Exchange Online TLS 1.0 and 1.1 Support Ending for POP 3 and IMAP 4 Clients -- Redmondmag.com

Exchange Online TLS 1.0 and 1.1 Support Ending for POP 3 and IMAP 4 Clients

By Kurt Mackie
01/06/2023

Microsoft gave notice this week that it's planning to disable the use of the Transport Layer Security (TLS) 1.0 and TLS 1.1 security protocols for Exchange Online customers that use Post Office Protocol 3 (POP 3) and/or Internet Message Access Protocol 4 (IMAP 4) clients, starting next month.

However, organizations can continue to use TLS 1.0 and TLS 1.1 (deemed insecure) with those clients by making some configuration changes, as outlined in Microsoft's notice. The configuration changes are just for organizations that "specifically decide to opt for a less secure posture."

The disablement of TLS 1.0 and TLS 1.1 support in Exchange Online for these POP 3 and IMAP 4 clients will be a gradual process, starting next month, Microsoft explained:

Starting in February 2023, we will reject a small percentage of connections that use TLS1.0 for POP3/IMAP4. Clients should retry as they do with any other temporary error that can occur when connecting. Over time we will increase the percentage of rejected connections, causing delays in connecting that should be more and more noticeable.

Organizations eventually will get an error message informing them that TLS 1.0 and TLS 1.1 are not supported. The use of those security protocols will get disabled for POP 3 and IMAP 4 clients "by the end of April 2023."

Organizations should move to using the more secure TLS 1.2 security protocol, if possible. Microsoft already disabled TLS 1.0 and TLS 1.1 support for its non-government Exchange Online customers using other client protocols than POP 3 and IMAP 4 back in Oct. 2020.

The Exchange Online team has been keeping customers apprised about various expired or insecure protocols used with the service. Last month, it announced the end of Basic Authentication support with Exchange Online, a major security improvement that took years, and many public warnings, to finally implement.

Also last month, Microsoft gave notice that it plans to phase out the use of Remote PowerShell with Exchange Online. Such Remote PowerShell use will get blocked starting on June 1, 2023. IT pros are advised to switch to using the Exchange Online PowerShell version 3 module instead as a more secure solution.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.