Xelon Blog | Xelon AG

Office 365 forces TLS 1.2

Written by Matias Meier | Jun 18, 2018 12:00:00 PM

You don't use Office 365? Then you should read this blog post! Office 365 is forcing TLS 1.2! Office 365 is changing its receive connectors in October 2018, which directly affects email delivery to Office 365 email addresses. In concrete terms, this means that customer A (Office 365 user, TLS 1.2 supported) can continue to send emails to customer B (other mail server without TLS 1.2), but can no longer receive emails from customer B.

Office 365 forces TLS 1.2

As of October 31, 2018, Office 365 will no longer accept mail from servers that do not support TLS 1.2. According to current information, Office 365 will still deliver mail to you even if your servers don't speak TLS 1.2; the change only concerns delivery to Office 365 mail addresses. Nevertheless, it is of course recommended to also support TLS 1.2 when receiving.

Official Microsoft Blog regarding this change

What do you have to do?

Depending on the mail server you use, certain precautions must be taken.

Postfix:

Current versions of Postfix support TLS 1.2 for receiving as well as sending. No special configuration is necessary. We recommend using a current version of Postfix.

The information below on Exchange and Windows Server has been taken from Microsoft's Exchange Team Blog.

You can find more information here

Exchange 2010:

TLS 1.2 support: starting with SP3 RU19 and latest .NET 3.5.1 version including patches

TLS 1.0/1.1 deactivation possible from: SP3 RU20

Exchange 2013:

TLS 1.2 support: from CU19, with the latest .NET version that is compatible with the CU in use

TLS 1.0/1.1 deactivation possible from: CU20

Exchange 2016:

TLS 1.2 support: from CU8, with the latest .NET version that is compatible with the CU in use

TLS 1.0/1.1 deactivation possible from: CU9

Of course the operating system must also support TLS 1.2.

Windows Server 2008 SP2:

TLS 1.2 is not supported by default. Install the latest updates. Check that KB3161949 and KB4019276 are installed.

For SHA512 certificates: Check KB2973337

For Exchange 2010, additionally install 3154517

Windows Server 2008 R2 SP1:

TLS 1.2 is supported by default, but disabled. Install the latest updates. Check that KB3080079 and KB3161949 are installed.

For SHA512 certificates: Check KB2973337

For Exchange 2010, additionally install 3154518

Windows Server 2012:

TLS 1.2 is activated by default. Install the latest updates. Check that KB3161949 is installed.

For SHA512 certificates: Check KB2973337

For Exchange 2010, additionally install 3154519

Windows Server 2012 R2:

TLS 1.2 is activated by default. Install the latest updates. Check that KB3161949 is installed.

For SHA512 certificates: Check KB2973337

Windows Server 2016:

TLS 1.2 is activated by default. Install the latest updates including the monthly quality updates.
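The per-OS checks above can be scripted. The following is an added example, not part of the original post or of Microsoft's guidance: it looks up the KBs named above for the running OS version and reports any TLS 1.2 overrides in the SCHANNEL registry. The registry path is the standard Windows SCHANNEL location and is an assumption here, as is Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the original post). Needs Windows PowerShell 2.0+.
# KB lists per OS version are the ones named in the article above.
$requiredKbs = @{
    '6.0' = @('KB3161949', 'KB4019276')   # Windows Server 2008 SP2
    '6.1' = @('KB3080079', 'KB3161949')   # Windows Server 2008 R2 SP1
    '6.2' = @('KB3161949')                # Windows Server 2012
    '6.3' = @('KB3161949')                # Windows Server 2012 R2
}

# WMI reports the real OS version string, e.g. "6.1.7601"
$ver   = [version](Get-WmiObject Win32_OperatingSystem).Version
$osKey = '{0}.{1}' -f $ver.Major, $ver.Minor
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })

if ($requiredKbs.ContainsKey($osKey)) {
    foreach ($kb in $requiredKbs[$osKey]) {
        if ($installed -contains $kb) {
            $state = 'installed'
        } else {
            # Get-HotFix matches by ID only; a later rollup that supersedes
            # the KB will not show up under the original number.
            $state = 'not listed, verify manually'
        }
        '{0,-10} {1}' -f $kb, $state
    }
} else {
    'OS version {0}: the article lists no KBs; install the latest updates.' -f $osKey
}

# SCHANNEL protocol overrides (standard Windows location, assumed here).
# Client = outbound SMTP to Office 365, Server = inbound connections.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
foreach ($role in 'Client', 'Server') {
    $p = Get-ItemProperty -Path (Join-Path $base $role) -ErrorAction SilentlyContinue
    if ($null -eq $p) {
        'TLS 1.2 {0}: no registry override, OS default applies' -f $role
    } else {
        'TLS 1.2 {0}: Enabled={1} DisabledByDefault={2}' -f $role, $p.Enabled, $p.DisabledByDefault
    }
}
```

When no override is present, the OS default described above for each Windows Server version decides whether TLS 1.2 is active.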

References and further information:

An Update on Office 365 Requiring TLS 1.2

Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2

Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It

Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1

If you have any questions, please feel free to contact our support team.