Enable IMAP and Message Submission with SSL/TLS for Exchange Server 2013

From time to time I need to enable IMAP and Message Submission for Exchange servers. Most of the time it is because there is some kind of CRM / ERP System that needs to send and receive emails. Here are the steps to enable IMAP and Message Submission with SSL/TLS. I used a Wildcard certificate (*.contoso.com) to secure the data.

IMAP/S uses port 993 (TCP) and Message Submission uses port 587 (TCP). Message Submission was created to distinguish between SMTP for Servers and SMTP for Clients. SMTP for Servers runs on port 25 and SMTP for Clients (Message Submission) runs on port 587 and requieres the Client to authenticate first.

Activate IMAP

Set the IMAP services start type to “Automatic” on the Exchange server. Please note that there are two Services that need to be started to support IMAP, “Microsoft Exchange IMAP4” and “Microsoft Exchange-IMAP4-Back-End”. Use the following cmdlets in an elevated PowerShell:

Set-Service "MSExchangeImap4" -StartupType Automatic
Set-Service "MSExchangeIMAP4BE" -StartupType Automatic

Now start the IMAP services:

Start-Service "MSExchangeImap4"
Start-Service "MSExchangeIMAP4BE"

The next step is to set the certificate name for the IMAP service. Remember I am using a wildcard certificate and I need to specify the host hame for the IMAP service:

Set-ImapSettings -X509CertificateName mail.contoso.com

You need to grant users the right to use IMAP with the following cmdlet:

Set-CASMailbox -Identity "Fred" -IMAPEnabled $true


Enable TLS for Message Submission Connector

Now we need to enable TLS for the Message Submission connector in Exchange. Exchange creates a Message Submission connector by default, it is named “Server name\Client Frontend Server Name“.

First get a list of available certificates on the Server:


Now use the thumbprint of the certificate you want to use to get a reference to this certificate:

$certificate = Get-ExchangeCertificate -Thumbprint DE67EC3C8D6793535D17678FEC519072723535E2

Create the certificate name so that it can be used by the connector:

$certificateName = "<i>$($certificate.Issuer)<s>$($certificate.Subject)"

Last step is to the tell the connector witch certificate to use:

Set-ReceiveConnector "EX01\Client Frontend EX01" -TlsCertificateName $certificateName

Now clients can use Message Submission with TLS.

Login to IMAP with Outlook

As an example I configured a IMAP profile in Outlook (German version) to show you the required settings. Please note that you have to use the UPN of the user (user@domain) to logon to IMAP:

2017-05-31 10_15_42-Add-IMAP-Account

2017-05-31 10_15_42-SMTP-Authentication

2017-05-31 10_40_22-Server-Settings












Get-ADUser returns empty value for Active Directory attribute msDS-UserPasswordExpiryTimeComputed

Today I wrote a script for a customer of mine to send emails to remote users that their password will expire in 10 days or less and they have to change it. To get the Information when the Password of a user will expired I used the PowerShell cmdlet Get-ADUser and received the AD property ‘msDS-UserPasswordExpiryTimeComputed’:

$users = Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $false} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed", "UserPrincipalName", "GivenName", "SN", "Mail" | Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}, "UserPrincipalName", "GivenName", "SN", "Mail" | Sort DisplayName

This worked on the Domain Controller but not on the Exchange Server so I was wondering why. After some tests I found the reason: On the Domain Controller I used a domain administrator to execute the PowerShell cmdlet, on the Exchange server I was using a standard scheduled task user with only local administration rights. So I granted the task user the permission to read the property in the Active Directory Users and Computers console:

  1. Open Active Directory Users and Computers console
  2. Right click the domain and select “Properties”
  3. Switch to the “Security” tab and add the task user with read permission
  4. Select the task user and click on ‘Advanced’
  5. Find the Task user in the list, mark it and click on ‘Edit’
  6. Select ‘Descendant User objects’ in the ‘Apply to’ drop down and switch to the ‘Properties’ tab
  7. Scroll down the list and make sure that the option ‘Read msDS-UserPasswordExpiryTimeComputed’ is allowed
  8. Click on OK and leave the Dialogs

After the change my task user was able to read the property and the script showed me the time the Password will expire.

Download Location of Citrix Netscaler VPX Express edition

I only access the Citrix Website from time to time so I am always searching for the download page of the Netscaler VPX Express Edition. If you need it too you can find it under the following URL:


You need a Citrix account to access this site.

You can also navigate there from the regular download page via https://www.citrix.com/downloads -> “Select a product: Netscaler ADC” -> “Netscaler VPX Express”. Please note that there is no 12.x Netscaler VPX Express Edition. Only the 11.x branch is available.