Mail without TLS

%3CLINGO-SUB%20id%3D%22lingo-sub-324540%22%20slang%3D%22en-US%22%3EMail%20without%20TLS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-324540%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20getting%20some%20messages%20in%20my%20Office%20365%20about%20Mail%20without%20TLS.%20Is%20there%20any%20concerns%20here%3F%20Do%20I%20need%20to%20make%20any%20changes%3F%3C%2FP%3E%3CP%3E%3CIMG%20src%3D%22https%3A%2F%2Fi.gyazo.com%2F86ff168a32aac6bcc5ecb390e7248f8b.png%22%20border%3D%220%22%20%2F%3E%3C%2FP%3E%3CP%3E%3CIMG%20src%3D%22https%3A%2F%2Fi.gyazo.com%2Fa130086a564511f805d29a0241d22e29.png%22%20border%3D%220%22%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-324540%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-328686%22%20slang%3D%22en-US%22%3ERe%3A%20Mail%20without%20TLS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-328686%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F4770%22%20target%3D%22_blank%22%3E%40John%20Twohig%3C%2FA%3E%26nbsp%3B%20%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%20%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F869%22%20target%3D%22_blank%22%3E%40Chris%20Webb%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20John%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20believe%20the%20devices%20that%20send%20may%20be%20too%20old.%20Does%20anyone%20know%20how%20to%20%22drill%20down%22%20on%20the%20104%20NO%20TLS%20messages%20to%20see%20where%20they%20are%20coming%20from%20so%20I%20can%20determine%20if%20it%20is%20possible%20to%20turn%20on%20TLS%201.2.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-328684%22%20slang%3D%22en-US%22%3ERe%3A%20Mail%20without%20TLS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-328684%22%20slang%3D%22en-US%22%3E%3CP%3ETim%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20been%20wondering%20the%20same%20thing%20but%20none%20of%20the%20answers%20here%20make%20sense%20to%20me.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20our%20case%2C%20and%20it%20looks%20like%20yours%20as%20well%2C%20the%20connector%20exists%20to%20allow%20printers%2C%20scanners%2C%20software%2C%20and%20other%20devices%20to%20send%20email%20using%20an%20unauthenticated%20smtp%20connection%20to%20Office%20365.%20What%20appears%20to%20me%20to%20be%20happening%20is%20that%20some%20of%20those%20devices%20are%20sending%20email%20without%20using%20TLS%201.2.%20I%20assume%20that%20is%20either%20because%20the%20devices%20are%20unable%20to%20(Too%20old%20or%20need%20updates)%20or%20they%20are%20able%20too%20but%20TLS%201.2%20is%20not%20enabled%20on%20those%20devices.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20thought%20that%20the%20solution%20was%20to%20find%20those%20devices%20and%20update%20them%20and%20enable%20TLS%201.2%20if%20possible.%20However%2C%20I%20haven't%20been%20able%20to%20find%20a%20way%20to%20identify%20where%20the%20emails%20are%20coming%20from.%20In%20your%20case%20if%20you%20could%20drill%20down%20on%20the%20104%20NO%20TLS%20messages%20to%20see%20where%20they%20come%20from%20you%20could%20quickly%20determine%20whether%20they%20could%20be%20updated%20to%20send%20TLS%201.2%20and%20get%20rid%20of%20the%20warnings.%20If%20someone%20knows%20how%20to%20do%20that%20please%20tell.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOr%20maybe%20I%20have%20completely%20misunderstood%20what%20is%20going%20on%20...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-324834%22%20slang%3D%22en-US%22%3ERe%3A%20Mail%20without%20TLS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-324834%22%20slang%3D%22en-US%22%3E%3CP%3ESwitch%20to%20using%20the%20other%20option%2C%20%22By%20verifying%20that%20the%20subject%20name%20on%20the%20certificate%20that%20the%20sending%20server%20uses%20to%20authenticate%20with%20Office%20365%20matches%20this%20domain%20name%22.%20Details%20for%20example%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fmail-flow-best-practices%2Fuse-connectors-to-configure-mail-flow%2Fset-up-connectors-to-route-mail%23part-2-configure-mail-to-flow-from-your-email-server-to-office-365%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fmail-flow-best-practices%2Fuse-connectors-to-configure-mail-flow%2Fset-up-connectors-to-route-mail%23part-2-configure-mail-to-flow-from-your-email-server-to-office-365%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20toggle%20the%20RequireTls%20parameter.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-324602%22%20slang%3D%22en-US%22%3ERe%3A%20Mail%20without%20TLS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-324602%22%20slang%3D%22en-US%22%3E%3CP%3EHere%20is%20the%20Connector%20I%20am%20using%20that%20is%20getting%20the%20TLS%20warnings.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F70767i1D42B41EABDF4544%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22TLS3.jpg%22%20title%3D%22TLS3.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-324595%22%20slang%3D%22en-US%22%3ERe%3A%20Mail%20without%20TLS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-324595%22%20slang%3D%22en-US%22%3EYou%20already%20have%20it%20on.%20Hence%20the%20sent%20and%20received%20TLS%201.2%20messages.%20It%E2%80%99s%20an%20endpoint%20you%20deal%20with%20that%20they%20have%20it%20off%20on%20their%20side.%20You%E2%80%99ll%20have%20to%20investigate%20to%20see%20if%20it%E2%80%99s%20mostly%20the%20same%20one%20and%20get%20them%20to%20turn%20it%20on%20or%20just%20ignore%20it%20%2F%20increase%20that%20alert%20threshold.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-324583%22%20slang%3D%22en-US%22%3ERe%3A%20Mail%20without%20TLS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-324583%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F869%22%20target%3D%22_blank%22%3E%40Chris%20Webb%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20TLS%20something%20I%20can%20turn%20on%20in%20Office%20365%20or%20does%20that%20have%20to%20be%20done%20with%20my%20Domain%20Registrar%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-324576%22%20slang%3D%22en-US%22%3ERe%3A%20Mail%20without%20TLS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-324576%22%20slang%3D%22en-US%22%3EIt%20really%20just%20means%20that%20you%20guys%20are%20sending%20a%20handful%20of%20e-mail%20to%20a%20domain%20that%20doesn't%20have%20TLS%20turned%20on.%20Those%20e-mails%20are%20not%20encrypted%20in%20transport%20at%20all%20and%20are%20vulnerable%20to%20traffic%20sniffing%20etc.%20But%20I%20wouldn't%20say%20there%20is%20a%20problem%20per%20say.%20Just%20may%20investigate%20for%20a%20large%20chunk%20of%20that%20e-mail%20to%20a%20domain%20and%20find%20out%20why%20they%20don't%20allow%20TLS%2C%20or%20it%20might%20be%20traffic%20that%20isn't%20sensitive.%20%3CBR%20%2F%3E%3CBR%20%2F%3EMost%20e-mail%20servers%20have%20opportunistic%20TLS%20on%20so%20it%20will%20try%20TLS%20first%20then%20do%20no%20TLS%20as%20a%20backup%20so%20there%20could%20be%20an%20issue%20with%20the%20TLS%20connection%20but%20my%20gut%20says%20that%20one%20of%20your%20domains%20you%20are%20using%20just%20has%20it%20off%20for%20some%20reason.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-768164%22%20slang%3D%22en-US%22%3ERe%3A%20Mail%20without%20TLS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-768164%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F238560%22%20target%3D%22_blank%22%3E%40Tim%20Hunter%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20know%20this%20is%20old%20but%20there%20is%20a%20report%20that%20shows%20the%20devices.%20I%20ran%20it%20this%20morning%20and%20it%20showed%20how%20many%20emails%20each%20printer%2FMFD%20sent%20last%20week.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FExchange-Team-Blog%2FInvestigating-TLS-usage-for-SMTP-in-Exchange-Online%2Fba-p%2F609278%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FExchange-Team-Blog%2FInvestigating-TLS-usage-for-SMTP-in-Exchange-Online%2Fba-p%2F609278%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20the%20comments%20near%20the%20bottom%20there%20is%20one%20from%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F228742%22%20target%3D%22_blank%22%3E%40Shawn%20Housler%3C%2FA%3Ethat%20shows%20how%20to%20get%20the%20report.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-768237%22%20slang%3D%22en-US%22%3ERe%3A%20Mail%20without%20TLS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-768237%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F4770%22%20target%3D%22_blank%22%3E%40John%20Twohig%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F869%22%20target%3D%22_blank%22%3E%40Chris%20Webb%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F228742%22%20target%3D%22_blank%22%3E%40Shawn%20Housler%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20I%20found%20the%201%20email%20address%20in%20my%20account%20that%20is%20still%20apparently%20using%20TLS%201.0.%20It%20is%20an%20email%20we%20use%20for%20automated%20billing.%20How%20can%20I%20find%20out%20what%20device%20it%20is%20sending%20through%20using%20TLS%201.0%2C%20so%20I%20can%20upgrade%20that%20device%20to%20TLS%201.2%3F%20Thanks!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-768547%22%20slang%3D%22en-US%22%3ERe%3A%20Mail%20without%20TLS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-768547%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F238560%22%20target%3D%22_blank%22%3E%40Tim%20Hunter%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20perhaps%20an%20application%20and%20not%20a%20device%3F%20I%20have%20a%20couple%20of%20applications%20that%20send%20automated%20emails.%20You%20may%20have%20to%20contact%20whoever%20wrote%20the%20software%20to%20see%20when%20they%20will%20upgrade%20it.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20heard%20from%20one%20software%20vendor%20who%20got%20back%20to%20me%20with%20a%20link%20to%20an%20update.%20I%20did%20the%20update%20so%20I%20will%20check%20the%20TLS%20reports%20next%20week%20and%20hopefully%20that%20application%20will%20be%20gone.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Regular Contributor

I am getting some messages in my Office 365 about Mail without TLS. Is there any concerns here? Do I need to make any changes?

10 Replies
Highlighted
It really just means that you guys are sending a handful of e-mail to a domain that doesn't have TLS turned on. Those e-mails are not encrypted in transport at all and are vulnerable to traffic sniffing etc. But I wouldn't say there is a problem per say. Just may investigate for a large chunk of that e-mail to a domain and find out why they don't allow TLS, or it might be traffic that isn't sensitive.

Most e-mail servers have opportunistic TLS on so it will try TLS first then do no TLS as a backup so there could be an issue with the TLS connection but my gut says that one of your domains you are using just has it off for some reason.
Highlighted

Hi @Chris Webb 

 

Is TLS something I can turn on in Office 365 or does that have to be done with my Domain Registrar? 

Highlighted
You already have it on. Hence the sent and received TLS 1.2 messages. It’s an endpoint you deal with that they have it off on their side. You’ll have to investigate to see if it’s mostly the same one and get them to turn it on or just ignore it / increase that alert threshold.
Highlighted

Here is the Connector I am using that is getting the TLS warnings. 

TLS3.jpg

Highlighted

Switch to using the other option, "By verifying that the subject name on the certificate that the sending server uses to authenticate with Office 365 matches this domain name". Details for example here: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-...

 

You can also toggle the RequireTls parameter.

Highlighted

Tim

 

I have been wondering the same thing but none of the answers here make sense to me. 

 

In our case, and it looks like yours as well, the connector exists to allow printers, scanners, software, and other devices to send email using an unauthenticated smtp connection to Office 365. What appears to me to be happening is that some of those devices are sending email without using TLS 1.2. I assume that is either because the devices are unable to (Too old or need updates) or they are able too but TLS 1.2 is not enabled on those devices. 

 

I thought that the solution was to find those devices and update them and enable TLS 1.2 if possible. However, I haven't been able to find a way to identify where the emails are coming from. In your case if you could drill down on the 104 NO TLS messages to see where they come from you could quickly determine whether they could be updated to send TLS 1.2 and get rid of the warnings. If someone knows how to do that please tell. 

 

Or maybe I have completely misunderstood what is going on ...

Highlighted

@John Twohig   @Vasil Michev   @Chris Webb 

 

Hi John,

 

I believe the devices that send may be too old. Does anyone know how to "drill down" on the 104 NO TLS messages to see where they are coming from so I can determine if it is possible to turn on TLS 1.2.

 

Thanks!

Highlighted

@Tim Hunter 

 

I know this is old but there is a report that shows the devices. I ran it this morning and it showed how many emails each printer/MFD sent last week.

 

https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/Investigating-TLS-usage-for-SMTP-in-Exchan...

 

In the comments near the bottom there is one from @Shawn Housler that shows how to get the report. 

Highlighted

 

@John Twohig 

@Vasil Michev 

@Chris Webb 

@Shawn Housler

 

So I found the 1 email address in my account that is still apparently using TLS 1.0. It is an email we use for automated billing. How can I find out what device it is sending through using TLS 1.0, so I can upgrade that device to TLS 1.2? Thanks!

 

Highlighted

@Tim Hunter 

 

Is it perhaps an application and not a device? I have a couple of applications that send automated emails. You may have to contact whoever wrote the software to see when they will upgrade it. 

 

I heard from one software vendor who got back to me with a link to an update. I did the update so I will check the TLS reports next week and hopefully that application will be gone.