I can tell you what a support team told me, but that is not consistent with what is happening in practice.
- Legacy is meant to support 1.1 and 1.0 exclusively - it has been designed to reject 1.2 requests.
- Legacy in practice has a high failure rate, I was told, because it was rejecting 1.2 traffic. In practice that wasn't what I found; like you, it was rejecting other TLS requests, much like the SMTP service was.
So while they suggest they support 1.1 and 1.0 in smtp.office365.com - you can't use it given the high failure rate.
So while they suggest legacy as a workaround - you cannot use it either because of the high failure rate.
We have always followed the MS best practice outlined here: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
"To ensure .NET Framework applications remain secure, the TLS version should not be hardcoded. .NET Framework applications should use the TLS version the operating system (OS) supports."
And
"Do not specify the TLS version. Configure your code to let the OS decide on the TLS version."
And then
"Perform a thorough code audit to verify you're not specifying a TLS or SSL version."
So while they suggest the OS and the SMTP server determine and use the highest version of TLS (1.2) available, that just isn't true.
All our testing showed the same code on the same OS jumped between 1.0 and 1.2. This left us with a real problem because we couldn't use SMTP or Legacy.
This article includes details on how to set the TLS Versions and Strong Crypto registry keys. We have had to apply them on any client workstation.
https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client
This seems to patch the OS and ensure it consistently uses TLS 1.2 - where prior to loading there was no certainty about what the client .NET Framework and the destination Office 365 server wanted to use.
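
A read-only check for the registry values the linked Microsoft article describes, added here as an example and not part of the original post or of Microsoft's guidance. The function name `Test-Tls12ClientSetting` is hypothetical, and the value list assumes .NET Framework 4.x on 64-bit Windows.

```powershell
# Added example: audits the TLS 1.2 client registry values; it changes nothing.
# Assumption: .NET Framework 4.x on 64-bit Windows (both registry views checked).
$netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

$expected = @()
foreach ($key in $netKeys) {
    # Let the OS choose the protocol, and allow only strong crypto in .NET
    $expected += @{ Path = $key; Name = 'SystemDefaultTlsVersions'; Value = 1 }
    $expected += @{ Path = $key; Name = 'SchUseStrongCrypto';       Value = 1 }
}
# Schannel: TLS 1.2 enabled for the client role and not disabled by default
$expected += @{ Path = $schannel; Name = 'Enabled';           Value = 1 }
$expected += @{ Path = $schannel; Name = 'DisabledByDefault'; Value = 0 }

function Test-Tls12ClientSetting {   # hypothetical helper name
    param([hashtable[]]$Settings)
    foreach ($s in $Settings) {
        $actual = $null
        if (Test-Path -LiteralPath $s.Path) {
            $item = Get-ItemProperty -LiteralPath $s.Path -Name $s.Name -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.($s.Name) }
        }
        [pscustomobject]@{
            Path     = $s.Path
            Name     = $s.Name
            Expected = $s.Value
            # '<not set>' means the OS or framework default applies
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Matches  = ($actual -eq $s.Value)
        }
    }
}

Test-Tls12ClientSetting -Settings $expected | Format-Table -AutoSize

# What .NET in this PowerShell process will offer: 'SystemDefault' defers to the OS;
# an explicit list without Tls12 points at a hardcoded or legacy default.
[Net.ServicePointManager]::SecurityProtocol
```

Comparing the output on a workstation where the keys have been applied with one where they have not shows which values differ between the two.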