We help IT Professionals succeed at work.

IMAP and POP - Security Implications?


I have several users who want IMAP or POP access to their Exchange accounts due to the fact that Outlook will only allow them to be connected to one Exchange server at a time.  We have RPC/HTTPS for general remote access and I'm rather reluctant to open up IMAP and POP.  Could somebody tell me what the security implications are of opening these services up?  Obvioulsly the smaller my external footprint the better but have there been any historical instances of vulnerabilites or exploits on IMAP and POP Exchange services?

Watch Question

Solutions Architect
first they are open ports on your firewall and POP3 is not secure because it uses plain text, unless you use POP3S you are sending everything in plain text that could be caputered by a sniffer and used by a hacker


Thats exactly my point, open ports are never a good thing.  Obvioulsy I would use POP3S and IMAPS but I'm still reluctant.  However, unless I can show that there's a concrete reason for keeping POP and IMAP disabled (e.g. a history of known security issues) then I'm going to have to open them up.
did everyone get iphones for christmas or something??  I wrote a policy for my company that the only way to access email remotely is either thru encrypted OWA VPN or our Citrix implementation.    I have not heard of too many problems with imaps or pop3s for security reasons but to be safe i would come up with a list of approved devices they could use to get email from those 2 ports.  Some devices out there still don't have pops or imaps support.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.