Three detailed articles on Exchange Server and TLS 1.2 have been published on the Exchange Team Blog. The articles are not only well worth reading, there is also an important reason behind them:
From October 2018, Office 365 requires TLS 1.2 and no longer accepts mail from servers that only support TLS 1.0 or TLS 1.1.
In plain language, this means that if your Exchange server wants to deliver emails to Office 365 recipients and does not support TLS 1.2, the emails will not reach the recipient from October 2018. The same naturally also applies to smart hosts and relays that want to deliver emails to Office 365.
As far as is known, the change affects the route of emails to Office 365 from October onward. Opportunistic TLS will continue to apply for emails from Office 365 to recipients outside Office 365. If the receiving mail server does not support TLS, Office 365 can still send the mail without transport encryption.
Perhaps the small graphic can explain it better:
More information can be found in the three articles on the Exchange Team Blog:
- Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2
- Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It
- Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1
The articles also describe which settings need to be made on Windows Server so that Exchange can use TLS 1.2. As already mentioned, the same applies to upstream spam filters, smart hosts and relays that deliver mail to Office 365. For these, too, you must ensure that they support and use TLS 1.2.
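
To see where a server stands before October, the following read-only audit is an added example, not taken from the Exchange Team Blog articles. It reports the TLS protocol state from the standard Windows Schannel and .NET Framework 4 registry locations; these locations and the function names are assumptions of this example, since this page does not list the settings.

```powershell
# Added example: read-only audit of the TLS settings on a Windows Server.
# Registry locations are the standard Schannel / .NET Framework 4 ones
# (assumption: the page itself does not list them). Nothing is modified.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-TlsProtocolState {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role
    )
    $key   = Get-ItemProperty -Path "$schannel\$Protocol\$Role" -ErrorAction SilentlyContinue
    $unset = ($null -eq $key) -or ($null -eq $key.Enabled -and $null -eq $key.DisabledByDefault)
    $state = if ($unset) { 'Not configured (OS default applies)' }
             elseif ($key.Enabled -eq 0) { 'Disabled' }
             elseif ($key.DisabledByDefault -eq 1) { 'Not offered by default' }
             else { 'Enabled' }
    [pscustomobject]@{ Protocol = $Protocol; Role = $Role; State = $state }
}

function Get-DotNetTlsState {     # hypothetical helper name
    # Both registry views matter: 64-bit and 32-bit .NET processes read different keys.
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $key = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $root
            SchUseStrongCrypto       = $key.SchUseStrongCrypto        # empty = not set
            SystemDefaultTlsVersions = $key.SystemDefaultTlsVersions  # empty = not set
        }
    }
}

$report = foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($r in 'Client', 'Server') { Get-TlsProtocolState -Protocol $p -Role $r }
}
$report | Format-Table -AutoSize
Get-DotNetTlsState | Format-List

# Outbound delivery to Office 365 is a TLS client connection, so the
# 'TLS 1.2' / 'Client' row is the one that decides whether mail still arrives.
$client12 = $report | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.Role -eq 'Client' }
if ($client12.State -in 'Disabled', 'Not offered by default') {
    Write-Warning "TLS 1.2 (Client) is '$($client12.State)': outbound mail to Office 365 will be rejected."
}
```

A row reported as "Not configured" means the operating system default decides, which differs between Windows Server versions, so check it against part 1 of the series. Run the same audit on every relay or smart host that is Windows-based.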