Exchange Online TLS 1.0 and 1.1 Support Ending for POP 3 and IMAP 4 Clients
Microsoft gave notice this week that it's planning to disable the use of the Transport Layer Security (TLS) 1.0 and TLS 1.1 security protocols for Exchange Online customers that use Post Office Protocol 3 (POP 3) and/or Internet Message Access Protocol 4 (IMAP 4) clients, starting next month.
However, organizations can continue to use TLS 1.0 and TLS 1.1 (deemed insecure) with those clients by making some configuration changes, as outlined in Microsoft's notice. The configuration changes are just for organizations that "specifically decide to opt for a less secure posture."
The disablement of TLS 1.0 and TLS 1.1 support in Exchange Online for these POP 3 and IMAP 4 clients will be a gradual process, starting next month, Microsoft explained:
Starting in February 2023, we will reject a small percentage of connections that use TLS1.0 for POP3/IMAP4. Clients should retry as they do with any other temporary error that can occur when connecting. Over time we will increase the percentage of rejected connections, causing delays in connecting that should be more and more noticeable.
Organizations eventually will get an error message informing them that TLS 1.0 and TLS 1.1 are not supported. The use of those security protocols will get disabled for POP 3 and IMAP 4 clients "by the end of April 2023."
Organizations should move to using the more secure TLS 1.2 security protocol, if possible. Microsoft already disabled TLS 1.0 and TLS 1.1 support for its non-government Exchange Online customers using other client protocols than POP 3 and IMAP 4 back in Oct. 2020.
The Exchange Online team has been keeping customers apprised about various expired or insecure protocols used with the service. Last month, it announced the end of Basic Authentication support with Exchange Online, a major security improvement that took years, and many public warnings, to finally implement.
Also last month, Microsoft gave notice that it plans to phase out the use of Remote PowerShell with Exchange Online. Such Remote PowerShell use will get blocked starting on June 1, 2023. IT pros are advised to switch to using the Exchange Online PowerShell version 3 module instead as a more secure solution.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.