Administrators Need to Plan for Change in Clients and Apps
Last week’s announcement that Microsoft will disable basic authentication for Exchange Online connection protocols from October 2022 certainly got people’s attention. Hopefully the message is sinking in that it’s time to prepare for basic authentication to stop working for protocols like POP3, IMAP4, EWS, and ActiveSync. As we’ll discuss later, Microsoft is making an exception for SMTP AUTH, but that’s no excuse not to do the work to make sure a smooth transition occurs. Some tenant administrators and users might be going to receive a terrific surprise when the hammer descends.
Update (September 1): Microsoft is granting tenants the ability to get a three-month extension before retiring basic authentication. See this article for more detail. January 1, 2023 is the new drop-dead date.
Client Upgrades
One good thing to do now is plan for the replacement of old, insecure email clients. Many of the older clients still connecting with POP3 and IMAP4 tend to pass cleartext credentials. Microsoft has upgraded its implementation of POP3 and IMAP4 to support modern authentication, but even so, it’s time to consider the discontinuation of these antiquated protocols. Noble as their service has been to email, the best days for these protocols are long past.
Many people like using the email client included in mobile devices. These clients connect using Exchange ActiveSync (EAS). Some clients support modern authentication with EAS, and some don’t (and will be affected when basic authentication disappears). Outlook Mobile is the obvious replacement. It’s solid, supports more features than EAS will ever do, and is included in Exchange Online licenses.
Applications
The deprecation of basic authentication will impact applications and devices too. Applications should move to the Microsoft authentication platform (MSAL) to achieve “modern” (OAuth-based) authentication. If you’re a PowerShell user, you should connect using the Exchange Online management module instead of traditional Remote PowerShell.
The SMTP AUTH Exception
And then we come to SMTP AUTH. This protocol poses a conundrum for Microsoft. They would very much like to disable it along with the other protocols but if they do, multi-function devices configured to send email using Exchange Online will stop being able to send messages. The same will happen for PowerShell scripts which use the Send-MailMessage cmdlet. This is the reason why Microsoft says: “effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage (with the exception of SMTP Auth, which can still be re-enabled after that).”
After checking with Microsoft, here’s what will happen:
If a tenant has never used SMTP AUTH, Microsoft is already actively blocking the protocol (see my earlier article) by setting the SmtpClientAuthenticationDisabled organization-wide control. Tenant administrators can disable SMTP AUTH for the organization today by running the command:
If a tenant is using SMTP AUTH, Microsoft will not disable the protocol. The presumption is that the organization knows how they use SMTP AUTH and has good business reasons to continue using SMTP AUTH.
If a tenant discovers that they need to use SMTP AUTH after Microsoft disables the protocol, they can run the Set-TransportConfig cmdlet to update SmtpClientAuthenticationDisabled to $False. However, the big downside in taking this step is that it enables SMTP AUTH across the entire tenant. A per-mailbox setting is available to allow access to SMTP AUTH that overrides the organization configuration. It’s obviously better to limit access to potentially insecure protocols, so it’s recommended that you enable the protocol on a per-mailbox basis to restrict access just to the mailboxes which need to use SMTP AUTH. For example, this command allows the James Smith mailbox to use SMTP AUTH:
Eventually, I think Microsoft will disable SMTP AUTH permanently for Exchange Online. Granting an exception at this point is sensible because it smoothens the path to the October 1, 2022, target date for disconnecting the other protocols. Let’s face it, statistics and telemetry show that most Microsoft 365 account compromises arise through successful attacks using basic authentication protocols like POP3 and IMAP4. The priority must be to remove these routes routinely exploited by password spray and other attacks. Delaying the deprecation of SMTP AUTH for now buys Microsoft and customers some extra time, but the writing is firmly on the wall that the era of basic authentication for all Exchange Online connectivity protocols is coming to an end.
While working with end users to change their email clients, it would be a great idea to introduce them to the wonders of multi-factor authentication. If you’re going to have disruption in the user community because basic authentication disappears for email, you might as well disrupt users a little more to copper fasten their account security.
Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.
11 Replies to “SMTP AUTH Exception Smoothens Path to Basic Auth Removal from Exchange Online”
On my last job we had internal SMTP server running on Windows Server, which in turn was using a connector to Exchange Online (which i think is using secure auth and was one of the proposed options by MS). so MFDs were not talking directly to EO, but to that internal SMTP servers. Same for other systems that needed to send emails (like internal old SharePoint 2013, etc.).
I am sure people will come up with many inventive solutions to keep systems running. Finding all the devices and applications which send email via Exchange is one task. Reconfiguring them all to use an alternative route or different implementation is the larger challenge.
The microsoft SMTP service (running on old IIS6) is also using Basic Authentication. And there is no replacement from Microsoft for this legacy bit of software.
It was abandoned because there are few people left trying to send email from a web app running on server 2008. It’s pretty hard to find a head cleaner for a 5.25 inch floppy drive as well.
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}
On my last job we had internal SMTP server running on Windows Server, which in turn was using a connector to Exchange Online (which i think is using secure auth and was one of the proposed options by MS). so MFDs were not talking directly to EO, but to that internal SMTP servers. Same for other systems that needed to send emails (like internal old SharePoint 2013, etc.).
I am sure people will come up with many inventive solutions to keep systems running. Finding all the devices and applications which send email via Exchange is one task. Reconfiguring them all to use an alternative route or different implementation is the larger challenge.
The microsoft SMTP service (running on old IIS6) is also using Basic Authentication. And there is no replacement from Microsoft for this legacy bit of software.
It was abandoned because there are few people left trying to send email from a web app running on server 2008. It’s pretty hard to find a head cleaner for a 5.25 inch floppy drive as well.