Home
%3CLINGO-SUB%20id%3D%22lingo-sub-609278%22%20slang%3D%22en-US%22%3EInvestigating%20TLS%20usage%20for%20SMTP%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-609278%22%20slang%3D%22en-US%22%3E%3CP%3EMicrosoft%20is%20committed%20to%20enforcing%20the%20best%20security%20for%20our%20services.%20As%20a%20result%2C%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4057306%2Fpreparing-for-tls-1-2-in-office-365%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3ETLS1.0%2C%20TLS1.1%2C%20and%203DES%20were%20deprecated%3CB%3E%3CI%3E%20%3C%2FI%3E%3C%2FB%3Ein%20the%20Office%20365%20service%3C%2FA%3E.%20While%203DES%20is%20currently%20in%20the%20process%20of%20being%20disabled%2C%20there%20is%20no%20date%20set%20for%20disabling%20TLS1.0%20and%20TLS1.1.%20That%20said%2C%20we%20are%20working%20towards%20disabling%20these%20TLS%20versions%20for%20Exchange%20Online%20endpoints.%20Should%20TLS1.0%20be%20compromised%2C%20we%20will%20have%20to%20act%20quickly%20to%20disable%20it%20in%20our%20service%20to%20protect%20our%20customers.%20In%20the%20case%20of%20SSL3.0%2C%20we%20disabled%20it%20in%20the%20service%20just%20over%20a%20month%20after%20the%20compromise%20was%20disclosed.%20Therefore%2C%20we%20urge%20you%20to%20be%20proactive%20by%20verifying%20TLS1.2%20support%20for%20all%20of%20your%20email%20clients%20and%20servers%20as%20soon%20as%20possible.%20For%20inbound%20and%20outbound%20connections%20with%20email%20servers%20and%20devices%20that%20are%20exposed%20to%20the%20internet%2C%20TLS1.0%20usage%20is%20still%20around%205%25.%20In%20most%20cases%2C%20TLS%20usage%20is%20optional%20for%20messages%20that%20are%20sent%20and%20received%20on%20the%20internet.%20There%20are%20certain%20scenarios%20where%20TLS%20is%20mandatory%2C%20and%20if%20TLS1.0%20is%20turned%20off%20in%20Exchange%20Online%2C%20mail%20flow%20will%20be%20affected.%20For%20example%2C%20over%2010%25%20of%20connections%20from%20customer%20on-premises%20email%20servers%20and%20devices%20still%20use%20TLS1.0.%20Even%20worse%20are%20the%20legacy%20SMTP%20Auth%20client%20submissions%20that%20are%20used%20by%20multi-function%20printers%20and%20applications%20that%20need%20to%20send%20email.%20For%20the%20SMTP%20Auth%20protocol%2C%20just%20less%20than%2050%25%20of%20connections%20are%20still%20using%20TLS1.0.%20These%20are%20likely%20old%20printers%20or%20legacy%20applications%20that%20either%20have%20not%20or%20cannot%20be%20updated%20to%20use%20TLS1.2.%20To%20help%20you%20identify%20if%20your%20organization%20is%20contributing%20to%20those%20numbers%2C%20we%20have%20developed%20several%20reports%20for%20Exchange%20Online.%20You%20can%20use%20these%20reports%20to%20help%20determine%20which%20clients%20and%20servers%20are%20still%20using%20TLS1.0%20and%20TLS1.1%20to%20connect%20to%20the%20various%20email%20protocol%20endpoints%20in%20Exchange%20Online.%20These%20reports%20can%20be%20found%20in%20the%20Security%20and%20Compliance%20Center%20under%20the%20%3CA%20href%3D%22https%3A%2F%2Fprotection.office.com%2F%23%2Fmailflow%2Fdashboard%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3EMail%20Flow%20Dashboard%3C%2FA%3E.%3C%2FP%3E%3CH2%20id%3D%22toc-hId-1759369785%22%20id%3D%22toc-hId-1760056127%22%3EEmails%20between%20your%20on-premises%20or%20partner%20email%20servers%20and%20Exchange%20Online%3C%2FH2%3EThird-party%20email%20servers%20sending%20and%20receiving%20email%20to%20and%20from%20our%20customers%20are%20normally%20beyond%20our%20control%20(or%20even%20the%20control%20of%20our%20customers).%20However%2C%20your%20on-premises%20or%20partner%20email%20servers%20are%20easily%20identified%20because%20their%20connections%20to%20and%20from%20Exchange%20Online%20use%20mail%20flow%20connectors.%20Exchange%20Online%20relies%20on%20successful%20TLS%20negotiations%20and%20certificates%20to%20identify%20and%20use%20the%20correct%20inbound%20connector.%20You%20can%20also%20configure%20outbound%20connectors%20to%20force%20the%20use%20of%20TLS.%20If%20a%20connector%20with%20forced%20TLS%20uses%20TLS1.0%20today%2C%20messages%20will%20fail%20to%20send%20when%20TLS1.0%20is%20disabled%20in%20Exchange%20Online.%20To%20help%20identify%20servers%20that%20require%20updating%20to%20TLS1.2%2C%20we%20have%20developed%20the%20Connector%20Report%2C%20which%20is%20available%20in%20our%20%3CA%20href%3D%22https%3A%2F%2Fprotection.office.com%2F%23%2Fmailflow%2Fdashboard%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3EMail%20Flow%20Dashboard%3C%2FA%3E%20in%20the%20Security%20and%20Compliance%20Center.%20To%20access%20the%20report%2C%20click%20%3CB%3EView%20Details%3C%2FB%3E%20and%20then%20the%20%3CB%3EConnector%20Report%3C%2FB%3E%20link.%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Flegacyfs%2Fonline%2Fmedia%2F2019%2F03%2FTLSreport1.png%22%20target%3D%22_blank%22%3E%3CIMG%20width%3D%22891%22%20height%3D%22440%22%20title%3D%22TLSreport1%22%20style%3D%22border%3A%200px%20currentcolor%22%20alt%3D%22TLSreport1%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Flegacyfs%2Fonline%2Fmedia%2F2019%2F03%2FTLSreport1_thumb.png%22%20border%3D%220%22%20class%3D%22%22%20%2F%3E%3C%2FA%3E%20The%20Connector%20Report%20allows%20you%20to%20review%20mail%20flow%20volume%20or%20TLS%20usage%20for%20a%20specific%20connector%2C%20or%20traffic%20to%20and%20from%20the%20internet%20that%20does%20not%20use%20a%20connector.%26nbsp%3B%20The%20numbers%20behind%20the%20charts%20are%20available%20in%20the%20Details%20Table.%20For%20detailed%20information%20on%20the%20messages%20involved%20(including%20if%203DES%20is%20being%20used)%2C%20you%20can%20download%20the%20data%20using%20the%20%3CB%3ERequest%20report%3C%2FB%3E%20feature.%20From%20that%20data%2C%20you%20can%20identify%20the%20exact%20server%20or%20device%2C%20and%20you%20can%20attempt%20to%20upgrade%20the%20server%20or%20device%20to%20TLS1.2.%3CH2%20id%3D%22toc-hId--792787176%22%20id%3D%22toc-hId--792100834%22%3EEmail%20submitted%20using%20the%20legacy%20SMTP%20Auth%20client%20submission%20protocol%3C%2FH2%3EEmail%20clients%20can%20submit%20email%20messages%20using%20several%20different%20protocols.%20The%20SMTP%20Auth%20protocol%20is%20a%20widely%20supported%20protocol%20that%E2%80%99s%20used%20primarily%20by%20devices%20and%20applications%20that%20send%20automated%20messages%20on%20behalf%20of%20customers.%20Examples%20include%20scanner%20to%20email%20devices%2C%20or%20applications%20that%20send%20out%20alerts%20or%20notifications.%20SMTP%20Auth%20is%20identified%20by%20its%20endpoint%20%3CB%3Esmtp.office365.com%3C%2FB%3E.%20To%20protect%20against%20the%20disclosure%20of%20credentials%2C%20TLS%20is%20mandatory%20for%20SMTP%20Auth.%20This%20means%20that%20when%20TLS1.0%20is%20disabled%2C%20no%20messages%20can%20be%20sent%20from%20devices%20or%20clients%20that%20do%20not%20support%20TLS1.2.%20To%20help%20identify%20which%20of%20your%20devices%20and%20applications%20are%20still%20using%20TLS1.0%2C%20we%20have%20created%20the%20SMTP%20Auth%20Clients%20report.%20This%20report%20is%20available%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Fprotection.office.com%2F%23%2Fmailflow%2Fdashboard%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3EMail%20Flow%20Dashboard%3C%2FA%3E%20where%20its%20widget%20displays%20the%20number%20of%20mailboxes%20that%20have%20used%20SMTP%20Auth%20in%20the%20last%20week.%20The%20report%20displays%20pivots%20for%20sending%20volume%20and%20TLS%20version%20usage.%20The%20details%20table%20provides%20the%20individual%20users%20or%20system%20accounts%20and%20their%20volume%20or%20TLS%20usage.%20You%20can%20also%20download%20the%20data%20using%20the%20%3CB%3ERequest%20report%3C%2FB%3E%20feature%2C%20which%20includes%20information%20about%20whether%20or%20not%203DES%20is%20being%20used.%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Flegacyfs%2Fonline%2Fmedia%2F2019%2F03%2FTLSreport2.png%22%20target%3D%22_blank%22%3E%3CIMG%20width%3D%22876%22%20height%3D%22474%22%20title%3D%22TLSreport2%22%20style%3D%22border%3A%200px%20currentcolor%22%20alt%3D%22TLSreport2%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Flegacyfs%2Fonline%2Fmedia%2F2019%2F03%2FTLSreport2_thumb.png%22%20border%3D%220%22%20class%3D%22%22%20%2F%3E%3C%2FA%3E%3CH2%20id%3D%22toc-hId-950023159%22%20id%3D%22toc-hId-950709501%22%3EEmail%20submitted%20using%20one%20of%20Microsoft's%20client%20submission%20protocols%3C%2FH2%3EThe%20previously%20described%20reports%20apply%20to%20SMTP-related%20mail%20flow%20and%20submissions.%20For%20other%20protocols%2C%20a%20report%20is%20available%20on%20the%20%3CA%20href%3D%22http%3A%2F%2Fsecurescore.microsoft.com%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3ESecure%20Score%20site%3C%2FA%3E.%20You%20can%20find%20if%20you%20have%20any%20TLS%201.0%2F1.1%20and%203DES%20usage%20for%20Exchange%20Online%20by%20clicking%20%3CB%3EScore%20Analyzer%3C%2FB%3E%20and%20scrolling%20to%20the%20%3CB%3ERemove%20TLS%20dependencies%3C%2FB%3E%20tab.%20If%20you%20want%20details%20on%20who%20is%20connecting%20using%20these%20weaker%20ciphers%20and%20protocols%2C%20click%20on%20the%20%3CB%3EUpdate%3C%2FB%3E%20button%20and%20then%20%3CB%3ELaunch%20now%3C%2FB%3E%20on%20the%20flyout%20that%20appears.%20This%20will%20take%20you%20to%20the%20%3CA%20href%3D%22https%3A%2F%2Fservicetrust.microsoft.com%2F%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3ESecure%20Trust%20Portal%3C%2FA%3E%20where%20you%20can%20download%20your%20TLS%201.0%2F1.1%20and%203DES%20reports.%20With%20these%20reports%2C%20you%20can%20now%20investigate%20the%20TLS%20usage%20in%20your%20Office%20365%20organization%20and%20take%20the%20necessary%20actions%20to%20avoid%20any%20mail%20flow%20disruptions%20in%20the%20future.%20%3CSPAN%20class%3D%22author%22%3ESean%20Stevenson%3C%2FSPAN%3E%3C%2FLINGO-BODY%3E

Microsoft is committed to enforcing the best security for our services. As a result, TLS1.0, TLS1.1, and 3DES were deprecated in the Office 365 service. While 3DES is currently in the process of being disabled, there is no date set for disabling TLS1.0 and TLS1.1. That said, we are working towards disabling these TLS versions for Exchange Online endpoints. Should TLS1.0 be compromised, we will have to act quickly to disable it in our service to protect our customers. In the case of SSL3.0, we disabled it in the service just over a month after the compromise was disclosed. Therefore, we urge you to be proactive by verifying TLS1.2 support for all of your email clients and servers as soon as possible. For inbound and outbound connections with email servers and devices that are exposed to the internet, TLS1.0 usage is still around 5%. In most cases, TLS usage is optional for messages that are sent and received on the internet. There are certain scenarios where TLS is mandatory, and if TLS1.0 is turned off in Exchange Online, mail flow will be affected. For example, over 10% of connections from customer on-premises email servers and devices still use TLS1.0. Even worse are the legacy SMTP Auth client submissions that are used by multi-function printers and applications that need to send email. For the SMTP Auth protocol, just less than 50% of connections are still using TLS1.0. These are likely old printers or legacy applications that either have not or cannot be updated to use TLS1.2. To help you identify if your organization is contributing to those numbers, we have developed several reports for Exchange Online. You can use these reports to help determine which clients and servers are still using TLS1.0 and TLS1.1 to connect to the various email protocol endpoints in Exchange Online. These reports can be found in the Security and Compliance Center under the Mail Flow Dashboard.

Emails between your on-premises or partner email servers and Exchange Online

Third-party email servers sending and receiving email to and from our customers are normally beyond our control (or even the control of our customers). However, your on-premises or partner email servers are easily identified because their connections to and from Exchange Online use mail flow connectors. Exchange Online relies on successful TLS negotiations and certificates to identify and use the correct inbound connector. You can also configure outbound connectors to force the use of TLS. If a connector with forced TLS uses TLS1.0 today, messages will fail to send when TLS1.0 is disabled in Exchange Online. To help identify servers that require updating to TLS1.2, we have developed the Connector Report, which is available in our Mail Flow Dashboard in the Security and Compliance Center. To access the report, click View Details and then the Connector Report link. TLSreport1 The Connector Report allows you to review mail flow volume or TLS usage for a specific connector, or traffic to and from the internet that does not use a connector.  The numbers behind the charts are available in the Details Table. For detailed information on the messages involved (including if 3DES is being used), you can download the data using the Request report feature. From that data, you can identify the exact server or device, and you can attempt to upgrade the server or device to TLS1.2.

Email submitted using the legacy SMTP Auth client submission protocol

Email clients can submit email messages using several different protocols. The SMTP Auth protocol is a widely supported protocol that’s used primarily by devices and applications that send automated messages on behalf of customers. Examples include scanner to email devices, or applications that send out alerts or notifications. SMTP Auth is identified by its endpoint smtp.office365.com. To protect against the disclosure of credentials, TLS is mandatory for SMTP Auth. This means that when TLS1.0 is disabled, no messages can be sent from devices or clients that do not support TLS1.2. To help identify which of your devices and applications are still using TLS1.0, we have created the SMTP Auth Clients report. This report is available in the Mail Flow Dashboard where its widget displays the number of mailboxes that have used SMTP Auth in the last week. The report displays pivots for sending volume and TLS version usage. The details table provides the individual users or system accounts and their volume or TLS usage. You can also download the data using the Request report feature, which includes information about whether or not 3DES is being used. TLSreport2

Email submitted using one of Microsoft's client submission protocols

The previously described reports apply to SMTP-related mail flow and submissions. For other protocols, a report is available on the Secure Score site. You can find if you have any TLS 1.0/1.1 and 3DES usage for Exchange Online by clicking Score Analyzer and scrolling to the Remove TLS dependencies tab. If you want details on who is connecting using these weaker ciphers and protocols, click on the Update button and then Launch now on the flyout that appears. This will take you to the Secure Trust Portal where you can download your TLS 1.0/1.1 and 3DES reports. With these reports, you can now investigate the TLS usage in your Office 365 organization and take the necessary actions to avoid any mail flow disruptions in the future. Sean Stevenson
3 Comments
Not applicable
Thanks
New Contributor

Does this Connected Report still exist, I cannot seem to find it anywhere?

Senior Member

https://protection.office.com/mailflow/dashboard --> Outbound and Inbound mail flow --> View Details --> Connector Report.