
Fedora Linux 43 Exposes 20-Year-Old Microsoft Outlook Security Failure (nerds.xyz)

(Wednesday June 03, 2026 @11:30PM (BeauHD) from the would-you-look-at-that dept.)


[1]BrianFagioli writes:

> Fedora Linux 43 users upgrading to the latest Dovecot mail server discovered something rather unsettling: some older Microsoft Outlook configurations may have been [2]silently ignoring SSL/TLS settings for POP3 email connections for years. According to a Fedora community [3]blog post, affected Outlook clients reportedly continued using insecure port 110 connections even when encryption was enabled in the application settings. The issue surfaced after Dovecot 2.4 disabled plaintext authentication on non-secure connections by default, causing Outlook users to suddenly lose mailbox access after the Fedora 43 upgrade.


> The report suggests the behavior may date back as far as Outlook 2007, although modern Outlook builds were not fully tested. Fedora admins stress that the problem could be limited to legacy account configurations rather than current versions of Outlook itself. Still, the discovery has sparked discussion among Linux admins and security folks because many users likely assumed their email traffic was encrypted simply because Outlook claimed SSL/TLS was enabled. The incident also highlights how stricter defaults in modern open source infrastructure can expose ancient assumptions and questionable behaviors that quietly survived for decades.



[1] https://slashdot.org/~BrianFagioli

[2] https://nerds.xyz/2026/06/fedora-43-outlook-security-bug/

[3] https://fedoramagazine.org/fedora-43-upgrade-revealed-20-years-old-outlook-security-bug/



"Legacy configurations" (Score:2)

by sound+vision ( 884283 )

> limited to legacy account configurations rather than current versions of Outlook

I'm assuming "legacy account configurations" means anyone who hasn't moved to "Outlook (new)" or whatever they're calling it this week. Meaning the vast majority of Outlook users.

Re: (Score:1)

by xpyr ( 743763 )

Wouldn't the logs in Dovecot have shown what port and whether SSL/TLS was being used for POP3 connections?

Re: (Score:2)

by anoncoward69 ( 6496862 )

I would assume this would have been found long ago if it was a widespread issue. I have to assume there's plenty of orgs out there with security configurations strict enough that they would totally block unsecured port 110 at the server. Thus admins would have found clients failing to be able to connect and drilled further into the issue. This has to be some config issue with particular clients.

Re: (Score:3)

by caseih ( 160668 )

STARTTLS on port 110 was a very common configuration. So you wouldn't tell anything in the logs from simply the port number.
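Since the port number says nothing, the useful evidence is the login record Dovecot writes for each authenticated session. The following is an added example, not code from the Fedora post, from Dovecot or from anyone in this thread. The sample log lines are constructed to follow the shape of Dovecot's `pop3-login`/`imap-login` "Login:" records, where key=value fields are joined by commas and a bare `TLS` token is present when the session is encrypted (`secured` marks a connection Dovecot already trusts, such as one from localhost); the exact wording of the rejection line for a disallowed cleartext login is an assumption, as are the hostnames, users and addresses.

```python
import re

# Constructed sample, shaped like Dovecot login records (not real logs).
# STARTTLS on 110 and POP3S on 995 both produce the "TLS" token, so alice is
# fine even if she connected to port 110; bob authenticated in cleartext. The
# last line approximates what Dovecot 2.4 logs instead once cleartext auth is
# refused (wording assumed).
SAMPLE_LOG = """\
Jun  3 21:14:02 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, mpid=4101, TLS, session=<aF3k1Q>
Jun  3 21:14:09 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.22, lip=198.51.100.5, mpid=4107, session=<bG7m2R>
Jun  3 21:15:30 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=203.0.113.31, lip=198.51.100.5, mpid=4120, TLS, session=<cH9n3S>
Jun  3 21:16:01 mail dovecot: pop3-login: Login: user=<dave>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4133, secured, session=<dJ1p4T>
Jun  3 21:16:45 mail dovecot: pop3-login: Disconnected: Tried to use disallowed cleartext auth (no auth attempts in 2 secs): user=<>, rip=203.0.113.22, lip=198.51.100.5, session=<eK2q5U>
"""

LOGIN_RE = re.compile(r"dovecot: (?P<service>\w+)-login: Login: (?P<fields>.*)$")


def parse_login(line):
    """Split one 'Login:' record into a dict; None for any other line."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    kv, flags = {}, set()
    for field in (f.strip() for f in m.group("fields").split(",")):
        if "=" in field:
            key, value = field.split("=", 1)
            kv[key] = value.strip("<>")
        else:
            flags.add(field)          # bare tokens: "TLS", "secured"
    return {
        "service": m.group("service"),
        "user": kv.get("user"),
        "rip": kv.get("rip"),
        "method": kv.get("method"),
        "tls": "TLS" in flags,
        "secured": "secured" in flags,
    }


def cleartext_logins(log_text, service="pop3"):
    """(user, remote IP) for every login of `service` with neither TLS nor a trusted path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_login(line)
        if rec and rec["service"] == service and not rec["tls"] and not rec["secured"]:
            hits.append((rec["user"], rec["rip"]))
    return hits


def rejected_cleartext_attempts(log_text):
    """Count sessions Dovecot dropped for attempting cleartext auth (post-upgrade symptom)."""
    return sum(1 for line in log_text.splitlines() if "disallowed cleartext auth" in line)


if __name__ == "__main__":
    for user, rip in cleartext_logins(SAMPLE_LOG):
        print(f"cleartext POP3 login: user={user} from {rip}")
    print(f"rejected cleartext attempts: {rejected_cleartext_attempts(SAMPLE_LOG)}")
```

Run against a real `mail.log`, the first function is the "did this ever happen here" check that the thread is asking about; the second is what fills up after the Dovecot 2.4 upgrade, and its remote addresses point at the clients that need their account settings fixed.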

Re: (Score:2)

by sound+vision ( 884283 )

Not sure, don't ever deal with POP3. Come to think of it, it may be the use of that protocol that they refer to with "legacy account configuration", and not the desktop application.

Where have all the cowboys ehhh I mean firewalls g (Score:1)

by Ilove_Noname ( 8919879 )

Should this not have been noticed in firewall logs a long time ago? Like if your default config was SSL enabled wouldn't you have noticed way too much port 110 activity being blocked? The article does mention this seems to only be affecting certain users with certain configurations, but I feel like this is behaviour that would have been noticed a long time ago if it was widespread. Not saying something isn't fishy, just saying someone somewhere should have noticed this a long time ago if it was actually

Re: Where have all the cowboys ehhh I mean firewal (Score:2)

by dknj ( 441802 )

Not real. I never had 110 open and outlook would use the ssl port.

Re: (Score:3)

by Arrogant-Bastard ( 141720 )

That's a really good question (with bonus Paula Cole reference). I can offer you a hypothesis that might answer it, and that is: default permit.

Almost everyone still configures their firewalls to be default permit (or mostly default permit) because it's the easiest way to avoid breaking things. That's true even when it's desirable to break things so that the root cause can be identified and fixed, because quite often management doesn't care about this: they just want things to work, and when a sysadmin

legacy tax (Score:2)

by OrangeTide ( 124937 )

Just unplug the old insecure protocols by default. Break stuff if it is going to be leaking credentials on the wupd Internet. Don't trust that MS tests their software with anything but their own IIS suite. (Which probably dropped unencrypted / unsigned POP3 as a default option decades ago)

Re: legacy tax (Score:2)

by CAFED00D ( 1337179 )

I've had issues with some open source projects which deprecated SSL in favor of using StartTLS. Upon dumping the traffic, I realized that StartTLS would silently fail and fall back to being totally unencrypted. If I'm forced to use StartTLS, I only use it over an ssh tunnel.

Re: (Score:2)

by OrangeTide ( 124937 )

oof. Yea. I think a better policy for StartTLS is to refuse authentication if it isn't activated. Doesn't totally prevent clients from sending their auth over clear text or to a MiM, but at least the bad client won't silently work.
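The two failure modes above, a client that falls back to cleartext when STLS is missing or refused, and the client-side policy that refuses to authenticate instead, are small enough to show side by side. This is an added example, not Dovecot's, Outlook's or any poster's code. The transport is abstracted so a scripted fake server can stand in for the network and record what the client actually transmitted; `SocketTransport` shows the real-socket wiring with `ssl.create_default_context()` for certificate and hostname verification, and is not exercised by the fake. Hostnames, users, passwords and server replies are made up.

```python
import socket
import ssl


class TLSRequired(Exception):
    """Server did not negotiate TLS and policy forbids sending cleartext credentials."""


class SocketTransport:
    """Real TCP transport with an in-band TLS upgrade (for use against a live server)."""

    def __init__(self, host, port=110, timeout=10):
        self.host, self.tls = host, False
        self.sock = socket.create_connection((host, port), timeout=timeout)

    def readline(self):
        buf = b""
        while not buf.endswith(b"\r\n"):
            chunk = self.sock.recv(1)
            if not chunk:
                raise ConnectionError("server closed connection")
            buf += chunk
        return buf[:-2].decode("ascii", "replace")

    def sendline(self, line):
        self.sock.sendall(line.encode("ascii") + b"\r\n")

    def starttls(self):
        # Verifies the chain and hostname; a MITM downgrade fails here, not silently.
        self.sock = ssl.create_default_context().wrap_socket(self.sock, server_hostname=self.host)
        self.tls = True


class FakeServer:
    """Scripted POP3 server; `sent` records (line, tls_active) for every client line."""

    def __init__(self, supports_stls):
        self.supports_stls, self.tls, self.sent = supports_stls, False, []
        self.pending = ["+OK POP3 ready"]

    def readline(self):
        return self.pending.pop(0)

    def sendline(self, line):
        self.sent.append((line, self.tls))
        cmd = line.split(" ", 1)[0].upper()
        if cmd == "CAPA":
            self.pending += ["+OK", "USER"] + (["STLS"] if self.supports_stls else []) + ["."]
        elif cmd == "STLS":
            self.pending.append("+OK Begin TLS" if self.supports_stls else "-ERR STLS not supported")
        elif cmd in ("USER", "PASS", "QUIT"):
            self.pending.append("+OK")
        else:
            self.pending.append("-ERR unknown command")

    def starttls(self):
        self.tls = True


def read_capa(conn):
    """Return the CAPA keyword set (RFC 2449); empty if the server lacks CAPA."""
    conn.sendline("CAPA")
    if not conn.readline().startswith("+OK"):
        return set()
    caps = set()
    while True:
        line = conn.readline()
        if line == ".":
            return caps
        caps.add(line.split()[0].upper())


def pop3_login(conn, user, password, require_tls=True):
    """Log in. With require_tls, USER/PASS are sent only after STLS succeeded.

    require_tls=False models the fallback described in the thread: if STLS is
    absent or rejected, the client carries on and sends the password in the clear.
    """
    if not conn.readline().startswith("+OK"):
        raise ConnectionError("bad POP3 greeting")
    tls_ok = False
    if "STLS" in read_capa(conn):
        conn.sendline("STLS")
        if conn.readline().startswith("+OK"):
            conn.starttls()
            tls_ok = True
    if require_tls and not tls_ok:
        conn.sendline("QUIT")
        raise TLSRequired("no TLS negotiated; refusing to send credentials")
    conn.sendline(f"USER {user}")
    ok_user = conn.readline().startswith("+OK")
    conn.sendline(f"PASS {password}")
    return ok_user and conn.readline().startswith("+OK")


def try_login(conn, user, password, require_tls=True):
    """'ok', 'failed' or 'refused-cleartext' (policy stopped the login)."""
    try:
        return "ok" if pop3_login(conn, user, password, require_tls) else "failed"
    except TLSRequired:
        return "refused-cleartext"


def password_sent_in_clear(server):
    """True if a PASS command reached the fake server before TLS was active."""
    return any(line.startswith("PASS ") and not tls for line, tls in server.sent)
```

Against the fake without STLS, the lenient client reports a successful login while `password_sent_in_clear` is true, which is exactly the symptom CAFED00D saw in a packet dump; the strict client quits before `PASS`. Enforcing the same rule server-side is what Dovecot 2.4's default does, and the reason the broken clients finally became visible.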

Re: legacy tax (Score:2)

by Z00L00K ( 682162 )

Microsoft want to drive everyone to their proprietary protocols.

Lookout! (Score:5, Funny)

by OrangAsm ( 678078 )

Better name for it.

Email guy... (Score:3)

by Temkin ( 112574 )

So I'm an email guy from way back... Literally decades...

Nobody leaves ports 110 & 143 open & exposed anymore. Not just blocked by a firewall rule; the Dovecot daemons themselves, properly configured, simply don't listen on non-secure ports anymore at all. It's dead technology. You get bit by this, you're just an idiot.

What I found amusing is the bit about modern Outlook vs. Legacy. Modern Outlook, even on your desktop, is a cloud play. You might think you have a local App. You don't. Modern Outlook can't handle a simple "Linux" username as an account. The user "bob@example.com" represented by a "bob" entry in /etc/password cannot be used by a modern Outlook client. It passes the domain to M$ cloud and converts it to "bob@example.com", which a local vanity Dovecot domain will reject. It's intentional... They have placed their cloud between your local App and the email server. You think you're running a local app, but they're hoovering up all your email in a proxy config.

T

Re: Email guy... (Score:2)

by Z00L00K ( 682162 )

If you do it right you use POP3S and IMAPS, then you have encrypted the traffic so that the data is protected. It's still POP3 and IMAP, but in an envelope.
