New opt-in endpoint available for SMTP AUTH clients still needing legacy TLS

Published Aug 18 2021 02:11 AM 18.1K Views

Exchange Online ended support for TLS1.0 and TLS1.1 in October 2020. We know that the push to meet our security and compliance requirements has made it difficult to support legacy clients and devices that use our service. A balance is needed in a shared service that hosts the emails of local bakeries as well as many countries’ governments.

While no longer supported, our servers still allow clients to use those older versions of TLS when connecting with Exchange Online. However, we have warned our customers that we can disable them at any time without further warning.

In 2022, we plan to disable those older TLS versions to secure our customers and meet compliance requirements. However, due to significant usage, we’ve created an opt-in endpoint that legacy clients can use with TLS1.0 and TLS1.1. This way, an organization is secured with TLS1.2 unless it specifically decides to opt for a less secure posture. Note that only WW (worldwide) customers will be able to use this new endpoint. Customers in US Government clouds have higher security standards and will not be able to opt in to use older versions of TLS.

To take advantage of this new endpoint, admins will have to:

  1. Set the AllowLegacyTLSClients parameter on the Set-TransportConfig cmdlet to True.
  2. Configure legacy clients and devices to submit using the new endpoint smtp-legacy.office365.com.

While the change to stop support for TLS1.0 and TLS1.1 for the regular endpoint (smtp.office365.com) will happen in 2022, we’re giving our customers advanced notice to start configuring clients that they have not been able to upgrade or update to use TLS1.2. During the long effort to deprecate the legacy TLS versions, we have documented how to identify mailboxes that are still using them here: Investigating TLS usage for SMTP in Exchange Online.

For customers who would like to force the use of TLS1.2 early, they can do so by setting the AllowLegacyTLSClients parameter to False.

New submission error speedbump to be introduced

We are fully aware that many customers will not have noticed the multiple Message Center posts and blog posts, and are not aware of clients or devices that are still using TLS1.0 to submit messages. With this in mind, starting in September 2021, we will reject a small percentage of connections that use TLS1.0 for SMTP AUTH. Clients should retry, as they would for any other temporary error that can occur during submission. Over time we will increase the percentage of rejected connections, causing delays in sending that more and more customers should notice. The error will be:

421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/smtp_auth_tls.
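The post asks two things of a submitting client: retry the 421 4.7.66 reply like any other temporary error, and move to TLS 1.2 before the regular endpoint stops accepting legacy TLS. The following Python is an added example, not code from the Exchange Team or the post: it parses SMTP reply lines into the RFC 5321 code, the RFC 3463 enhanced status code and the free text, recognises the speedbump reply specifically so that it is logged rather than silently retried, retries 4xx replies with exponential backoff, and builds a STARTTLS context that refuses anything below TLS 1.2. The `SAMPLE_REPLY` string is constructed from the error text quoted above, `FakeSubmission` is a constructed stand-in for a real session so the logic runs offline, and `send_via_office365` assumes standard STARTTLS submission on port 587 with a mailbox that has SMTP AUTH enabled.

```python
"""Client-side handling of Exchange Online's TLS 1.0/1.1 speedbump (added example)."""
import re
import smtplib
import ssl
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Enhanced status code quoted in the post for the rejected connections.
SPEEDBUMP_ESC = "4.7.66"

# Constructed sample line, matching the reply text shown in the post.
SAMPLE_REPLY = (
    "421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update "
    "your client to support TLS 1.2. Visit https://aka.ms/smtp_auth_tls."
)

# RFC 5321 reply code, optional RFC 3463 enhanced status code, free text.
REPLY_RE = re.compile(
    r"^(?P<code>\d{3})[ -](?:(?P<esc>[245]\.\d{1,3}\.\d{1,3}) )?(?P<text>.*)$"
)


@dataclass
class Reply:
    code: int
    esc: Optional[str]
    text: str

    @property
    def transient(self) -> bool:
        """4xx replies are temporary: the client should retry later."""
        return 400 <= self.code < 500

    @property
    def legacy_tls_speedbump(self) -> bool:
        return self.code == 421 and self.esc == SPEEDBUMP_ESC


def parse_reply(line: str) -> Reply:
    m = REPLY_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an SMTP reply line: {line!r}")
    return Reply(int(m.group("code")), m.group("esc"), m.group("text"))


def tls12_context() -> ssl.SSLContext:
    """STARTTLS context that verifies the server and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def submit_with_retry(send: Callable[[], None], attempts: int = 3,
                      base_delay: float = 1.0,
                      log: Optional[List[str]] = None) -> int:
    """Run `send()`, retrying 4xx replies with exponential backoff.

    Returns the number of attempts used; re-raises on a permanent (5xx)
    reply or when the last attempt still fails. `send` is injected so the
    logic can be exercised without a network (see FakeSubmission below).
    """
    for attempt in range(1, attempts + 1):
        try:
            send()
            return attempt
        except smtplib.SMTPResponseException as exc:
            err = exc.smtp_error  # bytes when raised from a real server reply
            text = err.decode(errors="replace") if isinstance(err, bytes) else str(err)
            reply = parse_reply(f"{exc.smtp_code} {text}")
            if reply.legacy_tls_speedbump and log is not None:
                # Retrying keeps mail flowing today; this log line is what
                # should put the client on the TLS 1.2 upgrade list.
                log.append(f"attempt {attempt}: 421 4.7.66 legacy TLS rejected; "
                           "client must move to TLS 1.2")
            if not reply.transient or attempt == attempts:
                raise
            time.sleep(base_delay * 2 ** (attempt - 1))
    raise ValueError("attempts must be >= 1")


def send_via_office365(user: str, password: str, msg: str, rcpt: str) -> None:
    """Real submission to the regular endpoint over TLS 1.2 only (needs
    network access and SMTP AUTH credentials; not used by the offline demo)."""
    with smtplib.SMTP("smtp.office365.com", 587, timeout=30) as smtp:
        smtp.starttls(context=tls12_context())
        smtp.login(user, password)
        smtp.sendmail(user, [rcpt], msg)


class FakeSubmission:
    """Constructed stand-in for a session: fails `failures` times with the
    given reply (code plus the rest of the line, as smtplib passes it), then succeeds."""

    def __init__(self, failures: int, code: int = 421, text: str = SAMPLE_REPLY[4:]):
        self.failures, self.code, self.text, self.calls = failures, code, text, 0

    def __call__(self) -> None:
        self.calls += 1
        if self.calls <= self.failures:
            raise smtplib.SMTPResponseException(self.code, self.text.encode())


def demo() -> Tuple[int, int]:
    """Two speedbump rejections then success: (attempts used, warnings logged)."""
    log: List[str] = []
    used = submit_with_retry(FakeSubmission(failures=2), attempts=3, base_delay=0.0, log=log)
    return used, len(log)


if __name__ == "__main__":
    print(parse_reply(SAMPLE_REPLY))
    print(demo())
```

The retry loop deliberately does not special-case 4.7.66 beyond logging it: the post says the rejection is temporary and will be retried through, so the client behaves the same as for any other 4xx, but the warning gives the operator the evidence they need to find the device before the hard cutoff. A 5xx reply (for example a failed AUTH) is raised immediately without retry.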

We intend to make a final announcement when we are ready to make the change to disable TLS1.0 and TLS1.1 for SMTP AUTH for the regular endpoint.

Additional documentation can be found here: Opt-in to Exchange Online endpoint for legacy TLS clients using SMTP AUTH

Exchange Transport Team

7 Comments
Frequent Visitor

PowerShell commands:

Audit

Get-TransportConfig | select AllowLegacyTLSClients

To disable legacy TLS

Set-TransportConfig -AllowLegacyTLSClients $false

To enable legacy TLS

Set-TransportConfig -AllowLegacyTLSClients $true

Occasional Visitor

The information about the alternate endpoint should be added to https://aka.ms/smtp_auth_tls since that's the error message they're going to see in the logs. Not all orgs will choose to enable it, but for those that do, having the endpoint name be available in the information page will help people who are trying to submit have an immediate action they can take to get mail flowing again.

Frequent Contributor

@The_Exchange_Team Great info. Was actually doing this research today for a customer and wondered why SMTP AUTH Clients were using TLS 1.0/1.1 still since I thought it already was disabled for all tenants - this explains why.


However, we do see other accounts showing up accessing Exchange Online in the TLS Deprecation Report. I assume these are all the other protocols than just SMTP AUTH?

https://servicetrust.microsoft.com/AdminPage/TlsDeprecationReport/Download

Care to comment if these also will be blocked in 2022 or earlier without any further notice?

Microsoft

@devinganger Yes, we were waiting for this blog post to get published so that we could point it here. It has already been updated.


@Jonas Back Correct, that report shows other client protocols. We do not have any more information about the other protocols, but they will also have TLS1.0 and TLS1.1 disabled. Customers should not be surprised when that happens.

Occasional Visitor

@Sean_Stevenson Awesome, thank you!!

Occasional Visitor

We have a lot of HP copiers that send via SMTP, but I can't find anywhere how to change them to TLS 1.2. It's good I could now change them to legacy, but I would rather use 1.2. Does anyone know how to do this?

Frequent Contributor

@nick_lgl Some printers might require a firmware update to get TLS 1.2 support.

Last update: Sep 24 2021 02:55 PM