonsecure signature algorithms. If any certificate in the chain is signed with the MD5 or MD2 hash algorithm, TLS negotiation fails.

Analysis of the certificate chain that's sent by the remote mail server shows that a nonsecure algorithm is used.
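As an added diagnostic that is not part of the Microsoft article, the following Python check walks a DER-encoded certificate chain and reports every member whose signatureAlgorithm is md2WithRSAEncryption or md5WithRSAEncryption, the two algorithms the article names. The sample chain is constructed inside the script (certificate-shaped DER with a dummy tbsCertificate) so the example runs offline; the parser itself works on real DER certificates.

```python
# signatureAlgorithm OIDs the article names as nonsecure (PKCS #1 arc).
NONSECURE_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def _tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs; high bit set on every octet but the last of an arc
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der_cert):
    """Return the signatureAlgorithm OID of one DER X.509 cert (SEQUENCE {tbs, sigAlg, sigValue})."""
    _, body, _ = _tlv(der_cert, 0)   # outer Certificate SEQUENCE
    _, _, pos = _tlv(body, 0)        # skip tbsCertificate
    _, alg_id, _ = _tlv(body, pos)   # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(alg_id, 0)    # its first element is the algorithm OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)

def check_chain(chain):
    """Return [(index, algorithm name)] for each chain member signed with MD2 or MD5."""
    oids = [signature_algorithm(c) for c in chain]
    return [(i, NONSECURE_SIG_OIDS[o]) for i, o in enumerate(oids) if o in NONSECURE_SIG_OIDS]

def _der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample chain below."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + content
def _fake_cert(oid_bytes):
    """Constructed certificate-shaped DER: dummy tbsCertificate, given algorithm, empty signature."""
    tbs = _der(0x30, b"\x02\x01\x01" + b"\x00" * 200)        # padded so a long-form length is exercised
    alg = _der(0x30, _der(0x06, oid_bytes) + b"\x05\x00")   # AlgorithmIdentifier { oid, NULL }
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))
# Constructed sample chain: SHA-256 leaf and root, but the intermediate is still MD5-signed.
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SAMPLE_CHAIN = [_fake_cert(SHA256_RSA), _fake_cert(MD5_RSA), _fake_cert(SHA256_RSA)]
```

To check a real remote mail server, capture the chain it presents during STARTTLS (for example with openssl s_client -starttls smtp -showcerts), convert each PEM block to DER, and pass the list to check_chain; a non-empty result identifies the certificate that must be reissued before the TLS 1.2 negotiation will succeed.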

SOLUTION

To resolve this problem, update the certificate on the remote mail server.

MORE INFORMATION

To work around this problem until the certificate can be updated, you can configure the remote server not to advertise TLS. However, in this configuration, no connection to that server will be encrypted.


Article ID: 3027536 - Last Review: Dec 21, 2016 - Revision: 1

Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition, Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2013 Standard Edition, Microsoft Exchange Server 2010 Enterprise, Microsoft Exchange Server 2010 Standard, Microsoft Exchange Online
