Description
Microsoft said in a statement that it is working on a new system that will restrict, and eventually block, email sent to Exchange Online from on-premises Exchange Servers that are end-of-life (EOL) or do not have the latest security patches installed.
Here is what Microsoft shared on the subject:
“As we continue to improve cloud security, we started working on emails sent to Exchange Online from unsupported and unpatched Exchange servers. There are many risks of running unsupported or unpatched software, but by far the biggest risk is security. When a version of Exchange Server is no longer supported, it will not receive security updates, so vulnerabilities discovered after support ends cannot be closed. There are similar risks associated with running software that has not been patched for known vulnerabilities. After a security update is released, attackers reverse engineer the updates to better understand how to exploit the vulnerability on unpatched servers. Unsupported or unpatched servers are vulnerable and cannot be trusted. Therefore, we cannot trust email messages sent from them.
To solve this problem, we are introducing three new core auditing features in Exchange Online: Reporting, Restriction and Blocking. This new system will continuously analyze email sending servers and if the sender does not close Exchange server vulnerabilities, over time email traffic will be restricted and eventually blocked.
Reporting
We are adding new reporting to the Exchange admin center (EAC) in Exchange Online. With this new reporting, Exchange Online administrators will be able to analyze sending email servers.
Restriction
The system will monitor the email servers for a while, and if the vulnerabilities are not closed in time, the email traffic will be slowed down and the following message will be returned:
“450 4.7.230 Connecting Exchange server version out of date; Exchange Online connection throttled for Minutes/hour. For more information, see https://aka.ms/BlockUnsafeExchange.”
The duration of the lockdown will gradually increase over time. However, if the problems on the server are not fixed within 30 days after the email restrictions start, emails will start to be blocked.
Blocking
After a certain period of time, emails from that server are blocked. Exchange Online will return a non-deliverable report (NDR) error to the sender: “550 5.7.230 Connecting Exchange server version out of date; Exchange Online connection blocked for 10 minutes/hour. For more information, see https://aka.ms/BlockUnsafeExchange.”
The table below shows the phasing of gradual sanctions over time.
Starting with Exchange Server 2007!
This mandatory new system will eventually be applied to all versions of Exchange Server and all email coming into Exchange Online. We start with Exchange 2007 servers, because Exchange 2007 is the oldest Exchange version that supports Exchange hybrid configuration. Following this initial deployment, other versions of Exchange Server will be phased in and eventually expanded to include all versions of Exchange Server, regardless of how they send mail to Exchange Online. Alert messages will be sent to inform customers. In addition, notification messages will be sent to customers 30 days before Exchange Server versions are included in the new system. In-house notification messages will also be sent 30 days before we take action on mail coming from Exchange servers.”
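The 450 4.7.230 and 550 5.7.230 responses quoted above are the signal an on-premises administrator can watch for in the send connector's protocol logs. The following is an added example, not Microsoft's or this page's code: it scans log lines for those enhanced status codes and reports whether the server is currently being throttled or blocked. The comma-separated log layout and the sample lines are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Enhanced status codes quoted in Microsoft's announcement: 450 4.7.230 means the
# connection is being throttled (transient), 550 5.7.230 means it is blocked (permanent NDR).
_ENFORCEMENT = re.compile(
    r"\b(?P<reply>450|550)\s+(?P<esc>[45]\.7\.230)\b.*?"
    r"connection\s+(?P<action>throttled|blocked)\s+for\s+(?P<minutes>\d+)?\s*minutes/hour",
    re.IGNORECASE,
)

@dataclass
class EnforcementEvent:
    reply: int                        # SMTP reply code (450 or 550)
    esc: str                          # enhanced status code (4.7.230 or 5.7.230)
    action: str                       # "throttled" or "blocked"
    minutes_per_hour: Optional[int]   # None when the response omits the number

def parse_response(line: str) -> Optional[EnforcementEvent]:
    """Return the enforcement event carried by one log line, or None if it is unrelated."""
    m = _ENFORCEMENT.search(line)
    if not m:
        return None
    minutes = m.group("minutes")
    return EnforcementEvent(int(m.group("reply")), m.group("esc"),
                            m.group("action").lower(), int(minutes) if minutes else None)

def summarize(lines: Iterable[str]) -> dict:
    """Count throttle/block responses and report the worst enforcement stage seen."""
    summary = {"throttled": 0, "blocked": 0, "max_minutes_per_hour": 0}
    for line in lines:
        ev = parse_response(line)
        if ev is None:
            continue
        summary[ev.action] += 1
        if ev.minutes_per_hour is not None:
            summary["max_minutes_per_hour"] = max(summary["max_minutes_per_hour"], ev.minutes_per_hour)
    summary["stage"] = "blocked" if summary["blocked"] else ("throttled" if summary["throttled"] else "clean")
    return summary

# Constructed sample lines in a send-connector protocol-log style (timestamp, connector, direction, response).
SAMPLE_LOG = [
    "2023-03-24T10:01:12Z,Outbound to Office 365,<,450 4.7.230 Connecting Exchange server version out of date; Exchange Online connection throttled for Minutes/hour. For more information, see https://aka.ms/BlockUnsafeExchange.",
    "2023-03-24T10:05:40Z,Outbound to Office 365,<,250 2.6.0 <msg-id@contoso.example> Queued mail for delivery",
    "2023-04-28T09:12:03Z,Outbound to Office 365,<,550 5.7.230 Connecting Exchange server version out of date; Exchange Online connection blocked for 10 minutes/hour. For more information, see https://aka.ms/BlockUnsafeExchange.",
]
```

Running `summarize(SAMPLE_LOG)` on the constructed lines reports one throttle and one block, so the stage is "blocked"; a "throttled" stage is the 30-day warning window described above in which patching still avoids the NDRs.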
Recommendations
- Make sure all missing security updates for your on-premises Exchange Server infrastructure are applied.
- Upgrade any on-premises Exchange servers that are end-of-life, no longer supported, or whose support will expire to the latest version available, or migrate your entire email infrastructure to Exchange Online.
The following table shows the lifetime (EOL) of Exchange servers
- Use security products such as a spam gateway to secure email traffic.
- Inform the business partners or customers with whom you communicate via email.