
Toggle legacy TLS opt-in for SMTP clients

Introduction

By default, the legacy TLS versions (1.0 and 1.1) are disabled as a security measure.

This setting helps to ensure that legacy TLS does not get enabled inadvertently, which would allow an insecure legacy protocol to be used.

However, in certain circumstances it may be necessary to override this setting and enable the legacy versions of TLS when there is no viable alternative.

In 2021 Microsoft announced that they would deprecate TLS 1.0 and 1.1 in Office 365 and Microsoft 365 (more info). For MSPs supporting legacy environments, there are often devices such as multi-function printers / scanners and legacy software applications which rely on TLS 1.0 and 1.1 to connect to Exchange Online via the SMTP email protocol.

Best practice is to keep legacy TLS protocols disabled, and that is what we recommend.

User Impact

High

Enabling legacy TLS exposes the tenant to vulnerabilities which exist in these protocols and may place the tenant at risk.

However, disabling legacy TLS protocols while they are still in use will prevent access to Exchange Online via SMTP for some devices and applications, which in turn will stop them from sending emails. The impact of this will vary, but in most cases it will have a significant impact on end users.

Parameters

Legacy TLS Opt-in – Enabled/Disabled

Disabled is the default and is the recommended value.

Admin Portal Reference

This setting cannot be configured using the admin portal.

PowerShell Reference

To enable Legacy TLS Opt-in

Set-TransportConfig -AllowLegacyTLSClients $true

To disable Legacy TLS Opt-in

Set-TransportConfig -AllowLegacyTLSClients $false

If Action is set to Notify

When Legacy TLS Opt-In matches the enabled/disabled value provided by the parameter the setting will report as compliant.

When the Legacy TLS Opt-In does not match the enabled/disabled value provided by the parameter the setting will report as non-compliant.

If Action is set to Enforce

When Legacy TLS Opt-In matches the enabled/disabled value provided by the parameter the setting will report as compliant.

When the Legacy TLS Opt-In does not match the enabled/disabled value provided by the parameter, the setting will be updated to match the parameter and report as compliant-fixed.
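The following is an added example, not the product's own code, showing how the Notify and Enforce behaviour described above, together with the Set-TransportConfig commands from the PowerShell Reference, can be reproduced in a single check. It assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline) with an account permitted to run Get-TransportConfig and Set-TransportConfig; the function name Test-LegacyTlsOptIn and its parameter names are illustrative choices.

```powershell
# Added example (hypothetical helper, not part of the original page).
# Assumes Connect-ExchangeOnline has already been run in this session.
function Test-LegacyTlsOptIn {
    param(
        # Mirrors the "Legacy TLS Opt-in – Enabled/Disabled" parameter
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string] $DesiredState,

        # Mirrors the Action setting: Notify reports only, Enforce corrects drift
        [Parameter(Mandatory)]
        [ValidateSet('Notify', 'Enforce')]
        [string] $Action
    )

    # Convert the human-readable parameter into the boolean the cmdlet expects
    $desired = ($DesiredState -eq 'Enabled')

    # Read the tenant's current AllowLegacyTLSClients value
    $current = (Get-TransportConfig).AllowLegacyTLSClients

    # Helper to build a uniform report object
    function New-Report([string] $Result) {
        [pscustomobject]@{
            Setting = 'Legacy TLS Opt-in'
            Current = $current
            Desired = $desired
            Result  = $Result
        }
    }

    # Matching value: compliant under both Notify and Enforce
    if ($current -eq $desired) {
        return New-Report 'compliant'
    }

    # Mismatch under Notify: report only, change nothing
    if ($Action -eq 'Notify') {
        return New-Report 'non-compliant'
    }

    # Mismatch under Enforce: update the tenant to match the parameter
    Set-TransportConfig -AllowLegacyTLSClients $desired
    return New-Report 'compliant-fixed'
}

# Usage: audit against the recommended (Disabled) state without changing anything
Test-LegacyTlsOptIn -DesiredState Disabled -Action Notify

# Usage: correct drift so that legacy TLS is disabled
# Test-LegacyTlsOptIn -DesiredState Disabled -Action Enforce
```

Running the Notify form first is the safer order: it shows whether any tenant currently has AllowLegacyTLSClients set to $true before an Enforce run switches it off, which is the moment the devices and applications described under User Impact would lose SMTP access.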
