Outdated hashing algorithm for S/MIME


Mobile devices’ access to Exchange Online mailboxes is governed by EAS mobile device policies, which specify, among other things, the required encryption and digital-signature algorithms for S/MIME.  According to the documentation, the strongest supported combination is currently 3DES with SHA-1.  An EAS client will always sign messages with SHA-1, which is now obsolete, deprecated by Microsoft, and no longer supported by some modern applications.  (Gmail says the signed messages use “an unsupported algorithm”, and Thunderbird considers the signatures invalid.)

I’m not really into Exchange, but some quick googling suggests that “RequireSignedSMIMEAlgorithm” is an optional element of EAS provisioning documents (which are the main part of policies), and I think it ought to be possible to clear this entry from mobile device policies.  However, the Set-MobileDeviceMailboxPolicy cmdlet currently requires either “MD5” or “SHA1” for the -RequireSignedSMIMEAlgorithm switch, so I can’t really do that from Exchange Online PowerShell.

I’m wondering if any of you have any suggestions or workarounds.  Also, if there are people here working on EAS in Exchange Online, I’d like to hear their responses.
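An added audit script (not part of the original post, and not Microsoft's code) that inventories the mobile device mailbox policies in a tenant and flags those that force EAS clients to sign with a deprecated digest, then counts the mailboxes on each flagged policy. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline from the ExchangeOnlineManagement module) with rights to read policies and CAS mailbox settings; the policy and property names are the real Exchange cmdlets, the helper function names are mine.

```powershell
# Assumes Connect-ExchangeOnline has already been run in this session.
# Digest algorithms the post above identifies as deprecated for S/MIME signing.
$DeprecatedSigningDigests = @('MD5', 'SHA1')

function Get-SmimePolicyAudit {
    # One record per EAS mobile device mailbox policy, with a flag for policies
    # that require clients to sign with MD5 or SHA-1.
    Get-MobileDeviceMailboxPolicy | ForEach-Object {
        $signing = "$($_.RequireSignedSMIMEAlgorithm)"
        [pscustomobject]@{
            Policy                  = $_.Name
            RequireSignedMessages   = $_.RequireSignedSMIMEMessages
            SigningAlgorithm        = $signing
            EncryptionAlgorithm     = "$($_.RequireEncryptionSMIMEAlgorithm)"
            DeprecatedSigningDigest = ($signing -in $DeprecatedSigningDigests)
        }
    }
}

function Get-MailboxesOnPolicy {
    # Mailboxes whose ActiveSync policy matches the given policy name, to size
    # the population whose mobile S/MIME signatures will be affected.
    param([Parameter(Mandatory)][string]$PolicyName)
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { "$($_.ActiveSyncMailboxPolicy)" -eq $PolicyName } |
        Select-Object DisplayName, PrimarySmtpAddress, ActiveSyncEnabled
}

$audit = Get-SmimePolicyAudit
$audit | Format-Table -AutoSize

foreach ($row in ($audit | Where-Object DeprecatedSigningDigest)) {
    $affected = @(Get-MailboxesOnPolicy -PolicyName $row.Policy)
    Write-Warning ("Policy '{0}' requires S/MIME signing with {1}; {2} mailbox(es) " +
                   "on this policy will produce signatures that some modern clients reject." `
                   -f $row.Policy, $row.SigningAlgorithm, $affected.Count)
}
```

The script only reports; as the post notes, Set-MobileDeviceMailboxPolicy currently accepts only MD5 or SHA1 for -RequireSignedSMIMEAlgorithm, so the output is for scoping and tracking the exposure rather than fixing it.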
