Microsoft is right to throttle outdated Exchange servers


Harry

Member
Oct 13, 2020
I am happy that Microsoft will try to eliminate outdated Exchange servers, and many corporate email administrators probably also are. I spend a lot of my time on third-party risk and third-party breaches. Microsoft's stated reason for throttling outdated Exchange servers is the mail that they send. I'm more concerned about mail they receive, particularly from me. It is well documented that Exchange attacks like ProxyShell have led to loss of confidentiality and the installation of ransomware. Steve argues that organizations running outdated Exchange servers are perfectly happy with their old installations. I doubt it. The reality is that decision makers in the organizations with those servers do not care about security. They prioritize short term savings over the security and privacy of their customers and employees. Email admins and security people (if they exist) in those organizations have probably already made the case to upgrade for security reasons. Now Microsoft is helping them make it happen.

Think about why we have privacy laws. They exist because most organizations will not voluntarily enact burdensome and expensive privacy practices. Most organizations do what they have to do and not much more. I applaud Microsoft for taking this action. I don't want to have to send out a breach notification because one of our third parties and you shouldn't want to receive one.
 
Who coded the old software? (Hint: Microsoft did.) They released the software as fit for purpose and not dangerous to operate. If that software is, or has become, dangerous to operate, then Microsoft should be providing enough support to eliminate any danger in operating it... whether it is within warranty or not. Would you accept that your vehicle could suddenly have the steering wheel stop functioning safely while in use? If that could happen, would you consider it a design or manufacturing flaw and expect the manufacturer to do a recall? I think the issue is that Microsoft is trying to shirk their legal duty to make sure their server software does not become a danger to its users. No doubt it would be cheaper for them to just give free upgrades to users that have entered into a dangerous situation.
 
Who coded the old software? (Hint: Microsoft did.) They released the software as fit for purpose and not dangerous to operate. If that software is, or has become, dangerous to operate, then Microsoft should be providing enough support to eliminate any danger in operating it... whether it is within warranty or not. Would you accept that your vehicle could suddenly have the steering wheel stop functioning safely while in use? If that could happen, would you consider it a design or manufacturing flaw and expect the manufacturer to do a recall? I think the issue is that Microsoft is trying to shirk their legal duty to make sure their server software does not become a danger to its users. No doubt it would be cheaper for them to just give free upgrades to users that have entered into a dangerous situation.
Should Microsoft continue to patch Windows 95?
 
I can see a good number of operations with old Exchange versions using them inside a semi-transparent proxy that handles things like known bugs and known attacks, either by simply dumping the message or rewriting it to a benign version. A feature they likely will do now is also handle outgoing email, rewriting headers to spoof that the sender is a current version, or simply not sending any header info other than the bare minimum required by the RFC to handle the message, or using the header from one of the open source options, as MS has to accept those or risk having half the email servers never forward mail to them. Or the organisations can pay the cheaper cost of having Google handle email transport, as that comes with a pretty good spam filter that is always current, and malware detection that actually works.
 
Something that was never mentioned in various reports is that it is limited to connections done through Inbound Connectors of the OnPremises (aka Your organization's email server) type, at least as of writing.

This is rather a significant nuance, because this is something that the Exchange Online (or Microsoft 365) tenant administrator will have configured manually. This does not touch any other connector type or pure Internet email (SMTP) connections. That's also something that should be within the organization's own control, as long as you control your own Exchange Online tenant and your own on-premises Microsoft Exchange servers.

The messaging around this change was... horrible at best, and it should have been better communicated by both Microsoft and tech journalists.
 
Should Microsoft continue to patch Windows 95?
Well, a desktop OS can be taken offline and still remain a desktop OS. A mail server cannot (and still be what you purchased it for). If any company creates a tool that is supposed to be an online server, then they should be required to continue to patch it minimally enough to not allow it to be a risk for the rest of the online community. One way to do that would be to set a hard STOP date when you create it... and say something like "this product comes with a predetermined end of life date of __date__ and it will completely cease to function at that time." At least that way it would be clear what you are purchasing.
 
Not to beat this thing to death, but while I agree with a lot being said, 2 things are not that well known and deserve further details.
- The Exchange servers that are in-scope for now are part of Hybrid setups (which means the enterprise has at least partially moved on Office 365 and may have a few remaining mailboxes or even 0 mailboxes but just apps sending emails over) so only this onprem to online mail flow will be affected.
- @Steve for the same reason, I don't see it as a money grab since Coexistence / Hybrid servers have a free server license attached to the Office 365 subscription (https://techcommunity.microsoft.com...tive-updates-for-exchange-server/ba-p/3285026)
- lastly there is no way for Office 365 to know the real version of the Exchange server besides looking at the SMTP EHLO banner being sent by the server, which is modifiable via a simple command, so people who actively want not to upgrade will still be able to keep their server. I think the goal is more to grab the attention of admins for those "unattended servers".

[for full disclosure I am a MS employee]
Guillaume
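Two posts above make the same practical point: the throttling only reaches mail arriving over Exchange Online inbound connectors of type OnPremises (hybrid setups), and the version Office 365 sees comes from the SMTP banner, which is not authoritative. The script below is an added example, not code from the thread or from Microsoft, showing how a tenant admin can check both sides: list the connectors that are actually in scope, then read the real build from the on-premises servers so it can be compared against a minimum build of the admin's choosing. It assumes the ExchangeOnlineManagement module, a hybrid tenant, and the Exchange Management Shell for the on-premises half; the UPN and the minimum build value are placeholders.

```powershell
# Added example (not from the thread). Part 1 runs against Exchange Online,
# part 2 in the on-premises Exchange Management Shell.

# --- Part 1: which inbound connectors are in scope? ---------------------------
# Only ConnectorType 'OnPremises' connectors are affected; 'Partner' connectors
# and plain Internet SMTP delivery are not.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

$onPremConnectors = Get-InboundConnector |
    Where-Object { $_.ConnectorType -eq 'OnPremises' } |
    Select-Object Name, Enabled, SenderDomains, SenderIPAddresses, TlsSenderCertificateName

if (-not $onPremConnectors) {
    Write-Host 'No OnPremises inbound connectors found: this tenant is not in scope.'
} else {
    Write-Host 'OnPremises inbound connectors (in scope for throttling):'
    $onPremConnectors | Format-Table -AutoSize
}

# --- Part 2: what build do the on-premises servers really run? ----------------
# AdminDisplayVersion renders as e.g. "Version 15.1 (Build 2507.6)". Turn that
# into a [version] so builds can be compared numerically instead of trusting
# whatever the SMTP banner advertises.
function ConvertTo-ExchangeBuild {
    param([Parameter(Mandatory)][string]$AdminDisplayVersion)
    if ($AdminDisplayVersion -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
    }
    throw "Unrecognised AdminDisplayVersion string: $AdminDisplayVersion"
}

# Placeholder: fill in from Microsoft's published Exchange build table for
# the CU/SU you consider the minimum acceptable. Not a real threshold.
$minimumBuild = [version]'15.1.0.0'

Get-ExchangeServer | ForEach-Object {
    $build = ConvertTo-ExchangeBuild -AdminDisplayVersion $_.AdminDisplayVersion.ToString()
    [pscustomobject]@{
        Server     = $_.Name
        Role       = $_.ServerRole
        Build      = $build
        BelowFloor = ($build -lt $minimumBuild)   # $true means this server needs attention
    }
} | Format-Table -AutoSize
```

The connector listing is the part worth checking first: if it is empty, the change does not touch the tenant at all, whatever version the on-premises servers report. The `BelowFloor` column is driven by the real build from `Get-ExchangeServer`, so an edited SMTP banner does not change the result.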