Receipt of TLS Certificate Request from SMTP Server (smtp.office365.com) When Sending Emails

Bonnie Yang 0

We are currently using smtp.office365.com as our SMTP server to send emails, and we utilize TLS (STARTTLS) for encryption. We have noticed that under certain unknown circumstances, the SMTP server sends a TLS Certificate Request step to the client-side of SMTP(us). We would like to know if there is a method to prevent the SMTP server from sending TLS Certificate Requests to our SMTP sending endpoint. If it is not possible to disable the sending of TLS Certificate Requests, we would like to understand in which scenarios the server sends TLS Certificate Requests. Thank you!!

Brett Jhonson 0 Reputation points

2024-05-02T06:46:38.6566667+00:00

SMTP service provider like smtp.office365.com may send TLS Certificate Requests to the client-side (your SMTP endpoint) for secure communication. It's a standard part of TLS negotiation for encryption. While it's not typically possible to disable TLS Certificate Requests, they're sent for ensuring secure connections. Common scenarios triggering these requests include initial handshake, renegotiation, or when the server needs to verify the client's identity. For further insight, consult Microsoft's documentation or contact their support team.
Brayden Diego 0 Reputation points

2024-05-15T05:47:18.73+00:00

You're using smtp.office365.com for SMTP server, and it sometimes sends TLS Certificate Requests unexpectedly. Unfortunately, there is no clear method to prevent this. These requests are often sent when the server wants to authenticate the client's identity for safe communication. Reviewing your settings and confirming compatibility with Office 365's TLS requirements may help.
Michael Smithh 0 Reputation points

2024-05-20T09:26:54.2433333+00:00

To prevent smtp.office365.com from sending TLS Certificate Requests, you can't disable this feature. The server sends TLS Certificate Requests typically for enhanced security during the handshake process. For reliable email delivery without such issues, consider using an alternative SMTP service provider like Sendinblue or SMTPget for smoother operations.
William 880 0 Reputation points

2024-05-27T08:01:28.0466667+00:00

When encountering a TLS certificate request from smtp.office365.com while sending emails, ensure your SMTP configuration aligns with Office 365's security requirements. Double-check TLS settings and certificate validity. For reliable email delivery without such issues, consider using an alternative like Digitalaka or Mailchimp, offering reliable Voice SMS services, for assistance and guidance.

1 answer

Kael Yao-MSFT 37,586 Reputation points Microsoft Vendor

2024-02-21T08:31:16.5966667+00:00

Hi @Bonnie Yang,

It should be the expected behavior as by default, Exchange Online always uses opportunistic TLS.

If Exchange Online fails to establish secure connection with the target server, it will fall back to send the message without encryption.

For more details please refer to this documentation:

How Microsoft 365 uses TLS between Microsoft 365 and external, trusted partners

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Bonnie Yang 0 Reputation points

2024-02-21T10:26:16.27+00:00

Hi @Kael Yao-MSFT ,

Thank you very much for your response! I apologize for not articulating my question clearly. I hope I can clarify my question. During the TLS handshake, the "certificate request" step is optional. However, I have observed that in certain situations, smtp.office365.com (smtp server) sends a "certificate request" to us, which I would prefer to avoid. Could you please assist me in finding a method to prevent the server from sending us the "certificate request"? Alternatively, under what circumstances does the server trigger this step? Your generous assistance is greatly appreciated! Best Regards, Bonnie

Kael Yao-MSFT 37,586 Reputation points Microsoft Vendor

2024-02-22T03:20:24.08+00:00

Sorry I may not be very clear in my former reply.

Could you please assist me in finding a method to prevent the server from sending us the "certificate request"?

To me the server would always try to send you a certificate request first to encrypt the connection (as you are using STARTTLS).

If you reject it or the connection failed due to other reasons, then the server will fall back to try to connect without encryption.

Bonnie Yang 0 Reputation points

2024-02-22T10:15:59.5066667+00:00

Hi @Kael Yao-MSFT ,

Thank you for your patient response.

I apologize for not expressing clearly. By "certificate request" here, I mean the server requesting the client's certificate.

The step(certificate request) is optional, and you may refer to this website for further information:

https://learn.microsoft.com/en-us/archive/blogs/kaushal/client-certificate-authentication-part-1

(in TLS, server's certificate is necessary, client's certificate is optional.

in my case, under certain conditions, smtp.office365.com will have a "certificate request" step, while under other conditions it will not.)

I would appreciate your guidance on how to prevent smtp.office365.com from requesting a certificate, or if you could provide information on the circumstances under which it requests the client's certificate.

Thank you again for your response and kind assistance.

Best Regards,
Bonnie

Kael Yao-MSFT 37,586 Reputation points Microsoft Vendor

2024-02-23T06:37:36.4433333+00:00

Yes it is optional, but if you are using STARTTLS, which actually means you told the server you would like to try secure connection first instead of insecure connection, then the server will ask for your certificate for encryption purpose.

For the process you can refer to RFC 3207 (4.1 Processing After the STARTTLS Command):

The decision of whether or not to believe the authenticity of the other party in a TLS negotiation is a local matter. However, some general rules for the decisions are: - A SMTP client would probably only want to authenticate an SMTP server whose server certificate has a domain name that is the domain name that the client thought it was connecting to. - A publicly-referenced SMTP server would probably want to accept any verifiable certificate from an SMTP client, and would possibly want to put distinguishing information about the certificate in the Received header of messages that were relayed or submitted from the client.
Sign in to comment

Share via

Receipt of TLS Certificate Request from SMTP Server (smtp.office365.com) When Sending Emails

1 answer