Outlook may have allowed unencrypted connections for decades, report claims — Fedora and Dovecot upgrade reveal protocol downgrade issue present since at least 2007
Publish Date: 2026-06-05 06:30:00
Source Domain: www.tomshardware.com
An IT blogger claims to have uncovered a high-impact security vulnerability in Microsoft Outlook, which was reportedly found to have been silently downgrading secure SSL/TLS connections to unencrypted plaintext without telling anyone. This appears to affect at least Outlook 2007 through 2016, and possibly later versions as well, though it is as yet unconfirmed whether the behavior is present in Outlook 2019 and later.
The report came by way of a blog post at Marius World, where the writer describes how they came across the issue after upgrading their mail servers from Fedora 42 to Fedora Server 43 (released in October 2025). Marius started getting complaints from customers who were unable to receive email. All got the same error message from the mail server: “Cleartext authentication disallowed on non-secure (SSL/TLS) connections”. This meant the user’s mail client was trying to authenticate over an unencrypted connection, something systems administrators have been deprecating for decades.
Marius realized that all the affected people were using Outlook, from versions 2007 through 2016 at least. Worst of all, seemingly everyone actually had the “Use TLS/SSL” checkbox enabled, meaning that protocol security had been downgraded silently all along. The bug is triggered when the account is configured for the POP3 protocol on port 110. With TLS forced on, the client should have moved to port 995 automatically, or at least attempted a TLS connection on port 110 anyway. Yet Outlook just happily proceeds without encryption. “Customers have likely been retrieving their emails in plaintext for over a decade, mistakenly believing encryption was enabled,” Marius states.
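As an added illustration (not code from the article, from Marius, or from the Dovecot or Outlook projects), here is a small Python audit an administrator can point at their own POP3 port 110 to confirm that the server refuses cleartext login the way the upgraded Dovecot does, and whether it offers STLS as the upgrade path. The function names and the verdict strings are my own; no password is ever sent.

```python
"""Audit a plaintext POP3 endpoint (port 110) for cleartext-login exposure.

Hypothetical helper written for this article; not part of any mail project.
"""
import socket

# The message the article quotes from the upgraded Dovecot server.
DOVECOT_REJECT = "Cleartext authentication disallowed on non-secure (SSL/TLS) connections"


def assess_pop3(capa: list[str], user_reply: str) -> str:
    """Classify a non-TLS session from the CAPA list and the reply to USER.

    capa: capability lines returned after CAPA (without the terminating '.')
    user_reply: the server's one-line answer to 'USER <name>'
    """
    caps = {line.strip().upper() for line in capa}
    if user_reply.startswith("+OK"):
        # The server is willing to take a cleartext login on port 110, so a
        # client like the Outlook versions described above would send the
        # password unencrypted.  (Some servers only refuse at PASS; treat this
        # verdict as a prompt to verify in the server's own logs.)
        return "ACCEPTS_CLEARTEXT_AUTH"
    if "STLS" in caps:
        # Rejected, as Dovecot 2.4 does, and STLS is advertised: a client that
        # honours it can upgrade the port-110 session to TLS.
        return "REJECTS_CLEARTEXT_STLS_AVAILABLE"
    # Rejected and no STLS: clients must use implicit TLS on port 995.
    return "REJECTS_CLEARTEXT_NO_STLS"


def probe(host: str, port: int = 110, timeout: float = 5.0) -> str:
    """Run the CAPA / USER dialogue against a live server and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rd = sock.makefile("r", encoding="ascii", errors="replace", newline="\r\n")
        rd.readline()                      # +OK greeting, not needed for the verdict
        sock.sendall(b"CAPA\r\n")
        capa = []
        if rd.readline().startswith("+OK"):
            for line in rd:
                line = line.rstrip("\r\n")
                if line == ".":
                    break
                capa.append(line)
        sock.sendall(b"USER audit-probe\r\n")   # constructed name; no PASS follows
        user_reply = rd.readline().rstrip("\r\n")
        sock.sendall(b"QUIT\r\n")
        return assess_pop3(capa, user_reply)
```

Run `probe("mail.example.invalid")` against a host you administer; a verdict of `ACCEPTS_CLEARTEXT_AUTH` means the silent downgrade described above would succeed against that server.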
The reason Fedora server administrators only recently started seeing this behavior is that version 43 upgraded the Dovecot SMTP/IMAP mail server to 2.4.3, a version that disables unencrypted authentication altogether. Likely reasons why the issue wasn’t found sooner are that nowadays the…