
Unable to validate the connector from Exchange Online. Mail flow stopped

RadheChauhan-3254 20 Reputation points
2025-10-08T16:16:14.03+00:00

I am trying to validate the Exchange Online connector with TLS enabled with SAN, but it does not complete the handshake with Exchange on-prem. I am getting this error.

Reason: [{LED=550 5.4.317 Message expired, cannot connect to remote server};{MSG=451 5.7.3 STARTTLS is required to send mail};{FQDN="removed fqdn for security"};{IP=removed IP for security};{LRT=9/30/2025 7:11:10 AM}]. OutboundProxyTargetIP: removed IP. OutboundProxyTargetHostName: remove On-prem server.


3 answers

  1. RadheChauhan-3254 20 Reputation points
    2025-11-05T06:28:59.7733333+00:00

    Hi @Vergil-V

    Thank you so much for your help and response.

    I found the cause. The email hit another connector due to misconfigured IP ranges.

    I removed the IP ranges from the same connector; after that it worked for the default incoming connector on Exchange Server.

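The misrouting described in the answer above can be checked by listing every receive connector whose RemoteIPRanges contain the sending IP, narrowest range first. This is an added example, not part of the original post: the function names and sample connectors are hypothetical, it handles IPv4 only, and it assumes each RemoteIPRanges entry converts to a string in single-address, a-b range, or CIDR form.

```powershell
# Added example (not from the thread). IPv4 only; all names below are hypothetical.
function ConvertTo-IPv4Number ([string]$Ip) {
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + $b[3]
}

# Turn one RemoteIPRanges expression into numeric low/high bounds.
function Get-RangeBounds ([string]$Expr) {
    $ip = '\d+\.\d+\.\d+\.\d+'
    if ($Expr -match "^($ip)/(\d+)$") {                     # CIDR, e.g. 10.0.0.0/8
        $base = ConvertTo-IPv4Number $Matches[1]
        $size = [uint64][math]::Pow(2, 32 - [int]$Matches[2])
        $low  = $base - ($base % $size)
        return @{ Low = $low; High = $low + $size - 1 }
    }
    if ($Expr -match "^($ip)-($ip)$") {                     # explicit range a-b
        return @{ Low  = (ConvertTo-IPv4Number $Matches[1])
                  High = (ConvertTo-IPv4Number $Matches[2]) }
    }
    if ($Expr -match "^$ip$") {                             # single address
        $n = ConvertTo-IPv4Number $Expr
        return @{ Low = $n; High = $n }
    }
    return $null                                            # IPv6 / mask form: skipped
}

# List every connector range containing $SourceIp, narrowest range first.
function Find-MatchingReceiveConnector ($Connectors, [string]$SourceIp) {
    $addr = ConvertTo-IPv4Number $SourceIp
    $hits = foreach ($c in $Connectors) {
        foreach ($r in $c.RemoteIPRanges) {
            $b = Get-RangeBounds ([string]$r)
            if ($b -and $addr -ge $b.Low -and $addr -le $b.High) {
                [pscustomobject]@{ Connector = $c.Identity; Range = [string]$r
                                   Addresses = $b.High - $b.Low + 1 }
            }
        }
    }
    $hits | Sort-Object Addresses
}

# Constructed sample data (documentation IP space), so the script runs offline.
$sample = @(
    [pscustomobject]@{ Identity = 'EX01\Default Frontend EX01'
                       RemoteIPRanges = @('0.0.0.0-255.255.255.255') }
    [pscustomobject]@{ Identity = 'EX01\App Relay'
                       RemoteIPRanges = @('10.0.0.0/8', '203.0.113.0/24') }
)
Find-MatchingReceiveConnector $sample '203.0.113.25' | Format-Table -AutoSize
# On a real server: Find-MatchingReceiveConnector (Get-ReceiveConnector) '<source IP>'
```

Among connectors listening on the same port, the first row is the one to compare against the connector you expected to receive the mail; check its TlsCertificateName and AuthMechanism with the Get-ReceiveConnector command shown in the answer below.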


  2. Vergil-V 12,975 Reputation points Microsoft External Staff Moderator
    2025-10-09T02:31:35+00:00

    Hi @Radhe Chauhan 
    Thank you for reaching out to Microsoft Learn Q&A!    

    Based on your description, I understand that you're encountering error codes 550 5.4.317 (Message expired) and 451 5.7.3 (STARTTLS is required to send mail) during the email validation step while setting up the Exchange Online connector with TLS enabled and using a certificate that includes Subject Alternative Names (SAN). 

    These error codes typically indicate issues with TLS configuration or certificate validation. Based on my research, here are some areas you may want to review:
    1. Review Exchange Online Connector configuration:

    • Ensure the connector is set up for the correct mail flow: from Office 365 to your on-premises email server. 
    • Confirm that the Subject Alternative Names (SANs) specified in the connector match those listed in your on-premises certificate.

    2. Verify on-premises certificate:
    You can verify the certificate's validity and ensure that the Fully Qualified Domain Names (FQDNs) listed in the Subject Alternative Name (SAN) field are correct.
    To do this, you can use the Get-ExchangeCertificate command in Exchange PowerShell, which will display details such as the subject, certificate domains, and services. For example:  

    Get-ExchangeCertificate | fl Subject, CertificateDomains, Services 
    

    3. Check Receive Connector settings:
    You should also review the Receive Connector on your Exchange server to ensure that it is correctly bound to the certificate and that TLS is enabled.
    You can use the Get-ReceiveConnector command in Exchange PowerShell to check the TLS certificate name and authentication mechanism. For example: 

    Get-ReceiveConnector -Identity "<yourReceiveConnectorName>" | fl TlsCertificateName, AuthMechanism 
    

     

    4. Firewall or load balancer restrictions:
    Confirm that there are no restrictions (such as port 25 being blocked) between Exchange Online and your Exchange Server. 
    Reference: Network ports for clients and mail flow in Exchange | Microsoft Learn 

    Additionally, if you're working in a hybrid environment and have recently installed or renewed your certificate, it's recommended to run the Hybrid Configuration Wizard (HCW) to ensure that the hybrid setup continues to function correctly and that all necessary configurations are properly updated. 


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. 



  3. Andy David - MVP 160.2K Reputation points MVP Volunteer Moderator
    2025-10-08T16:21:02.79+00:00

    "cannot connect to remote server"

    Why can't it connect? Was it working before? Does your firewall allow access from ExO?
