A newly installed Exchange 2010 or later server has the POP and IMAP services disabled. The POP/IMAP settings for the server are also configured with secure default settings, so that if you were to start the services they would operate in a secure fashion by default.

The main concern with POP/IMAP security is the login process. POP/IMAP protocols allow login over unencrypted connections, transmitting login credentials across the network in clear text. By requiring secure logins on the Exchange server the credentials are passed over an encrypted connection, protecting them in transit.

It takes deliberate administrator intervention to remove the security of the POP and IMAP services in Exchange. Unfortunately it is quite common to do so, because POP and IMAP access is often required by legacy applications that may not supported secure login. Other times the excuse is simply that the administrators don’t know how to configure certificates for secure POP/IMAP login to work.

You can check the status of your POP and IMAP services in the Services.msc console or by running Get-Service in PowerShell.

PS C:\> Get-Service -ComputerName EX2016SRV1 -Name MSExchangePOP*

Status   Name               DisplayName
------   ----               -----------
Stopped  MSExchangePop3     Microsoft Exchange POP3
Stopped  MSExchangePOP3BE   Microsoft Exchange POP3 Backend


PS C:\> Get-Service -ComputerName EX2016SRV1 -Name MSExchangeIMAP*

Status   Name               DisplayName
------   ----               -----------
Stopped  MSExchangeImap4    Microsoft Exchange IMAP4
Running  MSExchangeIMAP4BE  Microsoft Exchange IMAP4 Backend

For Exchange 2013 or later the frontend and backend services both need to be running.

If you don’t need to enable POP or IMAP services, then there is obviously no point in modifying the POP or IMAP settings to be less secure. Leaving them at the default, secure settings is a good practice in case someone inadvertently enables one of the services.

If you do need to enable POP or IMAP access:

    1. Verify that secure login is still configured.
[PS] C:\>Get-PopSettings -Server EX2016SRV1 | Select LoginType

LoginType : SecureLogin

[PS] C:\>Get-ImapSettings -Server EX2016SRV1 | Select LoginType

LoginType : SecureLogin
  1. Start the services, and set them to automatic startup
  2. Enable an SSL certificate for POP/IMAP services. This can be the same certificate that is used for HTTPS services (OWA, ActiveSync, etc), or it can be a separate certificate. The default, self-signed certificate is unlikely to be suitable as it will cause certificate trust warnings for clients.
  3. Configure the TLS certificate name on the receive connector used by POP/IMAP clients.

If you’re unsure about your current configuration then you can download and run Exchange Analyzer which check your POP and IMAP settings for you.

What about situations where insecure logins are permitted, and you wish to start enforcing secure logins to comply with best practice? If the risk of insecure clients no longer being able to connect and disrupting your users or applications is a concern, then you can analyze your POP or IMAP protocol logs to locate any IP addresses that are the source of insecure logins. After manually remediating those clients, or if you’re willing to just enable secure logins and take the risk of some clients being disrupted, then you can configure your POP or IMAP settings using the Exchange management shell.

[PS] C:\>Set-PopSettings -Server EX2016SRV1 -LoginType SecureLogin

[PS] C:\>Set-ImapSettings -Server EX2016SRV1 -LoginType SecureLogin

A restart of the services is required for the new settings to take effect.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. tleguizamon

    Buenos días Paul.

    He seguido todos los pasos al pie de la letra, pero no logro configurar mis buzones de Exchange en Thunderbird bajo el protocolo IMAP.

    Los test de conectividad no dan error alguno. Hace varios dias que llevo con este problema y no logro resolverlo.

    CasServer LocalSite Scenario Result Latency(MS) Error
    ——— ——— ——– —— ———– —–
    CR Probar la Correct 318.48
    conectividad o
    de IMAP4

  2. Juned

    Dear please tell me how can I disable POP and IMAP protocols completely in my Exchange server 2016 organization.

    1. Amit

      You can disable the front end and back end POP and IMAP services on your CAS and MBX servers as well as disable pop and IMAP on all CASMailboxes

  3. Jozef Wu

    It seems that wildcard certificate for IMAP is not supported. I do find some backdoors with Set-ImapSettings command. Any thoughts on this?

  4. Prasanna

    Hi,

    We have certain applications which cannot authenticate using Secure login and they support only Plaintext login method.
    What happens if i change from “Secure login” to “PlainText Login”. Will it impact the users or application currently using “secure login” Method.

    Thanks,
    Prasanna

  5. elisa

    hi,
    on Exchange 2016 I cannot login via outlook/IMAP. I get error “Log onto incoming mail server (IMAP): A secure connection to the server cannot be established.”

    what did I do wrong?
    My configuration:

    ProtocolName : IMAP4
    Name : 1
    MaxCommandSize : 10240
    ShowHiddenFoldersEnabled : False
    UnencryptedOrTLSBindings : {0.0.0.0:143}
    SSLBindings : {0.0.0.0:993}
    InternalConnectionSettings : {Mail01.mydomain.com:993:SSL, Mail01.mydomain.com:143:TLS}
    ExternalConnectionSettings : {mail.mydomain.com:143:TLS}
    X509CertificateName : mail.mydomain.com
    Banner : The Microsoft Exchange IMAP4 service is ready.
    LoginType : PlainTextLogin
    AuthenticatedConnectionTimeout : 00:30:00
    PreAuthenticatedConnectionTimeout : 00:01:00
    MaxConnections : 2147483647
    MaxConnectionFromSingleIP : 2147483647
    MaxConnectionsPerUser : 16
    MessageRetrievalMimeFormat : BestBodyFormat
    ProxyTargetPort : 1993
    CalendarItemRetrievalOption : iCalendar
    OwaServerUrl :
    EnableExactRFC822Size : False
    LiveIdBasicAuthReplacement : False
    SuppressReadReceipt : False
    ProtocolLogEnabled : False
    EnforceCertificateErrors : False
    LogFileLocation : D:Exchange ServerV15LoggingImap4
    LogFileRollOverSettings : Daily
    LogPerFileSizeQuota : 0 B (0 bytes)
    ExtendedProtectionPolicy : None
    EnableGSSAPIAndNTLMAuth : True
    Server : MAIL01
    AdminDisplayName :
    ExchangeVersion : 0.10 (14.0.100.0)
    DistinguishedName : CN=1,CN=IMAP4,CN=Protocols,CN=MAIL01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ADP,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=adpdigital,DC=com
    Identity : MAIL011
    Guid : ebc005fa-7c9a-4c05-b5ab-50a4edb830e4
    ObjectCategory : mydomain.com/Configuration/Schema/ms-Exch-Protocol-Cfg-IMAP-Server
    ObjectClass : {top, protocolCfg, protocolCfgIMAP, protocolCfgIMAPServer}
    WhenChanged : 11/8/2016 8:34:29 AM
    WhenCreated : 8/25/2016 3:22:53 PM
    WhenChangedUTC : 11/8/2016 5:04:29 AM
    WhenCreatedUTC : 8/25/2016 10:52:53 AM
    OrganizationId :
    Id : MAIL011
    OriginatingServer : ADPDC.mydomain.com
    IsValid : True
    ObjectState : Unchanged

  6. Anil Sonar

    I have exchange server 2016 with 3 mailbox. I am unable to configured outlook client on desktop.

    Neeed your assistance.

  7. Shannon

    Seems like JIRA Cloud services only supports IMAP or POP but they do support them over 993 and 995, respectively. I try to stay away from IMAP and POP as much as possible.

Leave a Reply