This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi,
All of a sudden, mail flow from on-prem to Exchange Online stopped.
The connector shows a "450 4.4.317 Cannot connect to remote server [Message=UntrustedRoot]" error.
It seems that the TLS certificate is not being recognized as trusted from Exchange Online.
However, my public cert is valid and from a CA validated by MS.
Any idea about troubleshooting this? Thanks!
Is there any device between the on-prem Exchange Server and 365 that may be interfering with the mail flow?
https://learn.microsoft.com/en-us/exchange/edge-transport-servers
Hi, thanks for your answer.
I discovered later that the firewall admin had added certificate inspection and SMTP filtering to the SMTP publishing rule.
Reverting back to a plain SMTP publishing rule fixed the issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 96%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDJ%3C/text%3E%3C/svg%3E)
If there is a mail filter /anti spam gateway device is in between Exchange online and your onprem exchange, You should verify TLS is enabled on the default frontend receive connector. Verify if exchange server is having a valid certificate, also verify if you are seeing show STARTTLS when connected on smtp port 25 using telnet .
Upload the certificate on the middle device and enable tls on that device as well.
Finally even if that is failling for some reason whitelist microsoft exchange online network showing port 25 in below link on antispam gateway.