Exchange Team Blog

New opt-in endpoint for POP3/IMAP4 clients that need legacy TLS

Jan 06, 2023

Exchange Online ended support for TLS 1.0 and TLS 1.1 in October 2020. This year, we plan to disable these older TLS versions for POP3/IMAP4 clients to secure our customers and meet compliance requirements. However, we know that there is still significant usage of POP3/IMAP4 clients that don’t support TLS 1.2, so we’ve created an opt-in endpoint for these clients so they can use TLS 1.0 and TLS 1.1. This way, an organization is secured with TLS 1.2 unless it specifically decides to opt for a less secure posture.

Only WW tenants can use this new endpoint. Tenants in US government clouds have higher security standards and cannot use older versions of TLS.

To take advantage of this new endpoint, admins will have to:

  1. Use Set-TransportConfig to set the AllowLegacyTLSClients parameter to True.
  2. Configure legacy POP3/IMAP4 clients and devices to use pop-legacy.office365.com / imap-legacy.office365.com as the new endpoint. Customers who use Microsoft 365 operated by 21 Vianet need to configure their clients to use pop-legacy.partner.outlook.cn / imap-legacy.partner.outlook.cn.

Starting in February 2023, we will reject a small percentage of connections that use TLS1.0 for POP3/IMAP4. Clients should retry as they do with any other temporary error that can occur when connecting. Over time we will increase the percentage of rejected connections, causing delays in connecting that should be more and more noticeable. The error will be:

TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/popimap_tls.

We intend to fully disable TLS 1.0 and TLS 1.1 for POP3/IMAP4 on the regular endpoint by the end of April 2023. Affected customers will receive a Message Center post in a few days notifying them of this change.

Additional documentation can be found here: Opt in to the Exchange Online endpoint for legacy TLS clients using POP3 or IMAP4.

Exchange Team

Updated Jan 06, 2023
Version 1.0
  • TriaTechDan
    Brass Contributor

    How come you make this change after disabling basic authentication for all tenants, doesn’t modern authentication require TLS 1.2?

  • Pks90
    Copper Contributor

    How can we pull the report for the mailbox using TLS 1.0, TLS 1.1 for POP3/IMAP4

  • To address a few questions that came up:

    TriaTechDan No, there is no requirement for TLS 1.2 for modern auth.

    adamwordsworth There is no published timeline for how long we will keep this "...-legacy" endpoint up. But note that using this endpoint does not mean that you can keep using basic authentication past the deadline when it will be disabled for your tenant. In other words - this is not going to be a workaround for continued use of basic auth; once this is gone for a particular tenant, it is gone. This endpoint is specifically about TLS requirements.

  • tvanscot
    Brass Contributor

    Is there a report we can view to find out which clients are connecting with TLS 1.0 or 1.1?

  • adamwordsworth
    Copper Contributor

    How long will the imap-legacy.office365.com endpoint will be available for? And does this endpoint support basic authentication?


    I currently have a number of mailboxes utilizing IMAP on an on-prem Exchange server as the application using them doesn't support modern authentication.

  • tvanscot GrahamCleary Please check out the post that was published earlier, when we announced legacy TLS versions deprecation, related section is pasted below. Besides this guidance, there is no other logging feature that we are aware of, that can help M365/EXO customers with this task. HTH.

    Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It - Microsoft Community Hub

    POP/IMAP

    No logging exists which will expose the encryption protocol version used for POP & IMAP clients. To capture this information, you may need to capture netmon logs from your server or inspect traffic as it flows through your load balancer or firewall where HTTPS bridging is taking place.

  • takin2225
    Copper Contributor

    Hi

    When I check from the 365 Admin Panel, I see that I have Modern Verification enabled. I use Dynamics CRM 365 On Prem within the organization and I send emails to both my customers and users from here. When I look at the CRM mail settings, I see that EWS is used. It hasn't worked for a week. What should we do?

  • tvanscot GrahamCleary One of our engineers pointed to this article that claims you can get the info you need from Azure AD Portal/Sign-in logs, check this out and let us know if this works for you to identify impacted users, who may be using legacy TLS versions for POP/IMAP connectivity.

    See: Enable TLS 1.2 support as Azure AD TLS 1.0/1.1 is deprecated - Active Directory | Microsoft Learn

    <excerpts> 

    Overview of new telemetry in the sign-in logs

    To help you identify any clients or apps that still use legacy TLS in your environment, view the Azure AD sign-in logs. For clients or apps that sign in over legacy TLS, Azure AD marks the Legacy TLS field in Additional Details with True. The Legacy TLS field only appears if the sign-in occurred over legacy TLS. If you don’t see any legacy TLS in your logs, you're ready to switch to TLS 1.2.


  • RPfeifle
    Copper Contributor

    Warning: the formatting of this "TLS 1.0 and 1.1 are not supported" error message DOES NOT conform to the POP3 protocol spec, which can break POP3 clients!


    The message SHOULD have been prefixed with the "-ERR" status indicator.  Omitting this status was allowed by RFC 1725, but disallowed by RFC 1939.  It COULD have also included the extended "[SYS/PERM]" status code too, per RFC 3206.


    Ideally, the error message SHOULD have looked more like this instead:

    -ERR [SYS.PERM] TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/popimap_tls.

    Leave it to Microsoft to NOT conform to established standards that the rest of us live by!
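Added example, not code from the Exchange Team post or from any commenter: a Python helper that pins an implicit-TLS POP3/IMAP4 connection to a single TLS version, so an admin can confirm that the regular endpoint and the opt-in "-legacy" endpoint announced in the post behave as described, plus a parser that classifies a POP3 response line per RFC 1939 / RFC 3206 and shows why the bare error text quoted in the post and in the comment above is non-conformant. The hostname outlook.office365.com (the regular POP3 host, not named in the post), port 995 and the sample lines in __main__ are assumptions and constructed inputs.

```python
"""Added example, not code from the Exchange Team post: pin a POP3/IMAP4 connection
to one TLS version, and classify the server's response line per RFC 1939 / RFC 3206."""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Optional
RFC3206_CODES = {"LOGIN-DELAY", "IN-USE", "SYS/TEMP", "SYS/PERM", "AUTH"}  # RFC 3206 codes

@dataclass
class Pop3Response:
    status: Optional[str]  # "+OK", "-ERR", or None when the indicator is missing
    code: Optional[str]    # bracketed RFC 3206 code such as "SYS/PERM", if present
    text: str              # human-readable remainder of the line
    conformant: bool       # RFC 1939 requires every response to start with +OK or -ERR

_LINE = re.compile(r"^(?P<status>\+OK|-ERR)(?:\s+\[(?P<code>[^\]\s]+)\])?\s*(?P<text>.*)$")

def parse_pop3_response(line: str) -> Pop3Response:
    """Classify one POP3 response line. A bare text line (tolerated by RFC 1725,
    disallowed by RFC 1939) is flagged as non-conformant rather than rejected."""
    line = line.rstrip("\r\n")
    m = _LINE.match(line)
    if not m:
        return Pop3Response(None, None, line, False)
    return Pop3Response(m["status"], m["code"], m["text"], True)

def probe_tls(host: str, port: int, version: ssl.TLSVersion, timeout: float = 10.0) -> dict:
    """Open an implicit-TLS connection (POP3 995 / IMAP4 993) pinned to one TLS version.
    Lets an admin confirm the regular endpoint refuses TLS 1.0/1.1 while the opted-in
    "-legacy" endpoint still accepts them. Needs network access; never called by tests."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version  # may raise ValueError if the local OpenSSL forbids it
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                greeting = tls.recv(1024).decode("utf-8", "replace")
                return {"ok": True, "negotiated": tls.version(),
                        "greeting": parse_pop3_response(greeting)}
    except (ssl.SSLError, OSError, ValueError) as exc:
        return {"ok": False, "error": str(exc)}

if __name__ == "__main__":
    # Constructed inputs: the error text quoted in the post, and the RFC-style form from the comment.
    print(parse_pop3_response("TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/popimap_tls."))
    print(parse_pop3_response("-ERR [SYS/PERM] TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2."))
    # outlook.office365.com is the regular POP3 host (not named in the post); the -legacy host is the opt-in endpoint.
    for host in ("outlook.office365.com", "pop-legacy.office365.com"):
        print(host, probe_tls(host, 995, ssl.TLSVersion.TLSv1))
```

A handshake failure against the regular host with TLSv1 and a successful greeting from the -legacy host is the expected outcome once AllowLegacyTLSClients is set; the probe returns the error string rather than raising so it can be run across both hosts in one pass.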