A newly installed Exchange 2010 or later server has the POP and IMAP services disabled. The POP/IMAP settings for the server are also configured with secure default settings, so that if you were to start the services they would operate in a secure fashion by default.
The main concern with POP/IMAP security is the login process. POP/IMAP protocols allow login over unencrypted connections, transmitting login credentials across the network in clear text. By requiring secure logins on the Exchange server the credentials are passed over an encrypted connection, protecting them in transit.
It takes deliberate administrator intervention to remove the security of the POP and IMAP services in Exchange. Unfortunately it is quite common to do so, because POP and IMAP access is often required by legacy applications that may not support secure login. Other times the excuse is simply that the administrators don’t know how to configure certificates for secure POP/IMAP login to work.
You can check the status of your POP and IMAP services in the Services.msc console or by running Get-Service in PowerShell.
PS C:\> Get-Service -ComputerName EX2016SRV1 -Name MSExchangePOP*

Status   Name               DisplayName
------   ----               -----------
Stopped  MSExchangePop3     Microsoft Exchange POP3
Stopped  MSExchangePOP3BE   Microsoft Exchange POP3 Backend

PS C:\> Get-Service -ComputerName EX2016SRV1 -Name MSExchangeIMAP*

Status   Name               DisplayName
------   ----               -----------
Stopped  MSExchangeImap4    Microsoft Exchange IMAP4
Running  MSExchangeIMAP4BE  Microsoft Exchange IMAP4 Backend
For Exchange 2013 or later the frontend and backend services both need to be running.
If you don’t need to enable POP or IMAP services, then there is obviously no point in modifying the POP or IMAP settings to be less secure. Leaving them at the default, secure settings is a good practice in case someone inadvertently enables one of the services.
If you do need to enable POP or IMAP access:
- Verify that secure login is still configured.
[PS] C:\>Get-PopSettings -Server EX2016SRV1 | Select LoginType

LoginType : SecureLogin

[PS] C:\>Get-ImapSettings -Server EX2016SRV1 | Select LoginType

LoginType : SecureLogin
- Start the services, and set them to automatic startup.
- Enable an SSL certificate for POP/IMAP services. This can be the same certificate that is used for HTTPS services (OWA, ActiveSync, etc.), or it can be a separate certificate. The default, self-signed certificate is unlikely to be suitable, as it will cause certificate trust warnings for clients.
- Configure the TLS certificate name on the receive connector used by POP/IMAP clients.
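The steps above, carried out from the Exchange Management Shell, as an added example that is not part of the original article. It refuses to continue if the login requirement has already been relaxed, starts both the frontend and backend services (Exchange 2013 or later needs both), and binds a trusted certificate to POP and IMAP with Enable-ExchangeCertificate. The server name and the certificate thumbprint are placeholders to replace with your own values.

```powershell
# Added example (not from the original article): enable POP3 and IMAP4 on an
# Exchange 2013+ server while keeping secure login enforced.
# Run in the Exchange Management Shell (Windows PowerShell).
$Server     = 'EX2016SRV1'                          # placeholder server name
$Thumbprint = '<THUMBPRINT-OF-YOUR-TRUSTED-CERT>'   # placeholder thumbprint

# 1. Do not proceed if someone has already downgraded LoginType.
$pop  = Get-PopSettings  -Server $Server
$imap = Get-ImapSettings -Server $Server
foreach ($s in @($pop, $imap)) {
    if ($s.LoginType -ne 'SecureLogin') {
        throw "$($s.Identity): LoginType is $($s.LoginType); expected SecureLogin"
    }
}

# 2. Frontend and backend services both need to run on Exchange 2013 or later.
$services = 'MSExchangePop3', 'MSExchangePOP3BE', 'MSExchangeImap4', 'MSExchangeIMAP4BE'
foreach ($name in $services) {
    Set-Service   -ComputerName $Server -Name $name -StartupType Automatic
    Start-Service -InputObject (Get-Service -ComputerName $Server -Name $name)
}

# 3. Bind a trusted certificate to POP and IMAP (the HTTPS certificate is fine).
Enable-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -Services POP,IMAP

# 4. Show the resulting service state.
Get-Service -ComputerName $Server -Name $services | Select-Object Status, Name
```

Set-Service -ComputerName is a Windows PowerShell parameter (it is not available in PowerShell 7), which is what the Exchange Management Shell runs in. Keeping the LoginType check before anything is started means a server that was quietly downgraded earlier is caught rather than exposed.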
If you’re unsure about your current configuration, then you can download and run Exchange Analyzer, which checks your POP and IMAP settings for you.
What about situations where insecure logins are permitted, and you wish to start enforcing secure logins to comply with best practice? If the risk of insecure clients no longer being able to connect and disrupting your users or applications is a concern, then you can analyze your POP or IMAP protocol logs to locate any IP addresses that are the source of insecure logins. After manually remediating those clients, or if you’re willing to just enable secure logins and take the risk of some clients being disrupted, then you can configure your POP or IMAP settings using the Exchange management shell.
[PS] C:\>Set-PopSettings -Server EX2016SRV1 -LoginType SecureLogin
[PS] C:\>Set-ImapSettings -Server EX2016SRV1 -LoginType SecureLogin
A restart of the services is required for the new settings to take effect.
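The protocol log analysis described above (locating the client IP addresses that perform insecure logins before you enforce SecureLogin), as an added example that is not part of the original article. It assumes protocol logging is enabled on the server (Set-PopSettings / Set-ImapSettings -ProtocolLogEnabled $true) and that the logs use the Exchange 2013+ CSV layout whose "#Fields:" header includes sessionId, sequenceNumber, sIp, cIp, user and command. The detection heuristic is also an assumption: a USER/PASS, LOGIN or AUTH/AUTHENTICATE command on a session in which no STLS/STARTTLS command was logged earlier is treated as a clear-text login. The sample log lines at the bottom are constructed so the function can be tried offline.

```powershell
# Added example (not from the original article): report client IPs that logged
# in to POP3/IMAP4 without TLS, by reading the Exchange protocol logs.
# Assumed log layout: CSV with a '#Fields:' header naming sessionId,
# sequenceNumber, sIp, cIp, user, command (Exchange 2013+ style).
function Find-InsecureLogins {
    param(
        [Parameter(Mandatory)][string[]]$Path   # one or more protocol log files
    )

    # Parse every file, using its own '#Fields:' header as the column names.
    $rows = foreach ($file in $Path) {
        $fields = $null
        foreach ($line in Get-Content -LiteralPath $file) {
            if ($line -like '#Fields:*') {
                $fields = ($line -replace '^#Fields:\s*', '') -split ','
                continue
            }
            if ($line.StartsWith('#') -or -not $fields -or -not $line) { continue }
            $line | ConvertFrom-Csv -Header $fields
        }
    }

    # Walk each session in order; a credential command before STLS/STARTTLS
    # means the credentials crossed the network in clear text (heuristic).
    $findings = foreach ($session in ($rows | Group-Object sessionId)) {
        $tlsStarted = $false
        foreach ($row in ($session.Group | Sort-Object { [int]$_.sequenceNumber })) {
            $cmd = [string]$row.command
            if ($cmd -match '(?i)(?:^|\s)(stls|starttls)$') { $tlsStarted = $true; continue }
            if ($cmd -match '(?i)(?:^|\s)(user|pass|login|auth|authenticate)$' -and -not $tlsStarted) {
                [pscustomobject]@{
                    ClientIp       = ($row.cIp -split ':')[0]   # drop the source port
                    User           = $row.user
                    ServerEndpoint = $row.sIp
                    When           = $row.dateTime
                    Command        = $cmd
                }
                break   # one finding per session is enough
            }
        }
    }

    # Summarise per client IP: how many clear-text sessions and which accounts.
    $findings | Group-Object ClientIp | ForEach-Object {
        [pscustomobject]@{
            ClientIp = $_.Name
            Sessions = $_.Count
            Users    = ($_.Group.User | Where-Object { $_ } | Sort-Object -Unique) -join ';'
            LastSeen = ($_.Group.When | Sort-Object | Select-Object -Last 1)
        }
    }
}

# Constructed sample log (not real data): one plaintext POP3 login from
# 10.0.0.50 and one login from 10.0.0.77 that negotiated STLS first.
$sample = @'
#Software: Microsoft Exchange Server
#Log-type: POP3 Log
#Fields: dateTime,connectorId,sessionId,sequenceNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
2017-05-10T08:00:01.100Z,EX2016SRV1:110,00000000000A0001,0,10.0.0.5:110,10.0.0.50:52311,,1,0,0,OpenSession,,
2017-05-10T08:00:01.200Z,EX2016SRV1:110,00000000000A0001,1,10.0.0.5:110,10.0.0.50:52311,,1,6,0,user,legacyapp@example.com,
2017-05-10T08:00:01.300Z,EX2016SRV1:110,00000000000A0001,2,10.0.0.5:110,10.0.0.50:52311,legacyapp@example.com,3,5,0,pass,*****,
2017-05-10T08:01:10.000Z,EX2016SRV1:110,00000000000A0002,0,10.0.0.5:110,10.0.0.77:61002,,1,0,0,OpenSession,,
2017-05-10T08:01:10.100Z,EX2016SRV1:110,00000000000A0002,1,10.0.0.5:110,10.0.0.77:61002,,1,4,0,stls,,
2017-05-10T08:01:10.400Z,EX2016SRV1:110,00000000000A0002,2,10.0.0.5:110,10.0.0.77:61002,,1,6,0,user,alice@example.com,
2017-05-10T08:01:10.500Z,EX2016SRV1:110,00000000000A0002,3,10.0.0.5:110,10.0.0.77:61002,alice@example.com,3,5,0,pass,*****,
'@
$tmp = Join-Path $env:TEMP 'POP3Sample.LOG'
Set-Content -LiteralPath $tmp -Value $sample
Find-InsecureLogins -Path $tmp

# Against a real server, point the function at the protocol log directory:
#   $logDir = (Get-PopSettings -Server EX2016SRV1).LogFileLocation
#   Find-InsecureLogins -Path (Get-ChildItem -Path $logDir -Filter *.LOG).FullName
```

In the constructed sample the 10.0.0.50 session is reported because its USER/PASS commands arrive with no STLS in the session, while the 10.0.0.77 session negotiated STLS first and is left out. Run the same function over the IMAP4 logs (Get-ImapSettings exposes its own LogFileLocation) and remediate the listed clients before switching LoginType to SecureLogin, so that the change does not disrupt them.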