How to enable TLS 1.2 in legacy mail clients

Lukas Matyska

Legacy mail clients lack support for TLS 1.2 encryption, which is required by contemporary mail servers such as Microsoft Office 365 or Google Gmail. Old versions of Microsoft Outlook running on Windows XP are still surprisingly common in many enterprise networks, and often can't easily be replaced. The same applies to old SMTP-capable devices such as network printers. These legacy mail clients work fine with on-premise legacy servers such as Exchange 2013, but pose a problem when migrating to cloud-based Office 365 or another modern mail server, because TLS 1.0 has been deprecated. This is where Rebex TLS Proxy comes to the rescue!

Translating TLS 1.0 to 1.2 (or 1.3)

Rebex TLS proxy can 'translate' unencrypted (or legacy TLS 1.0) client connections to connections secured with TLS 1.2 (or TLS 1.3) protocol, making legacy clients compatible with modern mail servers.

Mail servers are usually accessed using two common protocols: IMAP for receiving, SMTP for sending. These protocols apply TLS encryption in two modes, implicit or explicit, which are covered in detail in our article about TLS modes. But in short:

  • In implicit mode, the client connects to the server and immediately negotiates TLS encryption.
  • In explicit mode, the client connects to the server and explicitly requests negotiation of TLS encryption using a protocol-specific command (such as STARTTLS in case of IMAP and SMTP protocols).

Office 365's SMTP server only operates in explicit mode and does not support implicit mode. Fortunately, this is not an issue for Rebex TLS Proxy - we added an SMTPE mode that translates incoming connections (unencrypted or implicitly-secured) to explicit mode by issuing the STARTTLS command at the appropriate point in the session.
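To make the explicit-mode step concrete, here is the server-side negotiation an SMTPE-style tunnel has to perform before it can forward the client's first real command: read the greeting, send EHLO, check that STARTTLS is advertised, send STARTTLS, and only then hand the socket over to TLS 1.2 or better. This is an added example, not Rebex code; the server is a constructed stand-in (ScriptedServer) that replays canned replies so the exchange runs offline, and the hostname tlsproxy.example is made up.

```python
# Added example (not part of Rebex TLS Proxy): explicit-mode SMTP negotiation
# as described in RFC 3207. The server is simulated with constructed replies.
import ssl
from typing import List, Tuple


class ScriptedServer:
    """Constructed stand-in for an SMTP server: replays canned reply lines and
    records everything the client sends, so the exchange can be inspected."""

    def __init__(self, reply_lines: List[bytes]):
        self._lines = list(reply_lines)
        self.sent: List[bytes] = []

    def readline(self) -> bytes:
        return self._lines.pop(0) if self._lines else b""

    def write(self, data: bytes) -> None:
        self.sent.append(data)


def read_reply(transport) -> Tuple[int, List[str]]:
    """Read one (possibly multi-line) SMTP reply: 'NNN-text' continues, 'NNN text' ends."""
    texts: List[str] = []
    while True:
        raw = transport.readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.rstrip(b"\r\n").decode("ascii", "replace")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {line!r}")
        texts.append(line[4:])
        if line[3:4] != "-":  # a space (or nothing) after the code ends the reply
            return int(line[:3]), texts


def negotiate_starttls(transport, helo_name: str = "tlsproxy.example") -> List[str]:
    """Drive greeting -> EHLO -> STARTTLS and return the advertised extensions.
    On success the caller wraps the socket in TLS and sends EHLO again (RFC 3207
    requires a fresh EHLO after the handshake). Any deviation raises: there is
    deliberately no fallback to carrying on in plaintext."""
    code, _ = read_reply(transport)
    if code != 220:
        raise ConnectionError(f"unexpected greeting code {code}")
    transport.write(f"EHLO {helo_name}\r\n".encode("ascii"))
    code, texts = read_reply(transport)
    if code != 250:
        raise ConnectionError(f"EHLO rejected with {code}")
    # First line is the server's own name; the rest are extension keywords.
    extensions = [t.split()[0].upper() for t in texts[1:] if t.strip()]
    if "STARTTLS" not in extensions:
        raise RuntimeError("server does not advertise STARTTLS; refusing plaintext")
    transport.write(b"STARTTLS\r\n")
    code, _ = read_reply(transport)
    if code != 220:
        raise RuntimeError(f"STARTTLS refused with {code}")
    return extensions


def make_client_context() -> ssl.SSLContext:
    """TLS context for the outbound (server-facing) side: certificate verification
    on, nothing older than TLS 1.2 accepted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def client_minimum_tls_version() -> str:
    return make_client_context().minimum_version.name


def starttls_outcome(reply_lines: List[bytes]) -> str:
    """Run the negotiation against a scripted server; 'ok' or the reason it stopped."""
    try:
        negotiate_starttls(ScriptedServer(reply_lines))
        return "ok"
    except (ConnectionError, RuntimeError, ValueError) as exc:
        return str(exc)


# Constructed reply script modelled on a typical port-587 server.
GOOD_SERVER = [
    b"220 smtp.example ESMTP ready\r\n",
    b"250-smtp.example Hello\r\n",
    b"250-SIZE 157286400\r\n",
    b"250-STARTTLS\r\n",
    b"250 SMTPUTF8\r\n",
    b"220 2.0.0 Ready to start TLS\r\n",
]

# Same server with STARTTLS absent from the EHLO reply: the client must stop here.
NO_STARTTLS_SERVER = [
    b"220 smtp.example ESMTP ready\r\n",
    b"250-smtp.example Hello\r\n",
    b"250 SIZE 157286400\r\n",
]


if __name__ == "__main__":
    srv = ScriptedServer(GOOD_SERVER)
    print("extensions:", negotiate_starttls(srv), "sent:", srv.sent)
    print("without STARTTLS:", starttls_outcome(NO_STARTTLS_SERVER))
    # Against a real socket the next step would be:
    # tls = make_client_context().wrap_socket(sock, server_hostname=host)
```

The point of the fail-closed branch is that a STARTTLS session is only as strong as the client's insistence on it: if the EHLO reply arrives without STARTTLS, the right behaviour for a tunnel that promises TLS 1.2 to its legacy clients is to drop the connection rather than relay mail in the clear.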

Simple configuration for Office 365

Set up Rebex TLS Proxy on a PC running Windows 2012 R2, Windows 7 or higher in the local network where you operate those legacy mail clients. Then add the following two TLS tunnels, one for IMAP and one for SMTP:

tlsproxy tunnel add -i :143 -o outlook.office365.com:993 --out-protocol TLS
tlsproxy tunnel add -i :25 -o smtp.office365.com:587 --out-protocol SMTPE

Then configure the legacy mail clients to connect to ports 143 (for IMAP) and 25 (for SMTP) of the PC running Rebex TLS Proxy in plaintext (unencrypted) mode. If you prefer encrypted TLS 1.0 communication between the clients and the proxy, Rebex TLS Proxy can do that as well, but you would also need an X.509 certificate, making the process slightly more complex - see the modern TLS to legacy TLS example for a sample configuration, or contact us at support@rebex.net for more information about advanced configurations.

Original architecture:

Architecture of connecting legacy mail clients to a legacy mail server such as Microsoft Exchange 2003

Architecture with Rebex TLS Proxy:

Architecture of connecting legacy mail clients to a modern mail server with Rebex TLS Proxy

Image credits: Icons created by Freepik - Flaticon