Enable IMAP and Message Submission with SSL/TLS for Exchange Server 2013

From time to time I need to enable IMAP and Message Submission for Exchange servers. Most of the time it is because there is some kind of CRM / ERP System that needs to send and receive emails. Here are the steps to enable IMAP and Message Submission with SSL/TLS. I used a Wildcard certificate (*.contoso.com) to secure the data.

IMAP/S uses port 993 (TCP) and Message Submission uses port 587 (TCP). Message Submission was created to distinguish between SMTP for Servers and SMTP for Clients. SMTP for Servers runs on port 25 and SMTP for Clients (Message Submission) runs on port 587 and requieres the Client to authenticate first.

Activate IMAP

Set the IMAP services start type to “Automatic” on the Exchange server. Please note that there are two Services that need to be started to support IMAP, “Microsoft Exchange IMAP4” and “Microsoft Exchange-IMAP4-Back-End”. Use the following cmdlets in an elevated PowerShell:

Set-Service "MSExchangeImap4" -StartupType Automatic
Set-Service "MSExchangeIMAP4BE" -StartupType Automatic

Now start the IMAP services:

Start-Service "MSExchangeImap4"
Start-Service "MSExchangeIMAP4BE"

The next step is to set the certificate name for the IMAP service. Remember I am using a wildcard certificate and I need to specify the host hame for the IMAP service:

Set-ImapSettings -X509CertificateName mail.contoso.com

You need to grant users the right to use IMAP with the following cmdlet:

Set-CASMailbox -Identity "Fred" -IMAPEnabled $true


Enable TLS for Message Submission Connector

Now we need to enable TLS for the Message Submission connector in Exchange. Exchange creates a Message Submission connector by default, it is named “Server name\Client Frontend Server Name“.

First get a list of available certificates on the Server:


Now use the thumbprint of the certificate you want to use to get a reference to this certificate:

$certificate = Get-ExchangeCertificate -Thumbprint DE67EC3C8D6793535D17678FEC519072723535E2

Create the certificate name so that it can be used by the connector:

$certificateName = "<i>$($certificate.Issuer)<s>$($certificate.Subject)"

Last step is to the tell the connector witch certificate to use:

Set-ReceiveConnector "EX01\Client Frontend EX01" -TlsCertificateName $certificateName

Now clients can use Message Submission with TLS.

Login to IMAP with Outlook

As an example I configured a IMAP profile in Outlook (German version) to show you the required settings. Please note that you have to use the UPN of the user (user@domain) to logon to IMAP:

2017-05-31 10_15_42-Add-IMAP-Account

2017-05-31 10_15_42-SMTP-Authentication

2017-05-31 10_40_22-Server-Settings












Leave a Reply

Your email address will not be published. Required fields are marked *