Exchange Online legacy TLS Endpoints for POP3 IMAP and SMTP
Hi All,
New opt-in endpoint for POP3/IMAP4 clients that need legacy TLS
https://techcommunity.microsoft.com/t5/exchange-team-blog/new-opt-in-endpoint-for-pop3-imap4-clients-that-need-legacy-tls/ba-p/3710395
- Exchange Online ended support for TLS1.0 and TLS1.1 in October 2020.
- This year, we plan to disable these older TLS versions for POP3/IMAP4 clients to secure our customers and meet compliance requirements.
- However, we know that there is still significant usage of POP3/IMAP4 clients that don’t support TLS 1.2, so we’ve created an opt-in endpoint for these clients so they can use TLS1.0 and TLS1.1.
- This way, an organization is secured with TLS1.2 unless they specifically decide to opt for a less secure posture.
The legacy endpoints only work for tenants that have opted in. Check the tenant setting with Exchange Online PowerShell:
Get-TransportConfig | fl AllowLegacyTLSClients
Legacy TLS endpoints for POP3/IMAP4 clients:
pop-legacy.office365.com
imap-legacy.office365.com
Customers who use Microsoft 365 operated by 21 Vianet need to configure their clients to use
pop-legacy.partner.outlook.cn
imap-legacy.partner.outlook.cn
Opt in to the Exchange Online endpoint for legacy TLS clients using SMTP AUTH
https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/opt-in-exchange-online-endpoint-for-legacy-tls-using-smtp-auth
smtp-legacy.office365.com
Customers who use Microsoft 365 operated by 21 Vianet need to configure their clients to use the endpoint
smtp-legacy.partner.outlook.cn
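To see for yourself which TLS versions the regular and the legacy endpoints accept, here is an added example (my own probe script, not code from the Microsoft articles above). It opens one connection per protocol version, offering exactly that version, so the answer is unambiguous. It assumes Windows PowerShell 5.1 or PowerShell 7 with outbound access to ports 993 and 587, and, for the commented tenant-side part, the ExchangeOnlineManagement module; the EHLO name `tlsprobe.example` is a placeholder.

```powershell
# Added example: probe which TLS versions an Exchange Online endpoint negotiates.
# Not part of the original post or the Microsoft articles; see lead-in for assumptions.

function Test-TlsHandshake {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol,
        [switch]$SmtpStartTls   # port 587 talks plain SMTP until STARTTLS is issued
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        if ($SmtpStartTls) {
            $reader = [System.IO.StreamReader]::new($stream)
            $writer = [System.IO.StreamWriter]::new($stream)
            $writer.AutoFlush = $true
            $null = $reader.ReadLine()                       # 220 banner
            $writer.Write("EHLO tlsprobe.example`r`n")       # placeholder client name
            do { $line = $reader.ReadLine() } while ($line -and $line -match '^250-')
            if ($line -notmatch '^250 ') { throw "EHLO failed: $line" }
            $writer.Write("STARTTLS`r`n")
            $line = $reader.ReadLine()
            if ($line -notmatch '^220') { throw "STARTTLS refused: $line" }
        }
        $ssl = [System.Net.Security.SslStream]::new($stream, $false)
        # Offer a single protocol version; if the server does not support it the handshake fails.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Host = $HostName; Port = $Port; Offered = $Protocol
            Accepted = $true; Negotiated = $ssl.SslProtocol; Error = $null
        }
    } catch {
        # Caveat: a failure can also mean the local Schannel/.NET policy refused to offer
        # TLS 1.0/1.1 at all. Read the error text before blaming the server.
        [pscustomobject]@{
            Host = $HostName; Port = $Port; Offered = $Protocol
            Accepted = $false; Negotiated = $null; Error = $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Dispose()
    }
}

# Standard endpoints next to their legacy counterparts from the post.
$targets = @(
    @{ HostName = 'outlook.office365.com';     Port = 993 },
    @{ HostName = 'imap-legacy.office365.com'; Port = 993 },
    @{ HostName = 'smtp.office365.com';        Port = 587; SmtpStartTls = $true },
    @{ HostName = 'smtp-legacy.office365.com'; Port = 587; SmtpStartTls = $true }
)
$results = foreach ($t in $targets) {
    foreach ($version in 'Tls', 'Tls11', 'Tls12') {   # Tls = TLS 1.0 in the .NET enum
        Test-TlsHandshake @t -Protocol $version
    }
}
$results | Format-Table Host, Port, Offered, Accepted, Negotiated, Error -AutoSize

# Tenant-side switch the legacy endpoints depend on (Exchange Online PowerShell, run separately):
#   Connect-ExchangeOnline
#   Get-TransportConfig | Format-List AllowLegacyTLSClients
#   Set-TransportConfig -AllowLegacyTLSClients $true    # opt in: lowers the posture
#   Set-TransportConfig -AllowLegacyTLSClients $false   # opt out again once clients are fixed
```

Expected picture, based on the articles quoted above: the standard endpoints refuse the Tls and Tls11 rows, the -legacy hosts accept them only for tenants that have set AllowLegacyTLSClients, and Tls12 is accepted everywhere. Run the probe again after you opt out to confirm the weaker versions are gone.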
Wikipedia TLS
https://de.wikipedia.org/wiki/Transport_Layer_Security
The best-known SSL/TLS attacks
- 2011 BEAST (Browser Exploit Against SSL/TLS)
- 2012 CRIME (Compression Ratio Info-leak Made Easy)
- 2013 BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext)
- 2014 POODLE attack (Padding Oracle On Downgraded Legacy Encryption)
- 2014 Heartbleed bug in OpenSSL
- 2015 FREAK attack (Factoring RSA Export Keys)
Keep in mind that TLS 1.2 (RFC 5246) has existed since 2008, so every attack on this list is younger than the protocol version that the legacy clients cannot speak. BEAST (predictable CBC IVs in TLS 1.0) and POODLE (SSL 3.0 padding) in particular exploit weaknesses that TLS 1.1/1.2 removed.
Let's have a look at the TLS Configuration in Exchange Server.
Exchange Server TLS configuration best practices
https://learn.microsoft.com/en-us/Exchange/exchange-tls-configuration?view=exchserver-2016
- TLS 1.2 support was added with Cumulative Update (CU) 19 to Exchange Server 2013 and CU 8 to Exchange Server 2016. Exchange Server 2019 supports TLS 1.2 out of the box.
- It is possible to disable TLS 1.0 and 1.1 on Exchange Server 2013 with CU 20 and later or on Exchange Server 2016 with CU 9 and later. It is also required to have the latest version of .NET Framework and associated patches supported by your CU in place.
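The Microsoft guidance linked above describes the Schannel and .NET registry settings behind "TLS 1.2 only". The following script is an added example of my own (not code from that article) that audits those values and applies them in the order the guidance recommends: enable TLS 1.2 explicitly first, make .NET follow the OS protocol list, and only then turn TLS 1.0/1.1 off. It assumes you run it elevated on an Exchange Server that already meets the CU and .NET prerequisites above, and that you reboot afterwards, since Schannel reads these keys at boot.

```powershell
# Added example: audit and set the registry values for "TLS 1.2 only" on an Exchange Server.
# Not part of the original post or the Microsoft article; run elevated, reboot afterwards.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotNet   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',               # 64-bit .NET
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'    # 32-bit .NET
)

function Set-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "$Name\$side"
        New-Item -Path $key -Force | Out-Null
        # Enabled=1/DisabledByDefault=0 turns a version on; Enabled=0/DisabledByDefault=1 turns it off.
        New-ItemProperty -Path $key -Name 'Enabled' -Value ([int]$Enabled) `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    foreach ($name in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $p = Get-ItemProperty -Path (Join-Path $schannel "$name\$side") -ErrorAction SilentlyContinue
            # A missing value means "OS default", which on the Windows Server versions that
            # Exchange 2013/2016 run on still allows TLS 1.0 and 1.1.
            $enabled  = if ($null -eq $p.Enabled)           { 'default' } else { $p.Enabled }
            $disabled = if ($null -eq $p.DisabledByDefault) { 'default' } else { $p.DisabledByDefault }
            [pscustomobject]@{ Protocol = $name; Side = $side; Enabled = $enabled; DisabledByDefault = $disabled }
        }
    }
}

Write-Host 'Before:'; Get-SchannelProtocolState | Format-Table -AutoSize

# 1. Make TLS 1.2 explicitly enabled before taking anything away.
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# 2. Let .NET (which Exchange services and transport agents run on) use the OS protocol
#    list and strong crypto, in both hives.
foreach ($path in $dotNet) {
    New-Item -Path $path -Force | Out-Null
    New-ItemProperty -Path $path -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $path -Name 'SchUseStrongCrypto'       -Value 1 -PropertyType DWord -Force | Out-Null
}

# 3. Only after the SMTP protocol logs show no partner or client still negotiating them,
#    turn the legacy versions off.
Set-SchannelProtocol -Name 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.1' -Enabled $false

Write-Host 'After (effective after reboot):'; Get-SchannelProtocolState | Format-Table -AutoSize
```

Run the audit part alone first (comment out steps 1 to 3) on every server in the organization; mixed states between servers are the usual cause of intra-org transport failures after such a change.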
Exchange Server build numbers and release dates
https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019
- Exchange Server 2016 CU9 March 20, 2018
- Exchange Server 2013 CU20 March 20, 2018
Conclusion: it has been almost 5 years since Exchange could run on TLS 1.2 only.
My recommendation would be to look for a client or solution that supports TLS 1.2 before you enable "AllowLegacyTLSClients": opting in lowers your security posture. Now is the time to do it right!
Regards
Andres Bohren