Microsoft to Disable Legacy Email Protocols 01-10-22

What is happening?

Microsoft are making a mandated change on the 1st of October 2022 and will be retiring Basic Authentication for legacy protocols in Exchange Online.

About email and authentication

When you send an email from your reading.ac.uk or student.reading.ac.uk account, the email contains additional information which advises our Microsoft Exchange email server that you are authorised to send email from that email programme and email account. If you are sending email from an unsupported programme or account, you will get an error message.

The majority of apps, services and websites use Multi-Factor Authentication (MFA), i.e. as well as username and password you need to set up an additional check when logging in, whether via an app or by entering a code sent by email, phone call or text message.

There are some legacy programmes which use Basic Authentication, i.e. username and password only. Support for this is being removed by Microsoft in their Exchange email server on 1st October 2022.

What does this mean for me?

If you are using an email programme with only Basic Authentication, you will not be able to send emails from 1st October onwards.

Who is affected?

This affects people who are using either an old or nonstandard email app, e.g.

  • If you use older Outlook email programmes, i.e. Outlook 2010 or Outlook 2013
  • If you are on a mobile device and using a non-native email app
  • If you use Thunderbird or Spark as your email client (mainly Mac users)
  • If you manually configured your email client, i.e. you put in your own information when you added your profile, which is now not recommended.

Who is not affected?

You will not be affected if your Microsoft Office is up to date, i.e. you use Outlook 2016 or Microsoft 365, you use the built-in email client on your mobile (e.g. Microsoft Outlook App), or you use email on the web.

How can I tell?

A simple way to tell if you are affected is how you log in to get your email.

Basic authentication only requires a username (email address) and password, as shown in this screenshot:

Screen capture showing email and password

This is an example of a modern authentication request – it requires additional approval beyond username and password.

Image showing modern authentication method

What do I need to do?

There are several ways to mitigate this by either changing or upgrading your email programme, which are summarised below:

  • All users: Use webmail/Outlook on the web instead. You can access your University email account at https://outlook.office365.com/mail/
  • All users: Change your email programme to Outlook (2016 or 365) or another email client which uses modern authentication such as Gmail. Note that all staff and students are eligible to download Outlook 365 via Microsoft 365 Apps, following these instructions: KI 0202
  • Outlook 2013 users: Remove and re-add your account choosing “Microsoft 365” as the account type.
  • Mobile users: Change or upgrade your email programme to the Microsoft Outlook app.
  • Mac users: Update iOS to current version and reinstall the Apple Mail application
  • Thunderbird users: update to latest version of Thunderbird following these instructions: KI 1209
  • “Other” mail clients: Remove and add back your account choosing ‘Microsoft 365’ as the account type

For the technically minded, the full table:

| Legacy protocol | Description | What uses it | Solution |
| --- | --- | --- | --- |
| Exchange ActiveSync & AutoDiscover | Used to connect mailboxes to Exchange Online | Windows Mail; Calendar; Email clients on mobile device; Mac OS | Use webmail/Outlook online; Use Outlook 2016 or Office 365 or Outlook for mobile; Update iOS to current version and reinstall Apple Mail |
| IMAP | Allows access to email without downloading it to the device. Email is read directly from the email service | Email clients such as Thunderbird and Spark; Outlook and Apple Mail when manually configured | Use webmail/Outlook online; Use Outlook 2016 or Office 365 or Outlook for mobile; Update to current Thunderbird app; Update iOS to current version and reinstall Apple Mail |
| MAPI Over HTTP | Primary mailbox access protocol used by Outlook 2010 SP2 and later | Outlook 2010 and newer email clients on mobile devices | Use Outlook 2016 or Office 365 or Outlook for mobile |
| SMTP Authentication | TCP/IP protocol used to send/forward email; it cannot receive messages | Email clients such as Thunderbird and Spark; Outlook and Apple Mail when manually configured | Update Thunderbird; Remove and add back account choosing ‘Microsoft 365’ as the account type |
| “Other Clients” (Linux mail clients, custom mail clients, etc) | Any other protocols identified as utilizing legacy authentication | | Application should be up-to-date and added using modern authentication protocol such as ‘Microsoft Exchange’ or ‘Microsoft 365’ option |

What happens if I don’t do anything?

If you don’t do anything, you will not be able to send any emails using your current method from 1st October. As this is mandated by Microsoft, DTS have no ability to grant an extension.

Further information:

This change is examined in further detail in this Microsoft article: Deprecation of basic authentication exchange online

What version of Outlook do I have? You can usually find the Outlook product version by selecting Help > About while in Outlook. Also see this article by Microsoft.

Creating a new Outlook profile to restore default settings: KI 1813 How to create a new profile in Outlook 2016 (Windows 10) 

Contact:

If you want any advice or have any issues, please raise a ticket with the IT Service Desk.

The Retiring Activedition project – 40,000 webpages later 

In DTS and MCE, the retiring Activedition project, which has recently come to an end, has seen nearly 40,000 webpages migrated (or removed) from Activedition to the new CMS system, Sitecore.  The aim of the project was to improve security and make the websites at the University easier to use.  

The project, which spanned over 8 years with work concentrated since 2018, also processed nearly 56,000 multimedia files and 23,000 documents. The result left us with 7,000 pages on Sitecore, making it easier to navigate the websites and find what you want.

Burning Platform  

The migration gave a good opportunity to consolidate and freshen up the websites but the main motivation behind the project was fixing an incoming security hole. 

Activedition was coming to the end of its product lifecycle and would no longer be supported by its creators in the future. This end of support means no more security updates and continuing to use it would have opened us up to cyber-attacks.  

Mark Collett, Director of Enterprise Architecture and Digital Transformation, spoke about the need to get off a CMS with looming security issues:  

“The underlying platform was on legacy equipment where the software and databases wouldn’t be supported by the end of this month by Microsoft. 

The hardware was going out of date and would be unsupported. The CMS itself is old, and the company that developed it, it’s not one of the projects they’re interested in developing.

So, it meant that we had a hard deadline for the end of this [July 2022] month to get all those pages off because if we didn’t it would pose a risk to the University.  

The website is a front facing thing for the University, so we needed to get off, what we call, a burning platform”  

He also spoke about how DTS balances making sure the University is secure against Cyber Security issues and the impact they have on Colleagues:  

“Our strategy is to try and make our systems as secure and reliable as possible and that’s always a balancing act with user experience and the impact on Colleagues. 

Currently we are running both Sitecore and Activedition. With fewer CMSs we have a simpler web estate and can focus on fewer skills sets and reduce working complexity. 

The more complexity you have in a system, the more resources you need to understand it and run it, which isn’t an efficient approach”  

Understanding and planning 

Once the go ahead for the project was given, a large body of initial analysis and planning work was conducted inside DTS by the Digital Portfolio Team (DPT).  

Part of the DPT’s job is to analyse the drivers behind a project: the motivations that cause a project to come into existence. This is done partly by evaluating the problem we are trying to solve, looking at the people involved and the problems they are experiencing. Once we have an accurate idea of the problems, we are in an informed position to choose the correct solutions.

Mary Seddon, Head of Digital Portfolio, spoke about drivers and what she found out from talking to colleagues around the University:  

“I’m sure there are many reasons why the University needed to get off Activedition and the business case talks about several high-level drivers that we needed to meet. One being that the devolution of responsibility to an area or school creating their own webpages meant there was a loss of quality control, for instance no control over retiring or replacing a page.  It was very hard for MCE to assist people.  

Activedition was also very old fashioned to look at.  Lots of people were concerned about that, yet there was lack of control over the look and feel of the websites.  

From a technical perspective, the problems were the burning platform and the fact that the knowledge about Activedition itself, was in the hands of, and supported by, about 3 people on the planet – as far as we could tell.  We were very lucky to find Jim Hazell who knew what Activedition was.”  

She continued with the topic of how, when working on projects that affect lots of different people, you will often come across drivers from different places that conflict with each other:  

“We put a business case that brought all those needs together – those from MCE and DTS, and others – and there were understandable, good tensions between the drivers. Some people wanted to do a ‘like for like’ replacement and others wanted to make the websites “better”.

At the same time, we had to do something to get off that burning platform and this is what unified us. We were all on the objective that we need to move off Activedition for the sake of security.”

The Great ‘Lift and Shift’  

After the initial analysis work was complete, the project moved into working through the websites on Activedition, with the Digital Applications and Development team working out which pages could be manually moved to Sitecore, and which ones could be moved through a clever automatic process.

Dave Jones, Head of Digital Applications and Development, spoke about how the ‘lift and shift’ process wasn’t as unceremonious as the name makes out:  

“Is it actually just straight lift and shift? Or is it lift and shape? Or is it a complete refactor?    

Initially, I think MCE and the Schools were pushing very hard for it to be effectively a refactor. That’s when we had Bunny Foot in (website consultants) and when the school webpage template was redesigned, and the site was greatly improved, but we saw that was taking forever. When we developed the idea of doing an automated process for the functions that’s when it had to be slightly more regimented. 

Functions could still tweak how things looked. Different functions could have different coloured accents on various parts of the site to differentiate them.”   

The project processed over 40,000 webpages from different websites at the University. Mustafa Rahman, CMS Web Team Lead in Dave Jones’ team, spoke about how lack of control over accounts let it get to such a high level:  

“There were easily 500 users on Activedition, and I’d guess about 340 of them were unique users. That was the hardest bit about accounts in Activedition, working out who was still active.   

With Sitecore, it’s much easier to maintain in that way, and we’ve removed a number of old accounts so there are fewer accounts to maintain and more control over people adding pages and making changes”

Collaboration, accessibility and breaking silos 

Universities can often be ‘siloed’ in how their teams operate with each other, but with this project it was the opposite. It included many teams from many different departments, working together on different ways to solve one common problem.

Martin Watts, Head of Content in the Marketing Engagement team, assisted massively with the project and spoke about his approach to multi-team collaboration:  

“This project was about making sure everyone was on board. I think there was a realisation that the only way we would succeed is if we work together and make sure we didn’t let those traditional silos get in the way.  

Ultimately, we’ve all got the same goal at the University. We’re all trying to make sure we do what the University needs us to do in order to achieve its goals”  

He also spoke about how the collaborative relationship that was established between DTS and MCE will have a positive impact on work between the two in the future:  

“The CMS team and the Content Team have worked prior to this, and we’ve had a really good working relationship, but we had worked in a sort of support capacity where if we needed support with something, the CMS team would help us.   

Going through this project was about moving to an actual web development model where we are making new things. We’re not just fixing and maintaining existing things and that required quite a mind shift.”  

Martin finished by talking about how pleased he was that accessibility requirements resonated so well with colleagues around the University:  

“People thought it was an excellent reason for doing this, not just about meeting a simple compliance thing. It’s about ensuring that our websites are inclusive for all users, regardless of their access needs and I thought that was really good.

In terms of what was really helpful, we had Miroslava Flimelova come in and join us and basically support us with that work throughout the project. She was fantastic to work with because she’s just so knowledgeable but also really keen to help ensure that we make things accessible. If we don’t know what we’re doing, we can ask her a question and she’s always happy to help.”

A solid state for the future   

The retiring Activedition project has provided a solid bed for future web estate development. Sometimes, in order to improve things, you have to re-evaluate what you are working with and simplify it down to a state that is a solid foundation to work from in the future.

It was also a collaboration between many different people and teams at the University and showed that digital departments can work together and even improve working relationships and processes for future projects.  

Mark Foster, Project Manager in the PMO, had these closing statements on the project and the people he’d met in the long time he spent managing it:

“Just given the nature of the project over that period of time, there’s been significant or notable numbers of people leaving, joining, seconding in and out, babies being born, there’s all sorts of stuff going on. So that made it quite a bit of a family thing in the end because people sort of religiously came to stand ups.”  

 

Changes to email distribution lists


Email distribution lists are used throughout the university to send one email to lots of people simultaneously. These mailing lists could include people outside the University (external) as well as University staff and students. Up until now, we’ve used Mailman (https://www.lists.rdg.ac.uk/mailman) for creating the majority of mailing lists, whether for external or internal recipients.

Moving from Mailman Lists to Outlook Distribution Groups

What is happening?

DTS assesses software used at the University to ensure it meets current standards and requirements. Older programs that can’t meet these demands are being replaced and phased out, and Mailman has fallen into this category. For this reason, we are now replacing Mailman, with the solution depending on the recipients of the list:

  1. Lists that have internal recipients – these are moving to Microsoft Outlook Distribution Groups (this project has been underway for a while and you may have already been advised and moved to Microsoft Outlook Distribution Groups)
  2. Lists that have external recipients – these will be moving to a new service called LISTSERV (this project is currently in a trial period with a select number of lists; there will be a further post with more information soon)

I’ll explain more about Microsoft Outlook Distribution Groups later in this post, with links to our Knowledge Item articles which will guide you through the main functionality.

Some background

The decision to move away from Mailman has not been taken lightly. The main issue we face with Mailman is that there has been nobody updating or supporting it for several years (last release was 2016).

  • No developer = no patches or updates
  • No vendor = no support
  • No patches or updates or support = security risk

With no changes since 2016, Mailman is increasingly open to vulnerabilities.

  • The Mailman admin panel has not been available offsite since Christmas 2021 due to security concerns which cannot be fixed.
  • New features to improve email security, such as Advanced Threat Protection (ATP) and Safelinks cannot be implemented.
  • Emails from Mailman lists are being marked as Junk or Quarantined. This means that emails coming from reading.ac.uk are being treated as suspicious.

Outlook Distribution Groups (for internal addressees)

If your Mailman list only contains internal recipients, then we are turning your list into an Outlook Distribution Group.

What are the benefits?

We are all familiar with using Microsoft Outlook, so the main benefit is that there’s no new interface to learn, and it’s contained within your Microsoft 365 environment, so there is no new software to install and manage.

Here are some other benefits:

  • Global Address Lists – There’s no need to remember lengthy email addresses of the Distribution Group. They are all visible in the Distribution Group section of the Global Address Lists in Microsoft Outlook desktop or web app.
  • Software is up to date – Microsoft ensures the application is patched or updated to avert security vulnerabilities and users don’t need to do anything.
  • Better message delivery times – Posts are delivered more quickly: Mailman lists currently step through 13 hops (different servers) in order to get to recipients. With the new system, this is now cut down to 3.
  • Managing membership is easier – There’s no need to remember URLs or open a web-based link to manage members. Avoiding such an unnecessary step also cuts down on delivery times and removes ghost members.
  • Accurate Membership list – There’s no need for Distribution Group owners to unsubscribe a leaver as Active Directory is automatically updated. Currently, there are duplicate email aliases and inactive members/leavers that cause Non-Delivery Reports (NDR) in the Mailman Administrators mailbox on a daily basis. Removing inactive members/leavers also cuts down on delivery times.

Key information for existing list owners

Much of the functionality of Mailman is also available in Outlook, but here are a few things that you need to be aware of:

  1. Most mailing list subscribers shouldn’t notice any difference. 
  2. Emails sent to a Distribution Group will appear to come from the sender. If you don’t want your name to appear on the email, please use a Shared Mailbox to send the email (e.g. “IT Communications”). The same is true of sent items: they will appear in your Sent items unless you have sent from a role-based account, in which case they appear in the Sent items of that account.
  3. Any messages you receive about your Distribution Group will come into your inbox (or, if you used a Shared Mailbox to send a message, it will come into that inbox). For example, if you need to moderate a message, you will be notified via your inbox.
  4. Moderating and approving posts can only be done through the web interface (outlook.office.com)
  5. You can only add members who have an @reading.ac.uk email address. If you need to add external members, please contact the IT Service Desk.

Instructions for using Outlook Distribution Groups

How to access your distribution list: You can access your Distribution Groups via Outlook Online (outlook.office.com).

How to send posts to a distribution list: To email your members, put the list address in the To field of a new email (or the BCC field, if you don’t want your recipients to be able to see and contact all members of the Group).

Group Manager admin tools: The preferred way to administer your lists is through Group Manager, which is available on Apps Anywhere.

Outlook Web tools: You can access admin tools through Outlook Online (outlook.office.com).

Note: some lists do not appear in the Global Address list. If you cannot find yours, please raise a ticket with the IT Service Desk to perform these functions.

Further information

The best place to get up to date information for Microsoft products is from Microsoft themselves. This support page is about Outlook Distribution Groups: Microsoft Outlook 365 distribution group support page

Contact

If you have any questions or require advice, please contact our IT Service Desk.