Information
Internet Message Access Protocol version 4 (IMAP4) is an email protocol for sending and receiving email between a client and server. Unlike POP3 it can synchronize email and folders between the client and server. On Exchange Server 2019 with the Mailbox role installed, it is set to manual startup by default.
Rationale:
IMAP4 by default is configured to use basic authentication, which can potentially expose credentials in plain text. While it can be configured to use SSL/TLS for encryption, it is important to disable unnecessary services that duplicate the functionality of more widely used and supported protocols. ActiveSync and MAPI, in contrast, offer superior security by default, provide an enhanced user experience, and are Microsoft's primary focus for support and improvement. By disabling IMAP4, organizations can reduce their attack surface and prioritize the use of more secure and feature-rich protocols.
Impact:
Devices that require IMAP4 to function will be unable to send or receive email from the Exchange Server. This should not be a problem for most client applications as Outlook 2013 and newer support modern authentication methods (OAuth) and protocols.
If an organization is required to use IMAP4 then care must be taken to only enable IMAP4, the ImapEnabled parameter, for the mailbox in question.
Solution
To implement the recommended state, execute the following PowerShell commands:
Stop-Service MSExchangeImap4,MSExchangeIMAP4BE
Get-Service MSExchangeImap4,MSExchangeIMAP4BE | Set-Service -StartupType Disabled
Default Value:
StartType: Manual