New opt-in endpoint available for SMTP AUTH clients still needing legacy TLS

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Exchange Online ended supported for TLS1.0 and TLS1.1 in October 2020. We know that the push to meet our security and compliance requirements has made it difficult to support legacy clients and devices that use our service. A balance is needed in a shared service that hosts the emails of local bakeries as well as many countries’ governments.

While no longer supported, our servers still allow clients to use those older versions of TLS when connecting with Exchange Online. However, we have warned our customers that we can disable them at any time without further warning.

In 2022, we plan to disable those older TLS versions to secure our customers and meet compliance requirements. However, due to significant usage, we’ve created an opt-in endpoint that legacy clients can use with TLS1.0 and TLS1.1. This way, an organization is secured with TLS1.2 unless they specifically decide to opt for a less secure posture.

To take advantage of this new endpoint, admins will have to:

  1. Set the AllowLegacyTLSClients parameter on the Set-TransportConfig cmdlet to True.
  2. Legacy clients and devices will need to be configured to submit using the new endpoint smtp-legacy.office365.com

While the change to stop support for TLS1.0 and TLS1.1 for the regular endpoint (smtp.office365.com) will happen in 2022, we’re giving our customers advanced notice to start configuring clients that they have not been able to upgrade or update to use TLS1.2. During the long effort to deprecate the legacy TLS versions, we have documented how to identify mailboxes that are still using them here: Investigating TLS usage for SMTP in Exchange Online.

For customers who would like to force the use of TLS1.2 early, they can do so by setting the AllowLegacyTLSClients parameter to False.

New submission error speedbump to be introduced

We are fully aware that many customers will not have noticed the multiple Message Center posts and blog posts, and are not aware of clients or devices that are still using TLS1.0 to submit messages. With this in mind, starting in September 2021, we will reject a small percentage of connections that use TLS1.0 for SMTP AUTH. Clients should retry as with any other temporary errors that can occur during submission. Over time we will increase the percentage of rejected connections, causing delays in sending that more and more customers should notice. The error will be:

421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/smtp_auth_tls.

We intend to make a final announcement when we are ready to make the change to disable TLS1.0 and TLS1.1 for SMTP AUTH for the regular endpoint.

Additional documentation can be found here: Opt-in to Exchange Online endpoint for legacy TLS clients using SMTP AUTH

Exchange Transport Team

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.