Disable insecure legacy email protocols (eg SMTP, POP3, IMAP) – Default Setting for New Mailboxes

Introduction

Legacy email protocols such as POP and IMAP do not support modern authentication, so brute-force and password spray attacks may succeed in breaching the tenant's mailboxes.

To best protect from this, we recommend you disable insecure legacy email protocols for all new mailboxes.

This setting should be set in conjunction with “Disable insecure legacy email protocols (eg SMTP, POP3, IMAP) – Enforce Existing Mailboxes”.

License Requirement

Any Exchange Online plan

User Impact

Low
New mailboxes will have POP, IMAP and SMTP disabled on creation. Any users attempting to connect to the mailbox using legacy protocols will be blocked from doing so.

Admin Portal Reference

This setting must be switched on via PowerShell. The following cmdlets are run against the tenant's Exchange Online.

Get-CASMailboxPlan -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true"} | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

Set-TransportConfig -SmtpClientAuthenticationDisabled $true

If Action is set to Notify

We report the setting as compliant if all CASMailboxPlans (each Exchange Online SKU has its own plan) have their ImapEnabled and PopEnabled attributes set to $false and the transport config setting SmtpClientAuthenticationDisabled is set to $true.

We report the setting as non-compliant if any of the CASMailboxPlans (each Exchange Online SKU has its own plan) have their ImapEnabled and PopEnabled attributes set to $true or the transport config setting SmtpClientAuthenticationDisabled is set to $false.

If Action is set to Enforce

We report the setting as compliant if all CASMailboxPlans (each Exchange Online SKU has its own plan) have their ImapEnabled and PopEnabled attributes set to $false and the transport config setting SmtpClientAuthenticationDisabled is set to $true.

We report the setting as compliant-fixed if any of the CASMailboxPlans (each Exchange Online SKU has its own plan) had their ImapEnabled and PopEnabled attributes set to $true and MSPMagic has updated them to $false, or the transport config setting SmtpClientAuthenticationDisabled was set to $false and MSPMagic changed it to $true.
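A read-only check that applies the compliant / non-compliant rule described above, added here as an example; it is not MSPMagic's own code. `Get-LegacyProtocolStatus` is a hypothetical helper name, the sample plans are constructed, and a plan is treated as failing when either protocol is enabled, matching the `-or` filter in the cmdlet above.

```powershell
# Hypothetical helper (not an MSPMagic or Microsoft cmdlet): reports whether the
# defaults for new mailboxes still allow IMAP, POP or SMTP AUTH.
function Get-LegacyProtocolStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Plans,            # output of Get-CASMailboxPlan
        [Parameter(Mandatory)] [object]   $TransportConfig   # output of Get-TransportConfig
    )

    # A plan fails if either legacy protocol is still enabled for new mailboxes.
    $failingPlans = @($Plans | Where-Object { $_.ImapEnabled -or $_.PopEnabled })

    # SMTP AUTH passes only when it is disabled tenant-wide; a missing value counts as open.
    $smtpAuthOpen = -not $TransportConfig.SmtpClientAuthenticationDisabled

    [pscustomobject]@{
        Status         = if ($failingPlans.Count -eq 0 -and -not $smtpAuthOpen) { 'compliant' } else { 'non-compliant' }
        SmtpClientAuth = if ($smtpAuthOpen) { 'enabled' } else { 'disabled' }
        FailingPlans   = @($failingPlans | ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; ImapEnabled = $_.ImapEnabled; PopEnabled = $_.PopEnabled }
        })
    }
}

# Constructed sample data shaped like the live cmdlet output (plan names are made up).
$samplePlans = @(
    [pscustomobject]@{ Name = 'ExamplePlanA'; ImapEnabled = $false; PopEnabled = $false }
    [pscustomobject]@{ Name = 'ExamplePlanB'; ImapEnabled = $true;  PopEnabled = $false }
)
$sampleTransport = [pscustomobject]@{ SmtpClientAuthenticationDisabled = $true }

$result = Get-LegacyProtocolStatus -Plans $samplePlans -TransportConfig $sampleTransport
$result | Select-Object Status, SmtpClientAuth
$result.FailingPlans | Format-Table

# Against a live tenant, after Connect-ExchangeOnline:
# Get-LegacyProtocolStatus -Plans (Get-CASMailboxPlan) -TransportConfig (Get-TransportConfig)
```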
