Opt in to the Exchange Online endpoint for legacy TLS clients using SMTP AUTH

Note

We have already disabled TLS 1.0 and 1.1 for most Microsoft 365 services in the worldwide environment. For Microsoft 365 operated by 21 Vianet, TLS 1.0 and TLS 1.1 will be disabled on June 30, 2023.

As of October 2020, Exchange Online no longer supports the use of TLS 1.0 and TLS 1.1 in the service. This change is due to security and compliance requirements for our service. While no longer supported, our servers still allow clients to use those older versions of TLS when connecting to the SMTP AUTH endpoint (smtp.office365.com).

In 2022, we plan to completely disable those older TLS versions to secure our customers and meet those security and compliance requirements. However, due to significant usage, we've created an opt-in endpoint that legacy clients can use with TLS 1.0 and TLS 1.1. Note that this endpoint is not available in GCC, GCC-High, or DoD environments that have legacy TLS permanently turned off.

Configuring the new endpoint

If customers have SMTP AUTH clients that only support older TLS versions, those clients need to be configured to use the new endpoint for the worldwide environment:

  • smtp-legacy.office365.com

Customers who use Microsoft 365 operated by 21 Vianet need to configure their clients to use the endpoint:

  • smtp-legacy.partner.outlook.cn

To use this less secure endpoint, admins need to enable the following setting:

  • The value $true for the AllowLegacyTLSClients parameter on the Set-TransportConfig cmdlet.

Make sure that the mailbox is configured to allow sending using SMTP AUTH. For more info, visit: Enable or disable authenticated client SMTP submission (SMTP AUTH) in Exchange Online

Opt in to legacy client endpoint

You can opt in (or opt out) for your organization in the new EAC or by using Exchange Online PowerShell.

To opt in with the new EAC, go to the Mail Flow settings page under Settings and toggle the setting labeled "Turn on use of legacy TLS clients".

To opt in with Exchange Online PowerShell, run the following command:

Set-TransportConfig -AllowLegacyTLSClients $true

To view the current status of the property, run the following command in Exchange Online PowerShell:

Get-TransportConfig | Format-List AllowLegacyTLSClients
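
The following audit script is an added example, not part of the original documentation. It reports the organization's opt-in state and lists the mailboxes that are allowed to use SMTP AUTH, which are the mailboxes able to submit mail through the legacy TLS endpoint once the opt-in is on. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run; the function name Get-LegacyTlsSmtpAuthExposure is hypothetical, and other controls such as authentication policies are not evaluated.

```powershell
# Added example: audit the legacy TLS opt-in and the SMTP AUTH exposure behind it.
# Assumption: an Exchange Online PowerShell session is already connected.

function Get-LegacyTlsSmtpAuthExposure {
    [CmdletBinding()]
    param()

    $transport = Get-TransportConfig

    # Organization-wide switches: the legacy TLS opt-in and the SMTP AUTH default.
    $orgLegacyTls        = [bool]$transport.AllowLegacyTLSClients
    $orgSmtpAuthDisabled = [bool]$transport.SmtpClientAuthenticationDisabled

    # Per-mailbox value: $false = explicitly enabled, $true = explicitly disabled,
    # $null = inherit the organization default. A mailbox value overrides the default.
    $mailboxes = Get-CASMailbox -ResultSize Unlimited |
        Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled

    foreach ($mbx in $mailboxes) {
        $setting = $mbx.SmtpClientAuthenticationDisabled

        if ($null -eq $setting) {
            $smtpAuthAllowed = -not $orgSmtpAuthDisabled
            $source          = 'OrgDefault'
        } else {
            $smtpAuthAllowed = -not $setting
            $source          = 'MailboxOverride'
        }

        # Emit only mailboxes that can authenticate over SMTP AUTH.
        if ($smtpAuthAllowed) {
            [pscustomobject]@{
                Mailbox            = $mbx.PrimarySmtpAddress
                SmtpAuthSource     = $source
                LegacyTlsReachable = $orgLegacyTls
            }
        }
    }
}

# Show the two organization-level values, then the per-mailbox exposure.
Get-TransportConfig |
    Format-List AllowLegacyTLSClients, SmtpClientAuthenticationDisabled
Get-LegacyTlsSmtpAuthExposure | Sort-Object Mailbox | Format-Table -AutoSize
```

If LegacyTlsReachable is True, restricting SMTP AUTH to the mailboxes that legacy devices actually use narrows what can be reached over TLS 1.0 and TLS 1.1.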