New opt-in endpoint available for SMTP AUTH clients still needing legacy TLS

Published Aug 18 2021 02:11 AM

Update (Feb 2022): We have started to disable TLS1.0 and TLS1.1 for the default SMTP AUTH endpoints. If you have clients that can’t use TLS1.2, they should be configured to use the opt-in legacy endpoint by now.

Exchange Online ended support for TLS1.0 and TLS1.1 in October 2020. We know that the push to meet our security and compliance requirements has made it difficult to support legacy clients and devices that use our service. A balance is needed in a shared service that hosts the emails of local bakeries as well as many countries’ governments.

While no longer supported, our servers still allow clients to use those older versions of TLS when connecting with Exchange Online. However, we have warned our customers that we can disable them at any time without further warning.

In 2022, we plan to disable those older TLS versions to secure our customers and meet compliance requirements. However, due to significant usage, we have created an opt-in endpoint that legacy clients can use with TLS1.0 and TLS1.1. This way, an organization is secured with TLS1.2 unless it specifically decides to opt for a less secure posture. Note that only worldwide (WW) customers will be able to use this new endpoint. Customers in US Government clouds have higher security standards and will not be able to opt in to use older versions of TLS.

To take advantage of this new endpoint, admins will have to:

  1. Set the AllowLegacyTLSClients parameter on the Set-TransportConfig cmdlet to True.
  2. Configure the legacy clients and devices to submit using the new endpoint smtp-legacy.office365.com.

While the change to stop support for TLS1.0 and TLS1.1 for the regular endpoint (smtp.office365.com) will happen in 2022, we are giving our customers advance notice to start configuring clients that they have not been able to upgrade or update to use TLS1.2. During the long effort to deprecate the legacy TLS versions, we have documented how to identify mailboxes that are still using them here: Investigating TLS usage for SMTP in Exchange Online.

Customers who would like to force the use of TLS1.2 early can do so by setting the AllowLegacyTLSClients parameter to False.
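As an added example that is not part of the original post, the following PowerShell shows the admin-side opt-in described in the steps above together with a client-side check that tells you, from the submitting host itself, whether it can negotiate TLS 1.2 with the regular endpoint before you decide to move it to the legacy one. The ExchangeOnlineManagement module, the admin UPN and the EHLO hostname are assumptions, and Test-SmtpTls is a helper written here, not a Microsoft cmdlet.

```powershell
# Added example, not Microsoft's code. Requires the ExchangeOnlineManagement module
# and an account holding the Organization Configuration role (placeholder UPN below).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Inspect the org-wide setting before changing it.
Get-TransportConfig | Select-Object AllowLegacyTLSClients

# Step 1 of the post: opt in so smtp-legacy.office365.com accepts TLS 1.0/1.1 for SMTP AUTH.
Set-TransportConfig -AllowLegacyTLSClients $true

# To enforce TLS 1.2 early, or once every client has been upgraded, set it back:
# Set-TransportConfig -AllowLegacyTLSClients $false

# Client-side check (plain .NET, run on the host that submits mail): open the SMTP
# submission port, issue EHLO and STARTTLS, then try to negotiate one TLS version.
function Test-SmtpTls {
    param([string]$Server = 'smtp.office365.com', [int]$Port = 587,
          [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12')
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    $stream = $tcp.GetStream()
    $reader = [System.IO.StreamReader]::new($stream)
    $writer = [System.IO.StreamWriter]::new($stream); $writer.AutoFlush = $true
    $null = $reader.ReadLine()                                  # 220 banner
    $writer.Write("EHLO tlscheck.example`r`n")                  # hostname is a placeholder
    while (($line = $reader.ReadLine()) -and $line[3] -eq '-') { }   # skip 250- lines
    $writer.Write("STARTTLS`r`n")
    $null = $reader.ReadLine()                                  # 220 Ready to start TLS
    $ssl = [System.Net.Security.SslStream]::new($stream, $false)
    try {
        $ssl.AuthenticateAsClient($Server, $null, $Protocol, $true)
        "{0}:{1} negotiated {2}" -f $Server, $Port, $ssl.SslProtocol
    } catch {
        "{0}:{1} could not negotiate {2}: {3}" -f $Server, $Port, $Protocol, $_.Exception.Message
    } finally { $tcp.Close() }
}

Test-SmtpTls                                                     # regular endpoint, TLS 1.2
Test-SmtpTls -Server 'smtp-legacy.office365.com' -Protocol 'Tls' # legacy endpoint, TLS 1.0
```

A failure on the second call can also come from the client OS having TLS 1.0 disabled in Schannel, so read the exception text rather than assuming the server rejected it.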

New submission error speedbump to be introduced

We are fully aware that many customers will not have noticed the multiple Message Center posts and blog posts, and are not aware of clients or devices that are still using TLS1.0 to submit messages. With this in mind, starting in September 2021, we will reject a small percentage of connections that use TLS1.0 for SMTP AUTH. Clients should retry as with any other temporary errors that can occur during submission. Over time we will increase the percentage of rejected connections, causing delays in sending that more and more customers should notice. The error will be:

421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/smtp_auth_tls.

We intend to make a final announcement when we are ready to make the change to disable TLS1.0 and TLS1.1 for SMTP AUTH for the regular endpoint.

Additional documentation can be found here: Opt-in to Exchange Online endpoint for legacy TLS clients using SMTP AUTH

Exchange Transport Team

Last update: Feb 01 2022 02:39 PM