
Transport-based Enforcement System: Microsoft starts blocking old Exchange servers

To keep Exchange Online secure, Microsoft is gradually starting to block old Exchange Server versions. The new system, which is being introduced in stages, is called the "Transport-based Enforcement System" and has three functions: reporting, throttling and blocking. In the first stage, administrators are informed that there are old Exchange Server versions in the company that are no longer supported and therefore no longer receive security updates. If unsupported Exchange Server versions remain in use, mail from the on-prem Exchange Server to Exchange Online is throttled, which reduces the throughput from the on-prem server to Exchange Online so that delivery takes longer. The last phase is the blocking of mail from the unsupported Exchange Server to Exchange Online: Exchange Online then no longer accepts mail from these servers.

The "Transport-based Enforcement System" will be introduced in stages and will initially only affect Exchange Server 2007 in a hybrid configuration with Exchange Online. At first, only Exchange 2007 servers that send emails to Exchange Online / Office 365 via an inbound connector of the type "OnPremises" are affected. However, Microsoft points out that this system will be expanded, so in the worst case all Exchange Server versions that are no longer supported will soon be blocked. Microsoft has started with Exchange 2007 because it is currently the oldest Exchange Server version that can still be connected to Exchange Online in a hybrid configuration.

In future, Microsoft will extend this system to all old Exchange Server versions, regardless of how these servers send mails to Exchange Online. If Microsoft maintains this approach, the "Transport-based Enforcement System" should ensure that the old Exchange Server versions are finally replaced and disappear. If old Exchange servers are no longer able to send mails to Exchange Online in the future, the size of Exchange Online and the large number of users could quickly become too much to bear.

Transport-based enforcement system

As already mentioned, the Transport-based Enforcement System has three functions, the first of which is the reporting of Exchange Server versions that are no longer supported. In the Exchange Online Admin Center, admins can first call up an overview that shows whether there are any affected Exchange servers and the status of these servers. Microsoft has already published a screenshot of the report:

Source: https://aka.ms/BlockUnsafeExchange

The second function is to throttle a server that is no longer supported. In this phase, Exchange Online rejects mail with the following SMTP status code:

450 4.7.230 Connecting Exchange server version is out-of-date; connection to Exchange Online throttled for 5 mins/hr. For more information see https://aka.ms/BlockUnsafeExchange.

The on-prem server is thus forced to keep the mail in its queue and must retry delivery later. This reduces the throughput of mail to Exchange Online and delivery takes longer.

In the third phase, Exchange Online rejects all mails from the outdated Exchange server. The SMTP status code then reads:

550 5.7.230 Connecting Exchange server version is out-of-date; connection to Exchange Online blocked for 10 mins/hr. For more information see https://aka.ms/BlockUnsafeExchange.

In this case, delivery is no longer possible and the sender receives a non-delivery report (NDR). Throttling begins after 30 days; the third stage, and thus the rejection of emails, comes into effect after 90 days. The throttling is increased gradually, as shown in the following table:

Source: https://aka.ms/BlockUnsafeExchange

Admins have the option of getting a little more time to replace the old servers by suspending blocking and throttling for a maximum of 90 days per year. The pause can be configured per server, but the total is limited to 90 days. For example, if you operate two Exchange 2007 servers, you can pause one server for 30 days and the other for 60 days, after which the 90 days are used up.

Microsoft does not actively scan for obsolete Exchange Server versions. The counter for a server starts running when the old Exchange Server delivers a mail to Exchange Online. As already mentioned, the Transport-based Enforcement System is initially applied to Exchange 2007 servers that are connected to Exchange Online with an inbound connector. So if you are still using Exchange 2007, you should run the following command in Exchange Online PowerShell to check whether there is a corresponding connector:

Get-InboundConnector | ft Name,ConnectorType
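As an added example (not from the original post and not Microsoft's code), the following script for the on-prem Exchange Management Shell lists the Exchange 2007 servers in the organization (AdminDisplayVersion major version 8) and checks the transport queues of the Hub Transport servers for the two enforcement status codes quoted above, so that an admin can see whether a server is already being throttled or blocked. It uses only standard Exchange cmdlets; the regular expression in $pattern is constructed from the two status codes on this page.

```powershell
# Added example: run in the on-prem Exchange Management Shell (Exchange 2007 or later).
# Step 1: which servers in the organization are still Exchange 2007 (version 8.x)?
$oldServers = Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion.Major -eq 8 }
if ($oldServers) {
    Write-Host "Exchange 2007 servers found (no longer supported):"
    $oldServers | Format-Table Name, AdminDisplayVersion, ServerRole -AutoSize
} else {
    Write-Host "No Exchange 2007 servers found."
}

# Step 2: look for transport queues whose last error carries an enforcement code.
#   4.7.230 = throttling phase (mail stays queued and is retried later)
#   5.7.230 = blocking phase (mail is rejected, the sender gets an NDR)
# $pattern is a constructed regex matching the two status codes from the post.
$pattern = '4\.7\.230|5\.7\.230'

$hubServers = Get-ExchangeServer | Where-Object { $_.ServerRole -like '*HubTransport*' }
foreach ($srv in $hubServers) {
    Get-Queue -Server $srv.Name |
        Where-Object { $_.LastError -match $pattern } |
        Select-Object @{n='Server'; e={ $srv.Name }},
                      Identity,
                      NextHopDomain,
                      MessageCount,
                      @{n='Phase'; e={ if ($_.LastError -match '4\.7\.230') { 'Throttled' } else { 'Blocked' } }},
                      LastError
}
```

If the second step returns nothing, no queue on the Hub Transport servers is currently being throttled or blocked by Exchange Online; rerun it periodically, because the enforcement stages only begin after the old server has delivered mail to Exchange Online.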

The Transport-based Enforcement System is not yet active, but anyone with old Exchange servers should start planning the migration now at the latest; otherwise the time frame for the migration may soon become very tight. It must also be expected that the system will be extended to other Exchange versions that are no longer supported, such as Exchange 2010 and soon Exchange 2013 (regardless of the hybrid configuration).

Here you can find the article on the Exchange Team Blog:
