New opt-in endpoint for POP3/IMAP4 clients that need legacy TLS

Exchange Online ended support for TLS1.0 and TLS1.1 in October 2020. This year, we plan to disable these older TLS versions for POP3/IMAP4 clients to secure our customers and meet compliance requirements. However, we know that there is still significant usage of POP3/IMAP4 clients that don’t support TLS 1.2, so we’ve created an opt-in endpoint for these clients so they can use TLS1.0 and TLS1.1. This way, an organization is secured with TLS1.2 unless they specifically decide to opt for a less secure posture.

Only WW tenants can use this new endpoint. Tenants in US government clouds have higher security standards and cannot use older versions of TLS.

To take advantage of this new endpoint, admins will have to:

  1. Use Set-TransportConfig to set the AllowLegacyTLSClients parameter to True.
  2. Configure legacy POP3/IMAP4 clients and devices to use pop-legacy.office365.com / imap-legacy.office365.com as the new endpoint. Customers who use Microsoft 365 operated by 21 Vianet need to configure their clients to use pop-legacy.partner.outlook.cn / imap-legacy.partner.outlook.cn.

Starting in February 2023, we will reject a small percentage of connections that use TLS1.0 for POP3/IMAP4. Clients should retry as they do with any other temporary error that can occur when connecting. Over time we will increase the percentage of rejected connections, causing delays in connecting that should be more and more noticeable. The error will be:

TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/popimap_tls.

We intend to fully disable TLS 1.0 and TLS 1.1 for POP3/IMAP4 on the regular endpoint by the end of April 2023.  Affected customers will receive a Message Center post in a few days notifying them of this change.

Additional documentation can be found here: Opt in to the Exchange Online endpoint for legacy TLS clients using POP3 or IMAP4.

Exchange Team