
A server upgrade that introduced stricter email security checks has uncovered what appears to be a long-standing Outlook issue that may have caused some users to retrieve email over unencrypted connections despite having SSL/TLS enabled in their account settings.
The discovery was reported by German system administrator Marius Schwarz after upgrading mail servers from Fedora 42 to Fedora 43, a migration that included the deployment of Dovecot 2.4.3.
The newer Dovecot release blocks cleartext authentication over unsecured connections by default, causing affected Outlook clients to suddenly fail authentication and revealing the underlying configuration problem.
According to Schwarz, users began reporting Outlook login failures shortly after the upgrade. The clients displayed the error:
“-ERR [AUTH] Cleartext authentication disallowed on non-secure (SSL/TLS) connections.”
Investigating the issue, Schwarz found that the affected Outlook installations had SSL/TLS enabled but were configured to use POP3 port 110, the protocol's traditional unencrypted port. Instead of warning users about the mismatch or automatically switching to port 995, the standard port for encrypted POP3 connections, Outlook allegedly continued communicating over an unencrypted channel.
Server logs showed clients connecting through port 110 and attempting authentication without transport encryption, triggering Dovecot's new security protections.
The administrator says the behavior was observed in multiple Outlook versions, including Outlook 2007, Outlook 2013, Outlook 2016, Outlook 2019, Outlook 2024, and Outlook for macOS. Based on reports from users, Schwarz believes the issue may have existed for many years unnoticed because mail servers traditionally accepted cleartext POP3 connections for compatibility.
Dovecot is a widely used open-source POP3 and IMAP server deployed by hosting providers, enterprises, and organizations worldwide. The transition to Dovecot 2.4.3 exposed the problem by refusing authentication attempts sent over unencrypted sessions, where older configurations would have allowed them.
If confirmed, the issue could have broader security implications than just password exposure. Email content retrieved over unencrypted POP3 sessions can also be intercepted by anyone able to monitor network traffic between the client and server. Organizations subject to regulatory requirements, including GDPR-related obligations, generally rely on TLS transport encryption to protect email data in transit.
CyberInsider has contacted Microsoft for comment, and we will issue an update when we hear back.
Schwarz notes that users should not assume a mail client's encryption checkbox guarantees encrypted communications. Administrators are advised to verify that POP3 accounts use port 995 with SSL/TLS, IMAP accounts use port 993, and that server logs confirm TLS is actually being negotiated.
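The two checks above (does the account's encryption setting actually match its port, and do the server logs show TLS being negotiated) can be scripted. The following is an added example written for this article; it is not code from Outlook, Dovecot, or Schwarz's write-up. The log lines are constructed samples loosely modelled on Dovecot's login log format, and the field names, the `TLS` marker and the "disallowed cleartext auth" wording are assumptions that should be checked against the real server's output before use.

```python
"""Audit helpers for the POP3/IMAP transport-encryption mismatch discussed above.

Added example: not code from the original article, from Outlook, or from Dovecot.
The log lines below are constructed samples modelled loosely on Dovecot's login
log format; field names and layout are assumptions.
"""
import re
from dataclasses import dataclass

# Well-known ports: implicit-TLS ports versus the legacy cleartext/STARTTLS ports.
IMPLICIT_TLS_PORTS = {"pop3": 995, "imap": 993}
CLEARTEXT_PORTS = {"pop3": 110, "imap": 143}


@dataclass
class AccountConfig:
    protocol: str    # "pop3" or "imap"
    port: int
    encryption: str  # "ssl" (implicit TLS), "starttls", or "none"


def audit_account(cfg: AccountConfig) -> list[str]:
    """Return findings for a mail client account configuration.

    The combination the article describes (SSL/TLS enabled, port 110) is the
    first case: the encryption checkbox and the port disagree, and unless the
    client upgrades the session with STARTTLS it stays in cleartext.
    """
    proto = cfg.protocol.lower()
    if proto not in IMPLICIT_TLS_PORTS:
        return [f"unknown protocol {cfg.protocol!r}"]
    findings = []
    if cfg.encryption == "ssl" and cfg.port == CLEARTEXT_PORTS[proto]:
        findings.append(
            f"{proto}: implicit TLS selected but cleartext port {cfg.port} configured; "
            f"use port {IMPLICIT_TLS_PORTS[proto]}"
        )
    elif cfg.encryption == "none":
        findings.append(f"{proto}: no transport encryption configured on port {cfg.port}")
    elif cfg.encryption == "starttls" and cfg.port == IMPLICIT_TLS_PORTS[proto]:
        findings.append(
            f"{proto}: STARTTLS selected on implicit-TLS port {cfg.port}; "
            f"the server expects a TLS handshake first"
        )
    return findings


# Constructed sample log lines (assumed format, not real server output).
SAMPLE_LOG = """\
Nov 13 10:21:05 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, TLS, session=<a1>
Nov 13 10:21:09 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, session=<b2>
Nov 13 10:22:14 mail dovecot: pop3-login: Disconnected: Aborted login (tried to use disallowed cleartext auth): user=<carol>, rip=192.0.2.13, lip=198.51.100.5, session=<c3>
Nov 13 10:23:01 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.14, lip=198.51.100.5, TLS, session=<d4>
"""

LOGIN_RE = re.compile(
    r"(?P<service>pop3|imap)-login: (?P<event>Login|Disconnected): "
    r"(?P<detail>.*?)user=<(?P<user>[^>]*)>, (?P<rest>.*)$"
)


def classify_login_events(log_text: str) -> list[dict]:
    """Parse login events and flag any that did not happen over TLS.

    A successful 'Login' line without the TLS marker means the credentials (and
    afterwards the mailbox contents) crossed the network unencrypted, which an
    older server configuration would silently allow. An aborted login for
    disallowed cleartext auth is the refusal the upgraded server now produces.
    """
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        tls = bool(re.search(r"\bTLS\b", m.group("rest")))
        events.append({
            "service": m.group("service"),
            "user": m.group("user"),
            "tls": tls,
            "cleartext_refused": "disallowed cleartext auth" in m.group("detail"),
            "ok": m.group("event") == "Login" and tls,
        })
    return events


def unencrypted_users(log_text: str) -> list[str]:
    """Users who logged in without TLS or were refused for attempting cleartext auth."""
    return sorted({e["user"] for e in classify_login_events(log_text) if not e["ok"]})


if __name__ == "__main__":
    for cfg in (AccountConfig("pop3", 110, "ssl"), AccountConfig("imap", 993, "ssl")):
        print(cfg, audit_account(cfg))
    print("accounts to fix:", unencrypted_users(SAMPLE_LOG))
```

Run against real logs, the second half gives a list of accounts whose clients need their port corrected before the cleartext fallback is closed server-side; the first half is the client-side check that the port and the encryption setting agree.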
It is unclear whether the issue affects current Outlook installations, legacy account configurations created years ago, or only specific setup scenarios. However, the findings suggest that some Outlook users may have been retrieving email over unencrypted connections while believing transport encryption was active.