Can't send or receive email when using TLS 1.1 or TLS 1.0

Symptoms

Microsoft Exchange Server (on-premises) users and Microsoft 365 users can't send email messages to or receive messages from one another if the on-premises server uses Transport Layer Security (TLS) 1.1 or TLS 1.0. When this issue occurs, you receive one of the following error messages:

  • 421 4.4.2 Connection dropped due to SocketError

    Users receive this non-delivery report (NDR) when they send email messages. This error message is displayed in the Queue Viewer.

  • TLS negotiation failed with error SocketError

    This error message is displayed in the protocol log file of the Send connector.

  • 451 5.7.3 Must issue a STARTTLS command first

    This error message is displayed in the protocol log file of the Send or Receive connector.

Cause

This issue occurs because TLS 1.1 and TLS 1.0 are deprecated in Microsoft 365.

Resolution

To resolve this issue, enable TLS 1.2 on the on-premises server that sends and receives email. Here's how to enable TLS 1.2 by modifying the registry:

Important

Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. As a preventive measure, back up the registry for restoration before you modify it.

  1. Install the latest Windows and Exchange updates, because some Windows and Exchange versions require them before TLS 1.2 can be enabled.

  2. Locate each of the following registry subkeys:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

  3. Double-click the DisabledByDefault value, enter 0 in the Value Data box, and then select OK.

  4. Double-click the Enabled value, type 1 in the Value Data box, and then select OK.

  5. For the settings to take effect, restart the server.
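The same registry change, scripted in PowerShell as an added example (not part of the Microsoft article): it writes DisabledByDefault = 0 and Enabled = 1 under the TLS 1.2 Client and Server subkeys and then reads them back to confirm. It assumes an elevated session on the on-premises server and creates the subkeys if they do not exist yet, which the manual steps above do not cover.

```powershell
# Added example, not from the article. Assumptions: run as Administrator on the
# Exchange server; the TLS 1.2 subkeys may be absent, so -Force creates them.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

function Enable-Tls12Role {
    param([ValidateSet('Client','Server')][string]$Role)
    $path = Join-Path $base $Role
    # New-Item -Force creates the key (and its parents) if missing; harmless if present
    New-Item -Path $path -Force | Out-Null
    # The two values the article sets: DisabledByDefault = 0 and Enabled = 1 (REG_DWORD)
    New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $path -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-Tls12Role {
    param([ValidateSet('Client','Server')][string]$Role)
    $path = Join-Path $base $Role
    if (-not (Test-Path $path)) { return $false }
    $p = Get-ItemProperty -Path $path
    # Both values must exist and hold the expected data; a missing value leaves the OS default in force
    return ($p.DisabledByDefault -eq 0) -and ($p.Enabled -eq 1)
}

foreach ($role in 'Client','Server') {
    Enable-Tls12Role -Role $role
    $state = if (Test-Tls12Role -Role $role) { 'enabled' } else { 'NOT enabled' }
    "{0}: TLS 1.2 {1}" -f $role, $state
}
Write-Host 'Restart the server for the Schannel change to take effect.'
```

Run Test-Tls12Role alone (without Enable-Tls12Role) on a server to audit its current state before changing anything.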

For more TLS guidance, see the following articles: