Microsoft says it will start blocking legacy TLS connections for POP and IMAP email clients in Exchange Online starting in July 2026.
The Transport Layer Security (TLS) cryptographic protocol protects users’ information from eavesdropping, tampering, and message forgery when accessing email over the Internet via client/server applications.
However, the original TLS 1.0 specification and its TLS 1.1 successor have been in use for over two decades, with TLS 1.0 initially introduced in 1999 and TLS 1.1 in 2006, and are now considered outdated and insecure for encrypting traffic.
As Microsoft explained on Monday, most users won’t be affected by this change since the vast majority of POP and IMAP traffic to Exchange Online today uses TLS 1.2 or higher, and modern email clients already support these newer protocols.
“We’re planning to fully deprecate support for legacy TLS versions (TLS 1.0 and TLS 1.1) for POP3 and IMAP4 connections to Exchange Online. These older TLS versions have been industry‑deprecated for some time and are no longer considered secure,” Microsoft said.
“Several years ago we started the move to block these older versions, but we did allow you to use them by opting-in, we’re now removing support for them entirely. Our expectation is that only customers who have explicitly opted into using those legacy endpoints are impacted by the deprecation we are announcing today.”
What will happen after TLS1.0/11 gets deprecated, according to a Monday message center update:
- POP3 and IMAP4 connections will require TLS 1.2 or later.
- Connections using TLS 1.0 or TLS 1.1 will fail.
- Legacy applications or devices may stop connecting.
- Custom or embedded systems may require updates.
TLS 1.2+ required to avoid disruptions
Before legacy TLS starts getting deprecated in July, Exchange Online customers who use POP or IMAP to access email are advised to ensure that their email clients and applications support TLS 1.2 or later and don’t use legacy endpoints to connect to the service.
Microsoft also recommended that users update custom or embedded applications (such as devices or legacy services) to versions that support modern TLS versions to avoid any issues.
“If you aren’t sure if you are using legacy versions, check the configuration of your POP and IMAP clients and if you are, your application or device vendor can typically confirm TLS support and provide upgrade guidance,” Microsoft added.
This is part of a broader move to ensure that Internet traffic is secured against network sniffing attacks with modern communication protocols.
In a coordinated October 2018 announcement, Microsoft, Apple, Google, and Mozilla revealed that they would retire the insecure TLS 1.0 and TLS 1.1 protocols in the first half of 2020. Microsoft followed up on this and began enabling TLS 1.3 by default starting with Windows 10 Insider builds released in August 2020.
The U.S. National Security Agency (NSA) also provides guidance on identifying and replacing outdated TLS protocol versions and configurations with modern, secure alternatives to decrease attack surfaces and prevent unauthorized access to data.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.