By default, IMAP4 client connectivity isn't enabled in Exchange. To enable IMAP4 client connectivity, you need to perform the following steps:
Start the IMAP4 services, and configure the services to start automatically:
Microsoft Exchange IMAP4: This is the Client Access (frontend) service that IMAP4 clients connect to.
Microsoft Exchange IMAP4 Backend: IMAP4 client connections from the Client Access service are proxied to the backend service on the server that holds the active copy of the user's mailbox. For more information, see Exchange architecture.
Configure the IMAP4 settings for external clients.
By default, Exchange uses the following settings for internal IMAP4 connections:
IMAP4 server FQDN: <ServerFQDN>. For example, mailbox01.contoso.com.
TCP port and encryption method: 993 for always TLS encrypted connections, and 143 for unencrypted connections, or for opportunistic TLS (STARTTLS) that results in an encrypted connection after the initial plain text protocol handshake.
To allow external IMAP4 clients to connect to mailboxes, you need to configure the IMAP4 server FQDN, TCP port, and encryption method for external connections. This step causes the external IMAP4 settings to be displayed in Outlook on the web (formerly known as Outlook Web App) at Settings > Options > Mail > Accounts > POP and IMAP.
Estimated time to complete each procedure: 5 minutes.
Secure Sockets Layer (SSL) is being replaced by Transport Layer Security (TLS) as the protocol that's used to encrypt data sent between computer systems. They're so closely related that the terms "SSL" and "TLS" (without versions) are often used interchangeably. Because of this similarity, references to "SSL" in Exchange topics, the Exchange admin center, and the Exchange Management Shell have often been used to encompass both the SSL and TLS protocols. Typically, "SSL" refers to the actual SSL protocol only when a version is also provided (for example, SSL 3.0). To find out why you should disable the SSL protocol and switch to TLS, check out Protecting you against the SSL 3.0 vulnerability.
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "POP3 and IMAP4 Permissions" section in the Clients and mobile devices permissions topic.
To verify that you've successfully started the IMAP4 services, use either of the following procedures:
On the Exchange server, open Windows Task Manager. On the Services tab, verify that the Status value for the MSExchangeIMAP4 and MSExchangeIMAP4BE services is Running.
In the Exchange Management Shell, run the following command to verify that the IMAP4 services are running:
This example configures the following settings for external IMAP4 connections:
IMAP4 server FQDN: mail.contoso.com
TCP port: 993 for always TLS encrypted connections, and 143 for unencrypted connections or opportunistic TLS (STARTTLS) encrypted connections.
Internal Exchange server IP address and TCP port for always TLS encrypted connections: All available IPv4 and IPv6 addresses on the server on port 993 (we aren't using the SSLBindings parameter, and the default value is [::]:993,0.0.0.0:993).
Internal Exchange server IP address and TCP port for unencrypted or opportunistic TLS (STARTTLS) encrypted connections: All available IPv4 and IPv6 addresses on the server on port 143 (we aren't using the UnencryptedOrTLSBindings parameter, and the default value is [::]:143,0.0.0.0:143).
FQDN used for encryption: mail.contoso.com. This value identifies the certificate that matches or contains the IMAP4 server FQDN.
For detailed syntax and parameter information, see Set-IMAPSettings.
The external IMAP4 server FQDN that you configure needs to have a corresponding record in your public DNS, and the TCP port (143 or 993) needs to be allowed through your firewall to the Exchange server.
The combination of encryption methods and TCP ports that you use for the ExternalConnectionSettings parameter needs to match the corresponding TCP ports and encryption methods that you use for the SSLBindings or UnencryptedOrTLSBindings parameters.
Although you can use a separate certificate for IMAP4, we recommend that you use the same certificate as the other Exchange IIS (HTTP) services, which is likely a wildcard certificate or a subject alternative name (SAN) certificate from a commercial certification authority that's automatically trusted by all clients. For more information, see Certificate requirements for Exchange services.
If you use a single subject certificate, or a SAN certificate, you also need to assign the certificate to the Exchange IMAP service. You don't need to assign a wildcard certificate to the Exchange IMAP service. For more information, see Assign certificates to Exchange Server services.
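An added check (not part of the original article) for the requirement that each ExternalConnectionSettings entry match a port in SSLBindings or UnencryptedOrTLSBindings. The function names are hypothetical, the sample values are constructed from this page's example and default bindings, and the `fqdn:port:encryption` string format is an assumption based on the 993/SSL and 143/TLS values the page mentions.

```powershell
# Added example; function names are hypothetical, sample values are constructed.

# Parse "fqdn:port:encryption" entries (assumed ExternalConnectionSettings format).
function ConvertFrom-ImapConnectionSetting {
    param([string[]]$Setting)
    foreach ($s in $Setting) {
        $parts = $s -split ':'
        if ($parts.Count -lt 2 -or $parts.Count -gt 3) { throw "Unexpected setting: $s" }
        # A missing or empty third field means no encryption.
        $enc = if ($parts.Count -eq 3 -and $parts[2]) { $parts[2].ToUpper() } else { 'NONE' }
        [pscustomobject]@{ Fqdn = $parts[0]; Port = [int]$parts[1]; Encryption = $enc }
    }
}

# Extract the TCP port from bindings such as "[::]:993" or "0.0.0.0:993".
function Get-ImapBindingPort {
    param([string[]]$Binding)
    foreach ($b in $Binding) { [int]($b -replace '^.*:', '') }
}

# Report, per external entry, whether its port exists in the matching binding list.
function Test-ImapExternalSetting {
    param([string[]]$External, [string[]]$SslBindings, [string[]]$UnencryptedOrTlsBindings)
    $sslPorts = @(Get-ImapBindingPort $SslBindings | Sort-Object -Unique)
    $tlsPorts = @(Get-ImapBindingPort $UnencryptedOrTlsBindings | Sort-Object -Unique)
    foreach ($e in ConvertFrom-ImapConnectionSetting $External) {
        # SSL entries need an always-TLS binding; TLS (STARTTLS) and
        # unencrypted entries need an UnencryptedOrTLSBindings port.
        $expected = if ($e.Encryption -eq 'SSL') { $sslPorts } else { $tlsPorts }
        [pscustomobject]@{
            Setting    = '{0}:{1}:{2}' -f $e.Fqdn, $e.Port, $e.Encryption
            BoundPorts = $expected -join ','
            Matches    = $expected -contains $e.Port
        }
    }
}

# Constructed input: the page's two external entries plus one deliberate mismatch
# (SSL advertised on 143), checked against the default bindings.
$external = 'mail.contoso.com:993:SSL', 'mail.contoso.com:143:TLS', 'mail.contoso.com:143:SSL'
Test-ImapExternalSetting -External $external `
    -SslBindings '[::]:993', '0.0.0.0:993' `
    -UnencryptedOrTlsBindings '[::]:143', '0.0.0.0:143' | Format-Table -AutoSize
```

On a server, the three inputs would come from the ExternalConnectionSettings, SSLBindings and UnencryptedOrTLSBindings properties returned by Get-ImapSettings; that their string form matches the parsed format is an assumption.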
How do you know this step worked?
To verify that you've successfully configured the IMAP4 settings for external clients, run the following command in the Exchange Management Shell and verify the settings:
After you enable and configure IMAP4, you need to restart the IMAP4 services on the server by using the Windows Services console, or the Exchange Management Shell.
Use the Windows Services console to restart the IMAP4 services
On the Exchange server, open the Windows Services console.
In the list of services, select Microsoft Exchange IMAP4, and then click Action > Restart.
In the list of services, select Microsoft Exchange IMAP4 Backend, and then click Action > Restart.
Use the Exchange Management Shell to restart the IMAP4 services
Run the following command to restart the IMAP4 services.
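The procedure above (start the services, configure the external settings, restart, verify) as one Exchange Management Shell session. This is an added example, not commands reproduced from the original article; the service names, mail.contoso.com and the 993/SSL and 143/TLS values are the ones this page uses, and X509CertificateName is the Set-ImapSettings parameter used here for the "FQDN used for encryption".

```powershell
# Added example: run in the Exchange Management Shell on the Exchange server.
# Service names are the ones this page lists; the FQDN is the page's sample value.
$imapServices = 'MSExchangeIMAP4', 'MSExchangeIMAP4BE'

# Step 1: set both services to start automatically, then start them.
foreach ($name in $imapServices) {
    Set-Service -Name $name -StartupType Automatic
    Start-Service -Name $name
}

# Step 2: publish the external settings. 993 is always-TLS ("SSL" in Exchange
# terminology) and 143 is opportunistic TLS via STARTTLS ("TLS"). SSLBindings and
# UnencryptedOrTLSBindings are not set, so the default bindings stay in place.
Set-ImapSettings `
    -ExternalConnectionSettings 'mail.contoso.com:993:SSL', 'mail.contoso.com:143:TLS' `
    -X509CertificateName 'mail.contoso.com'

# Step 3: restart both services so the new settings take effect.
Restart-Service -Name $imapServices

# Verify: both services should report Running, and the settings should show
# the values configured in step 2 alongside the default bindings.
Get-Service -Name $imapServices | Format-Table Name, Status -AutoSize
Get-ImapSettings |
    Format-List ExternalConnectionSettings, SSLBindings, UnencryptedOrTLSBindings, X509CertificateName
```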
To verify that you have enabled and configured IMAP4 on the Exchange server, perform the following procedures:
Open a mailbox in Outlook on the web, and then click Settings > Options.
Click Mail > Accounts > POP and IMAP and verify the correct IMAP4 settings are displayed.
Note: If you configured 993/SSL and 143/TLS values for the ExternalConnectionSettings parameter on the Set-ImapSettings cmdlet, only the 993/SSL value is displayed in Outlook on the web. Also, if the external IMAP4 settings that you configured don't appear as expected in Outlook on the web after you restart the IMAP4 services, run the commands net stop w3svc /y and net start w3svc to restart Internet Information Services (IIS).
You can test IMAP4 client connectivity to the Exchange server by using the following methods:
Internal clients: Use the Test-ImapConnectivity cmdlet. For example, Test-ImapConnectivity -ClientAccessServer <ServerName> -Lightmode -MailboxCredential (Get-Credential). For more information, see Test-ImapConnectivity.
Note: You can't use IMAP4 to connect to the Administrator mailbox. This limitation was intentionally included in Exchange 2016 and Exchange 2019 to enhance the security of the Administrator mailbox.