2.2.15 [RFC3501] Section 6.2.3, LOGIN Command


The specification states: "A server MAY include a CAPABILITY response code in the tagged OK response to a successful LOGIN command in order to send capabilities automatically."

Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, Microsoft Exchange Server 2016

Microsoft Exchange Server does not include a CAPABILITY response code in its response to a successful LOGIN command. Microsoft Exchange sends capabilities only in response to a CAPABILITY command from the client. For more details, see sections 2.2.13, 2.2.14, and 2.2.31 of this document.


The specification states: “Server sites SHOULD NOT use any configuration which permits the LOGIN command without such a protection mechanism against password snooping.”

By default, Microsoft Exchange does not permit plaintext password authentication when connecting insecurely, but can be configured to allow plaintext password authentication without protection against password snooping.
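The two behaviors above, seen from the client side, as an added example that is not Microsoft's code. It runs over constructed server lines: it falls back to an explicit CAPABILITY command when the tagged OK to LOGIN carries no CAPABILITY response code, and it flags a cleartext session whose pre-authentication capability list lacks LOGINDISABLED, the RFC 3501 capability that tells clients LOGIN will be refused. All function and constant names are hypothetical.

```python
import re

# Tagged OK carrying a CAPABILITY response code, e.g. "A001 OK [CAPABILITY ...] text".
_OK_CODE = re.compile(r"^\S+ OK \[CAPABILITY ([^\]]*)\]", re.IGNORECASE)
# Untagged reply to an explicit CAPABILITY command.
_UNTAGGED = re.compile(r"^\* CAPABILITY (.+)$", re.IGNORECASE)

# Constructed sample lines, not captured from a real server.
LOGIN_OK_WITHOUT_CODE = "A001 OK LOGIN completed."
LOGIN_OK_WITH_CODE = "A001 OK [CAPABILITY IMAP4rev1 IDLE] Logged in"
CAPABILITY_REPLY = ["* CAPABILITY IMAP4 IMAP4rev1 IDLE", "A002 OK CAPABILITY completed."]
PREAUTH_PROTECTED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
PREAUTH_EXPOSED = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"


def _atoms(text):
    """Split a capability list into an upper-cased set for case-insensitive lookup."""
    return {atom.upper() for atom in text.split()}


def caps_from_login_ok(line):
    """Capabilities in the tagged OK response code, or None when there is none."""
    m = _OK_CODE.match(line.strip())
    return _atoms(m.group(1)) if m else None


def caps_from_untagged(lines):
    """Capabilities from the first untagged CAPABILITY line, or None."""
    for line in lines:
        m = _UNTAGGED.match(line.strip())
        if m:
            return _atoms(m.group(1))
    return None


def post_login_capabilities(login_ok, capability_reply):
    """Prefer the response code; otherwise use the reply to an explicit CAPABILITY."""
    caps = caps_from_login_ok(login_ok)
    if caps is not None:
        return caps, "response-code"
    return caps_from_untagged(capability_reply), "capability-command"


def plaintext_login_exposed(preauth_line, tls_active):
    """True when a cleartext session does not advertise LOGINDISABLED.
    An unparseable capability line is treated as exposed (fail closed)."""
    caps = caps_from_untagged([preauth_line]) or set()
    return not tls_active and "LOGINDISABLED" not in caps
```

A client or audit script would refuse to send LOGIN whenever `plaintext_login_exposed` returns True and negotiate TLS first.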