Microsoft to deprecate legacy TLS in Exchange Online starting July

Source: Bleeping Computer

Overview

Microsoft says it will start blocking legacy TLS connections for POP and IMAP email clients in Exchange Online starting in July 2026.

The Transport Layer Security (TLS) cryptographic protocol protects users’ information from eavesdropping, tampering, and message forgery when accessing email over the Internet via client/server applications. However, the original TLS 1.0 specification (introduced in 1999) and its TLS 1.1 successor (introduced in 2006) are now considered outdated and insecure for encrypting traffic.

“We’re planning to fully deprecate support for legacy TLS versions (TLS 1.0 and TLS 1.1) for POP3 and IMAP4 connections to Exchange Online. These older TLS versions have been industry‑deprecated for some time and are no longer considered secure,” — Microsoft.

Impact of deprecation

• POP3 and IMAP4 connections will require TLS 1.2 or later.
• Connections using TLS 1.0 or TLS 1.1 will fail.
• Legacy applications or devices may stop connecting.
• Custom or embedded systems may require updates.

(From a Monday Message Center update.)

TLS 1.2+ required to avoid disruptions

Before legacy TLS starts getting deprecated in July, Exchange Online customers who use POP or IMAP to access email should:

• Ensure that their email clients and applications support TLS 1.2 or later.
• Stop using legacy endpoints to connect to the service.
• Update custom or embedded applications (such as devices or legacy services) to versions that support modern TLS versions.

“If you aren’t sure if you are using legacy versions, check the configuration of your POP and IMAP clients and, if you are, your application or device vendor can typically confirm TLS support and provide upgrade guidance,” — Microsoft.

Background

In a coordinated October 2018 announcement, Microsoft, Apple, Google, and Mozilla revealed that they would retire the insecure TLS 1.0 and TLS 1.1 protocols in the first half of 2020. Microsoft later began enabling TLS 1.3 by default in Windows 10 Insider builds released in August 2020.

The U.S. National Security Agency (NSA) also provides guidance on identifying and replacing outdated TLS protocol versions and configurations with modern, secure alternatives to decrease attack surfaces and prevent unauthorized access to data.