Configure TLS encryption between SharePoint on-premise and Exchange


This blog will guide you through the steps required to configure, test and troubleshoot sending / receiving e-mail from SharePoint to Exchange using TLS encryption.


(There are many, only because I have included many tips along the way)

1. Install SMTP and Telnet on the SharePoint App Server using server manager

2. Or with PowerShell (why? … because it’s fun and good to practice). To install SMTP with PowerShell,  check out my script in the link below.  

Install SMTP Server and Telnet with PowerShell – Mike Lee’s Blog (

3. Configure SMTP with IIS 6 manager

4. Go to domain and add a new alias for your SharePoint Farm.


5. Configure incoming email settings from Central Admin.

6. Configure Outgoing Email Settings.

7. Port 587 will use secure e-mail settings from the Exchange receive connector

8. You can see this from the properties of the “Client Frontend Receive connector” in Exchange.


Note: that Anonymous is not enabled.

9. Now you need a send connector in Exchange.

10. Create a new send connector with the name and scope of the domain used when you configured the domain in SharePoint.


11. On the delivery page, use the SharePoint Server as the Smart Host using the FQDN.


12. Finally scoping, use the namespace that matches the domain name used in SharePoint and specify an Exchange server to host the connector.

13. Complete the connector setup.

14. Back to the SharePoint server for testing.

15. Create a new document library and add an incoming email alias.


16. Subscribe to alerts on the new library so you can test receiving mail from SharePoint as well.

Note: Keep all the default alert settings.

17. Send mail from Exchange using Outlook or OWA to the email address of the document library.

18. After sending the E-mail, watch the progress from ULS with a filer of “category contains e-mail”.


Important note: If you are running a min-role server, SMTP will only be processed on the APP servers.

19. You should see from the logs that incoming and outgoing email was processed, but let’s look at the document library to ensure it was processed as expected.

20. Everything went smooth, did yours? I didn’t think so!

21. What should you do when an email is not delivered as planned? If you followed the above steps you may have ran into a problem because I left out one particularly important piece

22. Let’s test sending email from PowerShell, using the [SPUtility]::SendEmail API.

Note: This is just an easier way to troubleshoot this issue because you are testing and viewing logs from a single place and you get to play with PowerShell and SharePoint APIs.

23. This script will write the exception to a log file and let you know why it’s not working. If you followed the instructions, you should see the following error.

24. Ok, we have a cert error, so let’s Enable CAPI2 Logging.

25. Run the script again and look at the CAPI2 log.

26. Looking at the XML from the critical error, we can see the following information.

 27. There is 3 important pieces of information in the error.

  • The certificate subject name subjectName=”michlee-exch” />
  • Error status: <ErrorStatus value=”20“ CERT_TRUST_IS_UNTRUSTED_ROOT=”true” />
  • Result value: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

28. So, what does this all mean? You configured your Outgoing E-mail from SharePoint to use TLS and you don’t trust the Exchange self-signed certificate.

29. Now go to the Exchange Server and find the matching certificate from the certificate snap-in.

30. Export the certificate from Exchange

31. Chose “do not export private key”

32. Choose DER Encoded format


33. Copy the exported certificate onto the SharePoint Server(s).

34. Import the certificate into the SharePoint Servers.

35. Open the Exchange Cert from the SharePoint Server

36. Notice when opening the Exchange Certificate from the SharePoint Server, you get a warning stating that the CA Root is not trusted.

37. Choose “Install Certificate”, this will start the import wizard

38. The import wizard will start and choose “Local machine”.

39. Chose “Place All certificates in the following Store”, and choose “Trusted Root Certificate Authorities”

40. Now you should see the certificate is in good shape.

41. Now when SharePoint sends e-mail, it will use TLS encryption and succeed.

 42. So, it’s working from the OWSTimer inside Sharepoint but failing from PowerShell.

Conclusion (Great, you made to the end!)

If you made it this far, I hope you have e-mail working between SharePoint and Exchange using TLS encryption, or learned some new ways to troubleshoot issues that involve certificates and mail flow from SharePoint.

Leave a Reply