
Periodic Office 365 SMTP Send Error Due to TLS 1.1/1.0

We have a PHP web application that sends SMTP emails via authenticated smtp.office365.com. This has been working for at least a couple of years.

We are using PHPMailer 5.2. We are forcing the crypto_method to STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT.

Here's the weird thing. About 75% of the time it works fine. The rest of the time it reports SMTP ERROR: Password command failed: 421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2.

Registered Stream Socket Transports is tcp, udp, unix, udg, ssl, sslv3, tls, tlsv1.0, tlsv1.1, tlsv1.2

How is it even possible that it works most of the time? If it were truly a TLS issue I'd expect it to fail 100% of the time.

Craig Jacobs asked Sep 18 '25 13:09


2 Answers

Same here on a Java application.

I have to force TLS v1.2 in SMTP properties. In my case:

config.put("mail.smtp.ssl.protocols", "TLSv1.2");

Hope you can find the answer.

Lucas Bueno answered Sep 20 '25 03:09


From Microsoft:

New submission error speedbump to be introduced

We are fully aware that many customers will not have noticed the multiple Message Center posts and blog posts, and are not aware of clients or devices that are still using TLS1.0 to submit messages. With this in mind, starting in September 2021, we will reject a small percentage of connections that use TLS1.0 for SMTP AUTH. Clients should retry as with any other temporary errors that can occur during submission. Over time we will increase the percentage of rejected connections, causing delays in sending that more and more customers should notice. The error will be:

421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/smtp_auth_tls.

We intend to make a final announcement when we are ready to make the change to disable TLS1.0 and TLS1.1 for SMTP AUTH for the regular endpoint.

Additional documentation can be found here: Opt-in to Exchange Online endpoint for legacy TLS clients using SMTP AUTH

Exchange Transport Team

Mark answered Sep 20 '25 02:09
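
An added example, not part of the question or answers above: because the 421 4.7.66 reply is only returned on a share of connections and clients retry, it is easy to miss which applications are still affected. This sketch counts that reply per application in SMTP debug output; the log layout, the `app=` field and the sample lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: one final server reply per send attempt.
# The "app=" prefix and log layout are assumptions, not from the page.
SAMPLE_LOG = """\
app=billing SERVER -> CLIENT: 235 2.7.0 Authentication successful
app=billing SERVER -> CLIENT: 421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2.
app=billing SERVER -> CLIENT: 235 2.7.0 Authentication successful
app=billing SERVER -> CLIENT: 235 2.7.0 Authentication successful
app=reports SERVER -> CLIENT: 235 2.7.0 Authentication successful
app=reports SERVER -> CLIENT: 451 4.7.0 Temporary server error. Please try again later.
"""

# Basic reply code, optional enhanced status code, then free text.
REPLY = re.compile(
    r"app=(?P<app>\S+) SERVER -> CLIENT: "
    r"(?P<code>\d{3})[ -](?:(?P<enh>[245]\.\d{1,3}\.\d{1,3}) )?(?P<text>.*)"
)

def classify(code, enh):
    """Separate the legacy-TLS rejection from ordinary transient errors."""
    if code == "421" and enh == "4.7.66":
        return "legacy_tls"
    return {"2": "ok", "3": "ok", "4": "transient", "5": "permanent"}.get(code[0], "unknown")

def summarize(log):
    """Return {app: Counter of reply classes} for every parsed reply line."""
    stats = defaultdict(Counter)
    for line in log.splitlines():
        m = REPLY.search(line)
        if m:
            stats[m["app"]][classify(m["code"], m["enh"])] += 1
    return stats

def legacy_tls_rate(stats, app):
    """Share of an app's send attempts that hit 421 4.7.66."""
    counts = stats[app]
    total = sum(counts.values())
    return counts["legacy_tls"] / total if total else 0.0

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for app in sorted(stats):
        print(app, dict(stats[app]), f"legacy TLS: {legacy_tls_rate(stats, app):.0%}")
```

Any nonzero rate for an application means some of its connections are being treated as legacy TLS, even when retries make the mail go out eventually.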