A newly installed Exchange 2010 or later server has the POP and IMAP services disabled. The POP/IMAP settings for the server are also configured with secure default settings, so that if you were to start the services they would operate in a secure fashion by default.
The main concern with POP/IMAP security is the login process. POP/IMAP protocols allow login over unencrypted connections, transmitting login credentials across the network in clear text. By requiring secure logins on the Exchange server the credentials are passed over an encrypted connection, protecting them in transit.
It takes deliberate administrator intervention to remove the security of the POP and IMAP services in Exchange. Unfortunately it is quite common to do so, because POP and IMAP access is often required by legacy applications that may not supported secure login. Other times the excuse is simply that the administrators don’t know how to configure certificates for secure POP/IMAP login to work.
You can check the status of your POP and IMAP services in the Services.msc console or by running Get-Service in PowerShell.
PS C:\> Get-Service -ComputerName EX2016SRV1 -Name MSExchangePOP* Status Name DisplayName ------ ---- ----------- Stopped MSExchangePop3 Microsoft Exchange POP3 Stopped MSExchangePOP3BE Microsoft Exchange POP3 Backend PS C:\> Get-Service -ComputerName EX2016SRV1 -Name MSExchangeIMAP* Status Name DisplayName ------ ---- ----------- Stopped MSExchangeImap4 Microsoft Exchange IMAP4 Running MSExchangeIMAP4BE Microsoft Exchange IMAP4 Backend
For Exchange 2013 or later the frontend and backend services both need to be running.
If you don’t need to enable POP or IMAP services, then there is obviously no point in modifying the POP or IMAP settings to be less secure. Leaving them at the default, secure settings is a good practice in case someone inadvertently enables one of the services.
If you do need to enable POP or IMAP access:
- Verify that secure login is still configured.
[PS] C:\>Get-PopSettings -Server EX2016SRV1 | Select LoginType LoginType : SecureLogin [PS] C:\>Get-ImapSettings -Server EX2016SRV1 | Select LoginType LoginType : SecureLogin
- Start the services, and set them to automatic startup
- Enable an SSL certificate for POP/IMAP services. This can be the same certificate that is used for HTTPS services (OWA, ActiveSync, etc), or it can be a separate certificate. The default, self-signed certificate is unlikely to be suitable as it will cause certificate trust warnings for clients.
- Configure the TLS certificate name on the receive connector used by POP/IMAP clients.
If you’re unsure about your current configuration then you can download and run Exchange Analyzer which check your POP and IMAP settings for you.
What about situations where insecure logins are permitted, and you wish to start enforcing secure logins to comply with best practice? If the risk of insecure clients no longer being able to connect and disrupting your users or applications is a concern, then you can analyze your POP or IMAP protocol logs to locate any IP addresses that are the source of insecure logins. After manually remediating those clients, or if you’re willing to just enable secure logins and take the risk of some clients being disrupted, then you can configure your POP or IMAP settings using the Exchange management shell.
[PS] C:\>Set-PopSettings -Server EX2016SRV1 -LoginType SecureLogin [PS] C:\>Set-ImapSettings -Server EX2016SRV1 -LoginType SecureLogin
A restart of the services is required for the new settings to take effect.
Buenos días Paul.
He seguido todos los pasos al pie de la letra, pero no logro configurar mis buzones de Exchange en Thunderbird bajo el protocolo IMAP.
Los test de conectividad no dan error alguno. Hace varios dias que llevo con este problema y no logro resolverlo.
CasServer LocalSite Scenario Result Latency(MS) Error
——— ——— ——– —— ———– —–
CR Probar la Correct 318.48
conectividad o
de IMAP4
Dear please tell me how can I disable POP and IMAP protocols completely in my Exchange server 2016 organization.
You can disable the front end and back end POP and IMAP services on your CAS and MBX servers as well as disable pop and IMAP on all CASMailboxes
It seems that wildcard certificate for IMAP is not supported. I do find some backdoors with Set-ImapSettings command. Any thoughts on this?
Hi,
We have certain applications which cannot authenticate using Secure login and they support only Plaintext login method.
What happens if i change from “Secure login” to “PlainText Login”. Will it impact the users or application currently using “secure login” Method.
Thanks,
Prasanna
hi,
on Exchange 2016 I cannot login via outlook/IMAP. I get error “Log onto incoming mail server (IMAP): A secure connection to the server cannot be established.”
what did I do wrong?
My configuration:
ProtocolName : IMAP4
Name : 1
MaxCommandSize : 10240
ShowHiddenFoldersEnabled : False
UnencryptedOrTLSBindings : {0.0.0.0:143}
SSLBindings : {0.0.0.0:993}
InternalConnectionSettings : {Mail01.mydomain.com:993:SSL, Mail01.mydomain.com:143:TLS}
ExternalConnectionSettings : {mail.mydomain.com:143:TLS}
X509CertificateName : mail.mydomain.com
Banner : The Microsoft Exchange IMAP4 service is ready.
LoginType : PlainTextLogin
AuthenticatedConnectionTimeout : 00:30:00
PreAuthenticatedConnectionTimeout : 00:01:00
MaxConnections : 2147483647
MaxConnectionFromSingleIP : 2147483647
MaxConnectionsPerUser : 16
MessageRetrievalMimeFormat : BestBodyFormat
ProxyTargetPort : 1993
CalendarItemRetrievalOption : iCalendar
OwaServerUrl :
EnableExactRFC822Size : False
LiveIdBasicAuthReplacement : False
SuppressReadReceipt : False
ProtocolLogEnabled : False
EnforceCertificateErrors : False
LogFileLocation : D:Exchange ServerV15LoggingImap4
LogFileRollOverSettings : Daily
LogPerFileSizeQuota : 0 B (0 bytes)
ExtendedProtectionPolicy : None
EnableGSSAPIAndNTLMAuth : True
Server : MAIL01
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=1,CN=IMAP4,CN=Protocols,CN=MAIL01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ADP,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=adpdigital,DC=com
Identity : MAIL011
Guid : ebc005fa-7c9a-4c05-b5ab-50a4edb830e4
ObjectCategory : mydomain.com/Configuration/Schema/ms-Exch-Protocol-Cfg-IMAP-Server
ObjectClass : {top, protocolCfg, protocolCfgIMAP, protocolCfgIMAPServer}
WhenChanged : 11/8/2016 8:34:29 AM
WhenCreated : 8/25/2016 3:22:53 PM
WhenChangedUTC : 11/8/2016 5:04:29 AM
WhenCreatedUTC : 8/25/2016 10:52:53 AM
OrganizationId :
Id : MAIL011
OriginatingServer : ADPDC.mydomain.com
IsValid : True
ObjectState : Unchanged
I have exchange server 2016 with 3 mailbox. I am unable to configured outlook client on desktop.
Neeed your assistance.
Seems like JIRA Cloud services only supports IMAP or POP but they do support them over 993 and 995, respectively. I try to stay away from IMAP and POP as much as possible.