Persistently Vulnerable Exchange Servers: prepare for email throttling & blocking

Transport-based enforcement system blocks emails from persistently vulnerable Exchange servers

Microsoft throttles and even blocks emails sent from Exchange Server to Exchange Online. The transport-based enforcement system reports emails sent from vulnerable Exchange Servers. The system initially introduces delivery delays that gradually increase, eventually blocking mail flow completely to force admins to update their on-prem environments. This is to ensure superior security of Microsoft 365 organizations. See if the feature affects you and what you can do to keep your mail flow running.

Who is affected by the new Exchange throttling policy?

According to this Exchange Team article, the update is aimed to combat “persistently vulnerable Exchange Servers”.

The system will be rolled out in stages. At first, the transport-based enforcement system will only apply to Exchange Servers that connect to Exchange Online using an inbound OnPremises connector. In other words, only hybrid environments will be affected at first. However, according to Microsoft, the system’s primary objective is to prevent potentially malicious emails from entering Exchange Online and to force organizations to patch their on-premises servers. So it’s safe to expect that eventually it will also affect organizations that fail to secure their on-prem environments, even when they’re not in hybrid.

Transport-based enforcement system applies only to high-risk environments, that is, “persistently vulnerable Exchange Servers”. Let’s see what it means.

What is a persistently vulnerable Exchange Server?

A persistently vulnerable Exchange Server is an Exchange Server instance for which there are known vulnerabilities that have not been addressed yet. So, if there is a security update (SU) you’ve been saving for later, know that the clock is ticking.

The bigger problem is when you’re on an Exchange Server version that has reached its end of life (or “end of Extended Support,” if you prefer official names). This means that your version will not receive any further SUs. In other words, it’s in the transport-based enforcement system’s crosshairs already.

How to check if my tenant is affected?

The Exchange admin center (EAC) features reports dedicated to this specific scenario. Go to the Exchange admin center > Reports > Mail flow > Out-of-date connecting on-premises Exchange servers or use this direct link.

You can also connect to your Exchange Online organization using Connect-ExchangeOnline and then run

Get-OnPremServerReportInfo

If you get the following message, there’s nothing you need to do at the moment.

PowerShell cmdlet Get-OnPremServerReportInfo

Email throttling & blocking timeline

There are two timelines that apply to Exchange Server’s mail flow throttling and blocking:

  • Transport-based enforcement system’s stages. In other words, how the system handles reporting, throttling, and blocking.
  • Feature rollout. Since email throttling and blocking can potentially affect (and harm) multiple organizations, Microsoft started with the oldest on-premises environments that supported hybrid and gradually added newer (less vulnerable) servers. Right now, we’re at the point where the transport-based enforcement system has been rolled out for all Exchange Server versions, including Exchange 2019.

Transport-based enforcement system stages

There are 8 stages in total. Stage 1 begins as soon as the system detects a non-compliant server. If the vulnerability is not resolved, the system will progress to the next stage after a specified period of time.

The first stage lasts 30 days, each next stage lasts 10 days.

  1. For the first 30 days, non-compliant server(s) will appear in the new mail flow report. During this period, there is no email throttling or blocking. It’s a warning phase that gives time to install the newest SU.
  2. Mail flow throttling begins. For 5 minutes every hour, emails will bounce with an SMTP 450 error. As a result, email delivery will be delayed.
  3. Throttle increases to 10 minutes per hour.
  4. The throttling period increases to 20 minutes per hour.
  5. Throttling caps at 30 minutes per hour. Email blocking begins. From this moment, for 5 minutes every hour, Exchange Online will bounce emails with a permanent SMTP 550 error. Those emails will not reach final recipients, and senders will need to send them again.
  6. The blocking period increases to 10 minutes per hour.
  7. The blocking period increases to 20 minutes per hour.
  8. The final stage, enforced after 90 days of non-compliance – this is when all emails from vulnerable server(s) will be blocked.

Rollout stages

The transport-based enforcement system has been introduced gradually. The start date marks the first instance when a specific Exchange distribution (version) was scanned for vulnerabilities, allowing Stage 1 Enforcement to begin.

As I said, the transport-based enforcement system is already live for all Exchange Server versions (except for Exchange Server Subscription Edition). Here’s how the rollout was staged:

  1. August 9, 2023 – Exchange 2007
  2. September 23, 2023 – Exchange 2010
  3. December 22, 2023 – Exchange 2013
  4. March 21, 2024 – Exchange 2016 and 2019

Exchange Team revealed plans related to the Transport Enforcement System

Ways to stay compliant

To prevent mail flow throttling and blocking don’t be behind with security updates of your Exchange Server. And, above all, make sure you don’t have any unpatched Exchange 2007 lurking somewhere in the basement.

If you have some legacy third-party solution that depends on an old Exchange 2010, it might be a good time to look for alternatives.

A short-term solution is to pause enforcement. You can request this option directly from the EAC mail flow report and you can use this option for up to 90 days per year to temporarily stop mail flow throttling and blocking if you let the system get beyond the Stage 1 (see enforcement stages). It’s an option that will be probably used a lot. Many companies follow a policy to wait before deploying SU on production environment to prevent rollbacks in case something breaks after an update. Which still does happen.

The 90-day limit is reset on the first day of the year.

Unfortunately, you won’t be able to ensure your on-premises environment’s security if you have an Exchange version that has reached its end of life. In this case, the only real way to move forward is to migrate to a supported Exchange version or to a cloud-only environment.

How to pause throttling and blocking by transport-enabled enforcement system

There are two ways to pause throttling and blocking of affected Exchange servers. Using either of them, you can ensure that your Microsoft 365 receives emails, even when your connected on-premises servers are not on schedule when it comes to updates.

In the Exchange admin center

Go to Exchange admin center > Reports > Mail flow > Out-of-date connecting on-premises Exchange servers > Enforcement Pause. You will see this option only if you have servers that were identified by the transport-enabled enforcement system as persistently vulnerable.

Using PowerShell

  1. First, connect to your Exchange Online organization using Connect-ExchangeOnline .
  2. Then, use the cmdlet below to check if there is an active enforcement pause:
    Get-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer
    Side note: The documentation on the cmdlet is limited at the moment. Please note that there are two additional blocking scenarios that you can check using this cmdlet. To get results for other scenarios, change the “-BlockingScenario” attribute value to: TenantRelayMessageRate or TenantOnPremRate.
  3. Next, run the following cmdlet to create a pause (effective immediately) or to extend the pause that’s already in place:
    New-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer -Number of Days /* Value up to 90 */

Interestingly, there is currently no cmdlet that would allow you to cancel the enforcement pause after you’ve updated the affected servers.

How do I migrate?

Migration under the pressure of time poses a lot of risks. Quite ironic, since in this scenario, migration is forced by a feature that should counter risks.

To migrate with confidence, use a dedicated migration tool. This way, you can benefit from:

  • 24/5 technical assistance from people who handle complex migration projects on a daily basis.
  • Streamlined and simplified migration process (no scripting or complex planning).
  • Advanced reporting.
  • Unlimited delta migrations to make sure each mailbox item is migrated.
Tools for Exchange Server

Recommended articles

How to migrate from Exchange 2013 to Microsoft 365 (Office 365) and why do it now?

How to migrate from Exchange 2013 to Microsoft 365 (Office 365) and why do it now?

Server migration is a very stressful task. It involves moving business-critical data between different locations. Since the extended official support for Exchange 2013 ended on April 11, 2023, the number of companies which are looking into migration away from it might be on the rise. While there is more than one possible target server to migrate to, Exchange 2013 to Microsoft 365 migration seems to be one of the most popular scenarios. In this article, I’ll show you what the available methods are to migrate from Exchange 2013 and how to approach them.
How to export users from Active Directory

How to export users from Active Directory

You might need to export users from Active Directory in more than one situation. Good examples include Exchange migration and creating a test Exchange environment. You can imagine how painful it would be to do those tasks manually, especially in a large organization. Luckily, users can be exported easily from Active Directory and saved into a CSV (comma separated value) file. In this article I am going to show you how to do it. Watch the video below for a quick walkthrough and read the following article if you want to learn more.
How to migrate Exchange public folders to a shared mailbox in Office 365

How to migrate Exchange public folders to a shared mailbox in Office 365

This article shows, step by step, how to easily migrate Exchange public folders to an Office 365 (Microsoft 365) shared mailbox using CodeTwo Migration software. The article also contains a guide on how to create a shared mailbox in Office 365 and how to access it from a mobile device.

Comments

  1. avatar
    Jake Clayton says:

    Running Exchange 2013 on Server 2012 R2 – and when connected to exchange-online via powershell 5.1 with my own creds, trying to run this command:

    Get-OnPremServerReportInfo but getting ” is not recognized as the name of a cmdlet”

    Is it my creds ? something else?

    • avatar
      Adam the 32-bit Aardvark says:

      My bet is that you either have insufficient permissions (although the role required to run this cmdlet is pretty basic: View-Only Recipients) or you are using an outdated Exchange Online PowerShell module. Are other cmdlets working for you? You can try updating the PowerShell module by using the following cmdlet (remember to run PowerShell console with admin permissions):
      Update-Module -Name ExchangeOnlineManagement
      Once updated, reconnect and check if any other Exchange Online cmdlets are working when using your credentials. If the issue persists, you can try updating to PowerShell 7 (or install it on another machine and try there).

  2. avatar
    James Clinton says:

    unfortunately, I have just tried the command
    New-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer -NumberOfDays 90
    in powershell (after succesfully checking that the date throttling starts is this sunday, unfortunately it’s sat with a blinking cursor for the past 15 minutes
    Even checking
    Get-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer
    It just sits there
    anyone else enabled this delay successfully?

  3. avatar
    Peter Webster says:

    We have sevral Exchanage 2010 servers due to legacy systems and are now being throttled for rmwial from Exch to O365. Is there no way around this, except for upgrading then ?

    • avatar
      Adam the 32-bit Aardvark says:

      Unfortunately, the only real way to move forward is to upgrade to a supported Exchange version or to a cloud only environment. That’s why Microsoft announced the transport-based enforcement system earlier and is implementing it gradually. If the legacy systems you mention are based on Exchange 2010, this may be a sign that they also require upgrading.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*

CodeTwo sp. z o.o. sp. k. is a controller of your personal data.
See our Privacy Policy to learn more.