
"Customers have likely been retrieving their emails in plaintext for over a decade, mistakenly believing encryption was enabled"
The report came by way of a blog post at Marius World, where the writer describes how they came across the issue after upgrading their mail servers from Fedora 42 to Fedora Server 43 (released in October 2025). Marius started getting complaints from customers unable to receive emails. All got the same error message from the mail server: "Cleartext authentication disallowed on non-secure (SSL/TLS) connections". This meant the user's mail client was trying to use an unencrypted connection, something that's been deprecated by systems administrators for decades.
Marius realized that all the affected people were using Outlook, from versions 2007 through 2016 at least. Worst of all, seemingly everyone actually had the "Use TLS/SSL" checkbox enabled, meaning that protocol security had been downgraded silently all along. The bug can be triggered by having port 110 selected and using the POP3 protocol. Having TLS forced on should have prompted the client to move to port 995 automatically, or at least attempt a TLS connection at 110 anyway. Yet Outlook just happily proceeds without encryption. "Customers have likely been retrieving their emails in plaintext for over a decade, mistakenly believing encryption was enabled," Marius states.
The reason Fedora server administrators only recently started seeing this behavior is that version 43 upgraded the Dovecot SMTP/IMAP mail server to 2.4.3, a version whose backend disables unencrypted authentication altogether. The issue likely wasn't found sooner because the default mail account type nowadays is IMAP, and because Outlook's default configuration sets port 995 for POP3. Even so, it's a fair bet that a significant number of users are affected, particularly in environments that have to support many configurations, like web hosting.
The mitigation is fairly simple: check your Outlook account settings, and if you're using POP3, ensure that the connection port is 995. Having your email go through an unencrypted connection means anyone in your network or in the path to your server can happily read it, exposing not only your communications, but also those of other people. Marius also notes that this situation is technically an EU GDPR violation, since the law implicitly mandates that any customer data is sent via encrypted connections.
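For administrators who want to check captured port-110 traffic, here is an added example (not code from Marius's post or from Dovecot) that audits a POP3 session transcript for USER/PASS commands sent before STLS, the POP3 command that upgrades the connection to TLS. The transcripts, account name and password are constructed, and the refusal line reuses the error text quoted above.

```python
# Added example (not from the report). Transcripts are constructed samples of
# a POP3 session on port 110; "C" = client line, "S" = server line.
AUTH_VERBS = {"USER", "PASS"}  # the cleartext login pair; other mechanisms not covered

def audit_pop3_session(transcript):
    """Report which login commands crossed the wire before STLS succeeded."""
    result = {"tls": False, "exposed": [], "refused": False}
    last_verb = None
    for direction, line in transcript:
        text = line.strip()
        if direction == "C":
            last_verb = text.split(" ", 1)[0].upper() if text else None
            if last_verb in AUTH_VERBS:
                result["exposed"].append(last_verb)
            continue
        if last_verb == "STLS" and text.startswith("+OK"):
            result["tls"] = True  # TLS handshake follows; the rest is ciphertext
            break
        if last_verb in AUTH_VERBS and text.startswith("-ERR"):
            result["refused"] = True  # refusal arrives after the data was sent
        last_verb = None  # continuation lines of a multi-line reply carry no verb
    return result

def verdict(result):
    """Collapse the audit result into one label per session."""
    if "PASS" in result["exposed"]:
        return "credentials-exposed"
    if "USER" in result["exposed"]:
        return "username-exposed"
    return "ok"

# Constructed: server that still accepts cleartext logins on port 110.
LEGACY = [("S", "+OK POP3 ready"), ("C", "USER alice@example.test"), ("S", "+OK"),
          ("C", "PASS constructed-password"), ("S", "+OK Logged in.")]
# Constructed: server that refuses, using the error text quoted in the article.
STRICT = [("S", "+OK POP3 ready"), ("C", "USER alice@example.test"),
          ("S", "-ERR Cleartext authentication disallowed on non-secure (SSL/TLS) connections")]
# Constructed: client that upgrades with STLS before sending any login command.
STLS_OK = [("S", "+OK POP3 ready"), ("C", "CAPA"), ("S", "+OK"), ("S", "STLS"),
           ("S", "USER"), ("S", "."), ("C", "STLS"), ("S", "+OK Begin TLS negotiation now.")]

if __name__ == "__main__":
    for name, session in (("legacy", LEGACY), ("strict", STRICT), ("stls", STLS_OK)):
        print(name, verdict(audit_pop3_session(session)))
```

In the constructed "strict" session the server's refusal protects the password, but the account name has already been sent unencrypted by the time the error comes back.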