Office 365 SMTP - 535 5.7.3 Authentication unsuccessful

In one of the manager upgrades recently, there was a dot net upgrade as well. I have been investigating this from another angle and for linux and sometimes OS X there does seem to be a tls issue. But all tests that I have seen this usually isn’t a problem on windows systems. That’s because the implementation in Windows uses the native dot net and is likely to have a greater version installed anyway, whereas OS X and Linux use mono and whatever lubos incorporates into the package. I haven’t got to the bottom of it yet and hence I haven’t posted my research on it, it’s not complete. However, you can verify it yourself if you can capture packets between the manager computer and your router/the outside world. A browser isn’t sufficient, you need something like wireshark to get to the bottom of it and if it is a tls issue it will show it’s ugly head in the packet captures. The issue stems from the fact in the version of dot net that manager uses, the default credentials are not set correctly. It was fixed one or two subversions later (from 4.7).

There is a workaround that MS suggests and it is possible that option 3 might be an option, but requires a little but of effort on your part. I’d be more hopeful that lubos can look into setting a default value, posted below.

I started posting about it here, but never really finished getting to the bottom of it:

So it’s only partly a manager fault, the other part is a security requirement at the other end on your mail server, it is not allowing TLSv1 and enforces TLSv1.2 or higher, but dot net less than 4.7 not defaulting to a more secure connection. From what I understand of the handshake (this is a very laymans paraphrasing from a guy who doesn’t fully understand: ME!), the server accepts the v1 handshake enough for it to then reject the certificate because it wants a more secure connection.

from:

@lubos, I don’t know if this is the answer, but something like this line of code may help:

System.Net.ServicePointManager.SecurityProtocol =  System.Net.SecurityProtocolType.Tls12

I don’t know if that is the precise line, you’ll need to look into further. You might want to start here:

this looks VERY pertinent, I’m not sure what version @lubos upgraded NET4.6.1 from, but previously it wasn’t an issue, it seems only 4.6, 4.6.1 and possibly 4.6.2:

ServicePointManager.SecurityProtocol Property

so it seems to me this is the pertinent value:

  • prior to 4.6 everything worked, was probably using SSL3
  • at 4.6 SSL3 was dropped, the most secure was preferred (we’re not on this)
  • at 4.6.1 (not sure)
  • at 4.6.2 nodefault set and so what applications sets as default, minimum, and doesn’t take into consideration what the server wants because as far as it’s concerned starttls worked, it thinks???
  • at 4.7 system default set

Anyway, most dotNet stuff is beyond me, lubos is going to have to look into it further if mail servers are going to reject TLSv1 connections, which appear to be happening more and more, and anything less than NET4.7 requires developers to take action.