POP3 settings for Exchange 2019? Are we in a time warp? No. OK, so you may be wondering why I am covering POP3 on its own instead of in just a short section in an overall configuration article on Exchange 2019. Well, this protocol is one of the oldest, but it is also one that is often misconfigured or not configured at all, which causes headaches for users because they cannot authenticate. You will be surprised how many companies and end-users still make use of POP3. In Exchange 2010, it was pretty simple to configure POP3 in the Exchange Management Console, but in Exchange 2019 things are a bit different and you have more options to set and, therefore, more options that can be misconfigured. (As for configuring your IMAP settings in Exchange 2019, you can check out our article here.)
Here’s what we will be covering:
- POP internal settings
- POP external settings
- Login type
- X509 certificate
- Service settings
Let’s start with services and service settings:
Exchange 2019 POP3 services and service settings
When you install Exchange Server 2019, you will notice that POP3 has two services, just like in Exchange 2016. These services are as follows:
- MS Exchange POP3
- MS Exchange POP3 BE
Why do I have two services and what function do they perform? The first service is your frontend service that POP3 clients will connect to. The second service (POP3 BE) is where connections are proxied to the backend service on a mailbox server where the active copy of the mailbox is.
POP3 still makes use of port 110 and port 995. Now that you understand what each service does, you will also notice that the services are set to manual and that the backend service is not configured. The first step is to configure the services so they start automatically when the server starts up. To change this, you can launch Services.msc and update them manually, or you can use PowerShell, which is a lot quicker and easier. Open up PowerShell (elevated) and run the following commands to set the StartupType to automatic:
Set-Service MSExchangePOP3 -StartupType Automatic
Set-Service MSExchangePOP3BE -StartupType Automatic
Below is a snippet from my test lab and you can see I configured this using the Exchange Management Shell, which will also work:
As you can see above, no errors are thrown. It also looks like nothing has been done, but the services have been set so that the next time you reboot they will start automatically. Let’s first take a look at the default settings for POP3. To get this, you can run the following command:
Get-PopSettings -Server EX2019A | fl
POP3 internal and external settings
If you take a look at the output, you will notice that the Internal Connection settings have the local server name and the External Connection Settings is blank. This is what we need to configure now in the next section. Open up the Exchange Management Shell (elevated) and we will be running the following commands:
Set-PopSettings -server EX2019A -ExternalConnectionSettings "mail.thexchangelab.com:995:SSL","mail.thexchangelab.com:110:TLS" -X509CertificateName mail.thexchangelab.com
Set-PopSettings -server EX2019A -InternalConnectionSettings "mail.thexchangelab.com:995:SSL","mail.thexchangelab.com:110:TLS" -X509CertificateName mail.thexchangelab.com
As you can see above, we have now set the POP settings for server EX2019A, and both SSL and TLS are configured. The next thing we need to configure is the LoginType, which is also set by running a command in the Exchange Management Shell (elevated). You will notice the default is set to SecureLogin, which requires the client to negotiate SSL or TLS before it authenticates. You can leave it like that, or if you want to change it to Plain Text, you have the option of setting that as well; with PlainTextLogin, clients can send their credentials without encryption on port 110. Here is the command:
Set-PopSettings -Server EX2019A -LoginType PlainTextLogin
Press enter after running that command.
Let’s move on and chat about certificates.
If you make use of a wildcard certificate, you will notice when you enable the SSL certificate (which we will cover in the next section), you will get an error and it will tell you to run the command below:
Set-PopSettings -server EX2019A -X509CertificateName mail.thexchangelab.com
If you noticed in the image above, the X509 name was already set. I am not using a Wildcard in this example so when enabling the services, you shouldn’t receive an error. Let’s move to the last part of certificates and this is to enable our Exchange Certificate for whatever services we want it to run. You have the option of setting the following services:
Below is a sample command that enables all the services on the SSL certificate we have imported on our Exchange 2019 Server:
Enable-ExchangeCertificate -server EX2019A -Thumbprint <> -services IIS,SMTP,IMAP,POP
I left Thumbprint with brackets <> because each certificate in each environment will be different. If you are not sure how to get a certificate thumbprint on a server, you can run a simple command to get it, here is the command:
Get-ExchangeCertificate -Server EX2019A
It will return all the certificates on that Exchange 2019 server, and then you can copy the thumbprint and replace <> with the long combination of numbers and letters. Once all of this has been completed, you can reboot your Exchange 2019 Server and then test if POP3 will connect when you set up a profile in Outlook. Remember, when setting up the profile you need to make sure that “my server requires authentication” is enabled on the authentication tab for it to work, depending on how you configured the server.
Once you have enabled the certificate, you will receive a warning asking if you want to replace the default SMTP certificate with this one. If you do, type “y” (without the quotation marks) and press Enter, and the SSL certificate will now perform the SMTP role as well.
Now that you have the commands, you can create a script and run it against your next server and all the settings will be configured.
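A read-only check to run after such a script, added here as an example (it is not part of the original article or of Exchange): it flags a LoginType other than SecureLogin, empty or unencrypted connection settings, and a published host name that differs from X509CertificateName. The function name Test-PopSettingsHardening, the second server EX2019B and the sample objects are constructed for illustration, and the property names are assumed to match what Get-PopSettings returns.

```powershell
# Added example: flags POP3 settings that weaken authentication or TLS.
# Works on any object exposing the property names used below (assumed to match Get-PopSettings).
function Test-PopSettingsHardening {
    param([Parameter(Mandatory, ValueFromPipeline)][object]$PopSettings)
    process {
        $findings = [System.Collections.Generic.List[string]]::new()
        $certName = "$($PopSettings.X509CertificateName)"

        # SecureLogin requires TLS/SSL before a client may authenticate.
        if ("$($PopSettings.LoginType)" -ne 'SecureLogin') {
            $findings.Add("LoginType '$($PopSettings.LoginType)' permits logins without encryption")
        }
        foreach ($scope in 'InternalConnectionSettings', 'ExternalConnectionSettings') {
            # Stringify each entry; the expected shape is host:port:encryption.
            $entries = @($PopSettings.$scope | ForEach-Object { "$_" } | Where-Object { $_ })
            if ($entries.Count -eq 0) { $findings.Add("$scope is empty"); continue }
            foreach ($entry in $entries) {
                $hostName, $port, $encryption = $entry -split ':'
                if ($encryption -notin 'SSL', 'TLS') {
                    $findings.Add("$scope '$entry' advertises no encryption")
                }
                # Clients check the certificate against the advertised host name.
                if ($hostName -ne $certName) {
                    $findings.Add("$scope host '$hostName' differs from X509CertificateName '$certName'")
                }
            }
        }
        [pscustomobject]@{
            Server    = $PopSettings.Server
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings.ToArray()
        }
    }
}

# Constructed sample objects (not real output); EX2019B is a hypothetical second server.
$samples = @(
    [pscustomobject]@{
        Server = 'EX2019A'; LoginType = 'SecureLogin'; X509CertificateName = 'mail.thexchangelab.com'
        InternalConnectionSettings = 'mail.thexchangelab.com:995:SSL', 'mail.thexchangelab.com:110:TLS'
        ExternalConnectionSettings = 'mail.thexchangelab.com:995:SSL', 'mail.thexchangelab.com:110:TLS'
    }
    [pscustomobject]@{
        Server = 'EX2019B'; LoginType = 'PlainTextLogin'; X509CertificateName = 'EX2019B'
        InternalConnectionSettings = @('EX2019B.thexchangelab.com:110'); ExternalConnectionSettings = @()
    }
)
$samples | Test-PopSettingsHardening | Format-List
```

On a live server, pipe the real settings into it from the Exchange Management Shell: Get-PopSettings -Server EX2019A | Test-PopSettingsHardening.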