office 365 "Cannot connect to SMTP server" "SSL negotiation failed"

Matthew Brady 195

Hi team, I work for Ricoh and we have had several clients call in today with an error message when trying to scan. The error message is "Cannot connect to SMTP server" "SSL negotiation failed". Upon checking their setups they are all using office365 accounts for SMTP authentication, all of them stopped working this morning.

Have their been any updates or changes we need to be aware of?

Thanks

Matthew Brady 195 Reputation points

2025-02-03T03:15:00.47+00:00

to add to this, out of 4 scans, 3 will return with the SSL negotiation has failed error and the 4th will go through
Jens Schels 5 Reputation points

2025-02-03T08:23:27.07+00:00

Got the same issue. SSL negotiation failed.
eyeyyeyeyeeyye 10 Reputation points

2025-02-03T09:27:31.6766667+00:00

We're having the same issue (SSL negotiation failed & cannot connect to SMTP server). It's been going on for a week. Nothing changed on our end. If you guys find a fix, please share it with us. Thank you.
GF 5 Reputation points

2025-02-03T10:31:59.43+00:00

Please advise how to solve.
Dawid Kuprowski 20 Reputation points

2025-02-03T10:50:48.3233333+00:00

We have the same issue with Ricoh devices.
Rafael Rozic 0 Reputation points

2025-02-03T11:51:13.33+00:00

Same issue on our end with our Ricoh device, just started last week. Some scans go through fine, but most of them fail (inconsistent). Also checked Exchange Online settings for the scanner account and "SmtpClientAuthenticationDisabled" was not set.

https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission

Get-CASMailbox -Identity 'accountname'

Name ActiveSyncEnabled OWAEnabled PopEnabled ImapEnabled MapiEnabled SmtpClientAuthenticationDisabled

accountname True True True True True

But even setting it to $false(which should allow SMTP Auth) does not resolve the issue.

Set-CASMailbox -Identity 'accountname' -SmtpClientAuthenticationDisabled $false

Name ActiveSyncEnabled OWAEnabled PopEnabled ImapEnabled MapiEnabled SmtpClientAuthenticationDisabled

accountname True True True True True False

Any idea how to fix this?
Carstens, Helge 5 Reputation points

2025-02-03T12:31:17.5033333+00:00

Same here. 30 RICOH devices and all have the same errors.
Marcos Santos 0 Reputation points

2025-02-03T13:06:47.52+00:00

Same issue in Brazil using Konica Minolta devices. Started Today.
Dmitrii Solomkin 0 Reputation points

2025-02-03T14:41:53.1333333+00:00

Same problem here. Has anyone found a workaround?
Panayiotis Falas 0 Reputation points

2025-02-03T14:55:10.43+00:00

Same here. if any workaround let us know
Dux, Monika 125 Reputation points

2025-02-03T15:10:31.39+00:00

Same here! The problem started last week Monday, 27.01.2025.
Marius L 5 Reputation points

2025-02-03T19:04:16+00:00

I got the same issue with Konica Minolta 5020i some scans work some i get the SSL error. Dose any one have an ideea about this issue ? Or how can we check with MS to fix this ?
Mark Siminski 5 Reputation points

2025-02-03T19:58:45.4766667+00:00

We are experiencing the same issue with Sharp MFPs, they are able to intermittently send out scan to emails but mostly error out when authenticating and we receive:"ERROR[3332]: Connection to SMTP server test failed", just started a day ago, more printers now starting to have this issue.
Spencer Brooks 10 Reputation points

2025-02-03T20:50:33.5733333+00:00

Same issue with us running Sharp copiers. Sometimes it works, sometimes it does not. Microsoft support does not recongize this as an issue, something is obviously broken.
Stephen Rayburn 5 Reputation points

2025-02-03T20:50:35.47+00:00

Same issue for our Org with Konica MFP's (error 107), would love a solution here.
Mateusz Olender 0 Reputation points

2025-02-04T09:25:55.6966667+00:00

Same problem with Konica and Oki printers/multidevice. I found that problem is related with automatic group policy upadate in inspection journal.

Date 30.01.2025, 08:34

Type of action GroupLifecyclePolicies_Get

Corelation ID: 6b8e81e6-623a-4b58-a090-d8326f2b404b

Category GroupManagement

Stansuccess

ID Object 4e3a7a89-1115-4f9f-a415-9cc830d92408

I can't find how to undo these settings. Changing group settings or creating an exclusion group from MFA doesn't make any changes
Tom Grant 0 Reputation points

2025-02-04T10:49:28.6833333+00:00

Hello! Same here with xerox printers (affected model Versalink B7030 Fault Code 016-781: SMTP Server Connect Error), they work intermittently with send&mail function. No way to debug more the error. We have an open ticket with ms.
Jan Schwärzel 0 Reputation points

2025-02-04T12:21:25.65+00:00

Same error with all sorts of printers (Brother, Sharp, Ricoh, Canon...). Always some SSL-error. We hade some customers with a 50/50 chance, every other try works.
Bognár Zalán 0 Reputation points

2025-02-04T14:58:51.3433333+00:00

Hi,
It's not a solution, but temporarily use the Google SMT server with an app password. On an old device, due to multi-factor authentication, it only works with an app password. This solves the problem while keeping encryption intact. You can also try using a Microsoft app password, but I'm not sure if that will work...
Server: smtp.gmail.com
TLS: 587
Alexander-9903 0 Reputation points

2025-02-04T19:06:42.34+00:00

We have the same issue with the Sharp MX-B455W but not with the Sharp MX-4070V. We will get a firmware update update tomorrow that is suppose to fix the issue.

Firmware Update did not fix it. Error is still coming up
Stefan Bauer 0 Reputation points

2025-02-04T22:07:59.36+00:00

We have the same issue with Ricoh IM350 and Ricoh MPC2003. But not all recipients are affected within the same or external organisation. Maybe it depends on wich server is contacted? In the firewall logs i can see outgoing smtp traffic to different ip addresses of Microsoft. Some of them do not accept the connection, some do.
Stuart Haddad 0 Reputation points

2025-02-12T22:49:06.62+00:00

Is there any official word from Microsoft regarding this change?
Dustin Burson 20 Reputation points

2025-02-12T22:53:17.76+00:00

Microsoft took screenshots of my logs and how I have my smtp relay configured.

I also provided this subject page to them to review what findings others have had so far regarding the Ricoh - non-elliptic curves.

I'll update when I get more updates.

Accepted answer

Dux, Monika 125 Reputation points

2025-02-04T09:39:11.7533333+00:00

Dear all, I just got a reply from Ricoh technician: "It looks to me as if Microsoft has disabled the cipher suites WITHOUT elliptic curves for TLS1.2. ECDHE is only possible with newer controllers from 18S onwards".

Our affected MFPs models are: MP C307 , MP 6055, IM C3000, MP C3004ex, and they all have an older controller 16S or 17S.

We also use IM C300, and, so far, this one seems to be affected.
Please sign in to rate this answer.

10 people found this answer helpful.
Michael Griz 20 Reputation points

2025-02-05T16:22:31.9466667+00:00

This maybe the cause but I don't see how this is an accpeted answer.

Ben Barnes 30 Reputation points

2025-02-11T16:54:09.19+00:00

Its not the cause - See my Comment below.

Wireshark shows TLS negotiation works, and agrees on:

Ricoh Stills throws SSL negotiation Failed, even though it hasn't.

Have asked Microsoft to review their SMTP protocol Logs for the EXO Servers in question... they seem to be unable to do that right now.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

13 additional answers

Marvin Telch 30 Reputation points

2025-02-05T05:38:38.68+00:00

Good morning everyone,

I did a few analyses yesterday.

I sent several queries via dig for smtp.office365.com via the large known European DNS servers. The result was 116 servers.

Only one of these 116 servers still supports TLS_RSA. All others only support Elliptic Curve.

Then I sent further queries via dig to DNS servers outside Europe and received 14 servers. Of these 14, 7 still support TLS_RSA.

Please add one of these servers as smtp server for testing.

Since the TTL of the IP addresses after resolution is less than 10 seconds, this also explains why about 1/4 scans work because a different mail server is addressed with each scan (DNS Round Robin).

Unfortunately, I have not found any information from Microsoft that Microsoft disables TLS_RSA on its mail servers. Moreover, Microsoft does not seem to have done this on all mail servers (or not yet).

List of servers that support TLS_RSA:

40.99.148.242

52.97.129.242

52.97.146.162

52.97.146.194

52.97.211.210

52.97.211.226

52.98.207.2

52.97.173.18

40.99.218.98
Please sign in to rate this answer.

5 people found this answer helpful.
Ben Barnes 30 Reputation points

2025-02-06T12:50:39.3133333+00:00

Great find but its not possible to connect to smtp.office365.com via an IP - the connection will be rejected due to how the cert is set up their side.

Michael M 0 Reputation points

2025-02-06T16:18:10.8366667+00:00

Just for clarification, these are DNS server options, not SMTP servers. Your smtp server should remain as smtp.office365.com

Ben Barnes 30 Reputation points

2025-02-07T06:15:22.4966667+00:00

"Please add one of these servers as smtp server for testing." is not possible due to how Microsoft Implement Certs. Try sending an SMTP Mail via PowerShell using any IP instead of the DNS Name - it will fail.

Those IPs are also not DNS Server Options, they are Endpoints relating to SMTP.Office365.com which is in itself a CNAME.

Setting your DNS server on your device to one of those IPs is not going to fix the issue.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Ben Barnes 30 Reputation points

2025-02-07T06:30:33.14+00:00
Can somebody Try enabling support for the legacy SMTP endpoint in their tenant:

https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/opt-in-exchange-online-endpoint-for-legacy-tls-using-smtp-auth

Then setting the SMTP Server on their Affected Printer to:

smtp-legacy.office365.com

My guess is that this should work - your emails should still be encrypted with TLS 1.2 if your printer supports it, based on what OpenSSL Says (TLS 1.2 is supported on the endpoints I have been hitting with RSA)

We are awaiting a change request to try this - can anybody get it implemented and tested faster than us to check?
Please sign in to rate this answer.

2 people found this answer helpful.
Jannick Schröer 25 Reputation points

2025-02-07T09:43:50.69+00:00

Hey, i tried using the SMTP Server smtp.legacy.offic365.com and it did work.
These are the settings i tested:

Ben Barnes 30 Reputation points

2025-02-09T07:46:55.8366667+00:00

Nice one! Thanks for Trying That out. Will be doing the Same in a Lab on Monday and Verifying for Ourselves.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Rodney Ty 5 Reputation points

2025-02-04T16:38:37.3633333+00:00

Any fix for sharp copiers?
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Marvin Telch 30 Reputation points

2025-02-05T06:53:58.2666667+00:00

And once again: It seems that the servers that only offered Elliptic Curve via TLS1.2 yesterday now support TLS_RSA again! It looks like Microsoft is reversing the changes.
Please sign in to rate this answer.

1 person found this answer helpful.
Gołębiak Marek 0 Reputation points

2025-02-05T07:21:41.34+00:00

Hi

Unfortunately, in our case, we are still experiencing problems. We have not yet forced communication with servers that maybe still allow TLS RSA to test

maybe reversing need more time to cover up the problem
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

office 365 "Cannot connect to SMTP server" "SSL negotiation failed"

13 additional answers

Your answer