Outlook may have allowed unencrypted connections for decades, report claims — Fedora and Dovecot upgrade reveal protocol downgrade issue present since at least 2007

Jun 05, 2026 - 16:15
Ripped envelope (Image credit: Getty Images)

An IT blogger claims to have uncovered a high-impact security flaw in Microsoft Outlook, which was reportedly found to have been silently downgrading connections configured for SSL/TLS to unencrypted plaintext. The behavior appears to affect at least Outlook 2007 through 2016, and possibly later versions, though it is as yet unconfirmed whether Outlook 2019 onwards is affected.

The report came by way of a blog post at Marius World, where the writer describes how they came across the issue after upgrading their mail servers from Fedora 42 to Fedora Server 43 (released in October 2025). Marius started getting complaints from customers unable to receive email. All got the same error message from the mail server: "Cleartext authentication disallowed on non-secure (SSL/TLS) connections". This meant the mail client was sending its username and password over a connection that had not been secured with TLS, something systems administrators have been deprecating for decades.

Marius realized that all the affected people were using Outlook, versions 2007 through 2016 at least. Worst of all, seemingly everyone actually had the "Use TLS/SSL" checkbox enabled, meaning that protocol security had been downgraded silently all along. The bug is triggered by using POP3 with port 110 selected. With TLS enabled, a correct client should either use implicit TLS on port 995 or, on port 110, issue the POP3 STLS command (RFC 2595) and refuse to send credentials if that upgrade is not offered or fails. Yet Outlook just happily proceeds without encryption. "Customers have likely been retrieving their emails in plaintext for over a decade, mistakenly believing encryption was enabled," Marius states.

The reason Fedora server administrators only recently started seeing this behavior is that version 43 upgraded the Dovecot IMAP/POP3 mail server to 2.4.3, a version that refuses cleartext authentication on connections not protected by TLS. Likely reasons the issue wasn't found sooner are that nowadays the default mail account type is IMAP, and that Outlook's default POP3 configuration uses port 995. Even so, a significant number of users are probably affected, particularly in environments that have to support many configurations, such as web hosting.
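To make the exchange in the two paragraphs above concrete, here is an added example (not code from the blog post, from Outlook, or from Dovecot): a simulated POP3 session on port 110 with both sides' messages. The server is a constructed model that offers STLS and, like the Dovecot behavior quoted above, refuses USER/PASS before TLS has been negotiated; the only text taken from the article is the error message. `naive_client` reproduces the failure mode (credentials sent before any TLS negotiation), `strict_client` shows what a fail-closed client does, and `live_stls_check` is an optional network probe built on Python's standard `poplib`. The credentials, host name and all server replies other than the quoted error are assumptions.

```python
"""POP3 on port 110: a client that trusts its 'TLS enabled' setting but never
negotiates STLS, versus a fail-closed client, against a server modelled on the
refusal quoted in the article. Constructed example, not Outlook or Dovecot code."""
import poplib

# Error text as quoted in the article; the server model itself is constructed.
CLEARTEXT_REFUSED = ("-ERR [AUTH] Cleartext authentication disallowed on "
                     "non-secure (SSL/TLS) connections.")


class Pop3Server:
    """Minimal POP3 state machine: offers STLS (RFC 2595) and, unless
    allow_cleartext is set, refuses USER/PASS until TLS has been negotiated."""

    def __init__(self, allow_cleartext=False, offer_stls=True):
        self.allow_cleartext, self.offer_stls = allow_cleartext, offer_stls
        self.tls = False  # flipped by a successful STLS (stands in for the handshake)

    def handle(self, line):
        cmd = line.partition(" ")[0].upper()
        if cmd == "CAPA":
            caps = ["USER", "UIDL"] + (["STLS"] if self.offer_stls and not self.tls else [])
            return "+OK\r\n" + "\r\n".join(caps) + "\r\n."
        if cmd == "STLS":
            if not self.offer_stls or self.tls:
                return "-ERR TLS not available"
            self.tls = True
            return "+OK Begin TLS negotiation now."
        if cmd in ("USER", "PASS"):
            return "+OK" if self.tls or self.allow_cleartext else CLEARTEXT_REFUSED
        return "+OK" if cmd == "QUIT" else "-ERR Unknown command"


def exchange(server, transcript, line):
    """Send one command, record both sides (first reply line), return the reply."""
    transcript.append("C: " + line)
    reply = server.handle(line)
    transcript.append("S: " + reply.split("\r\n")[0])
    return reply


def parse_capa(reply):
    """Capability names from a multi-line CAPA reply."""
    lines = reply.split("\r\n")
    if not lines[0].startswith("+OK"):
        return set()
    return {l.split()[0].upper() for l in lines[1:] if l and l != "."}


def _login(server, transcript, user, password):
    # all() short-circuits: PASS is never sent once USER has been refused.
    ok = all(exchange(server, transcript, c).startswith("+OK")
             for c in (f"USER {user}", f"PASS {password}"))
    return {"authenticated": ok, "encrypted": server.tls, "transcript": transcript}


def naive_client(server, user, password):
    """The failure mode in the article: 'TLS enabled' in the UI, but on port 110
    the credentials go out before any TLS negotiation."""
    return _login(server, ["S: +OK POP3 server ready"], user, password)


def strict_client(server, user, password):
    """Fail-closed: no credential leaves the machine until STLS has succeeded."""
    transcript = ["S: +OK POP3 server ready"]
    if ("STLS" not in parse_capa(exchange(server, transcript, "CAPA"))
            or not exchange(server, transcript, "STLS").startswith("+OK")):
        exchange(server, transcript, "QUIT")
        return {"authenticated": False, "encrypted": False, "transcript": transcript}
    # A real client now wraps the socket, e.g. ssl.create_default_context()
    # .wrap_socket(sock, server_hostname=host), aborting on any handshake error.
    return _login(server, transcript, user, password)


def live_stls_check(host, port=110, timeout=5):
    """Network probe of a real server (not used offline): does port 110 offer
    STLS, and does it refuse USER before STLS? Sends only a bogus username."""
    conn = poplib.POP3(host, port, timeout=timeout)
    offers_stls = "STLS" in conn.capa()
    try:
        conn.user("stls-probe")  # deliberately invalid; no password is sent
        refuses_cleartext = False
    except poplib.error_proto:
        refuses_cleartext = True
    try:
        conn.quit()
    except (poplib.error_proto, OSError):
        pass
    return {"offers_stls": offers_stls, "refuses_cleartext": refuses_cleartext}


if __name__ == "__main__":
    for label, server, client in (  # 'alice'/'hunter2' are constructed sample credentials
        ("legacy server, naive client", Pop3Server(allow_cleartext=True), naive_client),
        ("Dovecot-style server, naive client", Pop3Server(), naive_client),
        ("Dovecot-style server, strict client", Pop3Server(), strict_client),
    ):
        r = client(server, "alice", "hunter2")
        print(f"{label}: authenticated={r['authenticated']} encrypted={r['encrypted']}")
        print("\n".join("  " + t for t in r["transcript"]))
```

Run as a script to see the three transcripts. Against a legacy server that still allows cleartext, the naive client "succeeds" with encrypted=False, which is exactly the silent downgrade the article describes; against the Dovecot-style server it fails with the quoted error, and only the client that negotiates STLS authenticates. `live_stls_check("pop.example.com")` (placeholder host) against your own server should return offers_stls=True and refuses_cleartext=True.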

The mitigation is fairly simple: check your Outlook account settings and, if you're using POP3, make sure the incoming server port is 995 with SSL/TLS enabled. Server-side, the right response is to leave the refusal in place rather than re-enable cleartext authentication to silence the complaints. Fetching email over an unencrypted connection means anyone on your network, or anywhere on the path to your server, can read both your credentials and your messages, exposing not only your communications but also those of your correspondents. Marius also notes that this situation is technically an EU GDPR violation, since the law implicitly mandates that customer data be sent over encrypted connections.


Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.
