How to Configure SBS 2008 to Host POP3/IMAP4

[Today’s post comes to us courtesy of Shawn Sullivan] 

Today’s post will discuss the steps necessary to allow your SBS 2008 server to host POP3 and IMAP4 services for external clients. This process consists of four parts:

  1. Enabling the POP3/ IMAP4 services on the SBS 2008 server.

  2. Port forwarding POP3 /IMAP4 through the firewall to the SBS 2008 server.

  3. Configuring Exchange 2007 for authenticated client SMTP relay.

  4. Configuring POP3/IMAP4 and SMTP settings on the client.

Part 3 of this process has already been documented in the following blog post, which covers authenticated SMTP relay: How to Configure Trusted SMTP Relay in Exchange on SBS 2008.

Enabling POP3/IMAP4 on SBS 2008

After SBS 2008 setup completes, the POP3 and IMAP4 services are both stopped and set to manual for startup type. You can run the services.msc console to start them and change the startup type to automatic.


Launch the Exchange Management Console as administrator and expand Server Configuration > Client Access and click on the POP3 and IMAP4 tab. Here you can view the banner string, binding, authentication, connection, and retrieval settings for both services.


Launch the Exchange Management Shell as administrator and run Get-ImapSettings | fl or Get-PopSettings | fl to get the complete list of configuration settings in one list.



By default, both the POP3 and IMAP4 services require a TLS authenticated connection using an X.509 certificate. Exchange setup creates a certificate matching the server’s internal fully qualified domain name (FQDN) and configures both services to use it for TLS. When you run the “Internet Address Management Wizard” to configure you external FQDN, another certificate matching your external address is created and configured for POP3 and IMAP4 services. You can view your exchange certificates in the Exchange Management Shell with Get-ExchangeCertficate:


You need to change the certificate that POP3 and IMAP4 uses for TLS to the certificate that has been created by the “Internet Management Address Wizard”. This is done either through the management console or shell.

Run the Set-PopSettings or Set-ImapSettings with the –X509CertificateName option and enter the name of the certificate:


Or open the properties of POP3 or IMAP4, click on the Authentication tab, enter the certificate name.


Port forwarding POP3/IMAP4 through your firewall to the SBS 2008 server

For POP3, you need to open either TCP 110 or 995. For IMAP4, open either TCP 143 or 993, depending on whether you are configuring the client to encrypt the traffic with SSL or not. Whatever ports you are opening, they need to point to the IP address of the SBS 2008 server.

Windows Firewall is enabled on SBS 2008 by default with exceptions for both POP3 and IMAP4. Configuration changes will not be necessary.

Configuring POP3/IMAP4 settings on the client

Other than choosing the FQDN of the server you are connecting to and configuring user account settings, there are a couple of things to note about client setup.

To comply with Exchange’s default settings, Microsoft clients like Outlook, Outlook Express, or Windows Mail will need to configure POP3 to connect using SSL (port 995).

For IMAP, Outlook 2007 will allow you to authenticate with TLS using port 143. Earlier versions of Outlook, Outlook Express, and Windows Mail will need to connect using SSL (port 993).

If you are configuring your SBS 2008 server as your outgoing SMTP server, then you will need to authenticate using TLS on port 587. Once again, full details in the following blog post: How to Configure Trusted SMTP Relay in Exchange on SBS 2008.