Archive for December, 2021

Disabling POP3 and IMAP4 protocols in Exchange Online

December 18, 2021

POP3 and IMAP4 are some of the distinguished elder citizens of the internet when it comes to protocols. Used for retrieving mail from a mailbox into a mail client of some sort, both protocols have been available on just about every mail server software package for the last 30 years. Unfortunately the protocols themselves are no longer secure for use in this modern world and it’s all but guaranteed we’ll never see another version increment of either protocol again. The world has changed since those early days when it comes to mail access, driven by players such as Google’s Gmail.

Our Exchange Online instance has had POP3 and IMAP4 enabled since the day I signed up for it in 2012 or so. Our on premises Exchange 2007 had both protocols enabled as well, though no user made use of them internally or externally. Thanks to COVID-19 and the whole remote work push, many more of our learners have started to use their school email accounts as they need it for MS Teams and other services. Unfortunately some of the learners did not make use of the excellent and free Microsoft Outlook app for their phones or tablets but instead made use of the built in mail clients on these devices. For some arcane reason, a very small handful of these devices configured themselves automatically to use IMAP4 for mailbox access. I don’t publish DNS entries for POP and IMAP, so how these clients configured themselves for IMAP4, I’ll never know.

Ordinarily I wouldn’t be too bothered about the access method users used. However, earlier this year I came across a note in the Office 365 admin console that explained that Microsoft would be disabling “Legacy” authentication for these protocols – basically disabling the clear-text and TLS sign-in ability and requiring clients to use OAuth authentication on these old protocols, if I understood correctly. The main reason for the switch is security – as mentioned, both protocols are old and are not going to be receiving much TLC going forward.

Further reading opened my eyes to the fact that both old protocols could also be used as a brute-force attack method to try to turn a user into a SPAM bot. If you could guess a user’s password and confirm that it works by signing in over either protocol, you could then use that user to blast out SPAM via an automated API that connects to your tenant and blasts away. This has happened to us a few times where an automated attack script has attempted to brute-force guess one of our users’ passwords and managed to turn said user into a SPAM bot.

I therefore decided to kill both POP3 and IMAP4 for all of our users, staff and learners alike. If we were a small business with only 5-20 users, one could disable the protocols for each user by hand in the Exchange Management Console, but for 1000+ learners this isn’t realistically possible. This leaves using good old PowerShell to do the job.

To disable the protocols, make sure you have the Exchange Online PowerShell module installed and have connected to your tenant, as the cmdlets used below come from this module.

(Get-CASMailbox -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true"} -ResultSize Unlimited).count

The above command returns the number of mailboxes that have one or both protocols enabled. The -ResultSize Unlimited switch matters: without it the cmdlet stops at its default of 1000 results, which would under-count a tenant the size of ours.

Before you actually disable the protocols, though, here’s the thing: you ideally want to prevent any user accounts created in future from automatically getting POP and IMAP enabled. Users can still be enabled manually should you need it for any given reason, but the idea is to kill it for good going forward.

Get-CASMailboxPlan -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

The above command changes the mailbox plans so that newly created mailboxes no longer get POP and IMAP enabled by default. It does not touch existing mailboxes; that is the next step.

To disable POP and IMAP for all your users, use the following command:

Get-CASMailbox -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } -ResultSize Unlimited | Select-Object @{n = "Identity"; e = {$_.PrimarySmtpAddress}} | Set-CASMailbox -ImapEnabled $false -PopEnabled $false

The above command finds all the mailboxes with POP and/or IMAP enabled (again with -ResultSize Unlimited so none are missed past the first 1000), projects each one’s primary SMTP address as an Identity property, and pipes each identity to the last command, which actually disables the protocols on the mailboxes.
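The three steps above as one script, added here as an example rather than taken from the original post: it snapshots the affected mailboxes to a CSV before changing anything, fixes the mailbox plans, disables the protocols on existing mailboxes while skipping an exception list, and then re-queries to verify that only the exceptions remain. It assumes the Exchange Online module is installed and Connect-ExchangeOnline has already been run; the exception address and CSV path are placeholders.

```powershell
# Added example, not code from the original post. Assumes an existing
# Connect-ExchangeOnline session. Run without -Apply for a dry run.
param(
    [string[]] $KeepEnabled = @('scanner-mailbox@example.invalid'),  # placeholder exceptions
    [string]   $BackupCsv   = ".\pop-imap-before-$(Get-Date -Format yyyyMMdd-HHmm).csv",
    [switch]   $Apply                                                # omit to only report
)

# OPATH filter used by every query: anything with a legacy protocol still on.
$filter = 'ImapEnabled -eq "true" -or PopEnabled -eq "true"'

# 1. Snapshot the current state so the change can be reversed per mailbox
#    if some client turns out to depend on POP3/IMAP4.
$legacy = @(Get-CASMailbox -Filter $filter -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, ImapEnabled, PopEnabled)
$legacy | Export-Csv -Path $BackupCsv -NoTypeInformation
Write-Host ("{0} mailbox(es) have POP3 and/or IMAP4 enabled; snapshot written to {1}" -f $legacy.Count, $BackupCsv)

# 2. Stop new mailboxes from inheriting the protocols via their mailbox plan.
foreach ($plan in Get-CASMailboxPlan -Filter $filter) {
    Write-Host "Plan $($plan.Identity): POP=$($plan.PopEnabled) IMAP=$($plan.ImapEnabled)"
    if ($Apply) { $plan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false }
}

# 3. Disable on existing mailboxes, skipping the documented exceptions.
$targets = $legacy | Where-Object { $KeepEnabled -notcontains [string]$_.PrimarySmtpAddress }
foreach ($mbx in $targets) {
    $addr = [string]$mbx.PrimarySmtpAddress
    if ($Apply) {
        Set-CASMailbox -Identity $addr -ImapEnabled $false -PopEnabled $false
    } else {
        Write-Host "Would disable POP3/IMAP4 on $addr"
    }
}

# 4. Verify: whatever is still enabled must be exactly the exception list.
if ($Apply) {
    $remaining = @(Get-CASMailbox -Filter $filter -ResultSize Unlimited |
        ForEach-Object { [string]$_.PrimarySmtpAddress })
    $unexpected = $remaining | Where-Object { $KeepEnabled -notcontains $_ }
    if ($unexpected) {
        Write-Warning "Still enabled and not in the exception list: $($unexpected -join ', ')"
    } else {
        Write-Host "Done: only the $($KeepEnabled.Count) listed exception(s) still have POP3/IMAP4."
    }
}
```

The dry run prints what would change without calling any Set- cmdlet, so the CSV and the console listing can be reviewed before re-running with -Apply.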

Now any attacker trying to worm their way in via either protocol so that they can send SPAM will hit an impenetrable wall. That’s one less attack avenue to worry about which is always a good thing. Clients won’t notice either so long as they are using a modern mail client or signing into Outlook Web App to check their mail. Win win, SPAMMERS be damned.

A BIG network change is coming soon

December 16, 2021

When I first started at my current school in 2009, I arrived with a very basic knowledge of network switching. I knew the difference between hubs and switches and I knew that some switches had a web interface you could use to configure the unit. My first job however only had unmanaged switches and the college I studied at didn’t have managed switches for students to play with. Fast forward to 2009 and I walked into a school that had 2 x HP ProCurve 2524 units, 1 x HP ProCurve 2900-24G and unmanaged D-Link switches everywhere else.

When my first colleague started a week after I did, he introduced me to what these ProCurve switches were and why they were not only so good, but why we would have to replace all the other switches in the school with ProCurves. At some point in early 2010, we managed to get a stack of ProCurve 2610 models to go around the school, replacing many, though not all, of the D-Link unmanaged units. This, combined with new, useful 6U cabinets and some patch and brush panels, made the physical cabled network look a lot more respectable and far less haphazard.

As the years have rolled on since then, I fully completed the swap out of unmanaged to managed switches. Unfortunately one thing we did not anticipate at the time was the need for PoE that would come when we put in our 1st IP based CCTV cameras. Whilst we got a 2610-24 PWR model in the server room to centrally power some cameras, others had to be powered with PoE injectors, which led to messy cabinets that ran hot thanks to having the injectors sit in the base of the cabinet. Let me not even start on the mess of power cables and adapters and multiplugs this entailed.

When the CCTV kept expanding, I realised that we were going to need to upgrade all the switches to PoE models. By this time the 2620 series was now in, so I started buying some of those models, but due to the increased price I could never do the whole network at once. This led to the 2620 series being retired just after HPE bought Aruba and started integrating the product lines, which meant that I purchased one 2530 unit, which seemed to be superseded pretty quickly by the 2540 line. Just a few days ago, I attempted to purchase yet another 2540 unit, only to be told that they were end of life and the Aruba CX 6100 series was the replacement. Most of the network is now PoE capable and we are using about 500 watts of power at any given moment on the network for CCTV, APs, phones and so on.

All the while that the edge network was being upgraded, the server room core has remained static with 1 x HP 2620, 1 x 2610-48, 1 x 2900-24G and 1 x 2610-24 PWR. This is far from ideal as most of the fibre deployment in the school has been upgraded to OM-3 cable to give us 10Gb/s capability. This is probably still more capacity than we’ll need for years to come, but that’s another story. For the last few years I’ve been mulling the solution to bringing the core up to speed – a chassis based switch. Not only would it give a massive speed upgrade to the core, it would provide room for growth whilst not requiring more rack space. Throw in potential redundancy, quieter operation due to bigger fans and the ability to hot swap modules and the attraction of these units couldn’t be more obvious.

After weighing the pros and cons and looking at the options Aruba offers, I settled on the Aruba 5412R zl2 v3 chassis switch. It is a 12 module unit that is 7U high and can mix and match all sorts of modules – copper ethernet from 100Mb/s to 40Gb/s fibre and all sorts of things in-between. I found a bundle option which includes 92 gigabit PoE ports and 4 SFP+ ports. I had to add an extra 8 port SFP+ module to take care of our fibre as well as adding 2 power supplies. It’s not a cheap purchase, but I decided on slight overkill and went with the 12 bay unit vs the only other option, which is a 6 bay unit. The 6 bay version just didn’t have enough expansion for my taste and since this switch is going to have to last 15 or more years, that is important to have.

The biggest problem however is that due to the high cost of the unit, I wouldn’t be able to buy it in one go. Normally I’d put something so expensive in as a CAPEX request, but thanks to the school building a new wing a few years ago, CAPEX was essentially non-existent as the school worked to repay the loan for that building work. I was forced to split up the cost of the unit over 2 years. Unfortunately the delay played havoc with pricing thanks to the R/$ exchange rate going south. I was despairing about being able to get the unit thanks to the quotes I was getting, but thankfully one supplier came to the party and provided outstanding pricing.

I’m not sure when I’ll actually take delivery of the package due to the damned global chip shortage playing havoc with everything electronic as well as the very late in the year order. It could be late January next year or even going into February before it arrives at the school, which means that I will only be able to install it on a weekend really as we can’t take the network down for surgery during the day.

[Stock picture of the 5412R unit, minus rack ears, omitted here.]

I will write another post once I’ve taken delivery of the device and have gotten it installed. Despite the flexibility of this chassis based switch, it still runs on the same sort of OS as almost every other Aruba and HP switch before it. Aruba is now introducing new switches that run on the ArubaOS-CX OS which technically runs on Linux rather than the custom OS that is ProVision. The CX-6100 model I’ve also ordered runs on this OS, so I will see what it’s like in comparison to the older ProVision based models. Long and short of it, it just means that it won’t take too long to actually commission this device software and configuration wise, taking into account that it’s replacing 4 switches. To me, that is a beautiful thing and I know I am going to have a huge smile on my face once this device is up and running.

The mSATA experiment

December 16, 2021

When it comes to storage options in this modern world of ours, M.2 NVMe drives are king. Physically small and compact, the drives offer excellent speeds and reduce cable clutter inside a desktop PC, and save space, battery life and heat inside a laptop or tablet. However, ten or so years ago, M.2 did not exist as a slot, but there was something else: mSATA.

Mini-SATA never really took off in the consumer space, but did sort of have its 5 minutes of glory when Windows 8 came out and manufacturers were falling over themselves to make some form of tablet to go with the new OS. Traditional 2.5” hard drives wouldn’t work obviously, nor would a drop-in standard 2.5” SSD. Soldering the storage chips to the mainboard was always an option (much like how the iPad does it) but many manufacturers instead turned to mSATA to do the job. It was expensive (all flash based SSD products were back then) and capacities were limited (again, as all SSDs were at the time).

We have 39 PCs in our school from the 2012-3 era that were given to us by our provincial Education Department to make up our Computer Lab at the time. These PCs have an Intel DQ77MK motherboard in them, which has a mini PCIe slot that accepts mSATA drives, as well as 6 normal SATA ports. Unfortunately the mSATA slot only works at 3Gb/s, which does really sort of limit what the PC can do with an mSATA SSD in it compared to hooking up a 2.5” drive to the 6Gb/s SATA port.

I have been replacing the 500GB Seagate mechanical drives in these computers with normal 2.5” SSD units for a while now, but I recently took the chance to order an mSATA drive to put into one of these PCs – I actually ordered the drive more as an experiment for myself than anything else.


Here’s the KingFast 256GB mSATA SSD I ordered. The screw holes at the top are slightly bulging as I tried to force through screws that were too tight for the holes. The drive did not come with any mounting screws, so I was trying to find screws to use when mounting the drive inside the computer. Much to my chagrin, the correct mounting screws were actually inside the PC already, screwed into the posts that the card would rest on. Oops… Luckily no damage to the card, just a little visual ugliness to the screw holes, which obviously wouldn’t be seen once the side panel of the case was back on.


Once the card was installed in the PC, the first boot-up and return to Windows ended up with the PC not detecting the card for some reason. I rebooted and went into the UEFI to find the card was now visible. Back once again into Windows to start the clone process from the mechanical hard drive to the SSD using Macrium Reflect. Unfortunately the entire process took close to 6 and a half hours. I don’t know why, but I have never had good speeds using Macrium to clone drives in my school, but the mechanical drive in this PC was suspect as well. What made it worse is that on that day, our country started implementing rolling blackouts again and my school area was scheduled to be hit in the evening. Without intending it to be so, it had become a race of clone vs blackout. Thankfully, the clone did finish in time, so I could shut the machine down safely from home.

The next day I went up to the classroom and removed the mechanical drive and SATA cable. I put the PC back on its shelf in the teacher’s desk and the system booted from the mSATA drive with no issues. General performance in Windows is light years ahead of the mechanical drive, but it’s not quite as snappy as what an SSD with a 6Gb/s link would be. Still, it’s more than adequate for the particular classroom until the room eventually gets a new computer. As for the mechanical drive I took out, I am pretty sure that the drive is dying, as nothing else can explain such putrid performance.

This will be my only real experiment with mSATA I think. None of the other types of computers in the school support it and the cost of the drives is higher than equivalent capacity 2.5” drives. Besides, M.2 drives have since superseded mSATA in every possible way that matters. This really was just to satisfy my curiosity in the end more than anything else.
