Applies to: Exchange Server 2007 SP3
Topic Last Modified: 2009-08-17

POP3 and IMAP4 protocols are now included with Microsoft Exchange Server 2007 as part of the Client Access server role and are installed, but not enabled, by default. SMTP is also required for these clients to be able to send mail. SMTP is part of both the Edge Transport and Hub Transport server roles. Although the Edge Transport server role is recommended for the Internet-facing servers in your organization, the Hub Transport server is more suited for authenticating and providing SMTP relay services for POP3 and IMAP4 clients. Edge Transport servers are typically not connected to the domain.

Unlike previous versions of Exchange, the Release to Manufacturing version of Exchange 2007 does not include a graphical user interface (GUI) that you can use to manage POP3 or IMAP4. However, GUI support for POP3 and IMAP4 is included in Exchange 2007 Service Pack 1.

How to Turn On POP3

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

To use the Exchange Management Console to turn on POP3
  1. In the Services snap-in, click Services (Local) in the console tree.

  2. In the results pane, right-click Microsoft Exchange POP3, and then click Properties.

  3. On the General tab, select Automatic under Startup type, and then click Apply.

  4. Under Service status, click Start, and then click OK.

To use the Exchange Management Shell to turn on POP3
  • Type the following commands, and press ENTER after each command:

    Set-Service msExchangePOP3 -StartupType Automatic
    Start-Service -Name msExchangePOP3
    

How to Turn On IMAP4

To use the Microsoft Management Console to turn on IMAP4
  1. In the Services snap-in, click Services (Local) in the console tree.

  2. In the results pane, right-click Microsoft Exchange IMAP4, and then click Properties.

  3. On the General tab, select Automatic under Startup type, and then click Apply.

  4. Under Service status, click Start, and then click OK.

To use the Exchange Management Shell to turn on IMAP4
  • Type the following commands, and press ENTER after each command:

    Set-Service msExchangeIMAP4 -StartupType Automatic
    Start-Service msExchangeIMAP4
    

How to Configure SMTP

Because the Edge Transport server role is designed to be Internet-facing, it serves the needs of your POP3 and IMAP4 clients. However, your clients may have to be authenticated for the purposes of identifying themselves (sender permissions checks) and to prove that they are allowed to relay. This authorization can be done by the Edge Transport server only if it resides in the domain. Because this is not the most common configuration, the Hub Transport server may be more suited for this purpose. If clients will be submitting mail from outside of your network, you have to open another SMTP port specifically for POP3 and IMAP4 submissions. Separating anonymous SMTP traffic from authenticated and relayed SMTP traffic can make sense for security and isolation purposes.

Exchange supports the following authentication mechanisms on Receive connectors, which you will find useful for POP3 and IMAP4:

  • Basic: Passwords are sent in clear text. This option is not recommended.

  • Basic Requiring TLS: The most common choice because it works with all clients and is secure.

  • Integrated Windows Authentication: This is also known as NTLM or SPA.

By default, the Hub Transport server is configured to use a Receive connector for the purposes of accepting these types of client submissions. This default client Receive connector listens on port 587, which is becoming the industry standard for client-to-server SMTP communication. Server-to-server SMTP communications use port 25. If you do not plan to deploy an Edge Transport server, the default Receive connector, which uses port 25 on a Hub Transport server, is also configured to accept these SMTP submissions from authenticated POP3 and IMAP4 clients.

How to Configure the Clients

By default, POP3 and IMAP4 are locked down to only accept SSL/TLS connections. This means that clients must connect to the secure port or negotiate explicit TLS. Outlook Express clients and Windows Mail clients have an option to connect on the secure ports (995 for POP3 or 993 for IMAP4). If you do not use SSL, you receive the following error message:

Command is not valid in this state.

If you do not wish to enforce this requirement, you can change the -LoginType parameter using the appropriate Exchange Management Shell cmdlet for POP3 or IMAP4. Although the PlainTextLogin option does give you the most flexibility, we do not recommend that you use this option, as it allows passwords to be transmitted in clear text. Also, if you make any changes, you may have to restart the POP3 and IMAP4 services for the changes to take effect.
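The following read-only audit is an added example, not part of the original Microsoft topic. It reports where a server would accept a password without TLS, covering both the POP3/IMAP4 LoginType and the Basic mechanism on Receive connectors. It assumes the Client Access and Hub Transport roles are on the server where the Exchange Management Shell is running; otherwise run each part on the server that holds that role.

```powershell
# Added example: read-only audit, run in the Exchange Management Shell.

# Part 1: POP3/IMAP4 LoginType and service state.
$protocols = @(
    @{ Name = 'POP3';  Service = 'msExchangePOP3';  Settings = (Get-PopSettings) },
    @{ Name = 'IMAP4'; Service = 'msExchangeIMAP4'; Settings = (Get-ImapSettings) }
)

foreach ($p in $protocols) {
    $svc       = Get-Service -Name $p.Service
    $loginType = $p.Settings.LoginType.ToString()

    if ($loginType -eq 'SecureLogin') {
        $finding = 'OK: SSL/TLS required before login (default)'
    } elseif ($loginType -eq 'PlainTextLogin') {
        $finding = 'RISK: passwords can be transmitted in clear text'
    } else {
        # For example PlainTextAuthentication: SSL is not required for SPA logons.
        $finding = "REVIEW: $loginType does not require SSL for every logon"
    }

    "{0,-6} service={1,-8} LoginType={2,-24} {3}" -f $p.Name, $svc.Status, $loginType, $finding
}

# Part 2: Receive connectors that offer Basic authentication.
foreach ($rc in Get-ReceiveConnector) {
    # AuthMechanism prints as a comma-separated list; split it into exact names
    # so that 'BasicAuth' is not confused with 'BasicAuthRequireTLS'.
    $mechs = @($rc.AuthMechanism.ToString().Split(',') | ForEach-Object { $_.Trim() })

    if (($mechs -contains 'BasicAuth') -and -not ($mechs -contains 'BasicAuthRequireTLS')) {
        $finding = 'RISK: Basic offered without requiring TLS'
    } elseif ($mechs -contains 'BasicAuthRequireTLS') {
        $finding = 'OK: Basic requiring TLS'
    } else {
        $finding = 'Basic authentication not offered'
    }

    "{0} [{1}] AuthMechanism={2} -> {3}" -f $rc.Identity, "$($rc.Bindings)", $rc.AuthMechanism, $finding
}

# To return a protocol to the default after review (then restart its service):
#   Set-PopSettings  -LoginType SecureLogin ; Restart-Service msExchangePOP3
#   Set-ImapSettings -LoginType SecureLogin ; Restart-Service msExchangeIMAP4
```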

The steps below describe how to configure the client so that no configuration changes are required on the server.

To configure IMAP and POP3 in Outlook Express and Windows Mail
  1. On the Outlook Express Tools menu or the Windows Mail Tools menu, click Accounts.

  2. Click the Mail tab, and then double-click your e-mail account.

  3. Click the Servers tab.

  4. Click the list next to My incoming server is a, and then select IMAP or POP3 from the list.

  5. Click to enable the My server requires authentication check box. Additionally, you may choose to select the Log on using Secure Password Authentication feature, which uses Windows Integrated Authentication.

To configure IMAP and POP3 in Office Outlook
  1. On the Outlook Tools menu, click E-mail Accounts.

  2. Click Add New account.

  3. Select POP3 or IMAP, and then click Next.

  4. Enter the required information in the User information, Server information, and Logon information fields.

  5. Click More Settings.

  6. On the Outgoing Server tab, click to enable the My server requires authentication check box. Additionally, you may choose to select the Log on using Secure Password Authentication.

By default, both SMTP and IMAP are configured to require TLS. This means that you must also configure the client to use SSL.

Note:
The following steps are not required if you changed the LoginType from SecureLogin to PlainTextAuthentication for IMAPSettings on the Exchange server. If the LoginType was changed to PlainTextAuthentication, you can use Secure Password Authentication (Integrated Windows) for both SMTP and IMAP, and you do not have to select the SSL check boxes. The option to use SPA is only available on some clients. Make sure that you do not use the defaults, which are basic authentication without SSL.

To enable SSL in Outlook Express and Windows Mail
  1. On the Outlook Express Tools menu or the Windows Mail Tools menu, click Accounts.

  2. Click the Mail tab, and then double-click your e-mail account.

  3. Click the Advanced tab.

  4. Click to enable the This server requires a secure connection (SSL) check box(es).

To enable SSL in Office Outlook
  1. On the Outlook Tools menu, click E-mail Accounts.

  2. Click View or change existing e-mail accounts.

  3. Select the e-mail account that you want to change, and then click Change.

  4. Click More Settings.

  5. Click the Advanced tab.

  6. Click to enable the This server requires a secure connection (SSL) check box(es).

Known Issues

At this time, Outlook Express 6 uses SMTP with SSL explicitly on port 25. In this case, if you do not use port 25, Outlook Express 6 clients may receive the following message:

Your server has unexpectedly terminated the connection or 0x800CCC0F.

There is now a fix available to allow Outlook Express 6 clients to use SSL on port 587. For more information, see Microsoft Knowledge Base article 933612, A mail program cannot connect to an Exchange Server 2007 server by using SSL over SMTP port 587.

This issue is fixed in the Windows Vista Mail client, in the most recent versions of Outlook, and in Windows Live Mail Desktop.

To work around this issue, you can use port 25 when requiring TLS, even if it means using a different IP address than your MX record. Note that, even with clients that support explicit TLS on port 587, you may not be able to pick some arbitrary port of your choosing. This is because the client may still try to use implicit SSL. Also, do not try to use port 465, as that is for implicit SSL, which Exchange does not support for SMTP.

For More Information

For more information about managing POP3 and IMAP4 on Exchange 2007, see Managing POP3 and IMAP4.