With Microsoft about to close the access of some versions of Outlook to Microsoft 365 and Outlook 365 services (that happens on November 1), it is important to remember that this is not the only change coming to Outlook. A second change scheduled for next year could have a bigger impact on the way your email client connects, and it can affect other email applications as well.
Because it could affect many users and businesses, Microsoft is giving everyone fair warning, a year in advance. On Oct. 1, 2022, Microsoft wants to disable basic authentication for its online mail services. This is not the first time the company has warned us about this. It had planned to disable basic authentication earlier this year, before it realized it couldn't do so without impacting businesses and users still battling the pandemic. Hence the delay.
So what is basic authentication? It's what we're used to by now: username and password access to old Post Office Protocol or "POP" email, where you log in and download emails to your computer. You may think that POP access using Basic Authentication should be secure enough, assuming you don't click malicious links, keep your computer up to date, and use a secure browser.
It turns out that attackers can use the weaknesses built into this ancient protocol to break into online mail servers. As long as those mail servers have to support these older protocols, attackers can use any number of brute force attacks and other devious methods of breaking into your mailbox. (If you have an easy-to-crack password, an attacker can use dictionary attacks to eventually guess your password.)
The ins and outs of POP3 and IMAP
POP3 is one of the oldest mail protocols out there. Originally described in 1984 in RFC 918, it was followed by POP2 in 1985 in RFC 937. Then POP3 arrived in 1988 with RFC 1081. It was designed to support downloading of emails from the mail server to a local email client. Once the emails are downloaded, you can choose to leave copies on the server or delete them. It was designed at a time when mail server operators wanted users to pull emails from their servers to save space. In the last 10 years, Internet Message Access Protocol (IMAP) has risen to the forefront, although POP3 is still in use.
Note: the new changes will not affect SMTP authentication. This is generally used in businesses to connect devices such as printers and copiers so that they can send scanned documents. If you use Microsoft 365 and rely on SMTP AUTH to connect your scanners, this should continue to work. If you happen to discover that SMTP AUTH is not working after the October 2022 change is implemented, you can re-enable it with the following cmdlet.
To enable it across the tenant in your account, go to Exchange PowerShell:
Set-TransportConfig -SmtpClientAuthenticationDisabled $False
To enable SMTP authentication for a specific mailbox:
Set-CASMailbox -Identity "[email protected]" -SmtpClientAuthenticationDisabled $False
Furthermore, as Microsoft points out in its blog post, there will still be an optional endpoint to allow SMTP AUTH clients to authenticate using legacy TLS for devices.
To take advantage of this new endpoint, administrators will need to:
Set the AllowLegacyTLSClients parameter on the Set-TransportConfig cmdlet to True.
(Legacy clients and devices will need to be configured to send using the new smtp-legacy.office365.com endpoint to connect.)
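The SMTP AUTH switch exists at two levels, the tenant and the individual mailbox, so it helps to see which mailboxes can actually authenticate over SMTP before and after changing it. The following is an added example, not code from the original article or from Microsoft: the function name Get-EffectiveSmtpAuth and the sample mailboxes are hypothetical, and it assumes Microsoft's documented behavior that a per-mailbox value overrides the tenant value while an empty per-mailbox value inherits it.

```powershell
# Added example: resolve the effective SMTP AUTH state for each mailbox.
# Assumption: a per-mailbox SmtpClientAuthenticationDisabled value overrides
# the tenant-wide value, and $null on the mailbox means "inherit the tenant".
function Get-EffectiveSmtpAuth {
    param(
        [Parameter(Mandatory)] [bool]     $TenantDisabled,
        [Parameter(Mandatory)] [object[]] $Mailboxes
    )
    foreach ($mbx in $Mailboxes) {
        $override = $mbx.SmtpClientAuthenticationDisabled
        if ($null -eq $override) {
            # No mailbox-level setting: the tenant decides.
            $disabled = $TenantDisabled
            $source   = 'tenant'
        } else {
            # Mailbox-level setting wins over the tenant.
            $disabled = [bool]$override
            $source   = 'mailbox'
        }
        [pscustomobject]@{
            Identity        = $mbx.Identity
            SmtpAuthEnabled = -not $disabled
            DecidedBy       = $source
        }
    }
}

# Constructed sample data (hypothetical mailboxes) so the logic runs offline.
$sample = @(
    [pscustomobject]@{ Identity = 'scanner-floor2@example.com'; SmtpClientAuthenticationDisabled = $false }
    [pscustomobject]@{ Identity = 'alice@example.com';          SmtpClientAuthenticationDisabled = $null  }
    [pscustomobject]@{ Identity = 'bob@example.com';            SmtpClientAuthenticationDisabled = $true  }
)

# Tenant-wide SMTP AUTH disabled: only explicitly enabled mailboxes remain.
Get-EffectiveSmtpAuth -TenantDisabled $true -Mailboxes $sample |
    Where-Object SmtpAuthEnabled |
    Format-Table Identity, DecidedBy

# Against a live tenant, from an Exchange Online PowerShell session:
# $tenant = (Get-TransportConfig).SmtpClientAuthenticationDisabled
# Get-EffectiveSmtpAuth -TenantDisabled $tenant -Mailboxes (Get-CASMailbox -ResultSize Unlimited)
```

Keeping the tenant value disabled and enabling SMTP AUTH only on the mailboxes that scanners and copiers use limits the accounts exposed to password guessing over that protocol.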
If you rely on legacy protocols from all kinds of devices, it can often be easier to use a third-party solution like smtp2go.com; it allows you to configure a static IP address that is allowed to send emails. That way, you can easily configure older devices to continue using email without reducing the security of your Microsoft 365 deployment.
If you are an individual user who is not running Microsoft 365 as a mail platform, you may still be affected by the upcoming changes. Many ISPs are using Microsoft 365 as their rebranded mail platform, and many other ISPs are doing the same because basic authentication exposes mail servers to hacking. (Many providers have already moved to different platforms.) How do you know if you are still using Basic Authentication? That's really easy to determine: check your email settings to see if they show that you are using POP3 or IMAP as your mail server protocols. If so, you are still using basic authentication.
Another way to see what you are using is to look at the authentication prompt that is offered to you. (You can see examples of this by scrolling through various blogs here and here showing the older Basic Authentication connection.)
In general, what is the best way to deal with these changes?
What to do now
First, determine if you will be affected. If you already use a web interface to log into your email and you don't use an email application, you will not be affected. In that case, it basically depends on whatever authentication the web interface supports. If you use an application such as Outlook, Thunderbird, Ebird, or other email clients, you may need to set up your email account again so that the application configures it with modern authentication protocols. Contact your email provider to see if they plan to make any changes. If you are affected, you can always use your ISP's web interface to read email until you decide on a long-term solution.
In the long term, it is advisable not to use POP3 or IMAP in email. Attackers use them too often to brute-force email servers. Change is difficult and the move to a new email platform is disruptive, but so are successful email attacks. Plan ahead now to deal with the changes ahead.
Copyright © 2021 IDG Communications, Inc.