Transport-Based Enforcement System in Exchange Online

by Jeyakumar Durai (JD)
Cloud Architect

Microsoft is enabling a transport-based enforcement system in Exchange Online that will eventually block email from unsupported and unpatched on-premises Exchange servers. The enforcement system runs in report mode for 30 days, then progressively throttles mail from the affected server; if no action is taken, mail from the unsupported Exchange server is eventually blocked. The table below lists the enforcement action and duration of each stage.


As the table shows, once the enforcement system is in place and the server has not been remediated during the 30-day report-only period (Stage 1), Exchange Online begins to throttle messages from it. Throttling is a transient SMTP error, so the sending server queues the message and retries it later; the result is delayed delivery, not loss. The throttling duration increases through Stages 2 to 4 if no remediation is performed. If the server is still not remediated during the throttling phase, Exchange Online starts blocking messages in Stages 4 to 8, until all mail from the unsupported Exchange version is blocked. A blocked message receives a permanent SMTP 550 error, which causes the sending server to generate a non-delivery report (NDR) to the sender.

Where can an Administrator see the unsupported Exchange version report for their organization?

Microsoft is adding a new mail flow report to the Exchange admin center (EAC) in Exchange Online that lists any unsupported or out-of-date on-premises Exchange servers that connect to Exchange Online to send email.

Which Exchange Server versions are affected by this enforcement system?

Enforcement starts with a small subset of outdated Exchange 2007 servers and will eventually apply to all unsupported versions, namely Exchange 2007, 2010 and 2013 (out of support since April 11, 2023), and to Exchange Server 2016 and 2019 installations that are significantly behind on security updates.

Will Microsoft notify administrators when the enforcement system is in place for their tenant?

Microsoft will send targeted Message Center posts to customers 30 days before their version of Exchange Server is included in the enforcement system.

Can administrators opt their tenant out of the enforcement system?

No. Administrators cannot opt their tenant out of the enforcement system, but they can pause it for at most 90 days per year.

The new mail flow report in the EAC lets an admin request a temporary enforcement pause. This suspends all throttling and blocking and returns the server to report-only mode for the period the admin specifies, up to 90 days per year in total.

What actions should administrators take in response to the enforcement system?

  • Move the Exchange workload from unsupported Exchange Server versions to Exchange Online or to a supported Exchange Server version, then decommission the unsupported servers.
  • If the organization runs Exchange 2016 or 2019, make sure every server is current on cumulative updates (CUs) and security updates (SUs); a server that is significantly behind on security updates is also subject to enforcement.
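Both the version inventory called for in the bullets above and the queue-and-retry behaviour described in the throttling section can be checked from the Exchange Management Shell. The script below is an added example written for this post, not Microsoft's or Helient's tooling. It relies only on the standard Get-ExchangeServer and Get-Queue cmdlets; the build thresholds in $MinimumCuBuild are an assumption and must be replaced with the current values from Microsoft's Exchange Server build table before use.

```powershell
# Added example for this post (not Microsoft's or Helient's tooling). Run it in the
# Exchange Management Shell on a supported on-premises server that can see the
# whole organization. The build thresholds in $MinimumCuBuild are an assumption:
# replace them with the current values from Microsoft's Exchange build table.

# AdminDisplayVersion.Major/.Minor identify the product; .Build identifies the CU.
function Get-ExchangeProductName {
    param([Parameter(Mandatory)] $Version)   # Microsoft.Exchange.Data.ServerVersion
    switch ($Version.Major) {
        8  { return 'Exchange 2007' }
        14 { return 'Exchange 2010' }
        15 {
            switch ($Version.Minor) {
                0 { return 'Exchange 2013' }
                1 { return 'Exchange 2016' }
                2 { return 'Exchange 2019' }
            }
        }
    }
    return "Unknown ($Version)"
}

# Minimum acceptable CU build number per product still in support.
# Assumed placeholder values; update them from the current Exchange Server build table.
$MinimumCuBuild = @{
    'Exchange 2016' = 2507   # 15.1.2507.x
    'Exchange 2019' = 1258   # 15.2.1258.x
}

function Get-ExchangeEnforcementState {
    param([Parameter(Mandatory)] $Server)    # object returned by Get-ExchangeServer
    $ver     = $Server.AdminDisplayVersion
    $product = Get-ExchangeProductName -Version $ver
    if (-not $MinimumCuBuild.ContainsKey($product)) {
        $state = 'UNSUPPORTED: migrate to Exchange Online or a supported version, then decommission'
    } elseif ($ver.Build -lt $MinimumCuBuild[$product]) {
        $state = 'BEHIND: install the current CU, then the latest SU'
    } else {
        # AdminDisplayVersion does not change when a Security Update is installed, so a
        # current CU is necessary but not sufficient; confirm the SU level with
        # Microsoft's HealthChecker script (https://aka.ms/ExchangeHealthChecker).
        $state = 'CU current: verify SU level separately'
    }
    [pscustomobject]@{
        Server  = $Server.Name
        Product = $product
        Version = '{0}.{1}.{2}.{3}' -f $ver.Major, $ver.Minor, $ver.Build, $ver.Revision
        State   = $state
    }
}

# 1. Inventory every server in the organization and classify it.
$inventory = Get-ExchangeServer | ForEach-Object { Get-ExchangeEnforcementState -Server $_ }
$inventory | Sort-Object State, Server | Format-Table -AutoSize -Wrap

# 2. Look for evidence that throttling has already started: a throttled message gets a
#    transient SMTP response, so it stays in a transport queue in Retry state, and the
#    queue's LastError records the response Exchange Online returned.
foreach ($srv in (Get-ExchangeServer | Where-Object { $_.IsHubTransportServer })) {
    try {
        Get-Queue -Server $srv.Name -Filter "Status -eq 'Retry'" -ErrorAction Stop |
            Select-Object @{ n = 'Server'; e = { $srv.Name } },
                          NextHopDomain, MessageCount, LastRetryTime, LastError |
            Format-Table -AutoSize -Wrap
    } catch {
        Write-Warning "Could not query queues on $($srv.Name): $($_.Exception.Message)"
    }
}
```

AdminDisplayVersion reflects only the cumulative update, so a server reported as "CU current" still needs its security update level confirmed, for example with Microsoft's HealthChecker script. Queues stuck in Retry whose LastError comes from Exchange Online are the on-premises symptom of the throttling stages; once blocking starts, the 550 response produces an NDR to the sender instead of a queued message, so the queue check alone will not show it.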

Helient strongly recommends moving your Exchange workload to Exchange Online or to a supported Exchange Server version in response to this transport-based enforcement system announced by Microsoft. If you would like more information or assistance, please contact our industry-leading experts at service@helient.com.