Connecting to a Hotmail SMTP Server - TLS Cipher Selection

Hello Everyone

Can you please help me with upgrading or enabling TLS on my VPS that is running CentOS 6? I tested many commands and solutions from the internet but none of them worked. TLS is needed on the email server.

My mail server software is Powermta 3.5, and the message that I get every time is:

SMTP service unavailable: STARTTLS required but failed: SSL error: 140662389376768:error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list:t1_lib.c:1469:;140662389376768:error:14092113:SSL routines:SSL3_GET_SERVER_HELLO:serverhello tlsext:s3_clnt.c:942:; at mx3.hotmail.com (104.44.194.237) while connected from mydomain.com (212.237.61.170) to mx3.hotmail.com (104.44.194.237)

Hi @Yohasakoura,

Can you please give examples of what you tried and what error messages you got?

Most of the documentation that you'll find is about setting up TLS support for a web server (HTTPS), but it looks like what you're interested in is TLS support for a mail server (STARTTLS or SMTPS). This is a less common (though still quite important) use case, so there may be less documentation focused on it.

In the particular error that you posted here, it looks to me like this is actually an outbound error where your server is trying to deliver e-mail from your site to Hotmail, rather than an inbound error where Hotmail is trying to connect to you to deliver mail. Do you agree with that interpretation? If that's so, resolving this particular error does not require you to get a certificate or to configure the certificate in your mail server, because a TLS certificate in the STARTTLS security model is only presented by the server (the destination/recipient of the e-mail), not the client (the origin/sender of the e-mail). The reason for this particular error would then be something else about your configuration, not the lack of a certificate on your end.

However, we would still be happy to try to help you get a certificate set up on your mail server even if that's not the underlying reason for the error that you're receiving.

Indeed, looking again at your error message, I’m pretty sure that it’s a problem of ciphersuite mismatch between your Powermta (acting as a TLS client) and Hotmail’s mail server (acting as a TLS server), which again does not have to do with certificates at all.

It could probably be resolved by changing the cipher settings in your TLS client library (something that I have no idea how to accomplish in Powermta). Then, your Powermta would be able to negotiate a TLS session with Hotmail based on a ciphersuite that they both support.

Getting a certificate for your server could still improve security for inbound e-mails, but would not be relevant to resolving this specific error. :slight_smile:

You are right that the problem is shown on an outbound email. I'm going to search for the cipher thing that you just told me and will hit you back, because right now I'm in trouble and that message is also shown when attempting to send to Gmail, AOL, Yahoo… Thank you, and if anyone else knows anything about this problem just hit me up please!

Please describe what you are trying to achieve to the level that @schoen articulated his answer with. Please also explain what you are trying to do, e.g. "I am trying to connect to server X using protocol Y so I can do Z."

I will then show you how to test the email server (the Hotmail one) and get the right configuration.

As a motivator: I can connect to the server over TLS with no issues, and I am 100% sure it's not a cipher issue, as I have tested TLS 1, TLS 1.1 and TLS 1.2 and have established a TLS session for all 3.


Andrei

This appears to be an OpenSSL bug that was fixed in later versions.

What is the output of:

openssl s_client -connect mx3.hotmail.com:25 -starttls smtp

and

rpm -q openssl

My analysis is that your client is connecting using an IMPLICITLY SECURE transport rather than STARTTLS, which is what the server is expecting:

SMTP service unavailable: STARTTLS required but failed

The server you are connecting to only supports port 25, which requires STARTTLS for secure mail.

Check if Powermta supports this; another option is to use a Hotmail service which supports SMTPS on port 465 (IMPLICITLY SECURE).

Hope the article helps you!


My testing of this service shows that there are a couple of other endpoints mentioned in the certificate.

Andrei
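The two posts above make two separate diagnostic points: schoen reads the posted OpenSSL error queue as a handshake (ciphersuite/extension) mismatch rather than a certificate problem, and Andrei's check is to connect the way `openssl s_client -starttls smtp` does and compare it with a client that assumes implicit TLS on port 25. The script below is an added example written for this thread, not code from the original posts or from Powermta: it parses OpenSSL 1.0-style error strings of the shape posted in the first message into their fields, gives a heuristic verdict on which phase failed, and probes an SMTP server with either STARTTLS or implicit TLS using only the Python standard library. The function and variable names, the `HANDSHAKE_FUNCS` keyword list and the phase labels are my own assumptions; the sample error text is the one posted in the thread.

```python
import re
import smtplib
import ssl

# Sample input: the error string from the first post in the thread.
POSTED_ERROR = (
    "SMTP service unavailable: STARTTLS required but failed: SSL error: "
    "140662389376768:error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:"
    "tls invalid ecpointformat list:t1_lib.c:1469:;"
    "140662389376768:error:14092113:SSL routines:SSL3_GET_SERVER_HELLO:"
    "serverhello tlsext:s3_clnt.c:942:;"
)

# One OpenSSL 1.0.x error-queue entry looks like
#   <thread>:error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:
# and several entries are joined with ';'.
OPENSSL_ERR_RE = re.compile(
    r"(?P<thread>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:;]+):"
    r"(?P<func>[^:;]+):(?P<reason>[^:;]+):(?P<file>[^:;]+):(?P<line>\d+):"
)

# Assumed (my own) list of function-name fragments that mark the hello exchange.
HANDSHAKE_FUNCS = ("SERVER_HELLO", "SERVERHELLO", "CLIENT_HELLO", "CLIENTHELLO")


def parse_openssl_errors(text):
    """Return every OpenSSL error-queue entry found in `text` as a dict of fields."""
    return [m.groupdict() for m in OPENSSL_ERR_RE.finditer(text)]


def classify(records):
    """Heuristic verdict on which phase the error queue points at.

    A reason mentioning a certificate is a validation problem; an error raised
    while processing the ServerHello/ClientHello is a negotiation problem
    (versions, ciphersuites, extensions), which needs no certificate on the client.
    """
    if not records:
        return "no OpenSSL error records found"
    reasons = " ".join(r["reason"] for r in records).lower()
    funcs = " ".join(r["func"] for r in records)
    if "certificate" in reasons:
        return "certificate validation"
    if any(k in funcs for k in HANDSHAKE_FUNCS):
        return "handshake negotiation"
    return "other"


def probe_smtp_tls(host, port=25, mode="starttls",
                   min_version=ssl.TLSVersion.TLSv1_2, timeout=15):
    """Connect to an SMTP server and report what TLS was negotiated.

    mode="starttls": plaintext EHLO, then STARTTLS (what port 25/587 expects,
                     the same thing `openssl s_client -starttls smtp` does).
    mode="implicit": TLS handshake immediately (the port 465 / SMTPS model).
    Using "implicit" against a STARTTLS-only port fails in the handshake because
    the server answers the ClientHello with a plaintext SMTP banner.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    try:
        if mode == "implicit":
            smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:
            smtp = smtplib.SMTP(host, port, timeout=timeout)
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                smtp.quit()
                return {"ok": False, "reason": "server did not advertise STARTTLS"}
            smtp.starttls(context=ctx)
            smtp.ehlo()  # capabilities must be re-read after the upgrade
        sock = smtp.sock
        result = {"ok": True, "protocol": sock.version(), "cipher": sock.cipher()[0]}
        smtp.quit()
        return result
    except ssl.SSLError as exc:
        # Python's ssl module exposes the OpenSSL reason string directly.
        return {"ok": False, "ssl_reason": getattr(exc, "reason", None), "detail": str(exc)}
    except (smtplib.SMTPException, OSError) as exc:
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    for rec in parse_openssl_errors(POSTED_ERROR):
        print(f'{rec["code"]} {rec["func"]}: {rec["reason"]} ({rec["file"]}:{rec["line"]})')
    print("verdict:", classify(parse_openssl_errors(POSTED_ERROR)))
    # Live checks (need network); compare the two modes against the host from the thread.
    print("starttls:", probe_smtp_tls("mx3.hotmail.com", 25, "starttls"))
    print("implicit:", probe_smtp_tls("mx3.hotmail.com", 25, "implicit"))
```

Run on the posted message, the parser yields two entries, both raised while processing the ServerHello, and the verdict is "handshake negotiation", which matches schoen's reading. The two live probes reproduce Andrei's comparison: the STARTTLS mode reports the negotiated protocol and cipher, while the implicit mode on port 25 returns an SSL error, and lowering `min_version` lets you check whether older protocol versions are accepted, as Andrei did for TLS 1, 1.1 and 1.2.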

Hi

@ahaw021 what I try to achieve is sending outbound emails using Powermta via a GMX SMTP relay, so I thought that Powermta doesn't accept port 587, but it seems that it accepts that, because when I tried sending email through the Gmail SMTP the problem didn't show, so I'm a bit confused right now.

Read the article and then go talk to Powermta, as they will know how their client software is implemented.

I have shown you that using STARTTLS correctly with that server lets you interact with the SMTP component. Why it doesn't work for Powermta is not something I can or will troubleshoot (that's why they have support for their product and people who know how to configure it).

They might suggest you use a different SMTP service from Microsoft.

Andrei
