I know that IMAP is disabled by default in Exchange Server, but I'm curious as to why. Also, under what circumstances should an organization enable IMAP, and what types of organizations typically enable IMAP in Exchange?
Both the POP3 and IMAP services are installed, but disabled by default, in every Exchange Server release since Exchange 2003. The rationale behind the decision lies in security. It's not that IMAP and POP3 are inherently insecure, but the general school of thought is that IMAP and POP3 are not as frequently used as other protocols within Exchange to connect to mailboxes. Simply put, disabling IMAP and POP3 limits the potential attack surface on your Exchange servers.
For example, if you have a 5,000 user Exchange organization, and none of your user base connects to Exchange using either IMAP or POP3, it makes little sense to have the services running and listening. Doing so increases the number of open ports and also allocates precious memory and CPU resources to things you're not using.
Organizations generally enable IMAP -- or POP3 -- if they have users (usually senior-level executives) who use mail clients to access email that do not support MAPI or RPC over HTTP. The most prominent examples of this that I've seen are in organizations that do not support "traditional" means of connectivity to Exchange; think Thunderbird and Entourage.
It's hard to chart how many organizations use IMAP. Personally, I advise my customers against using IMAP if at all possible. My primary reason behind the suggestion is that IMAP introduces limitations to Exchange, thus not allowing the application to be used to its full potential.
That said, the following are common scenarios where I've found a definite business need to enable IMAP:
- When an organization has business software that needs a mailbox to participate in workflow processing, but only supports connectivity through IMAP. For example, one organization I worked with used Oracle HR and Payroll, which only supports IMAP connectivity for its workflow processes.
- When an organization only opens certain protocols through their firewalls for remote email access. For example, one organization I worked in did not allow OWA or RPC over HTTP, but did allow remote users to connect via IMAP.
- When an organization has employees who use "non-standard" client builds, such as Macs that do not have Microsoft Office installed but must access their company email.
About the author
Andy Grogan is an Exchange MVP based in the U.K. He has worked in the IT industry for the last 14 years -- primarily with Microsoft, HP and IBM technologies. His main passion is Exchange Server, but he also specializes in Active Directory, SQL Server and storage solutions. Grogan currently works for a large council in West London as the networks and operations manager supporting 6,000 customers on more than 240 sites. Visit Andy's website at www.telnetport25.com/.
This was first published in March 2013