Exchange AMA
Wednesday, May 10, 2023, 09:00 AM PDT
We are excited to announce an Exchange AMA on Wednesday, May 10th at 9:00 AM Pacific time!
On March 23, 2023, Microsoft announced a new transport-based enforcement system in Exchange Online that is designed to increase customer awareness of unsupported and unpatched Exchange Servers of theirs that are sending email to Exchange Online, and to drive customer action to remediate their servers. There are two possible remediations:
- A server that cannot be patched (e.g., Exchange Server 2007, Exchange Server 2010, and Exchange 2013) must be permanently decommissioned.
- Servers that can be patched (Exchange 2016 and Exchange 2019) must be updated within 90 days from detection, or mail from that server to Exchange Online will be blocked.
Join us as our experts discuss these upcoming changes to Exchange Online.
This AMA will be a live text-based online event with no audio or video component, similar to an “Ask Me Anything” on Reddit. This AMA gives you the opportunity to connect with Microsoft product experts who will be on hand to answer your questions and listen to feedback.
Feel free to post your questions now through the end of the live event in the comments below; however, questions will not be answered until the live event.
Meenah_Khosraw
Updated May 10, 2023
- Meenah_Khosraw
Former Employee
Thanks for joining us today for an Exchange Ask Microsoft Anything (AMA)! We appreciate your questions and feedback—and look forward to continuing the discussion in the Exchange community!
- duzsb
Copper Contributor
Will this block e-mails from external Exchange servers as well? For example: a customer has on-prem Exch 2010 which sends e-mail directly outbound and his/her customer using EXO.
- Eriq_VanBibber
Brass Contributor
According to Scott in a similar question, no. They are starting with hybrid-connected servers first. Much later it sounds like they might include non-hybrid Exchange servers, but only for ones related to the tenant. Customers sending to another customer at O365 don't seem to be in-scope for this now or in the future (yet).
- ScottSchnoll
Microsoft
Eventually, all unpatched and unsupported Exchange Servers will be in scope.
- ScottSchnoll
Microsoft
Yes, eventually those servers will be in scope, too. Exchange 2010 is unsupported and should no longer be used.
- Eriq_VanBibber
Brass Contributor
Well, that seems counter to my similar question yesterday. I thought the tracking was only between tenant related servers (e.g. my on-prem server sending to my tenant)?
- Eriq_VanBibber
Brass Contributor
Thinking forward... if an Exchange 2016/2019 server was indicated as vulnerable and warnings started, how quickly after patching would things return to normal? Immediately? Or after some further build up of success?
- ScottSchnoll
Microsoft
It depends on how soon after patching the server sends mail to Exchange Online. It's when it connects to the cloud service that we can see version info. So if you patch a server, and it sends email right away, it will not be throttled or blocked any more (unless it falls behind again).
- troosens
Brass Contributor
While I like what MS is trying to do here, I think the communication/announcement is lacking. I only learned about this from a tech article that popped up on my news feed a couple of months ago. It was never brought up in any of our regular meetings with MS (CSAM, Account Manager, ...). We are staying on top of keeping our Exchange servers patched so I'm not concerned about any impact on our organization, but I think many organizations will receive an unpleasant surprise when this goes into effect because they were not made aware.
- Amjad1935
Brass Contributor
In my opinion, for Exchange Admins, it is good practice to have the Exchange Team Blog monitored regularly. https://techcommunity.microsoft.com/t5/exchange-team-blog/bg-p/Exchange
- troosens
Brass Contributor
Thanks Amjad, it is one takeaway for me from this event!
- ScottSchnoll
Microsoft
Thanks for the feedback! We've posted details on our blog, we are sending Message Center posts to affected customers before any action is taken, and we have reports in the admin centers to notify admins. What other suggestions do you have for admin communications?
- troosens
Brass Contributor
Inform all CSAMs to communicate this to their customers. E-mail notifications are quickly ignored so probably best if they can get a meeting scheduled with customers, if they don't have any recurring meetings scheduled.
- JackieGruber
Copper Contributor
Will outbound email going through Barracuda Cloud Control from an unsupported version still be throttled/blocked?
- ScottSchnoll
Microsoft
Not immediately, as we initially are only targeting the connecting server. But eventually, we will target all Exchange Servers in the routing path.
- Eriq_VanBibber
Brass Contributor
Would the inspection criteria ever be documented? Would be nice to be able to write a script or tool to do the same analysis on servers beforehand for corner-cases and for those servers that are not directly connected to Office 365.
- Nino_Bilic
Microsoft
Please see Exchange Health Checker - it will tell you all you need to know to update your on prem servers: https://aka.ms/ExchangeHealthChecker
- ScottSchnoll
Microsoft
Yes, when we start with patchable servers, the report will indicate the minimum compliant build.
- JackieGruber
Copper Contributor
Have not been able to register.
- ScottSchnoll
Microsoft
Hi Jackie, register for what? If you mean this AMA, your comments are coming through.
- JackieGruber
Copper Contributor
Thanks.
- Eriq_VanBibber
Brass Contributor
Does EOP or ATP have any effect here?
- ScottSchnoll
Microsoft
No.
- Eriq_VanBibber
Brass Contributor
Does the use or non-use of hybrid mode change anything? What about custom send connectors pointing at Office 365? I assume not, but wanted to be sure.
- JKenersoMSFT
Microsoft
Building on Scott's reply... as we begin this process, it will initially be scoped to servers connecting via a connector of type on-premises. This is the connector type used by a hybrid topology.
- ScottSchnoll
Microsoft
Yes; right now we are only targeting a subset of hybrid servers. We will eventually get to non-hybrid servers, but not for a while (I don't have any ETA to share).
- Eriq_VanBibber
Brass Contributor
I assume a similar announcement would be made when/if non-hybrid servers are brought in-scope?
- Eriq_VanBibber
Brass Contributor
Will data region of EXO have any influence or effect? Consider cases where there may be an on-premises Exchange server in South Africa connecting to UK endpoint for some reason (actually common from my experience). That's high latency and crosses many country borders. Similarly, any data residency concerns (like with Germany, Canada, and China, for example)?
- ScottSchnoll
Microsoft
I'm not entirely sure I understand the question. The transport system is WW, so it doesn't matter where a persistently vulnerable server is located. If it sends email to Exchange Online, we will detect it.
- Eriq_VanBibber
Brass Contributor
Ok. Your answer is good enough. Sounds like MS won't care where the connection arrives from. What about data residency? For example, a server in UK connecting to the German O365 instance? No issues or concerns?