Introduction
Normally I don’t post much about what Microsoft puts on their EHLO blog, as I tend to focus most of my time on PowerShell. However, this change is pretty big, with a real possibility of service interruption for those unaware of it.
Do you manage an Exchange Server / Exchange Online environment? Do you keep your servers up to date and patched? If you do, then Microsoft’s change will have little to no effect on your organization. However, if you have older, out-of-support servers, or are not updating your on-premises Exchange Servers, then you may want to read the “Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online” article that was just posted by Microsoft. I don’t want to rehash what is in the article; instead I will summarize it and provide some visual aids for understanding the implications and the actions required.
It is worth noting that all scenarios discussed below involve organizations that have on-premises Exchange Servers connecting to Exchange Online.
What Flow is Unsupported?
For the first stage of this change, unsupported servers connecting to Exchange Online will include Exchange 2007, 2010 and 2013 as they are out of support and no longer being patched:
What Flow is Supported in the Interim?
One takeaway we need to be aware of is that while the first target is Exchange 2007, the most vulnerable version, the article specifically states that any server that is unsupported will be included in this process. The other caveat is that, for now, the Exchange Server that is analyzed is the one with a direct connection to Exchange Online via a Send Connector. If you were running Exchange 2010 and 2016, Exchange 2016 is up to date, and the Send Connector to Exchange Online uses only Exchange 2016 as its source server, then you would not be affected by this change.
Now, what about what is supported? The key is having an Exchange Server 2016 / 2019 that is patched with current updates and is the transport server connecting to Exchange Online. If there are other older, unsupported servers in the environment and they do not connect to Exchange Online directly, then you should not experience any issues for now. Here are some supported scenarios in the interim, until ALL servers are affected:
What Flow is Supported? – End State
In the end, however, all older unsupported and “persistently vulnerable Exchange servers” will need to be removed from any environment that sends email to Exchange Online. Thus, we end up with this state of only Exchange 2016 and 2019 servers:
Why This Change?
Simply put, it revolves around compromised Exchange Servers. Unfortunately there has been a series of exploits against Exchange Servers, which has caused all sorts of problems for the compromised organizations as well as for those who receive email from these servers. Microsoft has taken the approach of not trusting older versions of Exchange, as they are considered too large a risk to ignore. Limiting which Exchange Servers can connect to Exchange Online helps protect those in Exchange Online as well as the organizations running the older server versions. The latter are assisted by Microsoft guidance on what upgrades are needed to avoid the worst-case scenario of compromised servers spewing spam and malicious content to unknowing recipients.
What to Expect
Every organization’s experience will vary depending on what servers they are using, what upgrade process they go through, and when they are able to make changes. Microsoft will provide plenty of information to their customers, as well as a gradual change to their mail flow experience, so as not to cause too much harm up front. Make sure to use the dashboard Microsoft provides to determine the current state of your on-premises Exchange Servers. If something needs to be remediated, there will be reporting, throttling and blocking enforcement stages to deal with, which should provide a cushion to organizations and allow for updates to be made in a timely manner.
Read the article for a complete list of those timelines.
To Do
If the server connecting to Exchange Online (for SMTP traffic) is Exchange 2016 or 2019, then keeping the server up to date is the only required task for now. However, if you still have older servers in the environment, now is the time to decommission them as Microsoft’s changes will eventually affect you.
In the interim stage, where only the frontline Exchange servers are affected, only organizations that have servers older than 2016, such as Exchange 2007, 2010 and 2013, as their frontline server will need to remove them from any direct mail routing to Exchange Online. For this stage, these are the recommended actions:
Exchange 2007: requires a double-hop upgrade, as only Exchange 2010/2013 are supported in an Exchange organization with Exchange 2007. Thus, one upgrade to 2013 would be suggested and then another upgrade to either 2016 or 2019, AFTER removal of ALL Exchange 2007 servers. The final step would then be to remove any Exchange 2013 and older servers in the environment.
Exchange 2010: requires a single version upgrade to Exchange 2016. Once Exchange 2016 is in the Exchange organization and patched to the latest patch level, the next step should be to move any email routing connectors on Exchange 2010 that route mail to Exchange Online and transfer that capability to Exchange 2016. The final step would then be to remove any Exchange 2013 and older servers in the environment.
Exchange 2013: requires a single version upgrade to Exchange 2016 or Exchange 2019. Once Exchange 2016 or 2019 is in the Exchange organization and patched to the latest patch level, the next step should be to move any email routing connectors on Exchange 2013 that route mail to Exchange Online and transfer that capability to Exchange 2016 or 2019. The final step would then be to remove any Exchange 2013 and older servers in the environment.
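The steps above all hinge on two questions: which Exchange versions are in the organization, and which servers are the source transport servers for the Send Connector that routes to Exchange Online (the server Microsoft analyzes, as noted earlier). The script below is an added example for answering both from the Exchange Management Shell; it is not code from the original post or from Microsoft’s article. The version-to-release mapping (8.x = 2007, 14.x = 2010, 15.0 = 2013, 15.1 = 2016, 15.2 = 2019) is fixed by the product. The pattern used to recognise an Exchange Online connector (a smart host or address space under mail.protection.outlook.com or mail.onmicrosoft.com, the hybrid wizard’s defaults) is an assumption; adjust $OnlinePattern if your connector is named or addressed differently.

```powershell
# Added example (not from the original post or Microsoft's article).
# Run in the on-premises Exchange Management Shell. It inventories every
# Exchange server by release, then lists Send Connectors that appear to route
# to Exchange Online and flags any whose source transport servers are out of
# support (2007/2010/2013), i.e. the servers the article says must be removed
# from direct routing to Exchange Online.

# Translate the "Version X.Y (Build ...)" string into a product name.
function Get-ExchangeRelease {
    param([string]$AdminDisplayVersion)
    if ($AdminDisplayVersion -match 'Version (\d+)\.(\d+)') {
        $major = $Matches[1]; $minor = $Matches[2]
        if ($major -eq '8')  { return 'Exchange 2007' }   # 8.0 - 8.3 (RTM - SP3)
        if ($major -eq '14') { return 'Exchange 2010' }   # 14.0 - 14.3
        if ($major -eq '15') {
            switch ($minor) {
                '0' { return 'Exchange 2013' }
                '1' { return 'Exchange 2016' }
                '2' { return 'Exchange 2019' }
            }
        }
    }
    return 'Unknown'
}

# What the article treats as supported, for now: patched 2016 / 2019.
$Supported = @('Exchange 2016', 'Exchange 2019')
# ASSUMPTION: how an Exchange Online connector is recognised (hybrid wizard defaults).
$OnlinePattern = 'mail\.protection\.outlook\.com|mail\.onmicrosoft\.com'

# 1. Inventory: every server, its release, and whether it is still supported.
$Servers = Get-ExchangeServer | ForEach-Object {
    $release = Get-ExchangeRelease -AdminDisplayVersion "$($_.AdminDisplayVersion)"
    [pscustomobject]@{
        Name      = $_.Name
        Release   = $release
        Version   = "$($_.AdminDisplayVersion)"
        Role      = "$($_.ServerRole)"
        Supported = ($Supported -contains $release)
    }
}
$ReleaseByName = @{}
foreach ($s in $Servers) { $ReleaseByName[$s.Name] = $s.Release }

# 2. Send Connectors that point at Exchange Online, and the servers that source them.
$Findings = Get-SendConnector | Where-Object {
    $c = $_
    $targets = @($c.SmartHosts | ForEach-Object { "$_" }) +
               @($c.AddressSpaces | ForEach-Object { "$_" })
    ($targets -join ' ') -match $OnlinePattern
} | ForEach-Object {
    $connector = $_
    foreach ($src in $connector.SourceTransportServers) {
        $name = "$($src.Name)"
        $release = $ReleaseByName[$name]
        if (-not $release) { $release = 'Unknown' }
        [pscustomobject]@{
            Connector    = $connector.Name
            Enabled      = $connector.Enabled
            SourceServer = $name
            Release      = $release
            Action       = $(if ($Supported -contains $release) { 'Keep patched' }
                             else { 'Move connector to 2016/2019, then decommission' })
        }
    }
}

Write-Host "On-premises Exchange servers:"
$Servers | Sort-Object Release, Name | Format-Table -AutoSize

if (-not $Findings) {
    Write-Host "No Send Connector matched '$OnlinePattern'; check the connector's smart hosts / address spaces."
} else {
    Write-Host "Send Connectors to Exchange Online and their source transport servers:"
    $Findings | Format-Table -AutoSize
}
```

Any row whose Action reads “Move connector to 2016/2019, then decommission” is a frontline server in the interim stage; removing it from SourceTransportServers on that connector (after a patched 2016/2019 server is added there) is the move described in the steps above, and the inventory table is the list of servers that still need to leave the organization for the end state.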
Some scenarios above may be supported in the current iteration of the Exchange Deployment Assistant, which is worth reviewing for many organizations looking to upgrade Exchange.
Final Thoughts
While this change will cause some organizations pain, it is really a good effort by Microsoft to pressure their customers to get up to date. With all of the recent security issues around Exchange Servers, using the latest version will shield both Microsoft and their customers from potential harm. The gradual enforcement efforts also allow customers time to make changes to their systems. As consultants, we find advice like this welcome, as we are constantly asked about Microsoft recommendations. Until now, Exchange Online placed no restriction on mail flow: it would not prevent an old server version like Exchange 2007, 2010 or 2013 from connecting and transmitting email. Now, with official guidance, we can pointedly say that Microsoft’s best practice is to remove these servers by spinning up new ones and migrating. This is a change for good security and will hopefully lead to fewer vulnerable Exchange Servers in the ether.