Microsoft Exchange and Remote Desktop Services Specialists


Microsoft Exchange Server and
Blackberry Enterprise Server news, views and fixes.

Why you shouldn't use a POP3 Connector

There are so many reasons why you shouldn't use a POP3 connector on an Exchange server that it is difficult to know where to start.
I don't simply mean the POP3 Connector supplied with Small Business Server, but any third party POP3 Connector. They all have the same issues.

With the correct choice of services and configuration, there is almost no reason why a POP3 connector should be used as part of the deployment of Exchange.

POP3 is a client-to-server protocol, designed for pulling email from the server for storage on the client. Exchange is not a POP3 client. All that the POP3 connector does is pull the email down, then place it into the SMTP queue for delivery to the end users.

With the SBS POP3 Connector, that is done at 15 minute intervals.

I have outlined the most common arguments for using the POP3 connector below and why they don't make a very good case.
Then I have outlined the major benefits of using SMTP delivery.

I may well update this article in the future, so if you are using the RSS feed and it comes up again, then that is why.

Common Arguments for using the POP3 Connector.

I don't have a static IP address.

Not having a static IP address is not a hurdle for hosting your own email.
Simply use one of the dynamic DNS services to map a dynamic DNS to your MX record host, or just use the dynamic DNS address host in your MX records.
You will need to put a tool on to the server to keep the dynamic DNS address active, but there are lots around.

My ISP blocks port 25.

If you are running Exchange on a "residential" connection, or the ISP wants you to upgrade to a business class connection that costs many times the normal amount for basically the same service, then you may find that port 25 is blocked.
For outbound email you can use an SMTP Connector.
For inbound email, simply subscribe to one of the mail hop services. These services provide you with hosts that you put in to your MX records and will receive email for you. They then forward the email to you on an alternative port that is not being blocked.
Furthermore, in the event of a failure of your server or internet connection, these services will queue the email for you, which also deals with the "protection" reason (see below).

It provides "protection" in case the server goes down.

One of the most common reasons that people want to use the POP3 connector is because of the protection that it provides for them in case the server goes down.
This is often the reason given by people who don't understand the way that email and SMTP delivery works on the internet.

You should have complete control over your email at all times.
In fact, you should have control over all aspects of your internet service.

What happens if your ISP goes bust? It happens. Not as often as it once did, but it does happen.
If you are using a dedicated web hosting company, then they are more likely to go bust than regular ISPs, because the hosting market is so competitive. (I can rent a dedicated server for UK£45 a month - on that I could get 100 web sites very easily).

You have a disagreement over a bill with your ISP. They cut off access to your email until you pay the bill - holding you to ransom.

You should have the email delivered to your server at all times, using SMTP. That is what Exchange is designed to do.

However, many people will see that the Exchange server is a single point of failure for email delivery. Unless you pay out for additional services and applications, that will be a factor for most companies.
You also have the internet connection - that is often a single point of failure as well.

SMTP email has some protection built in. Most servers are configured to attempt to deliver email for 48 hours before giving up. If email is that critical to your business, then you will not wait 48 hours before getting some kind of email service. Where hardware is available, I can have a server back running in around four to six hours. It may not have the old information available to the users, but what most companies want is new email, the old content can wait a bit longer.

If hardware isn't available, then you can use an alternative email service, collect the email with POP3 and then import it back in to Outlook. That can be fixed up in around 30 minutes, with just clients to configure.

If you are in a larger site with multiple servers, then it probably doesn't apply as you will be able to make internal arrangements.

My mention of POP3 in the previous paragraphs doesn't mean using the ISP's POP3 service, nor does it support the use of the POP3 connector.

How can you protect yourself?

The biggest problem with making alternative arrangements is the DNS propagation time. It takes 48 hours for DNS changes to fully propagate round the Internet. Therefore if you were to rely on replacement DNS changes, you would lose email.

The trick that I like to use is to use a second MX record and a dynamic DNS service provider.
The dynamic DNS entry is pointed at your existing IP address - so you have two MX records pointing at the same location:

MX value: 10
MX value: 50 Type: A Value: Type A: Value

Note that two hosts have been used, not an alias to the original host.
While this does break the official best practices for MX records in having two records pointing at the same host (which will be flagged if you use for example), in operation it has no effect.

In the event of a failure, the original lowest value MX record is no longer responding. The sending servers will try the higher value MX record - which at the point of failure also isn't responding.

Simply change the IP ADDRESS on the dynamic DNS record to point to your alternative server or internet connection. No other changes are required, and email will begin to flow very shortly afterwards.
You haven't got to wait for DNS changes to propagate, because they are already there. The dynamic DNS services have set up their service so that host changes are reflected around the internet very quickly.

Once the original server has been fixed, change the entry back again and email to the alternative server or IP address will very quickly dry up.
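The failover steps above, walked through from the sending server's point of view. This is an added example, not part of the original article; the host names and addresses are placeholders from the documentation ranges, and `route` is a simplified model of how a sender works through MX records in preference order.

```python
# Constructed zone data: two MX hosts that start out on the same IP address.
MX = [(10, "mail.example.com"), (50, "example.dyn.example.net")]
A = {"mail.example.com": "192.0.2.1", "example.dyn.example.net": "192.0.2.1"}


def route(mx_records, a_records, reachable):
    """Return the (host, ip) a sender delivers to, or None if it must queue and retry."""
    for _preference, host in sorted(mx_records):  # lowest MX value is tried first
        ip = a_records.get(host)
        if ip in reachable:
            return host, ip
    return None


def failover_walkthrough():
    """Replay the outage: only the dynamic DNS host's A record is ever changed."""
    a = dict(A)
    main, standby = "192.0.2.1", "198.51.100.5"
    steps = {}
    steps["normal"] = route(MX, a, reachable={main})
    # Main server or connection fails: both MX hosts point at it, so mail queues remotely.
    steps["outage"] = route(MX, a, reachable={standby})
    # Re-point the dynamic DNS host at the alternative server. MX records are untouched.
    a["example.dyn.example.net"] = standby
    steps["repointed"] = route(MX, a, reachable={standby})
    # Original server fixed: change the entry back, and the MX 10 host wins again.
    a["example.dyn.example.net"] = main
    steps["restored"] = route(MX, a, reachable={main, standby})
    return steps


if __name__ == "__main__":
    for step, target in failover_walkthrough().items():
        print(f"{step:10} -> {target}")
```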

Why not use a Backup MX Service?

You may have seen advertised backup MX services. This is where another server is configured in your MX records to accept email for your domain - using similar values to my example above.

The reason not to use backup MX services is quite simple.
In most cases it is only spammers who will use the second (higher value) MX record to send email. The theory being that the backup record is not so heavily protected against spam.

One of the most effective ways to deal with bandwidth use by spam and virus carrying messages is to simply refuse delivery for users who are unknown on your server.
This feature works by rejecting the message at the SMTP stage, before the message has been delivered. In a small site it is very effective.

If you are using a backup MX server, then you will probably be unable to use that feature, because the backup server has already accepted the message. Attempting to refuse delivery of the message will cause the messages to queue on the ISP's server as they are trying to bounce the message back to the "sender". In most cases the sender of the spam is spoofed and doesn't exist.
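To make the difference concrete, here is an added example (not from the original article) that pushes the same three messages through both paths. The mailbox list, the messages and the function names are all constructed for illustration, and the backup MX is assumed to have no copy of the user list.

```python
# Constructed data: mailboxes that exist on the Exchange server (placeholder names).
VALID_USERS = {"bob@example.com", "sue@example.com"}

# Constructed traffic: (envelope sender, recipient, size in bytes).
MESSAGES = [
    ("alice@example.org", "bob@example.com", 4_000),
    ("forged1@victim.example", "sales99@example.com", 30_000),
    ("forged2@victim.example", "qwerty@example.com", 30_000),
]


def exchange_rcpt(rcpt):
    """Recipient filtering: the reply given to RCPT TO, before any message data."""
    return 250 if rcpt.lower() in VALID_USERS else 550


def deliver_direct(messages):
    """MX points at the Exchange server, so it answers RCPT TO itself."""
    stats = {"delivered": 0, "refused": 0, "bytes_taken": 0, "bounce_queue": []}
    for sender, rcpt, size in messages:
        if exchange_rcpt(rcpt) == 250:
            stats["delivered"] += 1
            stats["bytes_taken"] += size
        else:
            stats["refused"] += 1  # sender's problem: nothing transferred or queued
    return stats


def deliver_via_backup_mx(messages):
    """Backup MX without the user list accepts everything, then relays it on."""
    stats = {"delivered": 0, "refused": 0, "bytes_taken": 0, "bounce_queue": []}
    for sender, rcpt, size in messages:
        stats["bytes_taken"] += size  # whole message already accepted by the backup
        if exchange_rcpt(rcpt) == 250:
            stats["delivered"] += 1
        else:
            stats["refused"] += 1
            # The backup now owns the message and must bounce it to the
            # envelope sender, which for spam is usually forged.
            stats["bounce_queue"].append(sender)
    return stats


if __name__ == "__main__":
    print("direct:   ", deliver_direct(MESSAGES))
    print("backup MX:", deliver_via_backup_mx(MESSAGES))
```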

My ISP / Web Host doesn't provide an SMTP feed.

That excuse is one that is regularly heard. You don't need an SMTP feed to host your own email. That excuse often comes from the ISP / host, who just want control over everything. They recognise that you could be using your own email server, and want to ensure that you have a level of reliance on their service. They may even be charging you on a per mailbox basis, and don't want to see their revenue stream removed.

To have email delivered to your email server, all you need to do is get your MX records configured to point at your server instead of theirs. If they will not change the MX records, then transfer the domain to a domain name registrar where you have complete control. You can continue to use the ISP/host for hosting the web site (despite what they may say).

I have users who need to collect email from outside by POP3.

If you have any kind of permanent connection to the Internet, then they should be collecting email from the Exchange server. Configuring a domain and Exchange server to share a domain with another email server is problematic and an administrative overhead you could probably do without. It can be done, and is documented on the MS KB, but I wouldn't advise it.

If you are on Windows 2003/Exchange 2003 or SBS 2003 then remote users should be configured to use RPC over HTTPS. This gives the user the Exchange feature set, without requiring a VPN. It just needs an Internet connection.

I don't have a permanent internet connection.

Of the main reasons for using a POP3 connector, this one is probably the only reason for using it for some sites. It is probably the ONLY reason I would deploy the POP3 connector, and that would be only after all other alternatives have been investigated and found not to be available.
However you still don't have to use the POP3 connector.
Use an ISP that supports ETRN collection. This is effectively "SMTP on Demand". The Exchange server connects to the Internet and then sends the ETRN server a command to say that it is ready to receive email, and the ETRN server then delivers it. You get most of the benefits of the SMTP type delivery, but without the hassles of POP3 collection.

The CEO wants to import his personal email in to his Exchange mailbox.

This reason has started to become more frequent with the increasing amount of space available in web mail services. There is no technical reason why this is a bad idea. Depending on the relationship you have with the staff member who requests it, you may not have any other choice.

However the best counter-argument for this reason is the loss of privacy. It is personal email. Once it has been imported in to Exchange, it becomes business content. It will be backed up and could be read by anyone else once the staff member has left the company.

Does that email have a place going through company systems?

I am also very suspicious of someone using personal email for business purposes. Why would they want to mix personal and business email up? The main reason is so that they can remain in touch once the business email is no longer available. Or perhaps they don't trust business email or are hiding something.

Benefits of SMTP Email Delivery

If you are currently on a POP3 connector, then why should you switch to SMTP delivery?

It is How Exchange is designed to work.

Exchange was built around the SMTP protocol, and is designed to work with SMTP.

Almost Instant Email Delivery

Most POP3 connectors will only collect email at most every minute, and the SBS POP3 Connector at 15 minute intervals.

As a consultant, one of the easiest ways for me to look good is to ditch the POP3 connector and switch the client to SMTP. The users see an immediate benefit as email is delivered shortly after it is sent - not when the server decides to collect it.

Add and Remove Users easily

You can simply add and remove users, email accounts and distribution lists on the server without having to worry about the configuration of the POP3 account. If you have named mailboxes with the ISP, then you don't need to configure those either.
If you are using a "Catch All" type mailbox, then you have bigger problems which can be solved by using SMTP delivery.

The most effective anti spam measures are based on SMTP delivery

If you want to effectively deal with spam, then you need to block it at the point of delivery. With a POP3 connector you cannot do that, as it has already been "delivered" - to your ISP's server. If you attempt to block the message after that point your ISP will probably make you stop and insist that you download all the email that is waiting for you.

If you are using a "catch all" email account, which POP3 connectors do, you will be bringing down spam messages with your legitimate email. As the sender of the spam messages is more often than not spoofed, your server will be unable to bounce the message and the messages will either queue or have to be dropped. This is a waste of bandwidth.

The two most effective methods of dealing with the majority of spam messages are filtering unknown users and grey listing.
Both of those require the email to be delivered directly so that the messages can be blocked.
Those measures are also effective against many of the email virus threats.

Remote Sites Know the Message Has Been Delivered

When you have your email delivered directly, remote sites can check their logs to see that the message has been correctly delivered to your server.

Experiences with Grey Listing

I have heard from many sources that grey listing can be an effective weapon for fighting spam, yet hadn't had an opportunity to try it out.

However one of my clients was being hammered hard with spam, with 700+ messages a day being filtered by Intelligent Message Filter, and lots of messages getting past "I Hate Spam" from Sunbelt Software. Therefore I thought they would be a good site to test the method with.

I installed Vamsoft's ORF on to the gateway machine and left it to get on with it, enabling just the grey listing and the automatic white list* feature.

* The automatic white list is built by watching outbound email and recording the email address used. When the external recipient replies, the message comes straight back in as the server then knows that the email address is legitimate.

The effect was immediate and noticeable. I watched the logs of the application very carefully to ensure that no legitimate email was being blocked. The amount of spam that was blocked by the application was considerable. After running for a week, the application reported that over 85% of all email that was being received was spam.

That doesn't count messages that were dropped by the filter on unknown users.

The process isn't 100% effective, IMF was still catching some messages - but this was down to 20 or 30 a day, a massive reduction in the pre-grey listing number.
Users were also reporting that a few items were reaching their inboxes, but nothing like the level they had been receiving.

I have since deployed the application on four other sites, including my own Exchange server and seen similar significant drops in the number of spam messages being received.

As with user filtering, this technique also saves the bandwidth, as the messages are not even delivered to your server, so don't have to be processed.

The Vamsoft product works with any IIS SMTP mail server, so if you have Exchange 2000 then you can use it as well. It also features Active Directory filtering, which Exchange 2003 has built in, allowing users of the older version of Exchange to benefit.

How Does It Work?

Grey Listing is a very simple idea.

A sending server attempts to deliver a message to your server. If your server hasn't received an email from that sender before, then it rejects the message with a temporary failure.

The systems that spammers use don't care about failure messages. They aren't interested in the failure and will therefore not try again. Spammers want to drop and run, before any system blocks the IP address that they are sending their email messages from.

However a legitimate email server will try again. Most email servers will try again for up to 48 hours, so you will get the email message eventually.

Are there any risks?

Any anti spam technique comes with risks. Unless you have a human looking at every message, you are relying on the computer making the decision whether the message is spam or not.

This technique will introduce a delay for new email messages - I have seen the delay as short as 90 seconds up to 20 minutes or more. If your business cannot tolerate any delay in email message delivery then this technique is not for you.

I have also seen a few email messages fail to be delivered from some sites that generate large amounts of email - such as eBay and a few ISPs. This is because each message appears to come from a different IP address in their server cluster.
With eBay, white listing their domain isn't advised as that will also allow in phishing emails.
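The grey listing decision, the automatic white list and the server-cluster problem described above can all be seen in one small model. This is an added example, not Vamsoft ORF's code or configuration: the class, the 60 second minimum delay, the (client network, sender, recipient) key and the option to match on a /24 network instead of a single IP address are assumptions chosen for illustration, and the traffic is constructed.

```python
import ipaddress


class Greylist:
    """Toy grey listing policy; names and timings are assumptions for this example."""

    def __init__(self, min_delay=60, max_age=48 * 3600, prefix=32):
        self.min_delay = min_delay  # seconds a new sender must wait before a retry counts
        self.max_age = max_age      # forget an entry after this many seconds
        self.prefix = prefix        # 32 = exact client IP, 24 = whole /24 network
        self.first_seen = {}        # (network, sender, recipient) -> time of first attempt
        self.auto_white = set()     # external addresses our own users have written to

    def record_outbound(self, external_rcpt):
        """Automatic white list: remember addresses seen on outbound email."""
        self.auto_white.add(external_rcpt.lower())

    def check(self, client_ip, sender, rcpt, now):
        """Return the SMTP reply given at RCPT TO time."""
        if sender.lower() in self.auto_white:
            return "250 OK (auto white list)"
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False)
        key = (str(net), sender.lower(), rcpt.lower())
        first = self.first_seen.get(key)
        if first is None or now - first > self.max_age:
            self.first_seen[key] = now
            return "451 4.7.1 Greylisted, try again later"
        if now - first < self.min_delay:
            return "451 4.7.1 Greylisted, try again later"
        return "250 OK"


def simulate(prefix):
    """Constructed traffic: one-shot spammer, known contact, retrying server, cluster."""
    g = Greylist(prefix=prefix)
    g.record_outbound("supplier@example.net")
    return {
        "spam_once": g.check("203.0.113.9", "x@spam.example", "bob@example.com", 0),
        "reply": g.check("198.51.100.7", "supplier@example.net", "bob@example.com", 5),
        "first_try": g.check("192.0.2.10", "alice@example.org", "bob@example.com", 10),
        "retry": g.check("192.0.2.10", "alice@example.org", "bob@example.com", 310),
        "cluster_1": g.check("192.0.2.20", "n@bulk.example", "bob@example.com", 20),
        "cluster_2": g.check("192.0.2.21", "n@bulk.example", "bob@example.com", 320),
    }


if __name__ == "__main__":
    for prefix in (32, 24):
        print(prefix, simulate(prefix))
```

With `prefix=32` the retry from the second cluster address is treated as a brand new sender and deferred again; with `prefix=24` it is accepted, because both addresses fall in the same network.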


While spammers don't comply with the RFC on SMTP email delivery and try just the once to deliver their email messages, this technique will be an effective first strike weapon in the war on spam. It shouldn't be considered the only weapon, but combined with other techniques can make spam more manageable.