
Legacy TLS tour continues with Exchange Online blocking old versions from July 2026

(2026/04/29)


Microsoft has warned users still clinging to legacy TLS versions that the end is nigh for TLS 1.0 and 1.1 on POP3 and IMAP4 connections to Exchange Online.

Redmond [1]warned, "We will start to block legacy version connections starting in July 2026."

The move is long overdue, and the Windows giant has been warning users for years that it was coming. Support for TLS 1.0 and 1.1 in Exchange Online ended in 2020. In 2023, Microsoft announced plans to disable those older TLS versions for POP3 and IMAP4 clients in the name of compliance and security, but acknowledged that there was a "significant" number of POP3/IMAP4 clients that didn't support TLS 1.2 or later, and so added an endpoint for clients to opt to keep using the legacy protocols.


It was, however, very much an opt-in thing, and in July 2026, the time will run out.


Transport Layer Security (TLS) dates back decades. 1.0 was published in 1999, and 1.1 in 2006. Both were deprecated in 2021, and Microsoft stated that they "are no longer considered secure."

However, Microsoft is also famous for backward compatibility, and has historically taken a very cautious approach when it comes to switching off services that might make its corporate customers shriek. Hence, Redmond kept the lights on for TLS 1.0 and 1.1, even considering the inherent insecurity of the technology.


Microsoft expects minimal impact from the change. The company wrote, "Modern email clients and libraries already support TLS 1.2 or higher."

"And the vast majority of POP and IMAP traffic to Exchange Online today uses these newer protocols."


Google Workspace still supports TLS 1.0 and 1.1, according to its [10]documentation, although it would be prudent for users to select a more recent protocol, assuming that their client supports it. However, Google's browser tentacle, along with the likes of Firefox and Edge, [11]announced that the legacy protocols were not long for this world in 2018.

The Exchange Online switch-off for TLS 1.0 and 1.1 has been a long time coming, but there could still be disruption despite the protocols' relatively low usage. Legacy devices or software, for example, might stop working as connections fail.

As far as Microsoft is concerned, "Our expectation is that only customers who have explicitly opted into using those legacy endpoints are impacted by the deprecation."


So, anyone using Exchange Online who opted into the legacy protocols should check how their email clients are connecting, or risk summer support calls if things start failing in July. ®




[1] https://techcommunity.microsoft.com/blog/exchange/deprecating-legacy-tls-and-endpoints-for-pop-and-imap-in-exchange-online/4515201

[10] https://knowledge.workspace.google.com/admin/gmail/advanced/send-email-over-a-secure-tls-connection

[11] https://www.theregister.com/2018/10/16/browser_tls_killed/




Anonymous Coward

Good. It was time.

Users should be on TLS >= 1.2.

Most users have no clue what TLS is. In this case, deprecation was pretty much the only way to get users to take action. Unlike other change for the sake of protocol change, this one brought significant features to the table.

I'm normally against forced deprecation, but what was the alternative option here?

Hopefully these users will get caught up on a modern cryptographic protocol, and hopefully, the updated clients will also be post-quantum ready. That changeover is going to be rough if done slowly, and even rougher if it has to be accelerated out of immediate necessity.

Nate Amsden

Re: Good. It was time.

You say that as if the biggest risk to these systems is the encryption used. Who's doing MITM? Really the biggest risk by a factor of 1000x is phishing/social engineering/etc. Gain access to the account the easy way.

Not that this change affects me; I host my own email. The org I work for uses office365 but I use OWA (Linux) and Classic Outlook (Win).

Anonymous Coward

Re: Good. It was time.

State actors (both foreign intelligence services and domestic surveillance) as well as corporate spies.

Phishing/social is obviously the bigger problem, but protocol standards are something IT has more control over.

"Two things are infinite: The universe and human stupidity, and I'm not sure about the universe." - Albert Einstein

Jou (Mxyzptlk)

We disable tls 1.2 by default...

...on Windows. 'been doing that for a long time.

mebh

Editor?

What is this sentence:

"Support for TLS 1.0 and 1.1 in Exchange Online ended in 2020."

intended to mean, in the context of the rest of the article making it clear that Exchange Online very much supports TLS 1.0 and 1.1 today?

Jou (Mxyzptlk)

Re: Editor?

You know the "What we expect from customers is not what we expect from ourselves", right?

... the heat come 'round and busted me for smiling on a cloudy day.