Security of Exchange services: TLS update and best practices

By / / exchange, mail server, Security, TLS

Introduction

We at OVHcloud are committed to providing secure and professional email services that meet the latest industry standards. To boost security, we’re disabling TLS 1.0 and 1.1 protocols on our Exchange solutions, in line with international standards.

Are you using a recent and updated email client? You don’t need to do anything; all email clients have already been updated and support the latest TLS (1.2). Action is needed only if you’re running a very old version.

We’re ditching older TLS versions and stepping up security across OVHcloud Exchange services. This blog will cover what’s changing and the measures we’re taking to keep your data safe. 

TLS 1.0 and 1.1 deprecations

To improve security and service quality, we’re disabling TLS 1.0 and 1.1 on all our OVHcloud Exchange solutions.
While some Microsoft systems may still use them, these TLS versions have security holes and were officially deprecated in 2021. Plus, they are already disabled on most Microsoft services, including several Exchange options.

    Single-standard supported protocols

    Our goal is to apply the same configuration across all infrastructure. Since these protocols are already inactive on most of our servers, updating will standardise our setups and elevate security.

    Supported ciphers

    We’re also making adjustments to ciphers, so only the following will be supported:

    Keep in mind, only older operating systems (outdated printers or unsupported systems) might have issues.

    Customers can use the SSL Labs tool to see which encryption protocols their machine supports.

    We use the best practices from the 2020 version 1.6 guides, see here.

      HSTS protocol activation

      We also use the HTTP Strict Transport Security (HSTS) protocol to keep connections between customers and OVHcloud Exchange servers secure.

      This protocol helps to:

      • enforce TLS usage by blocking unencrypted connections;
      • protect against Man-in-the-Middle (MITM) attacks and block redirects/downgrades to unsecured HTTPS connections;
      • automatically switch from HTTP to HTTPS for higher user security.

      OVHcloud customers won’t notice this update, which will be automatic—no action needed.

        Exchange update management

        Monthly update process

        Microsoft releases security updates for Microsoft Exchange Server every Patch Tuesday. OVHcloud applies these patches every month to bolster security for its Exchange solutions.

        Our update process

        • The 2nd Tuesday of each month: Microsoft update release.
        • Microsoft partnership: Thanks to our strong partnership, we have access to detailed information on patches and product releases. This gives us a better idea of how much work the next update will involve, so we can plan ahead.
        • Vulnerability severity analysis:
          • Moderate risk → Maintenance is planned and staggered to minimise service disruptions.
          • High risk → A dedicated team starts maintenance right after the patches are released.

        Update notifications

        • PRIVATE solution customers are notified at the start and end of updates.
        • RESELLER, HOSTED, MXPLAN, TRUSTED, and EMAILPRO customers can use Exchange’ clustering to track maintenance progress on the OVHcloud status page.

        Real-Time monitoring and protection

        We use several monitoring tools, developed in-house or provided by third-party vendors, to:

        • monitor the exposure of OVHcloud Exchange services on the internet;
        • detect vulnerabilities and unusual activity in real time;
        • generate alerts and reports for instant analysis and troubleshooting.

        Advanced spam protection

        Our OVHcloud Exchange solutions include a European anti-spam system that filters messages before they reach your inbox.

        Benefits of spam filtering:

        • advanced detection of fraudulent and phishing emails;
        • smart filtering based on machine learning;
        • significant decrease in spam and malicious emails.

        HTTP request management update

        Host Header Removal

        We’re currently fixing a server issue related to incorrect HTTP Host header usage. An invalid HTTP host header in a web request causes the server to immediately abort the request—this is specific to HTTP 1.0.

        Server Header Removal

        The HTTP server stops sending the header.

        To recap…

        We’re upgrading OVHcloud Exchange security by phasing out less secure TLS 1.0/1.1 protocols, bringing it in line with internationals security standards.
        Regular updates, HSTS activation, continuous monitoring, and advanced anti-spam protection guarantee a secure, high-performance Exchange environment for all our customers.

        Got questions about this update? Reach out to our technical support team.

        fabien bouvet
        Fabien Bouvet
        OVHcloud | + posts

        After ten years in web and mobile development, I’m now a technical writer and web redactor for OVHcloud.