Exchange Online Rejects Old TLS Connections in January 2021

Time to Make Final Checks

It’s natural to take time off during the holiday season to forget about the woes of IT operations. One of the nice things about using a service like Office 365 is that other people take care of running it while you’re away. On the downside, decisions made by the people who run the service (for the right reasons) can impact an organization if you’re not careful.

Which brings me to the topic of Transport Layer Security (TLS), or more specifically the imminent removal of TLS 1.0 and TLS 1.1 from Exchange Online. Microsoft has been trying to remove these versions of TLS and move tenants to TLS 1.2 since October 2018. The hammer is now descending to enforce change.

Gradual Removal from Exchange Online

As with any communications protocol, removing the older versions of TLS from Exchange Online has been a long, drawn-out process. Microsoft formally retired TLS 1.0 and 1.1 in July 2020 and intended to remove support in October 2020. However, they left everything in place to allow organizations some extra time to prepare. Time has now run out and Microsoft will start to remove TLS 1.0 and 1.1 support from Exchange Online starting January 11, 2021. As stated in Office 365 notification MC229914 published on 14 December:

“We’ll be gradually making the change and so initial impact could be messages getting delayed and only when the change is completed will messages fail to be delivered to their destinations.”

In other words, Microsoft has a lot of work to do to remove TLS 1.0 and 1.1 from the 300,000-odd Exchange Online servers running across the Office 365 datacenters. Your connections will keep on working until one day they won’t.

Old TLS is Still Used

Email traffic sent by Exchange Online uses TLS 1.2. Microsoft highlights potential issues in hybrid organizations where on-premises Exchange servers might still use the older versions. Another area of concern is where traffic passes through “hybrid routing,” or third-party infrastructures used for purposes like email hygiene. Inbound traffic from other organizations which haven’t updated their infrastructure is also likely to run into problems.

I took a quick look at the Mail Flow dashboard widget (Figure 1) for inbound and outbound mail flow and found that some inbound and outbound traffic to my domain is unprotected or uses the older versions. The number of problematic messages is low, but some traffic is present. The important thing to remember is that Exchange Online uses opportunistic TLS, meaning that the sending and receiving servers negotiate the highest protocol version and cipher suite that both support. Up to now, TLS 1.0 and 1.1 have been available (and are used); from January 11 those options will go away, and exchanging messages with domains which still depend on those versions will cease.

Figure 1: TLS usage for Exchange Online (image credit: Tony Redmond)

Multi-Function Appliances Also a Concern

In addition to the Mail Flow data, Microsoft has published guidance to help tenants find traffic using the older versions of TLS. In that post they call out multi-function appliances which use SMTP AUTH connections to send email via Exchange Online as a special area of concern. These MFAs must use TLS to connect and send email. Once TLS 1.2 is enforced, any MFA configured to use TLS 1.0 or 1.1 won’t be able to connect.

Some MFAs are easier to reconfigure than others. For now, the first order of business is to discover if any appliances use old versions of TLS. Microsoft recommends that administrators run the SMTP AUTH report to identify potential issues. Once you know what you’ve got to deal with, you can build a plan to adjust devices.
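The SMTP AUTH report tells you which appliances are connecting, but it does not tell you what an on-premises relay, hybrid Exchange server or hygiene gateway will negotiate once TLS 1.2 is the floor. The following script is an added example (not from the article, Microsoft or Petri) that checks this from the client side, covering both the hybrid-routing servers mentioned earlier and the MFA relay path: it opens an SMTP session to a host you name, issues STARTTLS with a client context that refuses anything below TLS 1.2, and reports the negotiated version. A second pass with a context capped at TLS 1.1 shows whether the server still accepts the retiring versions, which is the setting you would want to tighten before January 11. The host `mail.example.com` is a placeholder; substitute your own servers.

```python
import smtplib
import ssl
import sys

# Versions that Exchange Online will continue to accept after January 11, 2021.
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def will_be_rejected(version: str) -> bool:
    """True if a negotiated protocol version string (as returned by
    SSLSocket.version()) is one that Exchange Online is retiring."""
    return version not in ACCEPTED_VERSIONS


def tls12_only_context() -> ssl.SSLContext:
    """Client context that refuses anything older than TLS 1.2, mirroring the
    floor Exchange Online will enforce. Certificate validation stays on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_only_context() -> ssl.SSLContext:
    """Client context capped at TLS 1.1 (and allowing TLS 1.0), used only to
    learn whether one of your own servers still offers the retiring versions.
    Certificate checks are off because the question is protocol negotiation,
    not trust; @SECLEVEL=0 is needed on OpenSSL 1.1+/3.x to permit old TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe_starttls(host: str, port: int = 587, ctx: ssl.SSLContext = None,
                   timeout: float = 10.0) -> dict:
    """EHLO, then STARTTLS with the given client context. Returns a dict with
    'ok' (True only if a TLS 1.2+ session was established), the negotiated
    'version' on success, or a 'reason' describing why the handshake failed."""
    ctx = ctx or tls12_only_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return {"host": host, "ok": False,
                        "reason": "server does not advertise STARTTLS"}
            smtp.starttls(context=ctx)
            version = smtp.sock.version()  # e.g. "TLSv1.2"
            return {"host": host, "ok": not will_be_rejected(version),
                    "version": version}
    except ssl.SSLError as exc:
        # Typical outcome when the server only offers TLS 1.0/1.1 and the
        # client insists on 1.2: the handshake is aborted with an alert.
        return {"host": host, "ok": False,
                "reason": f"TLS handshake failed: {exc.reason}"}
    except (OSError, smtplib.SMTPException) as exc:
        return {"host": host, "ok": False, "reason": str(exc)}


if __name__ == "__main__":
    # Usage: python probe_tls.py relay1.contoso.local gateway.contoso.local
    hosts = sys.argv[1:] or ["mail.example.com"]  # placeholder host
    for host in hosts:
        strict = probe_starttls(host)
        if strict["ok"]:
            print(f"{host}: negotiated {strict['version']}; will keep working")
        else:
            print(f"{host}: FAILS with TLS 1.2 floor: {strict['reason']}")
        legacy = probe_starttls(host, ctx=legacy_only_context())
        if "version" in legacy:
            print(f"{host}: still accepts {legacy['version']} from clients; "
                  f"consider disabling it once all senders are on 1.2")
```

Run it against each on-premises Exchange server, smart host or hygiene gateway that sits in the path between your appliances and Exchange Online. A failure in the first pass is the same failure your MFAs will see after the change; a success in the second pass is a server you may want to harden independently of Microsoft's enforcement.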

Good Change

You can’t argue against better security. Microsoft is steadily closing off potential weaknesses in Exchange Online in line with being secure by default. The ongoing campaign to deprecate basic authentication for client connections to Exchange Online is possibly the most obvious example of their work; insisting on using TLS 1.2 for server connections will become more apparent next month.