When it comes to connecting clients to Exchange, it seems that Outlook Anywhere and ActiveSync get all the limelight. For Outlook clients and mobile devices, that is fine, but what about the other systems that are out there, like legacy clients, scripted processes, and server-side routines? Fortunately, we can easily support all of those as IMAP Exchange or POP Exchange clients by enabling the reliable client protocols IMAP and POP3. Whether you want to use IMAP on Exchange or POP3 on Exchange, it's a simple matter to enable and configure the protocols so you can connect clients to their mailboxes.
POP vs. IMAP
Before you begin, it may help to understand the differences between the two protocols. Both predate our favorite MAPI protocol by several years, and were developed as vendor neutral, open protocols. Today, we use the third version of POP, called POP3 and defined in RFC 1939, and IMAP version 4, which we still just call IMAP and which is defined in RFC 3501. Both have been extended by various subsequent RFCs, but those two cover the highlights. In general terms, the older POP standard is used by clients to pull messages off their email server. The newer IMAP standard leaves messages on the server, and can deal with folders (or as Gmail implements them, labels). Both work well, and both support authentication and encryption with SSL/TLS. If you want to pull your email off an ISP’s server that offers only limited storage, use POP. If you want to access your email from multiple systems, like your computer and your smart phone, IMAP is the way to go.
Enabling POP and IMAP in Exchange 2010
So here’s the good news. Both protocols are already installed when you install the Client Access Server (CAS) role, so all you have to do to “turn them on” is go into services.msc, set the start-up type to automatic, and start them up.
All Exchange mailboxes are able to use POP and IMAP by default, so as long as you are willing to use clear-text protocols, or self-signed certificates, you’re done. Of course, we all know that we shouldn’t use clear-text protocols, and self-signed certificates tend to make clients complain, so we do have a little more work to do.
Securing POP and IMAP
Since Exchange mailboxes are tied to Active Directory accounts, we really don't want to let clients authenticate using the clear-text versions of POP and IMAP. While both protocols support a secure password authentication option, it is far more common to use TLS to encrypt the entire communications channel instead of just the authentication piece. Fortunately, they both support the use of TLS. If you don't have a valid certificate on your CAS server yet, see this post for how to use the Exchange Certificate Wizard to request and install a certificate. If you have already obtained a valid certificate from a public CA and installed it on your CAS server, configuring POP and IMAP to use it is a simple process:
1. Launch the Exchange Management Console.
2. Browse down to Server Configuration, Client Access.
3. Click on the POP3 and IMAP4 tab.
4. Right-click on IMAP4, choose Properties, and then go to the Authentication tab.
5. Select Secure logon, and if necessary, enter the friendly name of the appropriate certificate.
6. Do the same for the POP3 service.
7. Restart both services using services.msc. You must do this for the settings to take effect.
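The same result can be reached from the Exchange Management Shell, which is easier to repeat across several CAS servers and to keep in change control. The following is an added example, not code from the original post: it performs the service start-up from the previous section, the Secure logon setting and certificate binding from the steps above, the required restart, and a read-back so you can confirm the listener is configured the way you expect. The certificate host name is a placeholder; Exchange 2010's X509CertificateName parameter expects the host name from the certificate's subject, so substitute the name on your own CA-issued certificate.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the CAS server. Set-ImapSettings / Set-PopSettings and the
# MSExchangeIMAP4 / MSExchangePOP3 service names are standard in Exchange 2010.
$CertName = 'mail.contoso.com'    # placeholder: host name on your CA-issued certificate
$Server   = $env:COMPUTERNAME     # assumption: configuring the local CAS

# 1. The services ship with the CAS role but are not running: set them to
#    start automatically and start them now.
foreach ($svc in 'MSExchangeIMAP4', 'MSExchangePOP3') {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# 2. SecureLogin refuses to accept a password until the session is protected
#    by TLS, which is the shell equivalent of the "Secure logon" radio button.
#    The certificate is selected by the host name in its subject.
Set-ImapSettings -Server $Server -LoginType SecureLogin -X509CertificateName $CertName
Set-PopSettings  -Server $Server -LoginType SecureLogin -X509CertificateName $CertName

# 3. The settings are read at service start, so restart both services.
Restart-Service -Name MSExchangeIMAP4, MSExchangePOP3

# 4. Read back the effective configuration: LoginType should show SecureLogin,
#    and SSLBindings should list the 993 / 995 listeners that clients will use.
Get-ImapSettings -Server $Server |
    Format-List LoginType, X509CertificateName, SSLBindings, UnencryptedOrTLSBindings
Get-PopSettings -Server $Server |
    Format-List LoginType, X509CertificateName, SSLBindings, UnencryptedOrTLSBindings
```

The read-back at the end is worth keeping as a post-change check: a typo in the certificate name does not stop the service from starting, it simply leaves the listener presenting the wrong certificate, which clients then report as a certificate warning.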
Restricting access to POP and IMAP
Remember, all mailboxes can use POP and IMAP as soon as you enable the services. If you want to disable access to these, you can use the Exchange Management Console to disable a specific mailbox on the Mailbox Features tab.
That’s not very scalable, so go for the Exchange Management Shell command:
Set-CASMailbox -Identity username -POPEnabled $false -IMAPEnabled $false
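Because every mailbox has both protocols enabled by default, the practical approach is to decide which accounts actually need POP or IMAP (scripted processes, legacy clients) and switch everything else off. The following added example, not from the original post, does that with the same cmdlet: it reports who currently has either protocol on, disables both for every mailbox outside an allow list, and then re-enables only the listed accounts. The aliases in $Allowed are placeholders.

```powershell
# Added example (not from the original post). Uses the standard Exchange 2010
# cmdlets Get-Mailbox, Get-CASMailbox and Set-CASMailbox.

# Accounts that legitimately need POP/IMAP (placeholders; use your own aliases).
$Allowed = @('svc-reports', 'legacy-scanner')

# Step 1: inventory. Show every mailbox that currently has either protocol enabled.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object Name, PopEnabled, ImapEnabled |
    Format-Table -AutoSize

# Step 2: disable both protocols for every mailbox not on the allow list.
# -WhatIf prints the mailboxes that would change without touching them;
# remove it once the list looks right.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $Allowed -notcontains $_.Alias } |
    Set-CASMailbox -POPEnabled $false -IMAPEnabled $false -WhatIf

# Step 3: make the allow list authoritative by enabling exactly those accounts.
foreach ($alias in $Allowed) {
    Set-CASMailbox -Identity $alias -POPEnabled $true -IMAPEnabled $true
}
```

Newly created mailboxes still come up with both protocols enabled, so re-run the script (without -WhatIf) on a schedule, or at least after each batch of mailbox creations, if the allow list is meant to stay authoritative.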
To provide access to the protocols you will need to open the appropriate ports on your firewall. Here’s a table to help you request the firewall rules you will need.
Protocol        TCP port
POP3 over SSL   995
IMAP over SSL   993
IMAP Exchange client configuration
To configure an IMAP Exchange client, set up the client to connect to your Exchange server using a TLS connection. Here is a screenshot of Windows Live Mail, where we configure our IMAP Exchange client to use the server imap.exchange.com for incoming mail using IMAP, smtp.exchange.com for outgoing mail, and set both to use SSL connections.
Remember, even though the authentication option is labeled Clear text, the password only ever travels inside the TLS tunnel, so our credentials are secured from prying eyes.
POP Exchange client configuration
To configure a POP Exchange client, set up the client to connect to your Exchange server using a TLS connection. Here is a screenshot of Windows Live Mail, where we configure our POP Exchange client to use the server pop.exchange.com for incoming mail using POP3, smtp.exchange.com for outgoing mail, and set both to use SSL connections.
Again, even though the authentication option is labeled Clear text, the password only ever travels inside the TLS tunnel, so our credentials are secured from prying eyes.
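Before handing these settings to users, it is worth checking from a client machine that the firewall rules from the table above actually let you reach ports 993 and 995, and that the certificate the CAS presents is one a client will trust. The following added example, not from the original post, does exactly what a mail client does up to the point of sending a password: it opens a TCP connection, negotiates TLS, lets .NET validate the certificate chain and host name, and reads the server greeting. It deliberately stops there, so no credentials are involved. The host names are the post's example names.

```powershell
# Added example (not from the original post). Client-side TLS check using only
# .NET classes available in Windows PowerShell; no Exchange cmdlets required.
function Test-MailTls {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [Parameter(Mandatory=$true)][int]$Port
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        # A failure here means the firewall rule for this port is missing.
        $tcp.Connect($HostName, $Port)

        # SslStream validates the certificate chain and the host name. A
        # self-signed certificate, or a subject that does not match $HostName,
        # throws here: the same condition that makes mail clients complain.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)

        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $reader = New-Object System.IO.StreamReader($ssl)
        $banner = $reader.ReadLine()    # IMAP greets with "* OK ...", POP3 with "+OK ..."

        New-Object PSObject -Property @{
            Host        = $HostName
            Port        = $Port
            TlsProtocol = $ssl.SslProtocol
            Subject     = $cert.Subject
            Expires     = $cert.NotAfter
            Banner      = $banner
        }
    }
    finally {
        $tcp.Close()
    }
}

# The post's example host names; replace with your own CAS names.
Test-MailTls -HostName 'imap.exchange.com' -Port 993
Test-MailTls -HostName 'pop.exchange.com'  -Port 995
```

If the call throws during AuthenticateAsClient, fix the certificate (or the DNS name clients use) before deploying the client settings; otherwise users will either see a warning on every connection or, worse, learn to click through it.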
If you need to support clients that aren’t MAPI or ActiveSync capable, and cannot use OWA, POP Exchange or IMAP Exchange is the way to go. With the information above, you have all you need to enable and secure these protocols for your users.