Introduction #
Legacy email protocols such as POP and IMAP do not support modern authentication, so brute-force and password-spray attacks against them may succeed in breaching the tenant's mailboxes.
To best protect against this, we recommend you disable insecure legacy email protocols for all new mailboxes.
This setting should be set in conjunction with "Disable insecure legacy email protocols (e.g. SMTP, POP3, IMAP) – Enforce Existing Mailboxes".
License Requirement #
Any Exchange Online plan
User Impact #
Low
New mailboxes will have POP, IMAP and SMTP client authentication disabled on creation. Any user attempting to connect to such a mailbox using one of these legacy protocols will be blocked from doing so.
Admin Portal Reference #
This setting must be switched on via PowerShell. The following cmdlets are run against the tenant's Exchange Online (an ExchangeOnlineManagement session established with Connect-ExchangeOnline is assumed). The first updates every CAS mailbox plan that still has IMAP or POP enabled; the second disables SMTP client authentication tenant-wide.
Get-CASMailboxPlan -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true"} | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
If Action is set to Notify #
We report the setting as compliant if all CASMailboxPlans (each Exchange Online SKU has its own plan) have their ImapEnabled and PopEnabled attributes set to $false and the TransportConfig SmtpClientAuthenticationDisabled attribute is set to $true.
We report the setting as non-compliant if any CASMailboxPlan (each Exchange Online SKU has its own plan) has its ImapEnabled or PopEnabled attribute set to $true, or the TransportConfig SmtpClientAuthenticationDisabled attribute is set to $false.
If Action is set to Enforce #
We report the setting as compliant if all CASMailboxPlans (each Exchange Online SKU has its own plan) have their ImapEnabled and PopEnabled attributes set to $false and the TransportConfig SmtpClientAuthenticationDisabled attribute is set to $true.
We report the setting as compliant-fixed if any CASMailboxPlan (each Exchange Online SKU has its own plan) had its ImapEnabled or PopEnabled attribute set to $true and MSPMagic has updated it to $false, or the TransportConfig SmtpClientAuthenticationDisabled attribute was set to $false and MSPMagic has changed it to $true.
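The following is an added example, not code from the original page or from MSPMagic, showing how the Notify and Enforce checks above can be reproduced in a single PowerShell function using the same cmdlets. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session with rights to read and modify CAS mailbox plans and transport config; the function name and the -Enforce switch are this example's own.

```powershell
# Added example (not part of the original page or MSPMagic's own code).
# Assumes an active Connect-ExchangeOnline session (ExchangeOnlineManagement module).
function Test-LegacyProtocolCompliance {
    [CmdletBinding()]
    param(
        # When set, remediate non-compliant plans/config instead of only reporting (Enforce mode)
        [switch]$Enforce
    )

    $findings = @()

    # Each Exchange Online SKU has its own CASMailboxPlan; every plan must have IMAP and POP off
    foreach ($plan in Get-CASMailboxPlan) {
        if ($plan.ImapEnabled -or $plan.PopEnabled) {
            $findings += "Plan '$($plan.Name)': ImapEnabled=$($plan.ImapEnabled) PopEnabled=$($plan.PopEnabled)"
            if ($Enforce) {
                Set-CASMailboxPlan -Identity $plan.Identity -ImapEnabled $false -PopEnabled $false
            }
        }
    }

    # SMTP client authentication is a single tenant-wide switch on the transport config
    $transport = Get-TransportConfig
    if (-not $transport.SmtpClientAuthenticationDisabled) {
        $findings += "TransportConfig: SmtpClientAuthenticationDisabled=False"
        if ($Enforce) {
            Set-TransportConfig -SmtpClientAuthenticationDisabled $true
        }
    }

    # Map to the three states described above: compliant, non-compliant (Notify), compliant-fixed (Enforce)
    $status = if ($findings.Count -eq 0) { 'compliant' }
              elseif ($Enforce)         { 'compliant-fixed' }
              else                      { 'non-compliant' }

    [pscustomobject]@{
        Status   = $status
        Findings = $findings
    }
}

# Usage:
#   Test-LegacyProtocolCompliance            # Notify: report only
#   Test-LegacyProtocolCompliance -Enforce   # Enforce: remediate, then report
```

Run it without -Enforce first to see which plans would be changed before applying the fix.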